
Android Needs a Simulator, Not an Emulator 167

An anonymous reader writes: Jake Wharton, Android Engineer at Square, has written an article about one of the big problems with building apps for Android: developers need a simulator for testing their software, rather than an emulator. He provides an interesting, technical explanation of the difference between them, and why the status quo is not working. Here are the basics of his article: "A simulator is a shim that sits between the Android operating system runtime and the computer's running operating system. It bridges the two into a single unit which behaves closely to how a real device or full emulator would at a fraction of the overhead. The most well known simulator to any Android developer is probably (and ironically) the one that iOS developers use from Apple. The iPhone and iPad simulators allow quick, easy, and lightweight execution of in-development apps. ... There always will be a need for a proper emulator for acceptance testing your application in an environment that behaves exactly like a device. For day-to-day development this is simply not needed. Developer productivity will rise dramatically and the simplicity through which testing can now be done will encourage their use and with any luck improve overall app quality. Android actually already has two simulators which are each powerful in different ways, but nowhere near powerful enough."

Comment Re:How is this a good idea? (Score 2) 249

I don't think it has to be explained why this is a potential problem. So then, it should be explained why this is such a great idea that the problems it creates are insignificant.

The Android permissions model is a mess and has been since day one, but not in the way most Slashdot geeks are up in arms about. When was the last time you actually looked at the full list of permissions? It's ridiculous. You have to be an Android developer to understand some of them. Many are pointless in the extreme: the result of simply associating every API with a permission whether it makes sense or not. Do I really need to know that an app might use the vibrator when I install it? A few permissions aren't even written in understandable English, so god knows what they become when translated into a language like Arabic or Chinese.

What's more, others (like the internet access permission) have never worked. People think it means "you can give this app personal data and it can't upload that data to the internet", but it never did that, because for example there are OS services that let you configure them to retrieve and process data from arbitrary URLs. The media player component does that. You can ask the OS to play music from a URL without having internet access permission, and it'll do it, so just put your personal data into the URL of your "music file" and the data gets uploaded. Heck even just invoking the web browser with a long mystery URL will let your internet-less app upload small amounts of data to the net. And there's no real way to fix any of this because any app that exposes services to other apps that involve downloading from a user-provided URL would end up breaking the "can't upload" model. So now they're hiding the internet access permission entirely, and good riddance.

Conclusion: the permissions framework was badly thought out. It was designed to let you know when apps might do something nasty to the OS, as a way to defend against aggressive apps that would otherwise do what they do on Windows and reconfigure the entire computer at install time. But there were no UI guidelines about how and when to use it, so it became a dumping ground for technical nonsense hardly any users understand. Worse, over time people's expectations have changed, and now some of them want it to be some all singing all dancing privacy framework that gives you a million knobs to tweak, even though it was never meant to be that.

Perhaps in future Android will actually get an all singing, all dancing privacy framework that does what people want, but it probably won't be a part of the app permissions system, which is meant to be for security. And it's not easy. A lot of the hacks people throw around in this thread could be easily detected and apps could just refuse to run entirely if you try and fool them.

Comment Re:Kids these days. (Score 1) 378

you have a very narrow definition of what 'hacking' is. i disagree, and the mods seem to agree with me.

what these kids did definitely qualifies as hacking.

taking apart a transistor radio to figure out how it works, and putting it back together, is hacking.

talking someone into giving you their password over the phone, is hacking. (yes, it's social engineering. that's a form of hacking.)

there are very many other, very wildly different examples i could give if i had the desire.

it's an umbrella term. deal with it.

Comment Re:Kids these days. (Score 5, Insightful) 378

they were inquisitive, did some research, and experimented on a system, and succeeded in gaining unauthorized access. they then responsibly reported their findings to the device owner.

what these kids did, while perhaps not quite on par with hacking the gibson, still very much represents the (white hat) hacker ethos at work.

you, on the other hand, represent the asshat ethos, for downplaying what they did and trying to fiddle fart around with semantics.

Comment Re:Preventing Stingray from working (Score 1) 272

And how does the phone learn when a new tower goes online? That scheme isn't going to work.

Beating Stingray devices can be done, if we assume that telcos don't approve of Stingray devices. Given that Stingrays interfere with their services, given that they bypass their own power and authority, given that all people like power and authority, given that they can charge the government for processing legal requests and court orders, and given that they were forced to spend lots of money on doing interception the "proper" way by CALEA, this isn't totally unreasonable.

If you're willing to assume that, the best way to beat Stingrays is to disable GSM support in your phone's baseband somehow. In GSM, towers authenticate the handset but handsets do not authenticate the towers, because portable cell towers did not seem like a threat that could surface within the intended lifespan of the technology. UMTS (3G) fixed this problem and now handsets do cryptographic handshakes with the tower.

I am assuming that the reason US cops are fighting so hard to stop info about Stingrays coming out is that these are tools used by little tinpot forces that can't be bothered getting real warrants, not the NSA who prefer to just directly compromise the backhaul networks. Therefore most likely they do not have the keys needed to emulate the real cell towers. If it came out that forcing a phone to 3G+ only could stop them connecting to Stingrays, that's a setting that'd suddenly appear in all kinds of aftermarket firmwares and heck probably Android upstream itself, and then some of the people they're going after would simply tick the "ignore Stingrays" box.
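
The authentication asymmetry described in the comment above, as an added example that is not part of the original comment: a simplified model of the handset side of GSM one-way authentication and of UMTS mutual authentication. HMAC-SHA256 stands in for the operator functions A3, f1 and f2, the AUTN is reduced to a sequence number plus MAC, and all class and function names are hypothetical.

```python
import hashlib
import hmac
import os

def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA256 stand-in (assumption) for the operator functions A3, f1 and f2.
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:8]

class Tower:
    def __init__(self, key: bytes):
        self.key = key  # a tower outside the operator's network holds the wrong key

    def umts_challenge(self, sqn: int):
        rand = os.urandom(16)
        mac = prf(self.key, b"f1", sqn.to_bytes(6, "big"), rand)
        return rand, sqn, mac  # simplified AUTN: real AKA also conceals SQN

class Handset:
    def __init__(self, key: bytes):
        self.key = key      # subscriber key shared with the home network
        self.last_sqn = 0   # highest sequence number accepted so far

    def gsm_respond(self, rand: bytes) -> bytes:
        # GSM: the handset answers any challenge; nothing identifies the sender.
        return prf(self.key, b"A3", rand)

    def umts_respond(self, rand: bytes, sqn: int, mac: bytes):
        # UMTS: check the tower's MAC and sequence freshness before answering.
        expected = prf(self.key, b"f1", sqn.to_bytes(6, "big"), rand)
        if sqn <= self.last_sqn or not hmac.compare_digest(mac, expected):
            return None
        self.last_sqn = sqn
        return prf(self.key, b"f2", rand)

def attach_results(subscriber_key: bytes, tower_key: bytes) -> dict:
    # Report whether the handset continues the attach under each scheme.
    handset, tower = Handset(subscriber_key), Tower(tower_key)
    gsm = handset.gsm_respond(os.urandom(16)) is not None
    umts = handset.umts_respond(*tower.umts_challenge(sqn=1)) is not None
    return {"gsm_handset_proceeds": gsm, "umts_handset_proceeds": umts}

K = bytes(range(16))  # constructed sample subscriber key
if __name__ == "__main__":
    print("operator tower:", attach_results(K, K))
    print("keyless tower: ", attach_results(K, os.urandom(16)))
```

The sequence-number check is what makes a recorded genuine challenge useless when replayed to the same handset.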

Comment How it should be done (Score 1) 97

Is there any reason that reducing pointless barriers to trade has to occur in one giant all-or-nothing pact, instead of lots of little treaties over a period of years that don't depend on each other?

I'm all for the notion of free trade in theory, but the problem with treaties like these (and the EU in general, and the US Federal government, etc) is that their notion of "free trade" tends to simply mean "trade under the rules of whatever is biggest" rather than what the term mentally implies, i.e. people trading without lots of red tape getting in their way.

Given the absolute and total weakness of EU "leadership" when it comes to demands by the USA, I suspect any trade deal reached between the EU and USA would simply amount to adjusting EU law to match whatever Congress already came up with regardless of whether it makes sense or not. So this seems like a good incentive to not go for it, for Europeans. Unfortunately both America and EU increasingly tend to enforce their laws internationally, regardless of jurisdiction, so in the end I'm not sure it really matters much anyway: in a globalised world with lots of trade between rich countries you end up with a horrific hodge podge of conflicting laws and regulations, with companies trying to comply with all of them and ultimately putting their hope on lax enforcement to be able to remain in business. I don't see much of a way to solve this, short of a sea change in the level of government intervention in trade people tolerate.

Comment Re:But can you actually trust it? (Score 4, Informative) 100

Why? Even if you disregard the reports that have described close cooperation, and exchange of employees, between Google and NSA and other TLA agencies.

Which reports? Could you show me these reports describing close cooperation with respect to spying on people between Google and the NSA?

And the head of Google publicly stating that "you have no privacy, get over it".

I think you are grossly misquoting Eric Schmidt who said words to the effect of, people have to understand the PATRIOT Act, what powers it gives the US government and how little companies can do to fight it. They can't assume they can put stuff into Google and have it be inaccessible to the US Govt. And you know what? He was dead right, wasn't he? But he got crucified by idiots like you for unemotionally stating the facts of the law. A better example of shooting the messenger is hard to find.

What about Google's actions or solutions are so different than the other players that they have earned that trust.

Which other players do you mean? If you mean, big web companies, how about:

Being the first big webmail provider to enable SSL for everyone, all the time. Being the first to develop and then open source TLS forward secrecy code (ephemeral EC Diffie Hellman), then being first to activate it. Developing the first SSL pinning implementation, and catching Iran when they tried to use a hacked CA to monitor everyone. Being first to encrypt all internal traffic, something Yahoo is planning to catch up on maybe by the end of this year. Being first to publish transparency reports. Being first to publish statistics on SMTP TLS to help shame companies into upgrading (looking at you Apple). Being first to add and activate new ciphersuites in TLS (ChaCha20 and Curve25519) to replace the horribly broken RC4. Being first to release a new, modern PGP implementation.

If you put down the Google hate I think you'll find they've done a heck of a lot and routinely raised the bar over the past few years. No, they don't collectively march themselves to jail when served with a court order but that's a failure of our governments and indirectly the people who elect them.

Ob. disclaimer: I used to work for Google, doing security related stuff. And I think my colleagues achieved the best that can be expected of them in this arena. Certainly they went well beyond what other companies were doing (nothing).

Comment Re:The what strikes where now? (Score 3, Insightful) 56

The dude broke the law. A very real, very good (shockingly) law.

Is it good?

I don't think there's any problem with governments competing against ratings agencies: I think 2008 showed pretty conclusively that the existing private sector organisations kind of suck at protecting people from risk. But the SEC isn't just an organisation that gives a stamp of approval to well run investment schemes. They actively stamp out any that don't register with them and report to them. That makes the entire economy very vulnerable to poor decision making by a mere handful of people. It also can seriously hinder innovation: look at the glacial speed of progress towards the oh so ambitious goal of "not killing crowdfunding sites". You'd think not doing something would be easier, wouldn't you, but it's taking years and an 800+ page report.

If the SEC lost their enforcement powers and just acted as a place where reputable, respectable fundraisers wanted to go it'd be pretty unobjectionable and there'd be natural flex in the system if they started making bad decisions. They'd give Moody's a run for their money. But it's not like that. They probably stopped some scams by virtue of the threat of their enforcement actions, it's hard to know how many, but they probably also stopped a lot of legitimate and non-scam investments too. The cost/benefit ratio of securities laws is rather hard to know.
