Privacy

Member of President Obama's NSA Panel Recommends Increased Data Collection 349

cold fjord writes "National Journal reports, 'Michael Morell, the former acting director of the CIA and a member of President Obama's task force on surveillance, said ... that a controversial telephone data-collection program conducted by the National Security Agency should be expanded to include emails. He also said the program, far from being unnecessary, could prevent the next 9/11. Morell, seeking to correct any misperception that the presidential panel had called for a radical curtailment of NSA programs, said he is in favor of restarting a program that the NSA discontinued in 2011 that involved the collection of "meta-data" for internet communications. ... "I would argue actually that the email data is probably more valuable than the telephony data," ... Morell also said that while he agreed with the report's conclusion that the telephone data program, conducted under Section 215 of the Patriot Act, made "only a modest contribution to the nation's security" so far, it should be continued under the new safeguards recommended by the panel. "I would argue that what effectiveness we have seen to date is totally irrelevant to how effective it might be in the future," he said. "This program, 215, has the ability to stop the next 9/11 and if you added emails in there it would make it even more effective. Had it been in place in 2000 and 2001, I think that probably 9/11 would not have happened."' — More at Politico and National Review. Some members of Congress have a different view. Even Russian President Putin has weighed in with both a zing and a defense."

Comment Non-denial denial (Score 5, Informative) 291

As usual with these things, it's a non-denial denial. "RSA, as a security company, never divulges details of customer engagements, but we also categorically state that we have never entered into any contract or engaged in any project with the intention of weakening RSA's products, or introducing potential 'backdoors' into our products for anyone's use." Emphasis added. The first part says that they can't say whether they've taken any money from the NSA, so the story of them receiving $10 million from the NSA could still be true. The second part leaves a lot of wiggle room. The word "intention" is the weasel. The statement leaves open the possibility that they could have taken the money from the NSA in good faith, in the same way that Mozilla takes Google's money in exchange for making Google the default search engine in Firefox. They didn't know then what the NSA's true intentions were in pushing use of Dual_EC_DRBG (never mind that it's several orders of magnitude slower than any other CPRNG algorithm described in NIST SP 800-90A). They were already using it in BSAFE as early as 2004, and the algorithm became a NIST recommendation in 2006. The possibility of a backdoor in the algorithm was floated publicly in 2007, a few months after it was published. I for one don't buy that they did all this in good faith, but there's no way to prove it unless some cryptographer who was employed by RSA at the times in question blows the whistle and says they had suspicions about the algorithm and the NSA's intentions for it.

The NSA wasn't always thought of as so evil. They modified the DES s-boxes so as to strengthen it against a cryptanalytic technique (differential cryptanalysis) that was known only to them and IBM since at least 1974, and kept classified until it was independently discovered by the academic cryptographic community in the late 1980s, so there may be some reason to give RSA the benefit of the doubt.

Comment Re:These companies don't care, it is all pretense. (Score 3, Interesting) 312

The only thing corporations care about (insofar as organisations are capable of caring about anything), most especially publicly traded corporations, is money. It would open a corporation to shareholder lawsuits if it were not trying to maximise their profits using whatever means available at its disposal. That is the nature of these monsters that have been created by legal instruments. If you want them to care about anything, you have to show them how much it will cost them not to care about it. In the absence of laws against pollution, it saves money for corporations to pollute, so to get them to stop polluting, laws are written that make them liable for fines when they do. A properly-written anti-pollution law will make it cheaper for a company to buy equipment to clean up or minimise pollution than to pay the fines the government exacts for violating the law. In the same way, it saved money for corporations to be compliant with the NSA, so now other countries are making it impossible for them to operate in their countries (which costs them a market and hence money) using systems that make it easy for the NSA to do its spying. It remains to be seen whether this potential loss of business or increased operating expenses will be enough to make them rebel against the NSA. To corporations, money talks and bullshit walks every time.

Comment What a load of bollocks (Score 5, Insightful) 698

If these attackers the NSA supposedly thwarted (the Chinese, it is speculated) managed to gain control over large numbers of computers with enough access to damage their firmware, it would make far better sense to keep those machines alive and working for them instead. You could cause far more damage to the US economy by keeping those machines alive and pwn3d than if you simply bricked them. A bricked machine will cost a few hundred dollars to fix. A pwn3d machine is a gift that keeps on giving!

Censorship

North Korea Erases Executed Official From the Internet 276

itwbennett writes "The North Korean state propaganda machine has edited and deleted hundreds of news articles that mention Jang Song Thaek, the former top government and party official and uncle to leader Kim Jong Un, who was executed Thursday. Earlier this week, Jang was arrested in front of hundreds of senior members of the ruling Worker's Party of Korea and denounced for numerous alleged acts against the state and Kim Jong Un. From arrest to trial to death took only four days and the unprecedented fall from grace is widely being interpreted as an attempt by Kim Jong Un to keep officials loyal and scared."

Comment Re:How can doctors secure it? (Score 1) 120

Nothing really stops you from changing the firmware on Google Glass to a custom one, with all of Google's spyware ripped out.

Not to bring anybody down... but seriously... we intentionally left the device unlocked so you guys could hack it and do crazy fun shit with it. --- Stephen Lau, Google X Lab

There's source code available for the kernel as required by the GPL as well as for other essential components, so custom firmware is definitely possible for it. Someone out there will probably eventually wind up selling medical editions of Google Glass with custom firmware with HIPAA compliance baked in and apps to interface with common medical information systems, although such a thing will likely be far more expensive than the consumer edition. Someone further down commented that it would cost $19,000, and well, I imagine they're not far off the mark, and perhaps even underestimating it. Certification is an expensive business.

I frankly don't get why there is so much hate on Google Glass. Indeed, the use that is being pushed for it as a consumer device is very creepy from a privacy standpoint, but you don't have to use it as Google intended. As William Gibson famously said, the street finds its own uses for things, and Google hasn't done anything to hinder that, in fact they are actively encouraging it.

Comment Re:Government doesn't bother me (Score 1) 319

The government snooping around doesn't bother me all that much, as while it might be a waste of money, it really doesn't affect me. It's just dead data sitting around on some NSA server.

Until the day that Grumbel decides to run for Congress, on a platform of returning the protections guaranteed by the Constitution against the encroachments of the NSA. All sorts of "dead data" suddenly comes to life out of context like so many zombies.

Comment Re:173 kWh (Score 1) 327

Got a two-bedroom house here, married with one child. My power usage has never gone up more than 200 kWh per month, and is almost always below 125 kWh. Well, I do have a nice, efficient one-door refrigerator which I measured to require only a paltry 25 kWh per month on average, and my Raspberry Pi home server/HTPC set up along with external storage, Wi-Fi router and DSL modem consumes roughly 17 kWh per month in total as this is the only other thing that I never turn off if I can help it. Air conditioning gets used mostly in the evenings for eight hours or so at a time (unless it gets really hot during the day), and I gather that's the bulk of the rest of our energy consumption. We have a gas stove for cooking (though I'm considering buying an induction cooker as backup), a washing machine that gets used maybe twice a week most weeks, and our laundry is air dried; we don't even have a dryer. We've got a microwave oven, toaster, and a drip coffee maker that is used just about every day, some fans, and all our lights are either CFLs or LEDs. There's a vacuum cleaner that sees only occasional use. My TV is a 40" LCD, and it actually uses only a relatively modest 60 W. All this and I still have energy usage in the 120-130 kWh per month range, and I haven't even begun my efforts at energy conservation in earnest. The wall plug wattmeter I got last month is only the beginning...

Comment Re:"Microsoft abandoning it just as Yahoo is adopt (Score 1) 204

Cash cows are forever? Hardly. Tell that to buggy whip manufacturers at the advent of the automobile, or more to the point, tell that to IBM's Mainframe Division in 1978. All cash cows will eventually die as they fall out of relevance, and cash cows in the computer industry have a far shorter lifetime than they do in other industries as the computer industry moves far more swiftly.

True, MS's cash cows probably still have a few more decades of life in them yet, but Microsoft is at least smart enough not to rest on their laurels and make an effort at getting into the mobile sector, however pathetic their current attempts at doing so are.

By the way, I looked up United Technologies, and well, I don't know why you bring them up. They're a technology company all right, but they don't look like a computer company to me. They look more like Boeing than Microsoft or IBM, and well, the aerospace industry is rather different from the computer industry, and doesn't have anywhere near the same rate of change that the computer industry does.

Comment Re:"Microsoft abandoning it just as Yahoo is adopt (Score 1) 204

True, Microsoft's revenue keeps going up, but that doesn't mean anything. They are no longer supreme dictator of the tech world, able to control the industry at their whim, as they were in the glory days of the nineties and early 2000s. I remember a time when the industry jumped at every word Microsoft said, when the mere thought that they were getting into something was enough to make the faint of heart pull out to avoid competing with them head-on. No more. They're about as relevant and dangerous to the leading edge of computer technology as IBM or SAP. Microsoft is turning into a boring old company just like them.

The other thing is that a vast portion of Microsoft's revenue comes from only two cash cows: Windows and Office, and those two are beginning their slide into irrelevance with the rise of mobile computing. Hence their rather pathetic efforts so far to try to get into that market. It's something that they must succeed in somehow, and they need someone with true vision to edge into the market dominated by Apple and Google. Ballmer wasn't it.

Comment SSL (Score 5, Informative) 335

I suppose using HTTPS would have helped even a little, if Slashdot ever bothered to do so. The victims might have noticed that the certificates changed, even if they did check out, most especially if they used HTTPS Everywhere. They couldn't just foist off an SSL cert for Slashdot signed by some other CA (or even the same CA) then: the SSL Observatory would have noticed the change in the certificate the way SSH notices that public keys to servers you connect to change. Unless of course Slashdot gave its (non-existent) private keys to GCHQ, in which case all bets are now off. Why browser SSL doesn't automatically cache certs the way SSH does and warn if there's a change that doesn't involve certificate expiry or revocation is something that isn't quite clear to me.
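The SSH-style certificate cache the comment asks for, sketched as an added example that is not part of the original post or of any browser: trust on first use, warn when the pinned fingerprint for a host changes, and accept a change quietly only once the previously pinned certificate has expired. The host name, certificate bytes and dates are constructed, not real.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed stand-ins for DER-encoded leaf certificates (not real certificates).
CERT_V1 = b"constructed-der-bytes-example-cert-2013"
CERT_V2 = b"constructed-der-bytes-example-cert-2014"


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate; this is the value worth pinning."""
    return hashlib.sha256(der).hexdigest()


class KnownCerts:
    """known_hosts-style cache: host -> {fingerprint, not_after}, persisted as JSON."""

    def __init__(self, path: Path):
        self.path = path
        self.db = json.loads(path.read_text()) if path.exists() else {}

    def check(self, host: str, der: bytes, not_after: datetime, now: datetime) -> str:
        fp = fingerprint(der)
        entry = self.db.get(host)
        if entry is None:                       # never seen: trust on first use, like SSH
            self._remember(host, fp, not_after)
            return "first-seen"
        if entry["fp"] == fp:                   # same certificate as last time
            return "match"
        if now >= datetime.fromisoformat(entry["not_after"]):
            self._remember(host, fp, not_after)  # pinned cert expired: routine renewal
            return "rotated-after-expiry"
        return "MISMATCH"                        # swapped while the pinned cert was still valid: warn the user

    def _remember(self, host: str, fp: str, not_after: datetime) -> None:
        self.db[host] = {"fp": fp, "not_after": not_after.isoformat()}
        self.path.write_text(json.dumps(self.db))


def demo() -> list:
    """Walk one host through first sight, a match, a suspicious swap, and a renewal."""
    with tempfile.TemporaryDirectory() as d:
        cache = KnownCerts(Path(d) / "known_certs.json")
        v1_exp = datetime(2014, 6, 1, tzinfo=timezone.utc)
        v2_exp = datetime(2015, 6, 1, tzinfo=timezone.utc)
        early = datetime(2013, 12, 1, tzinfo=timezone.utc)   # v1 still valid
        late = datetime(2014, 7, 1, tzinfo=timezone.utc)     # v1 has expired
        return [cache.check("example.org", CERT_V1, v1_exp, early),
                cache.check("example.org", CERT_V1, v1_exp, early),
                cache.check("example.org", CERT_V2, v2_exp, early),
                cache.check("example.org", CERT_V2, v2_exp, late)]
```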

Comment Re:You've gotta be kidding me (Score 4, Informative) 169

I not only read the article but also the associated paper, and it seems that the proposed scheme involves precisely that. They generate some random inkblots and you have to give them some imaginative descriptions. Nevertheless I remain unconvinced that this is a good idea from a usability standpoint. I haven't even been able to find a link to a working mock-up of the system in action, so I could try it out.
