Comment Re:The problem with American Embargos (Score 1) 254

No, you don't understand FATCA at all. Go and read how the law works and then come back. Actually don't bother - I already explained to you how the recursive "pass thru provisions" work and you ignored me, instead insisting that the law works differently to how it actually does.

Additionally, the idea that borders stopped changing after 1948 (do you mean 1945?) is ridiculous. What do you think happened after the fall of the Soviet Union? What do you think happened in Iraq when America invaded it?

Comment Re:The problem with American Embargos (Score 2, Interesting) 254

By every definition of Imperialism I've ever seen the Russians are doing a lot more of it than the US. Putin is trying to increase his sphere of influence with the Eurasian Union, eating bits of neighbors who rock his boat, refusing to give up control of a region that included a major military base, etc.

Hardly. If you buy the western line that the rebels in east Ukraine are all reporting directly to Putin then yes, but nobody with any knowledge does buy that line; it's clearly nonsense. Putin told them not to have a referendum, they ignored him. The rebels asked Russia to annex east Ukraine, Putin ignored them. He certainly did not order anyone to shoot down a civilian airliner.

Meanwhile, in the last few years the USA has formally established the global American empire for the first time. Yes, before 2010 it was largely a matter of pressure and the belief by world leaders that America would engage in economic warfare against anyone, including so-called "allies", who defied it. But then America passed a law called FATCA that turns every bank or financial institution in the world into an arm of the IRS recursively. Not just institutions that trade with America, but all of them, every last one, with institutions exposed to the US economy punished unless they in turn enforce Washington's will upon their trading partners and so on. America has also started passing recursive trade sanctions, sanctions that say "you're either with us or against us and if you're against us, you get sanctioned in exactly the same way". They did this for Iran, for example.

Now tell me. What is a country that can tax anyone it likes, anywhere in the world, and punish anyone it likes, anywhere in the world, and force anyone to take part in their economic wars, anywhere in the world, regardless of what those people actually want? The ability to tax and the ability to draft into an army is the defining characteristic of an empire. Russia can't do shit to me here in western Europe but America can and will ruin me if I get on the wrong side of them. That makes me an unwilling citizen of the American empire.

Comment Re:Ahhh ... large corporations ... (Score 1) 371

They're not making technology for the sake of making better technology, they're doing it purely to monetize it and make money -- for example, Oracle's insistence on keeping that stupid ask.com toolbar in the Java installer.

Yes, that really sucks, but it's probably the only direct way Java makes money. Otherwise it's basically a charity, right?

Fortunately the last installer at least will not try and reinstall this crap on upgrades. So you get asked once. More importantly if you're wanting to distribute desktop apps, you don't have to request that the user installs Java anymore, it can be bundled. And the crapware was only ever a Windows thing. Mac and Linux users don't suffer from it.

My gut sense is that the Java team at Oracle know this is horrible and are doing their best to chip away at it, but can't go to management and ask them to give up the only direct revenue stream the entire project has.

Comment Re:Nobody kills Java (Score 1) 371

I think the problem is Oracle isn't innovating, isn't advancing the technology, some aspects of it are essentially dead, the Java Community Process is largely ignored ...

Eh, this wasn't my experience so far.

There are many things that suck about Oracle, but so far what I've seen is that they've increased investment in Java, they're resolving a lot of basic, everyday problems people face when writing regular apps and overall Java is getting a lot better. There sure was a time when Java stagnated .... when Sun owned it. Now? Well, Java 8 resolves a lot of the more irritating problems with the language (lambdas make a huge difference, even though they're just syntax sugar), but more importantly the Java team have accepted that the real language innovation will happen with other languages that target the JVM and they've got serious about making the JVM a multi-language runtime. For example, in Java 7 they did a lot of work to support dynamic languages and in Java 8 they built on that work to make a fast JavaScript implementation on the JVM. It's not as fast as V8 at the moment but it's certainly a respectable showing. Meanwhile Scala, Clojure, Kotlin etc. are busy creating the next-gen languages that the Java team is too conservative to tackle.

With respect to community involvement, I don't personally give a shit about some "community process". What I care about is: can I check the sources out of version control, email the developers with a question and get a response the same day? Can I file bugs and have them be fixed? My experience with the JavaFX component of the OpenJDK is yes, yes and yes. In fact I've kind of been blown away by how responsive the JFX team are. Right now I'd say they've got a great UI toolkit (easily as good as Cocoa), but it only got good in the last couple of years, so they're relatively unknown and as a result you get fantastic service - for free!

Most importantly the JavaFX team aren't trying to create some uber-platform that replaces the operating system. They've built a tool that bundles the JVM and creates native installers/DMGs/packages for each platform. Finally you can use Java as if it were just a big library. No applets, no Web Start, no fucking about - just make an app that looks normal to your users, but shares 99.9% of the code across platforms. Which is what it always promised.

Comment Re:Not implausible (Score 1) 102

There is no way for anybody outside of Google to know whether the original claim is correct or not.

That's not quite true actually. VirusBulletin is a third party spam filtering company that made a blog post stating that based on their own measurements, Gmail was indeed dramatically better at stopping hijackings than other providers.

Comment Re:Will the NSA subvert certificate authorities no (Score 1) 148

I wonder which ones are already subverted.

None of the leaked documents from Snowden appear to mention compromised CAs, or at least no kind of compromise at scale. This is most likely because (1) CAs are not the weakest link, the browser security is and (2) they need to find their target's traffic streams before they can do the MITM attack, which would mean doing MITM on all SSL connections which would be detected almost immediately. A compromised CA would be useful only if they were unable to exploit the target's computer, and they needed to view SSLd traffic anyway, which does not appear to be a common situation for them circa 2013.

Google has only one way to know if a CA is trustworthy: running its own.

No. They can develop a system that involves every certificate produced by every CA being published in public audit logs, and then make Chrome verify that any given cert is in those public audit logs, thus allowing savvy site operators to find fake certs issued in their name (also useful for old fashioned phishing). And in fact that's exactly what they are doing.
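The audit-log scheme described in the comment above is Certificate Transparency. The example below is added here for illustration and is not the commenter's code or Google's implementation: it builds a Merkle tree over log entries using the RFC 6962 hashing rules (leaf hashes prefixed with 0x00, interior nodes with 0x01), produces and verifies an inclusion proof the way a browser would check that a certificate really is in the log, and runs the kind of monitor a site operator would use to spot a certificate for their name issued by a CA they never used. The log entries, domain names and issuer names are constructed sample data, and the "subject|issuer" entry format is an assumption made for the example.

```python
import hashlib

# RFC 6962 hashing: leaves and interior nodes use distinct domain-separation prefixes
def leaf_hash(entry: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + entry).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    """Largest power of two strictly less than n (n >= 2)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def tree_head(entries):
    """Merkle Tree Hash over the list of entries (RFC 6962 section 2.1)."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(tree_head(entries[:k]), tree_head(entries[k:]))

def inclusion_proof(index: int, entries):
    """Audit path for entries[index]: sibling hashes from the leaf up to the root."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(index, entries[:k]) + [tree_head(entries[k:])]
    return inclusion_proof(index - k, entries[k:]) + [tree_head(entries[:k])]

def root_from_proof(leaf: bytes, index: int, size: int, proof):
    """Recompute the root implied by a leaf hash and its audit path; None if the shape is wrong."""
    if size == 1:
        return leaf if not proof else None
    if not proof:
        return None
    k = _split(size)
    if index < k:
        sub = root_from_proof(leaf, index, k, proof[:-1])
        return None if sub is None else node_hash(sub, proof[-1])
    sub = root_from_proof(leaf, index - k, size - k, proof[:-1])
    return None if sub is None else node_hash(proof[-1], sub)

def verify_inclusion(entry: bytes, index: int, size: int, proof, expected_root: bytes) -> bool:
    """What a client does: check the entry hashes up to the signed tree head it already trusts."""
    return root_from_proof(leaf_hash(entry), index, size, proof) == expected_root

def find_unexpected_certs(entries, domain: str, trusted_issuers):
    """Monitor: every log entry naming `domain` whose issuer is not one the operator uses."""
    hits = []
    for i, entry in enumerate(entries):
        subject, issuer = entry.decode().split("|")
        if subject == domain and issuer not in trusted_issuers:
            hits.append((i, issuer))
    return hits

# Constructed sample log; the "subject|issuer" layout is an assumption of this example
SAMPLE_LOG = [
    b"example.com|Example Root CA",
    b"mail.example.net|Other CA",
    b"example.com|Rogue Issuer CA",   # a cert for example.com from a CA the operator never used
    b"shop.example.org|Example Root CA",
    b"example.com|Example Root CA",
]

if __name__ == "__main__":
    root = tree_head(SAMPLE_LOG)
    proof = inclusion_proof(2, SAMPLE_LOG)
    print("entry 2 included:", verify_inclusion(SAMPLE_LOG[2], 2, len(SAMPLE_LOG), proof, root))
    print("unexpected certs for example.com:",
          find_unexpected_certs(SAMPLE_LOG, "example.com", {"Example Root CA"}))
```

The inclusion check only establishes that the log really contains the entry; it is the monitor step that turns a public log into something useful to a site operator, because a mis-issued certificate is only caught if someone who knows which issuers are legitimate is actually watching.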

Comment Re:Cat blog (Score 5, Informative) 148

Yes, for news and such it doesn't make that much sense. Still, HTTPS would at least prevent your ISP from monitoring your browsing activity.

It's actually a lot more than that. HTTPS isn't just about protecting passwords anymore, not post Snowden.

Let us recall one of the more interesting things we learned about SSL via the NSA leaks: the Five Eyes countries apparently have not broken SSL yet, despite the fact that the internet is still not capable of stopping them. The reason is a system they've built called QUANTUM.

QUANTUM is a series of systems that work together. Imagine it like being a giant set of guard towers on the internet backbone. QUANTUM is called that because it's based on deep packet inspection and insertion. The first part is a massive set of DPI devices that trawl unencrypted internet traffic passing through intercept points. These DPI devices can be configured by NSA/GCHQ analysts to look for selectors - personal identifiers like email addresses, IP addresses, cookies and so on. QUANTUM does not run on every internet link and cannot see through encrypted traffic, but that doesn't matter: it's like a searchlight crawling the grounds of a prison at night. It doesn't matter that it can't light up everywhere simultaneously - once tasked it will keep searching until it finds you. Given enough time and good selectors, it will always find you, simply because the average internet user makes many different unencrypted connections to many different websites.

Once QUANTUM locates an un-SSLd traffic stream that matches your selectors, the next step begins; this is called QUANTUM INSERT. You see, these DPI devices are not only capable of reading traffic but also injecting packets directly onto the backbone as well. This allows them to race legitimate answers from the real servers, and redirect the victim to an entirely different server (this is probably based on racing DNS lookups although I think the leaked docs were fuzzy on this aspect). These races are called "shots" and interestingly, they don't always succeed - sometimes the NSA is slower than the real server. But QUANTUM keeps trying and eventually you end up connected to this new FOXACID server, which then proceeds to act as an HTTP proxy for the real request and injects an exploit kit. That then pwns your system such that the NSA can now see all your encrypted traffic, along with turning on your microphone and so on.

An observant reader will notice something very important about the above description. The longer you can stay in the SSLd web, the longer it will take for QUANTUM to hack you. That means you directly benefit from a website being SSLd even if all it contains is cat pictures and you don't even log in. Once QUANTUM has figured out your IP address, any non-SSLd HTTP connection is a useful foothold.

Comment Re:Not implausible (Score 4, Informative) 102

I didn't make a false claim. You quoted me saying we stopped bulk stolen password based attacks like the ones I described, and then proceeded to argue with a statement I never made (that we stopped all attacks).

To clarify, the attacks I'm talking about are ones where the attacker has a large list of passwords (in the order of hundreds of thousands of passwords or more) and tries each password to see if it matches. If it does they log in, if it doesn't they give up and try the next one. Government sponsored attacks tend to care an awful lot about a small set of targets which is the exact opposite.

Google was able to stop these attacks so effectively the people behind them gave up, and there was a large but not infinite number of people who were carrying out such attacks, so eventually they became no longer a real issue for the userbase. Note that our competitors (with the notable exception of Facebook) were NOT able to do this, so if a small ISP struggles to do it too, that would not be very surprising.

Comment Not implausible (Score 5, Informative) 102

More than 1B credentials does not sound implausible to me, though it's on the high end. You may be wondering why my opinion on this is more relevant than anyone else's, so let me explain.

Although I left the company in January, for about 7.5 years I worked at Google and for ~3 of those years I worked on security and anti-spam related matters. Starting around April 2010 we started to see absolutely enormous numbers of compromised accounts sending spam to their contacts. This was not a problem that grew slowly. It went from zero to one gang compromising on the order of 100,000 accounts per day and that happened in the space of, it seemed, a few weeks. We learned about this problem through user complaints and by watching the flow of spam mails being reported to us via the "Report spam" button. We quickly realised this wasn't a Gmail specific problem but was simultaneously impacting Hotmail and Yahoo. Further investigation revealed that although this gang was capable of compromising ~100,000 accounts per day (more than one per second) this was the result of a 10-15% success rate for more like a million attempts per day: most account/password pairs they tried did not work. The reason was they were reversing password hashes stolen from third party websites using GPUs, and it turns out that people who use the same password everywhere make up (surprisingly) only about 10-15% of the user population. People suck less at security than you might imagine.

When this problem first started we believed that such an enormous supply of credentials must surely be some kind of freak one-off, the result of compromising an unusually large site. I mean, one million credentials every fucking day was an unimaginably vast pool of stolen passwords. But as the user complaints of being hacked failed to dry up we came to accept the horrible truth - this was not some freak one-off but the result of some kind of production line of passwords. Most likely a combination of automated web crawls to discover vulnerable sites, semi-automated popping of those sites, farms of GPUs reversing the passwords and the resulting packages being sold on the black market to spammers who then abused them for bypassing spam filters (mail from contacts is whitelisted by any good spam filter). We only got occasional snapshots of this market, for example we were able to find adverts on Russian blackhat forums by people advertising lists of "washed" vs "unwashed" account/password lists for hotmail, gmail etc, but mostly it was opaque.

Anyway, long story short, we formed a team that built a full blown risk analysis system for every single login (Google has a bajillion logins per second thanks to mail clients that poll Gmail and have to log in each time) and after several years of work managed to block logins with bulk-stolen passwords so successfully that they went away. But the underlying supply of passwords is still out there, and should those defences fall the problem would come back.

I gave a talk about this and various other webmail abuse related topics at the RIPE 64 conference in Ljubljana (video link) in case anyone is interested in this. The slides are also available though lots of info from the talk is missing from them.
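The two comments above describe the shape of bulk stolen-password attacks (one source trying a long list of account/password pairs, a 10-15% hit rate, moving on after each miss) and the per-login risk analysis that was built to block them. The example below is an added illustration of how a defender can tell that pattern apart from ordinary logins and from single-account password guessing; it is not the commenter's system or any Google code. It aggregates login events per source, scores each source on how many distinct accounts it touched and how often it succeeded, and then decides, for each successful login, whether to allow it or route it to a challenge. The events use IANA documentation address ranges and made-up account names, and the thresholds are assumptions chosen for the example, not values from the post.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    accounts: set = field(default_factory=set)

def aggregate(events):
    """Per-source counters over (source_ip, account, succeeded) login events."""
    stats = defaultdict(SourceStats)
    for src, account, ok in events:
        s = stats[src]
        s.attempts += 1
        s.successes += int(ok)
        s.accounts.add(account)
    return stats

# Thresholds are assumptions for this example, not figures from the post
def classify_source(s: SourceStats, min_attempts=20, max_success_rate=0.2,
                    min_account_spread=0.8, max_guessing_spread=0.1) -> str:
    """Label a source by the shape of its login traffic.

    credential_stuffing: many attempts, almost every one against a different account,
                         low success rate (the leaked-password-list pattern)
    password_guessing:   many attempts concentrated on very few accounts
    normal:              everything else, including sources with too little traffic to judge
    """
    if s.attempts < min_attempts:
        return "normal"
    success_rate = s.successes / s.attempts
    account_spread = len(s.accounts) / s.attempts
    if account_spread >= min_account_spread and success_rate <= max_success_rate:
        return "credential_stuffing"
    if account_spread <= max_guessing_spread:
        return "password_guessing"
    return "normal"

def risk_decisions(events):
    """For each successful login, decide 'allow' or 'challenge' based on its source's label.

    Failed attempts need no decision here: the password was wrong anyway. A correct
    password from a source that looks like bulk stuffing is exactly the case where a
    second factor or verification challenge should be demanded instead of a plain allow.
    """
    labels = {src: classify_source(s) for src, s in aggregate(events).items()}
    decisions = {}
    for src, account, ok in events:
        if not ok:
            continue
        decisions[(src, account)] = "challenge" if labels[src] == "credential_stuffing" else "allow"
    return decisions

# Constructed sample traffic (documentation IP ranges, invented accounts):
#  - 203.0.113.7 tries 50 different accounts and gets 7 right (14%, the stolen-list pattern)
#  - 198.51.100.4 is one person mistyping once and then logging in twice
#  - 192.0.2.33 hammers a single account 40 times without success
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i:03d}@example.test", i % 8 == 0) for i in range(50)]
    + [("198.51.100.4", "alice@example.test", ok) for ok in (False, True, True)]
    + [("192.0.2.33", "bob@example.test", False) for _ in range(40)]
)

if __name__ == "__main__":
    for src, stats in aggregate(SAMPLE_EVENTS).items():
        print(src, classify_source(stats), f"{stats.successes}/{stats.attempts} ok,",
              len(stats.accounts), "accounts")
    print(sum(d == "challenge" for d in risk_decisions(SAMPLE_EVENTS).values()), "logins challenged")
```

This is a batch version for clarity; a production system evaluates each login as it arrives against counters kept over a sliding window, and source address is only one of many signals (the post mentions mail clients that re-authenticate on every poll, which is why a naive attempt counter alone would flood the challenge path with legitimate traffic).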

Comment Re:Normal lawyer stuff (Score 3, Interesting) 54

Based on the indictments it's hard to know how he was found. The indictment certainly gives a plausible explanation for how it happened - he was sloppy about linkage of his personal and alter-ego accounts online, but as noted in the articles, there are certain gaps and inconsistencies in the story and parts of it may have been filled out retroactively (the notorious "parallel construction"). Apparently what his lawyer is hoping is that they get a judge who feels like putting the FBI in their place with respect to such issues, and it turns out that they found the Silk Road servers via some NSA related trickery then worked backwards to find Ulbricht, then worked out a plausible but untrue alternative explanation for how he was located. Such a thing, if found to have happened, could plausibly throw a spanner in the entire prosecution.

However, it seems a long shot.

Comment Re:Well at least they saved the children! (Score 5, Informative) 790

You think anyone who does not conform to your moral standard is "sick" and needs help? You're arrogant, egocentric and intrinsically extremely manipulative.

He is either well informed or (more likely) simply able to point out the obvious in a world where most don't dare. It is proven beyond doubt that brain tumours can cause paedophilia. That article is a summary of one well known and notorious case, but note that he checked himself into the hospital just one day before he was going to prison. The chances are great that there are more people like him rotting inside the prison system.

Given that the sex drive is an inherently biological thing that evolution has given tremendous influence over people's behaviour, the fact that a malfunctioning sex drive might have a biological root cause should not surprise anyone. And yes, it's absolutely a malfunction and obviously so - the purpose of sex is to reproduce and create offspring that survive to adulthood. The chances of having a child that grows up to be a strong adult by having sex with another child is massively reduced or close to zero, so from an evolutionary perspective it makes little sense.

You condescendingly show "sympathy", but you have absolutely no respect. You say child molesters suffer from a mental illness? Strange, isn't that what some people are saying about gays?

Yes, some people do say that, and for all we know they might be right. Homosexuality is another biological dead end that doesn't lead to offspring. However this kind of deviation from the sexual norm is something most enlightened societies have got over because it doesn't harm anyone. OK, those people will not have kids. So be it. They aren't hurting anyone so it's unreasonable and unjustified to cause them problems.

Child abuse is a more complicated area. People tend to think of the "we know it when we see it" type cases, you know, 40 year old men trying to have sex with 8 year olds. Unfortunately the laws are badly written enough that all kinds of other basically harmless behaviour gets tangled up with it. For example, I know for a fact that the NCMEC database contains cartoons. Having a racy cartoon in your Gmail account is now enough to get busted by the police. Other cases of idiocy around these laws include the UK where the legal age of consent is 16 but the age to be considered not child porn is 18, meaning two people can legally have sex but can go to jail if they take a photo of themselves doing it. Cases where two teenagers have a relationship and the older one ends up being busted for child abuse have been reported in the USA. The harm in these cases is hard to see but it all gets dumped into the same bucket, legally.

Comment Re:Unfortunately, Congress will make itself exempt (Score 3, Informative) 266

Until very recently Congress were the only individuals exempt from insider trading laws.

They effectively still are. A key part of the STOCK act was rolled back after the election.

Therefore, Congress will pass a law making itself exempt from CIA/NSA spying and the rest of the country be damned.

Interestingly, the UK already has something like this, it's called the Wilson Doctrine and is not a law but rather a promise the Prime Minister makes to MPs by tradition.

Comment Re:Online in England, maybe (Score 2) 282

The UK just passed a law that says any company whose website has UK users (i.e. all of them) has to comply with UK surveillance requests. It's as bad as the USA when it comes to those kinds of extraterritorial laws now.

Politicians have generally not been able to handle the notion of borderless transactions and information flows. This "you have to comply with our laws if your service is accessible to our citizens" trick is their solution. You say, how do they enforce it? Well, through exploiting the international world in which we live - grab people from planes using the absence of anonymous air travel, extradite people, seize assets, etc.

The way it's going, in future everyone who does anything interesting in this world will have a list of countries they can't go to or fly through, and organising conferences will become an exercise in set intersection ....
