
Comment Re:Where is the NFC 2-factor? (Score 1) 121

The ownership thing can be mildly obnoxious. It's fairly standard practice at Google to click the checkbox to allow all attendees to edit a meeting. Even without that, though, it's always possible to make the change on your own copy; no one else will see the change if they look, but you can add someone (or a room), and the meeting will be added to the appropriate person/room calendar. Maybe Google Calendar works a little differently externally... I wouldn't think that part would be different.

Doesn't the Chromebox offer you the ability to type in a meeting name? That's another option on the internal system. We just go to the other room and manually enter the meeting name. Actually this was a problem a couple of years ago, but refreshes have gotten fast enough I haven't had to do that for a while, except when no one added a Hangout to begin with and we just have to make one up on the fly. Then we pick a name, send it to everyone via chat or whatever, and type it into the room controller.

As for getting the other room booked, that's easy. Just make a calendar appointment and put the room on it. Fast.

Comment Re:I'm still waiting... (Score 1) 161

We keep statistics, yes, but only in the context of criminal law.

To study, say, gun ownership as a matter of public health, as a risk factor for overall mortality, is illegal (with public funds).

Cite?

It seems to me that the main obstacle to such studies is detailed information on gun ownership, because mortality information is readily available, and not just from law enforcement. The CDC tracks it closely.

In any case, I'd love to see this research done... though I suspect that I anticipate a different result than you expect.

Comment Re:Wait, wait, trying to keep up (Score 1) 786

They're both. Just like men.

Ah, the old "If I can say it in a grammatically correct sentence, it must be true!!" fallacy.

No. They can't be both, because the groups OP defined are mutually exclusive. Men can't be both either.

Nonsense. Even individuals aren't only one thing. They're different things at different times and in different contexts. Further, you're talking about two large groups of people; there's clearly a lot of variation among them.

Why would you think that women should fit neatly into one bucket or another?

To state the obvious, because some buckets are neatly defined. For instance, a woman can only fit into at most one of these buckets: "Likes math" or "Hates math." (They could be in neither of those buckets.)

You're a little bit closer in recognizing that women aren't all the same. Congratulations! But you're still wrong. A given woman can like some kinds of math but not others, can like math during some parts of her life but not others, can even like math in some moods but not others.

Comment Re:Where is the NFC 2-factor? (Score 1) 121

I don't see how fumbling around with USB sticks is much better.

I use a YubiKey NEO-n. It's a tiny device, only extends from the USB port by a millimeter or so... just enough that you can touch it to activate it. I just leave it plugged into my laptop all the time, so there's no "fumbling with USB sticks", I just run my finger along the side of the laptop until it hits the key. It's extremely convenient.

Doesn't leaving the device plugged into your laptop all the time defeat the purpose of two-factor authentication? If someone steals your laptop they have your key now, same as if you left your one-time pad as a text document on the desktop.

I addressed this in the paragraph below the one you quoted, and a bit more in the paragraph after that.

Comment Re:How does it secure against spoofing? (Score 1) 121

The second channel will not secure a compromised channel, but it will make it easier to detect it.

Oh, you're talking about a completely separate channel, with no joining to the primary channel? That creates its own set of problems... when the user authorizes a login, how do we bind that authorization to the login the user is attempting, rather than a login from some other location? Without a join (e.g. entering OTP from second channel into primary channel, or vice versa), the attacker just has to figure out when the user is logging in, and beat them.

There is very little you can do to combat malware infections unless you are willing to use a second channel.

I maintain that a second channel doesn't really help, either as defense or for detection, and you haven't suggested any way that it might.

At some point in the communication the data is vulnerable to modification, no matter how well you try to shield it. It resides in memory, unencrypted, at some point in time.

In the case of a security key no, it does not. Not in the memory of the PC. The PC and browser are merely a conduit for an authentication process that occurs between security key and server. It's actually pretty reasonable to characterize this as a second, virtual channel. It's MITM-resistant; an attacker can block the messages but can't fake, modify or replay them without failing the auth. It is also bound to the primary channel, though that binding is admittedly dependent on the PC being uncompromised. But if the PC is compromised to the level that the attacker can cause the auth plugin to lie to the security key then there is no hope of achieving any security. A separate channel definitely wouldn't help.

And it's heaps easier to do if the interface used is a browser.

Sure. But the goal is to create as much security as possible within the context of what people actually use. Theorizing about some completely different approach that no one would use is entertaining but pointless.

Comment Re:Wait, wait, trying to keep up (Score 0) 786

...so today are women individuals who can do anything men can do and are perfectly capable of functioning in modern society, to wit, choosing the career path that they want to follow out of interest, talent, and education?

Or are they intimidatable, wilting violets incapable of exercising free will, intimidated by the faintest approbation, and unable to choose a career because some shitty 1980s movies didn't ACTUALLY show "girls doing data entry"?

I'm just trying to keep track here. I need to know if I should treat them like plain old people, or tread delicately around their fragile sensibilities?

They're both. Just like men.

Why would you think that women should fit neatly into one bucket or another?

Comment Re:Toys vs tools (Score 2) 786

When computers were viewed as toys, it was acceptable for girls to have them. Once they became tools, however, they were only for boys.

Then explain why a high percentage of programmers were women back when the only computers that existed filled rooms, cost millions of dollars and were clearly anything but toys, but once microcomputers were widely available in homes and used for playing games as much as anything, the percentage of women began to decline.

I think you may have the right concept, but with the genders reversed.

Comment Re:Where is the NFC 2-factor? (Score 1) 121

Can you elaborate on what the problems are? You described having a PC in each room... so I don't see what's difficult about uninviting one and inviting another when moving. As for the other things you mentioned... do you think there's no need at Google to find a free room at short notice, or move hurriedly from one room to another? Actually, of late at Google in Mountain View there is no finding a room at short notice or moving hurriedly... because if you didn't grab that room days in advance it's just not available. But the buildings haven't always been so overcrowded and soon won't be again.

Comment Re:How does it secure against spoofing? (Score 2) 121

What keeps me (or my malware, respectively) from opening a google page in the background (i.e. not visible to the user by not rendering it but making Chrome consider it "open") and fool the dongle into recognizing it and the user into pressing the a-ok button?

For one thing, if the tab with the malware-loaded page isn't on top, Chrome won't allow it to talk to the dongle. If there is some way to render a page that is not visible to the user but which Chrome considers sufficiently "open", that's a Chrome bug which should be fixed.

A machine that is compromised is no longer your machine. If you want two factor, use two channels. There is no way to secure a single channel with two factors sensibly.

You should have stopped after the first sentence, because two channels doesn't help. If the machine you're using is compromised, it's no longer your machine, period. This is true regardless of the authentication method being used. That said, some authentication methods are susceptible to replay attacks... if I can compromise your machine and grab your credentials then I can log in as you from my machine. Security keys make that sort of attack very difficult, much harder than, for example, an out-of-band one-time-password. In that case, I just have to make sure I use the one-time password before you do, grabbing and submitting it before you click "Go". With a cryptographic challenge response protocol performed by a security key that's more difficult, because a secure channel is established between the authentication server (at Google) and the security key. It's still not impossible, but it's much harder.
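The two comments above ("it's actually pretty reasonable to characterize this as a second, virtual channel" and "I just have to make sure I use the one-time password before you do") describe the difference between an out-of-band OTP and a security key's challenge-response in words. The following toy model is an added illustration, not code from the original posts or from any security-key vendor. It replaces the real FIDO U2F per-origin ECDSA key pair with an HMAC secret derived per origin so that it runs with the Python standard library alone; the classes, the origin strings and the scenario functions are all constructed for this example.

```python
"""Constructed toy model: OTP replay versus origin-bound challenge-response.

Simplification (assumption): a real security key holds a per-origin ECDSA
key pair and exports only the public key at registration. Here the key
derives a per-origin HMAC secret from a master secret and exports that
secret as the server's verifier, which keeps the demo standard-library only.
"""
import hashlib
import hmac
import secrets


class SecurityKey:
    """Hardware token: the master secret never leaves the device."""

    def __init__(self):
        self._master = secrets.token_bytes(32)
        self.counter = 0

    def _origin_key(self, origin: str) -> bytes:
        # One secret per origin (stands in for a per-origin key pair)
        return hmac.new(self._master, origin.encode(), hashlib.sha256).digest()

    def registration_verifier(self, origin: str) -> bytes:
        # With ECDSA this would be the public key; here it is the derived secret
        return self._origin_key(origin)

    def sign(self, origin: str, challenge: bytes) -> dict:
        """Sign over the origin the browser reports, the challenge and a counter."""
        self.counter += 1
        msg = origin.encode() + challenge + self.counter.to_bytes(4, "big")
        return {"origin": origin, "challenge": challenge, "counter": self.counter,
                "mac": hmac.new(self._origin_key(origin), msg, hashlib.sha256).digest()}


class KeyServer:
    """Relying party: issues fresh challenges and checks origin, freshness, MAC."""
    ORIGIN = "https://accounts.example.test"  # constructed origin

    def __init__(self, verifier: bytes):
        self._verifier = verifier
        self._pending = set()
        self._last_counter = 0

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(16)
        self._pending.add(c)
        return c

    def verify(self, a: dict) -> bool:
        if a["challenge"] not in self._pending:
            return False  # unknown or already consumed challenge: replay
        if a["origin"] != self.ORIGIN:
            return False  # signed for some other origin: phishing page
        if a["counter"] <= self._last_counter:
            return False  # counter must move forward (clone/replay check)
        msg = a["origin"].encode() + a["challenge"] + a["counter"].to_bytes(4, "big")
        expected = hmac.new(self._verifier, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["mac"]):
            return False
        self._pending.discard(a["challenge"])
        self._last_counter = a["counter"]
        return True


class OtpServer:
    """Out-of-band one-time password: whoever submits the code first wins."""

    def __init__(self):
        self._valid = set()

    def send_code(self) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._valid.add(code)
        return code

    def verify(self, code: str) -> bool:
        if code in self._valid:
            self._valid.discard(code)
            return True
        return False


def otp_scenario():
    """Malware on the PC reads the code and submits it before the user does."""
    srv = OtpServer()
    code = srv.send_code()
    attacker_logged_in = srv.verify(code)  # first submission is accepted
    user_logged_in = srv.verify(code)      # the user's own submit now fails
    return attacker_logged_in, user_logged_in


def security_key_scenario():
    """Legitimate login succeeds; replay, wrong origin and relabeling fail."""
    key = SecurityKey()
    srv = KeyServer(key.registration_verifier(KeyServer.ORIGIN))
    c1 = srv.new_challenge()
    a1 = key.sign(KeyServer.ORIGIN, c1)
    legit = srv.verify(a1)
    replay = srv.verify(a1)                       # same assertion again
    c2 = srv.new_challenge()                      # attacker proxies a fresh challenge
    a2 = key.sign("https://accounts-example.test", c2)  # browser reports phishing origin
    phished = srv.verify(a2)
    a2["origin"] = KeyServer.ORIGIN               # attacker relabels the origin field
    relabeled = srv.verify(a2)                    # MAC was made with the other origin's key
    return legit, replay, phished, relabeled


if __name__ == "__main__":
    print("OTP (attacker, user):", otp_scenario())
    print("Key (legit, replay, phished, relabeled):", security_key_scenario())
```

The model trusts the `origin` argument the browser hands the key, which mirrors the caveat in the comment: a PC compromised far enough to make the browser lie about the origin defeats the binding, and no second channel changes that.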

Comment Re:Where is the NFC 2-factor? (Score 1) 121

$60 bucks? No fucking way.

These are devices that have really only been used for enterprise security. Low volume plus low price sensitivity equals high price. As use of security keys becomes more widespread, across more enterprises and businesses, and even to consumers, that will change.

There are other devices available now, including one that is $6. None of the others are as small as the NEO-n, so you'd have to "fumble for USB sticks" rather than leaving them plugged in all the time... but said "fumbling" really isn't that bad. Put it on your key ring, shove it in when needed.

Comment Re:Where is the NFC 2-factor? (Score 3, Interesting) 121

That's okay for you on your laptop. When you go to a conference room with, e.g., a PC set up for conference calls, and someone needs to log in to pull up the hangout, it's a different story.

The proper solution for that problem is for the conference room PC to have its own account, which is invited to the hangout, rather than logging in with some individual's account. From a security perspective, having a device that lots of people log into is a bad idea; it's an ideal target for compromise, regardless of whether or not you use 2FA.

FWIW (not much, I suppose, since it's not generally available), the way this works at Google is that conference rooms have their own accounts and calendars. Rooms are added to meetings in a manner very similar to adding guests. Each conference room PC has a small, connected tablet computer sitting on the table that shows the room's upcoming meetings. You tap the one you want and the room joins that hangout. If someone needs to present something from their computer they just join the meeting from their computer, generally with a different URL that only shares their screen and doesn't use their camera, microphone or speakers (or they can join the hangout normally, mute their speakers, disable their mic and then go into presentation mode). All of this also works for people without Google accounts; if they're invited to a meeting they get a URL that connects them to the hangout, and they can present if needed.

It's very slick. IMO, Google should package the solution and sell it, because it's far and away the best VC system I've seen.

Comment Re:Modern Democracy: A Prediction (Score 1) 239

They are standing up to government because it affects their income, not because they are being altruistic.

And?

When government leaders act to help the voters you can argue they're doing it only because it affects their chances of staying in power, not because they are being altruistic.

This is called proper alignment of incentives, and it's a very, very good thing. At the end of the day, it's the only thing that keeps us moving forward. And it shouldn't be surprising that corporations like Facebook have an incentive to give users what they want, because in general profit motives are almost always closely aligned to the interests of their customers. Otherwise the customers leave -- and don't give me the crap about users being Facebook's product, not its customers. If users leave Facebook doesn't make money. The details of the mechanism are less important than that core fact.

We're often accustomed to thinking of government as a protection from corporate power, but there's no reason at all that the reverse can't be true. Arguably, government interests are aligned with what the people say they want, while corporate interests are aligned with what people really want, as evidenced by how they spend their money. Neither alignment is perfect because it gets filtered through intermediate mechanisms, and governments and corporations are both ultimately made up of people who have their own goals, beliefs and ideals, which further distorts things.

On that last point, I think it's important to recognize that because decisions are made ultimately by people, organizations -- government and corporate both -- actually can and do at times behave altruistically, sometimes even in opposition to the organization's stated goals (*). We should also keep in mind that organizational dynamics can and do distort or even override the goals of the individuals inside them, often resulting in a group policy which doesn't match any individual's preferences, and which may not even be logically consistent. My core point is that overly-simplified "government good/corps bad", "government bad/corps good", "The Man bad/people good" dichotomies are so inaccurate as to be completely worthless and misleading, as are beliefs that people or organizations can only do good things if they're doing them for the right reasons (or that good reasons justify bad actions, or...).

Reality is complicated. Deal with it as it is, not as you wish it were.

(*) Cue the pseudo-insightful but completely inaccurate post about how corporations have a legal obligation to maximize profit, which (a) isn't true in all cases and (b) doesn't matter in practice anyway because it's not enforced.
