Comment Has Mac EVER made an OSX app stop working? (Score 4, Interesting) 99

You seem to be confusing two totally different things. Mac users had a perfectly working version of Skype. Microsoft broke what had already been working, by changing the network protocol and turning off the existing servers. Skype worked fine on Mac, then one day Microsoft started rejecting EXISTING clients, and it's still broken today.

You seem to be confusing that vs writing NEW versions of applications for unpatched operating systems. Apple is saying "if you want the new features in new versions of the application software, download the OS update." What Microsoft did was cut off existing versions that worked just fine.

Another point that may be confusing if you're unfamiliar with anything outside of Microsoft's ass crack - updating OSX means downloading a free update, not paying hundreds of dollars and completely wiping the machine like you tend to do in Windows. My 2008 Mac Pro has the latest version of OSX and the Apple applications. I didn't pay them a thousand dollars to update the OS, the Office suite, the mail client, etc. I just click "yes" to install the free update. It's not that hard.

Comment Plenty of competition when I looked (Score 3, Interesting) 118

> can't help but think "bug bounties" aren't proper capitalism since there's little competition.

I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.

One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

Comment Pauses my 16 GB desktop working on 4K program (Score 1) 371

I use a few Java programs on my desktop, which has 16GB of RAM. One program I use is a little editor / mini-IDE for microcontrollers which have 4k of memory. While writing these 4K programs, Java will largely lock up the machine for 30 seconds, probably while it's doing GC.

You seem to be suggesting that 16GB of RAM isn't enough to edit kilobytes of text. Is that what Java fans generally think? In the meantime, I'm programming in simple, effective languages that work quite well with 250,000 times less memory.

Comment no private key to SEND GPG. End bulk collection (Score 3, Interesting) 175

There are two ways this can work well.

Yahoo, or any other email provider, doesn't need access to the private key to SEND encrypted email. Someone who wishes to receive encrypted email publishes their PUBLIC key. The message is encrypted with the public key. Yahoo can automatically check popular key servers and if the recipient publishes a private key, offer a one-click option to encrypt the email. Because the recipient publishes a key, that pretty much advertises that they know how to read a message sent with their key. They don't need Yahoo's help on the receiving side. So sending encrypted email is no problem. There are some details to get right, but no fundamental problem.

Now let's consider reading encrypted email via webmail. It has been pointed out that the obvious implementation would be to use JavaScript to do the decryption. Maybe the Yahoo team will come up with something more clever, but let's assume they don't. In that case, it's been pointed out that Yahoo could replace the encryption JavaScript for targeted users, at specific times. That's true until someone releases a browser plug-in that checks the hash of the script, but there is still a big gain. Until then, Yahoo could be ordered to intercept SPECIFIC, TARGETED users. As opposed to today, when Yahoo can be ordered to provide a tap for NSA to collect ALL emails. Getting rid of that bulk collection capability is a big win.

Note that if the FISA court did order Yahoo to switch out the JavaScript, the likelihood that would be detected would be proportional to how often they did it. If they did it once, they'd almost surely get away with it. If they did it all the time, they'd almost surely be caught. So they'd want to use it rarely, saving it for high value targets in order to keep it secret. That's actually exactly what I WANT for a widely deployed technology. The ideal, I think, would be that the technical details are such that the government can't read everyone's email, but in special cases a proper court can authorize reading Osama bin Laden's email and the technology allows that to happen only rarely. So this actually comes pretty close to the ideal, assuming that NSA wants to keep the Yahoo hack secret and therefore rarely uses it.

Comment Interesting question. Trust Iran to arrest them? (Score 1) 256

There is an interesting philosophical question when it comes to US citizens.

> if there is enough evidence to arrest them I'm sure the foreign government will do so.

Suppose Richard Reid, the shoe bomber, had escaped to Iran. Should we not declare that we don't want him on any US-bound airliners? I know I don't want a known terrorist on the same plane _I_ am on. Would Iran arrest him for us? Maybe.

We do know that at least SOME of the people on the no fly lists HAVE been arrested for terrorism related offenses. They did their time and got out, or one juror felt there wasn't proof beyond a reasonable doubt. There might still be enough evidence to say we don't want them flying on an airliner, without even going through US security first.

Again, the other list, the terrorism watch list, is much more concerning to me, especially because of the number of people on it.

Comment the same as any service - reputation, etc. (Score 1) 102

You ask "why would they" sign up for a notification service that costs $120 / year. I suppose it's like just about any other online purchase - it comes down to the reputation of the seller. Why would you buy a computer on Dell.com, when you can't see the product before you buy it? You'd make that decision based on Dell's reputation, and any previous dealings you had with the company.

The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums, other professionals they knew would report that our service worked well for them. When we identify a compromised account, we tell the owner of the sites which account(s) are known to be compromised and where we found the compromised account information if it's being publicly traded on a cracker board. Also we provide tools they can use to analyze activity on the account and see for themselves that people in Russia and China are trying to use the account or whatever.

A customer uses this service and tools and it works well for them. Six months later, someone in a Slashdot post asks "how can I tell if my site's password database has been compromised?" Other Slashdot users reply "the tools 'raymorris' supplies worked well for me". So pretty much like any other online purchase.

Comment haha. MD5 is similar (Score 1) 62

That's true, and funny. It does remind me of another, more well-known "almost got it" attack. For MD5 collisions you keep adding data to the end, getting closer and closer to a match. In fact, that's how the whole hack works. You can't know what will match, but you can generate something that is closer to a match. Keep getting closer to a match until you happen to actually match.

Comment Unproven, but plausible. Our reputation was plenty (Score 1) 102

We used to provide a similar service to web sites. We had many millions of compromised accounts. We didn't offer any services to consumers. The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums, other webmasters they knew would report that our service worked well for them. That was sufficient that most customers would add that service or not based on what I recommended for their particular site. In general, on a site making over $5,000 / month it might make sense to spend $5 / month on the extra security. For sites making less than $1,000 / month, I'd suggest they put their limited resources elsewhere and check back in a year. In between, it depends on the type of site. Some are attacked more than others, and a compromise is likely to be more costly on some than on others.

Comment we offered a similar service, it costs to operate (Score 1, Interesting) 102

> A Billion dollar security firm won't sign up for a $120 per year service to see the data behind the breach? It must be highway robbery unlike most AV products which charge the same $$$ per year for little in return.

Indeed, we used to operate a similar service, and many companies were excited to sign up at just $49 / year. Often, the bad guys get the entire password database, so being alerted to that right away is valuable. I designed our system many years ago and it was somewhat expensive to operate. Crackers compromise new sites every day, so you have to be constantly finding and processing newly compromised accounts. Over time, it became more costly to cover a smaller percentage of compromised accounts, so we advised more and more sites not to buy it, until at some point we just stopped offering the service pending a redesign.

Using different types of resources that are available now, it's possible to run such a system more efficiently. I have a design in mind, but I haven't implemented it yet. If I do, it will likely be priced pretty close to $120 / year. We won't make crazy profits at that price point because it'll cost us $2,800 / year to operate. We'll need about 25 sites to sign up just to break even, and that doesn't include the time spent developing the new system. For a site with $300,000 / year in revenue, $120 will be a great value. For a site with $3,000 / year in revenue, it wouldn't make sense for them to get it.

Comment Re:he went on to say open source can't be used com (Score 1) 101

He went on about it for a while, so it's not a case of misspeaking, of saying the wrong word. When he said commercial companies aren't allowed to use open source software, I think he meant exactly what he said. That's a lie, of course, but it certainly seems he knew what he was saying.

A vote might well go 48% - 52% or something like that. Ballmer can swing it from 48/52 to 51/49. Ballmer's 3% share is enough to swing many, if not most, votes.

Comment Good question. 280 US citizens or residents (Score 1) 256

> If you don't have enough evidence to arrest somebody, how do you justify putting them on the [no fly] list in the first place?

That's a question I'd like answered. I did find out that about 280 people on the list are US residents or citizens, so that gives us some sense of the level of threat required. Many more people have the same name as someone on the list, and therefore have to go through extra hassle. The number of people on the no fly list doubled in 2012.

> That is right up there with seizing and selling off assets before you even get a conviction

If there is actual evidence then arresting them makes even more sense. The only reason to put them on a no-fly list would be if you are trying to arrest them, and just want to ensure they don't blow up a plane before you get a chance to do so.

Doing a few minutes of research, I learned that the no fly list doesn't actually stop them from flying. It's a list of people not allowed to fly INTO the US, or out of the US. It doesn't apply to domestic flights. I would say that a nation has the right to deny entry for any reason whatsoever. I don't have to justify why I don't invite someone into my house, and the US doesn't have to justify why we don't invite a certain person into the country. Not letting people leave is a little different. However, it seems that most often no-fly people are indeed arrested if they try to leave the country, so apparently there is cause for arrest - law enforcement would have preferred to wait longer before arresting them.

Based on what I've learned this morning, it seems the process needs improvement, particularly in regard to false positives, but there probably are about 280 people who really SHOULD be on that list. The other list, the terrorism watch list, is much, much larger.
