Comment Re:The Nanny State (Score 3, Interesting) 234

Do agree. I am originally from the Netherlands, and my father once told me a story about police being respected, in the 1930s. In a pub, there was a brawl, and some knives were being drawn. Someone still sober called the police from the nearby police station. A constable arrived, opened the door, stepped inside, looked around and said: "Well, it's about time to stop this nonsense, I guess." The rest of the evening was quiet.

Comment Re:Bad call (Score 1) 611

belief is an arbitrary decision to insist something is true

I think that's a little too narrow a definition; the word for what you're talking about is "faith." I've often been asked if I "believe in evolution," and although the choice of words makes me cringe, the short answer has to be "yes." The longer answer is: I believe in evolution (or gravity, for that matter) the same way I believe in Philadelphia. Now, I don't know that Philadelphia exists. I've never been to Philadelphia. I've heard about it, and read about it, and seen road signs pointing toward it, and even known a number of people who claim to have lived in it, but in answer to Ken Ham's famous question, no, I wasn't there. I have no personal proof that it exists, and yet I believe there is a city called Philadelphia. And I will insist pretty strongly that this belief is true, but there's nothing arbitrary about it.

There are alternate explanations, of course. Perhaps Philadelphia did exist up until five minutes ago, but no longer does. Perhaps there was never a Philadelphia, but someone decided there was money to be made by pretending there was, and put together an elaborate deception to convince people of it. Perhaps it's all just a mass hallucination. But the simplest and most rational interpretation of the evidence is that Philadelphia exists ... which is the foundation of my belief.

So what I wrote in my previous post, "the same way you believe in gravity," may not have been quite right. What I should have said was probably something like "just as strongly as you believe in gravity," because the beliefs stem from different sources, one from faith and one from evidence. But "God created the world in six days, six thousand years ago" and "gravity exists" are both statements of belief. And if you don't understand that both beliefs are held with equal sincerity by large numbers of people, you will consistently underestimate those who hold to the former.

Comment None, although... (Score 1) 312

... I have an old car, with an expired examination sticker on the windshield, parked in a side street (I live on a main street). Once in a while, the police will notice it, and stick a fine under the windshield wiper (€55). I only use the car for getting booze late in the evening from the local petrol station. Total cost is less than if I had it examined each year. Don't get me started on equipping it, in the winter, with the "winter tyres" obligatory here. I guesstimate that it will take another three years to fully rust through.

Comment Re:Bad call (Score 1) 611

Postulate: Innocent kid is about to get run over by a bus. You can easily save her -- no more effort than lifting a finger. You don't. That makes you an evil, low, useless fuck, worthy only of hanging by the neck until dead.

Get it now? If you are able, but not willing, you are malevolent.

Now replace "you" with "god"

Comment I've been in this role for a little while now and (Score 1) 249

...I am technical by nature and have been transitioning to this kind of role because I'm at a place in life where it makes sense to do that. My experiences have been fairly good, and I've a couple of basic observations below:

For the last 5 years, I've moved into pre-sales and from there have done project management for extended periods of time. The interesting thing I found is that by NOT getting as technical as the developers / implementers are, my ability to keep them out of trouble, ask the right questions, and clear barriers has been significantly improved. One very significant element of that is securing help or resources for them when needed.

They won't always ask and they won't always know because of how close to whatever it is they are. Being able to see this condition and deal with it early is worth gold and they are often very appreciative. As an analogy, you are driving somewhere and refuse to get directions, running the risk of being late. You think, just another coupla minutes and I'll recognize something... while your co-pilot doesn't experience this and brings up the phone nav system to bail you out, or they call in to get precise directions...

They don't have the "in the bubble" mindset the driver does, and this frees them to consider things on a macro level. All of that results in more efficient project work and a generally happier team.

Another comment above mentioned the type who can bring different skill sets together to get something done. That has high value as well and I have worked on teams where we had that person. Amazing really. I concur.

When it comes down to silly metrics, non-value added kinds of management things, sometimes those need attention and the good managers will deal with those in creative ways while their team gets it done for real. The poor ones will highlight those things cover your ass style.

And that brings me to my last general comment. Those that own the project and back their team take heat and personal risk. They are very highly valued and they contribute with the common goal of everybody seeing success on the effort. Where they insulate themselves from all of that, again cover your ass style, the team remains at risk, while the manager really doesn't, and that mess generally leads to a low value, high resentment, high friction environment nobody wants.

Comment They'll botch it. (Score 1) 221

They are a dinosaurian government agency, that has a habit of gobbling up money by the truckload. They have no reputation for technical or scientific excellence whatsoever. Neither do they have a track record in building first-rate equipment or software. Moreover, they have been proved, over and over again, to be pathological liars. In other words: who gives a shit ??

Comment Re:Fine, but (Score 1) 103

Please read my other response, which points out that there were some interesting comments on the original article. In short, it appears that only a portion of the WER upload is unencrypted.

(That said, I am not on the WER team, and I have no idea if they will take action as a result of this paper or not. We'll see)

Regarding the other point -- in my opinion, having SSL turned on isn't really relevant if you're trying to hide information from the NSA/FBI.

The Lavabit legal documents that were made available a while back are illustrative here. If the FBI wants information about someone, they get a copy of the SSL certificate's private key for the entire website. The Lavabit guys made many attempts to try and negotiate a constrained delegation of wiretap powers for the FBI, but the FBI would settle for nothing less than the ability to eavesdrop on ALL SSL traffic to the entire site. This held up in court.

So if the FBI were wanting to use WER uploads to help them in an investigation, presumably they'd just force Microsoft to disclose any SSL certs used anywhere in the WER system.

The NSA situation may be different -- based on the Snowden disclosures, they tend to operate outside of the law/judicial system. They wouldn't necessarily use the court system to force handover of certs. Perhaps turning on SSL would defeat or slow them down, but I don't think so.

If you view moxie's talk about Certificate Authorities, he points out that most national governments -- even ones less trustworthy than the US -- can just (ab)use the CA/PKI system to intercept any traffic they like, and unless you're paying very close attention, you'd never know the difference. Government entity Foo replaces the certs on sites of interest with new ones that they hold the keys to, and the CA/PKI infrastructure makes such changes transparent to you because the certs are signed by a CA.

So I guess my thought is that if the opponent is a government entity, CA-issued SSL certificates are probably security theater instead of an actual impediment.

Comment Re:Next! (Score 1) 103

Sadly, I cannot tell you why the decision was made (or even if it was an intentional decision as opposed to an oversight). I'm not on the WER team and I haven't spoken to them. I chimed in because I'm one of many product engineers that looks at WER data after it has been collected, processed, and assigned to the right team/product for follow-up.

That said, I can speculate, and point out publicly available information, just like any other slashdotter :)

- regarding the clear text -- one of the comments on the original article was quite helpful. It pointed out that the WER system makes multiple requests to perform a complete incident response. The first request ("stage 1") is indeed sent in the clear, and there are a bunch of query string variables that give some information (faulting app, version, etc).

However, subsequent HTTP requests for a given WER upload, e.g. the actual file payloads, memory dumps, and so on, ARE sent via SSL. I suspect the article omits these details because the author is attempting to generate buzz for his paper and company, ahead of a security conference where more details will be published.

So, as far as what is actually being sent in cleartext over the wire -- it is NOT the memory dumps or file contents. It is, to use a lately popular word, "metadata".

On the issue of USB device insertion:

Again, I am speculating here, but part of what we use WER for is to gather customer evidence -- what are our customers actually doing. When I argue that we need to fix bug foo, if I can point at specific customers that are being impacted by it, or if I can give counts about the number of unspecific customers that are being impacted, my argument has a lot more weight.

Imagine you are on the Windows team. You have a finite amount of budget to test hardware compatibility. You can put a finite number of drivers "in the box" (as opposed to making people get them from somewhere). You are constantly under pressure to downgrade support for certain hardware (from inbox to download, from download to unsupported, etc) because every device you say you support costs you real time and money...

So what's the best way to decide which hardware should be supported how much? Well, knowing how many people are still trying to use that piece of hardware seems like a good piece of data to have if you are trying to make that decision.

Comment Re:"Unencrypted PIN data" wasn't compromised? (Score 1) 213

Here is an example for you: Please figure out what PIN I used in the following output from an AES-128 encryption: 2c 5b 22 99 53 42 5b cc 4d bf a7 88 3b 61 95 14

1. I don't care about your PIN. Your grandma's will work fine. I can throw those numbers out the window.
2. For each card try 1234 (or whatever comes out of a random() call.) 1234- stolen, next card. 1234, stolen, next card. 1234- stolen, next card. 1234- *kaching*. 1234, stolen, next card. 40 million cards / (10000 plaintext PINs / (10 guesses per card)) = 4000 cards.
