
Comment Re:A govt employee charged with a crime? Shock!!! (Score 2) 61

That Shaun Bridges was even charged at all is amazing. He's a government employee, and in most of the world it's very rare for government employees to be charged with crimes because fellow government employees refuse to prosecute them. Thank your lucky stars, America, you are not like Australia where the press reports alleged corruption, the police ignore it, and it piles up and up and up: https://archive.is/KUTAy#cases

Nah, it's pretty much the same in America.

The difference in this case is the nature of the crime and the victim chosen. No, not Ulbricht. The victim was the federal government, because they were going to seize that money anyway. You steal from the government, or attack the government in any way, they're going to drop the hammer on you. If your victim is an individual, well, it depends in large part on the socioeconomic status of that individual. A government employee can get prosecuted for killing a poor black man, for example, but it's rare. If you're a government agency and your victim is the entire nation, you're almost certainly going to get away with it. At most you'll be told to stop, but no one will be going to jail... well, except the guy who ratted the agency out. There's a good chance he'll go to jail, if he can be caught.

Comment Re:Headline leaves out one very important detail (Score 2) 188

The technical term for jailbroken, insecure versions of iOS is "Android."

That's a common belief. In practice, I don't think it's true. In particular, although the Android world sees lots of announcements of vulnerabilities that affect X hundred million devices, the actual exploitation doesn't seem to follow. One reason is that many of the vulnerabilities aren't actually as widespread or are harder to exploit in practice than the researchers describe. Another is that the diversity of the Android ecosystem often means that an exploit has to be customized for each different manufacturer and model, making broad exploitation harder. A third is that Google is often able to successfully mitigate vulnerabilities with the Play store, Verify Apps and updates to the Play services app. There are other reasons as well.

Whatever the reasons, it's interesting to note that we don't see reports of large numbers of Google accounts being compromised via Android vulnerabilities. I'm not claiming that's impossible, and it wouldn't shock me if it happened tomorrow, but the fact that we don't indicates to me that there is actually more right with the Android security situation than is commonly believed. The low real-world malware numbers disclosed in Google's Android security "State of the Union" report further buttress that view.

(Disclaimer: I'm a member of Google's Android security team. I'm speaking only for myself, not for Google.)

Comment Re:Headline leaves out one very important detail (Score 5, Interesting) 188

I expect to be able to go in and out of my door. That's what doors are for. Apple doesn't even give you a door. You have to break your way through the wall. Then there's a hole there. That's why Apple products are only sufficient for sheep. They don't break down walls, they just wander through holes.

It's worth pointing out that if you root your Android device you're doing the same thing, breaking through a wall. That's fine if it's what you want to do, but you are giving something up in terms of security.

As a member of the Android security team, I'm involved in lots of discussions about lots of different threat models and attack vectors, and while we do think about trying to maintain security on rooted devices, I'd say that 90% of the time we end up deciding that we just can't, so "device is running an official image[*] and is not rooted" becomes a foundational assumption of the analysis.

This isn't because rooting is inherently bad, or because we're trying to control users' devices, but because it's impossible to reason about security in a vacuum. You have to know what you can depend on. For example, we might argue that apps can't break out of their sandbox in a particular way because the information they need to do it is managed by a particular system daemon which validates access in a particular way... but in a rooted device that daemon may be modified, or simply bypassed. We just can't know that stuff is still working the way it's intended to. Some members of the modding community do an outstanding job of adding flexibility without breaking the security model, but many others don't.

Ideally, devices should provide enough native flexibility to allow users to achieve what they want while staying entirely within the normal mode of operation. In the case of Android that means staying within Google's "walled garden": install apps only from the play store, keep Verify Apps enabled (and follow its recommendations), don't root, definitely don't disable SELinux, etc. Where that ideal fails, and users want to do stuff that can't be done in the garden, they should have the option of stepping out of it, and they should be able to do so in a progressive way, not all-or-none... but each step they take increases the probability that they'll change something that violates a security assumption and thereby increases their risk of compromise.

I suspect that Apple security engineers even more strongly assume that devices are not jailbroken. That's just a guess, but it's consistent with the general philosophy of iOS and, if correct, it means that jailbreakers have even less expectation of security. iOS users also live in a software monoculture, which exacerbates the risk. (Android users get security benefits from ecosystem diversity, though there are obvious costs to that diversity as well. Including the update problem.)

[*] Note that given the state of updates in the Android ecosystem, we often don't assume that the device is running an up to date system image. From our perspective that's often easier to work with than a rooted device because at least we know how it behaves and can look at trying to mitigate risks at other layers. We're also working on the update situation, but that's hard given the nature of the ecosystem.

Comment Re:Great experience (Score 1) 182

Google knows my location due to my use of Google Maps

Google receives the map tile requests, etc., but if location history is turned off nothing about it is stored. I have no idea what your cell provider may store, though.

Again, I actually like the location history. I find it convenient to be able to look back and see where I was at a particular date and time. But it's under your control.

Comment Re:Great experience (Score 1) 182

I really have no concern about sharing it with Google, because no one is ever going to see it.

Well, an individual person doesn't need to see it. If they're willing to use searches to send people job offers and ads, what else can they automate?

They can also remind you when it's time to leave for an appointment, and that you have a coupon you can use at the store you just entered, and that your wife's birthday is coming up, and much, much more... but only with your permission. If you don't want it, turn it off and delete the data. Google provides the tools.

And what happens when Google has a breach or a bad setting? Remember when Google signed people up for G+, and a lot of private data got exposed.

I think you're thinking about Buzz, not Google+. That was bad; Buzz auto-friended contacts, exposing relationships. The fact that that's the worst thing that's happened, and that happened before all of the internal privacy review policies were put in place is pretty indicative, IMO.

As for a breach... nothing is impossible, but I spent 15 years as a security consultant to US corporations, mostly banks, and Google has dramatically better security systems than anyone I ever saw. I'm not worried about my data at Google.

However, if you are I highly recommend going to your Google account dashboard and deleting whatever information there you're concerned about.

Comment Re:Time Management (Score 1) 182

but bored in their current job?

I'd expect a self motivated worker to already be looking for a new one.

Bah. There are different kinds of people. Some will search out a better job, but many of the more introverted sorts won't. It doesn't mean they're not motivated, just that they're not comfortable with interviewing. A lot of top-performing software engineers are very introverted.

easier to teach brilliant problem solvers some time management skills

That's an opinion that not many employers share. Companies that take it upon themselves to teach basic skills tend to hire people without them. And then everyone suffers, because everyone is expected to help out the special snowflakes.

There are no "special snowflakes" at Google. Google gives people time and resources to address their shortcomings, and it's expected that everyone be helpful, but if you can't pull your weight for whatever reason, it'll come out. Your peers will tell you that you need to manage your time better, and your manager will expect you to make use of the internal resources available to improve. It's even fine if you take time away from your job to do what's needed to improve... but if you don't, you'll eventually be gone. It's not like learning to manage your time is hard. If you're capable of solving hard computer science problems, you can learn that, too.

In practice, it's really not a problem. If you find smart people and keep them challenged (or enable them to keep themselves challenged), and give them feedback on how they can do better, it works.

Comment Re:Great experience (Score 1) 182

I buy the "potential" issue. I have enough confidence in the leadership and the culture that I don't worry about it being abused in the near term, but eventually that could change. I actually do have a greater degree of trust in Google than I do other corporations or government agencies, though. I expect that's mostly because of the visibility I have as an employee.

The less they know about me, the better.

In the abstract I see that. But Google Now is useful... and I expect it to become vastly more useful. It's going to be interesting to see how this evolves over the next decade or so, whether most everyone decides that having an excellent personal digital assistant is worth allowing someone to know so much about them. At least it's shaping up that there will be competition... Now, Siri, Cortana, Echo...

And obviously Google is already using information it knows about users to make recruiting decisions so clearly they are using the data for more than just advertising.

Recruiting is advertising.

Suppose that I use an Android phone and I have all my web browsers signed in to a Google account. Google now has access to all my phone data, my contact data, calendar data, search history, and even info about websites that I go to directly w/o the help of google (thanks to Google ads)

Chrome can also tell Google everywhere you go even without the help of ads. It only does that if you turn on web history, though. Same with location. If you turn on location history, Google stores it. If not, Google doesn't get it. As for phone, contacts, calendar, photos, etc., that's true if you turn on backup for everything. If you turn off backup, the data doesn't go to Google. Of course, then you don't get the cross-platform always-updated calendar and contacts list, and if your phone gets run over by a bus it's all gone. Whether or not to use backup isn't a one-time decision, though; if you use it and then later decide not to you can use the privacy dashboard to delete stuff.

And Google does forget the data you ask it to delete. It's a good idea to check the dashboard periodically and wipe out anything you don't want to be there. You should probably do that if you haven't.

Comment Re:Does flipping one electron now flip the other? (Score 1) 212

As I understand it, when you flip the state of one of an entangled pair, you break the entanglement. So site B can do what they like with the second pair, but site A won't know what they did. But IANAP and it's been over two decades since I took physics. Oh, and although my old textbook is on the shelf behind me, I'm too lazy to turn around and look at it :)

Comment Re:Time Management (Score 2) 182

Person is researching python lambda function list comprehension for a programming project. Gets sidetracked for a couple of hours by popup puzzles.

Yep. This is the employee we want.

You mean the sort of person who is an avid problem solver but bored in their current job? Yes, that's exactly who you want to hire if you're going to put them in an environment rich in productive puzzles to solve. Yes, you do also need them to be able to maintain focus when it really matters, but it's far easier to teach brilliant problem solvers some time management skills than it is to teach plodding, methodical thinkers to be brilliant problem solvers.

Comment Re:Not if you're searching for Maaaaaaatlock... ;- (Score 1) 182

FWIW, I'm a Google engineer. I'm 46. Many members of my previous team were in their 50s and 60s, and the median age there was probably around my age. That team was working on complex internal enterprise systems, where decades of experience with complex business logic was at a premium. My current team is younger... but I'm not the oldest.

Comment Re:Great experience (Score 1) 182

Rumor has it the selection process happens through your Google search history over a long period of time, so you're not going to be able to just spam Python jargon at the search engine and get in tomorrow.

Do you keep yourself logged in with a google account when you search? I specifically try to avoid Google tracking my searches to the extent that I can control. This whole thing is kind of creepy to me, and I never ever log into a google account unless I'm in a VM, though I am sure there are still ways to track me.

Out of curiosity, what are you concerned that Google is going to do with your search history?

FWIW, my approach is that I stay logged in all the time, with web history enabled (so Chrome sends a log of every page I visit to Google for storage, not just my searches) and open an incognito window when I'm doing something I don't want recorded. I try not to do that much, though, because I get a lot of value from being able to search my own web history (web history allows you to search in all the stuff you've looked at, so when you find yourself thinking, "I know I read that on some site..." you can typically find it pretty easily).

While there probably is stuff that I'd rather not share with the world, I really have no concern about sharing it with Google, because no one is ever going to see it. Unless there's a warrant or a subpoena for my information, but that seems pretty unlikely, and even more unlikely that any warrant or subpoena wouldn't get more from my e-mail, bank records, etc.

In the interest of full disclosure I should mention that I'm a Google employee, but this post really isn't about trying to convince you that you're wrong. I'm just curious.

Comment Re:Time investment (Score 1) 182

Dude got nerd sniped. I wouldn't be able to resist. An interesting puzzle mysteriously shows up? Yes please. Basically how I got into programming and math in general.

Of course all they're going to get are people who aren't savvy enough to use ad/tracking blockers and duckduckgo...

Heh. Google Foobar popped up for me last week. I blew two hours solving problems before I pulled myself away and got back to work.

Comment Re:Time investment (Score 2) 182

I set to work and solved the first problem in a couple hours. Each time I submitted a solution, foo.bar tested my code against five hidden test cases." After solving another five problems the page gave Rossett the option to submit his contact information

Curious: what prompted Max Rossett to spend hours solving programming puzzles before being even given the opportunity to submit contact information for a job consideration?

The same thing that prompts people to spend hours solving Project Euler or Top Coder or similar puzzles, with absolutely no expectation of return beyond the joy and satisfaction they derive from solving the problems.

Whether or not the sort of person who does is what Google needs is an open question, but it's definitely the sort of person Google hires. The interview process is composed of a series of programming puzzles, and one of the things interviewers look for is people who not only handle that sort of challenge, but who clearly enjoy it -- largely because the interviewers and all of their co-workers like such puzzles, and anyone else who does is very likely to fit in.

It makes perfect sense; the recruiting tool selects for exactly the sort of person who is likely to get hired, and to fit into the culture.

Comment Re:Women Count Too Low (Score 1) 448

I know AM tried to sell itself as a classier place, not just for hookups, but "Life is short, have an affair"?

And with a close up picture of a woman's full red lips. Mostly advertised on porn sites, whose viewership skews male.

They did not place ads with a picture of a hot dude on Pinterest.

So, what you're saying is that while AM claimed to be marketing heavily to women, that claim was just part of their actual marketing to their actual target demographic: lonely, unhappy men.

I could buy that.

Comment Re: Smartphones have problems too (Score 1) 415

This is not true. Assisted GPS doesn't rely on cell networks, it makes use of cell networks for faster fixes. They still work fine without service, but they do take much longer to get a fix. This is evidenced by the fact that you can put your phone in airplane mode and hold it near the window of an airliner and still get a 10-satellite fix.

This is correct. There are a number of signals that GPS receivers use to improve their performance and accuracy. They use both cell-based network location and detection of nearby Wifi access points to get a very fast, rough idea of the location. That enables the system to know what GPS satellites should be in view, which means the GPS receiver doesn't have to wait for as much data from the satellites to get a good location.

They also use Wifi triangulation to fill in gaps in GPS coverage, when they don't have a clear line of sight to the sky. For this reason mobile phones often work much better than dedicated GPS units in cities where the rows of tall buildings reduce visibility of the sky.

They also use the GPS WAAS (Wide Area Augmentation System) when available to help make the GPS location fixes more precise. This system is primarily designed for use by aircraft but it can help ground-based receivers as well.

But you can shut off all of the other stuff, and your phone's GPS will still be able to get a location, as long as it can receive signals from the sky. It'll take longer and may not be as precise, but it will work.
