belief is an arbitrary decision to insist something is true
I think that's a little too narrow a definition; the word for what you're talking about is "faith." I've often been asked if I "believe in evolution," and although the choice of words makes me cringe, the short answer has to be "yes." The longer answer is: I believe in evolution (or gravity, for that matter) the same way I believe in Philadelphia. Now, I don't know that Philadelphia exists. I've never been to Philadelphia. I've heard about it, and read about it, and seen road signs pointing toward it, and even known a number of people who claim to have lived in it, but in answer to Ken Ham's famous question, no, I wasn't there. I have no personal proof that it exists, and yet I believe there is a city called Philadelphia. And I will insist pretty strongly that this belief is true, but there's nothing arbitrary about it.
There are alternate explanations, of course. Perhaps Philadelphia did exist up until five minutes ago, but no longer does. Perhaps there was never a Philadelphia, but someone decided there was money to be made by pretending there was, and put together an elaborate deception to convince people of it. Perhaps it's all just a mass hallucination. But the simplest and most rational interpretation of the evidence is that Philadelphia exists.
So what I wrote in my previous post, "the same way you believe in gravity," may not have been quite right. What I should have said was probably something like "just as strongly as you believe in gravity," because the beliefs stem from different sources, one from faith and one from evidence. But "God created the world in six days, six thousand years ago" and "gravity exists" are both statements of belief. And if you don't understand that both beliefs are held with equal sincerity by large numbers of people, you will consistently underestimate those who hold to the former.
Postulate: Innocent kid is about to get run over by a bus. You can easily save her -- no more effort than lifting a finger. You don't. That makes you an evil, low, useless fuck, worthy only of hanging by the neck until dead.
Get it now? If you are able, but not willing, you are malevolent.
Now replace "you" with "god".
...I am technical by nature and have been transitioning to this kind of role because I'm at a place in life where it makes sense to do that. My experiences have been fairly good, and I've a couple of basic observations below:
For the last 5 years, I've moved into pre-sales and from there have been in project management for extended periods of time. The interesting thing I found is that by NOT getting as technical as the developers / implementers are, my ability to keep them out of trouble, ask the right questions, and clear barriers has been significantly improved. One very significant element of that is securing help or resources for them when needed.
They won't always ask and they won't always know because of how close to whatever it is they are. Being able to see this condition and deal with it early is worth gold and they are often very appreciative. As an analogy, you are driving somewhere and refuse to get directions, running the risk of being late. You think, just another coupla minutes and I'll recognize something... while your co-pilot doesn't experience this and brings up the phone nav system to bail you out, or they call in to get precise directions...
They don't have the "in the bubble" mindset the driver does, and this frees them to consider things on a macro level. All of that results in more efficient project work and a generally happier team.
Another comment above mentioned the type who can bring different skill sets together to get something done. That has high value as well and I have worked on teams where we had that person. Amazing really. I concur.
When it comes down to silly metrics, non-value-added kinds of management things, sometimes those need attention and the good managers will deal with those in creative ways while their team gets it done for real. The poor ones will highlight those things cover-your-ass style.
And that brings me to my last general comment. Those that own the project and back their team take heat and personal risk. They are very highly valued and they contribute with the common goal of everybody seeing success on the effort. Where they insulate themselves from all of that, again cover-your-ass style, the team remains at risk, while the manager really doesn't, and that mess generally leads to a low value, high resentment, high friction environment nobody wants.
Not really. You don't wait for a breach to fix an apparent security hole. Extraordinary proof is required to claim that an apparent security hole is not worth patching... not the other way around.
Please read my other response, which points out that there were some interesting comments on the original article. In short, it appears that only a portion of the WER upload is unencrypted.
(That said, I am not on the WER team, and I have no idea if they will take action as a result of this paper or not. We'll see.)
Regarding the other point -- in my opinion, having SSL turned on isn't really relevant if you're trying to hide information from the NSA/FBI.
The Lavabit legal documents that were made available a while back are illustrative here. If the FBI wants information about someone, they get a copy of the SSL certificate's private key for the entire website. The Lavabit guys made many attempts to try and negotiate a constrained delegation of wiretap powers for the FBI, but the FBI would settle for nothing less than the ability to eavesdrop on ALL SSL traffic to the entire site. This held up in court.
So if the FBI were wanting to use WER uploads to help them in an investigation, presumably they'd just force Microsoft to disclose any SSL certs used anywhere in the WER system.
The NSA situation may be different -- based on the Snowden disclosures, they tend to operate outside of the law/judicial system. They wouldn't necessarily use the court system to force handover of certs. Perhaps turning on SSL would defeat or slow them down, but I don't think so.
If you view Moxie's talk about Certificate Authorities, he points out that most national governments -- even ones less trustworthy than the US -- can just (ab)use the CA/PKI system to intercept any traffic they like, and unless you're paying very close attention, you'd never know the difference. Government entity Foo replaces the certs on sites of interest with new ones that they hold the keys to, and the CA/PKI infrastructure makes such changes transparent to you because the certs are signed by a CA.
So I guess my thought is that if the opponent is a government entity, CA-issued SSL certificates are probably security theater instead of an actual impediment.
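The post above turns on one observation: a substitute certificate issued by any trusted CA passes the ordinary chain check, so chain validation alone cannot tell the real key from a swapped one. The "paying very close attention" that would notice is public-key pinning. The Go program below is an added illustration, not code from the post, from Microsoft or from the WER system: it constructs a throwaway CA, issues two leaf certificates for the same made-up hostname (`watson.example`, an assumption) from that CA, and shows that standard verification accepts both while an SPKI pin recorded out of band accepts only the original.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// hostname is a constructed value for this example, not a real WER endpoint.
const hostname = "watson.example"

// Environment is the constructed scenario from the post: one trusted CA, the
// certificate the site really uses, and a substitute for the same host that
// the same CA signed for some other key holder.
type Environment struct {
	Roots      *x509.CertPool
	Original   *x509.Certificate
	Substitute *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with the signer's key under parent and parses the result.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// BuildEnvironment generates the CA and the two leaf certificates in memory.
func BuildEnvironment() *Environment {
	now := time.Now()
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Trusted CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	ca := makeCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)

	// Both leaves are valid, CA-signed server certificates for the same name;
	// only the public key inside differs.
	leaf := func(serial int64, key *ecdsa.PrivateKey) *x509.Certificate {
		tmpl := &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: hostname},
			DNSNames:     []string{hostname},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}
		return makeCert(tmpl, ca, &key.PublicKey, caKey)
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &Environment{Roots: pool, Original: leaf(2, newKey()), Substitute: leaf(3, newKey())}
}

// SPKIPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the value a
// pinning client records out of band and compares on every connection.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// ChainValid is what a stock TLS client checks: name matches and the chain
// ends at a trusted CA. It says nothing about which key is on the other end.
func ChainValid(c *x509.Certificate, roots *x509.CertPool) bool {
	_, err := c.Verify(x509.VerifyOptions{DNSName: hostname, Roots: roots})
	return err == nil
}

// PinValid is the extra check: the presented key must match a recorded pin.
func PinValid(c *x509.Certificate, pins []string) bool {
	pin := SPKIPin(c)
	for _, p := range pins {
		if p == pin {
			return true
		}
	}
	return false
}

func main() {
	env := BuildEnvironment()
	pins := []string{SPKIPin(env.Original)}
	for _, tc := range []struct {
		name string
		cert *x509.Certificate
	}{{"original", env.Original}, {"substitute", env.Substitute}} {
		fmt.Printf("%-10s chain ok=%v  pin ok=%v\n", tc.name, ChainValid(tc.cert, env.Roots), PinValid(tc.cert, pins))
	}
}
```

Running it prints `chain ok=true` for both certificates and `pin ok=true` only for the original: the CA system has done exactly what it promises, and only the out-of-band pin detects the swap. Pins need a rotation plan (a backup pin for the next key) or a legitimate key change locks clients out, which is the operational cost that keeps most deployments on chain validation alone.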
Sadly, I cannot tell you why the decision was made (or even if it was an intentional decision as opposed to an oversight). I'm not on the WER team and I haven't spoken to them. I chimed in because I'm one of many product engineers that looks at WER data after it has been collected, processed, and assigned to the right team/product for follow-up.
That said, I can speculate, and point out publicly available information, just like any other slashdotter.
- regarding the clear text -- one of the comments on the original article was quite helpful. It pointed out that the WER system makes multiple requests to perform a complete incident response. The first request ("stage 1") is indeed sent in the clear, and there are a bunch of query string variables that give some information (faulting app, version, etc.).
However, subsequent HTTP requests for a given WER upload, e.g. the actual file payloads, memory dumps, and so on, ARE sent via SSL. I suspect the article omits these details because the author is attempting to generate buzz for his paper and company, ahead of a security conference where more details will be published.
So, as far as what is actually being sent in cleartext over the wire -- it is NOT the memory dumps or file contents. It is, to use a lately popular word, "metadata".
On the issue of USB device insertion:
Again, I am speculating here, but part of what we use WER for is to gather customer evidence -- what are our customers actually doing. When I argue that we need to fix bug foo, if I can point at specific customers that are being impacted by it, or if I can give counts about the number of unspecific customers that are being impacted, my argument has a lot more weight.
Imagine you are on the Windows team. You have a finite amount of budget to test hardware compatibility. You can put a finite number of drivers "in the box" (as opposed to making people get them from somewhere). You are constantly under pressure to downgrade support for certain hardware (from inbox to download, from download to unsupported, etc.) because every device you say you support costs you real time and money...
So what's the best way to decide which hardware should be supported how much? Well, knowing how many people are still trying to use that piece of hardware seems like a good piece of data to have if you are trying to make that decision.
Here is an example for you: Please figure out what PIN I used in the following output from an AES-128 encryption: 2c 5b 22 99 53 42 5b cc 4d bf a7 88 3b 61 95 14
1. I don't care about your PIN. Your grandma's will work fine. I can throw those numbers out the window.
2. For each card try 1234 (or whatever comes out of a random() call.) 1234- stolen, next card. 1234, stolen, next card. 1234- stolen, next card. 1234- *kaching*. 1234, stolen, next card. 40 million cards / (10000 plaintext PINs / (10 guesses per card) = 4000 cards.
Work without a vision is slavery, Vision without work is a pipe dream, But vision with work is the hope of the world.