Comment many companies exist to hire people (Score 4, Insightful) 268

> It's not about who is dispensable or not, companies do not exist to hire people ...

For many years I worked for a corporation that was set up primarily for the purpose of hiring people and taking care of those employees. For the last 12 months, the company has been losing money by continuing to provide health insurance and such for employees who work fewer than 12 hours per month.

You may think that's incredibly unusual, but actually it's not because many, possibly most, corporations are set up for the purpose of hiring a very small number of people, most notably the owners. There have been many times over the last 20 years when I, as the sole shareholder, have needed to choose between making more money or doing more good for the employees and customers. I decided that money is a means to an end. The PURPOSE of making more money would be in order to better take care of the people I care about. I'd like more money because it would allow me to send my daughter to a better school. I'd like more money because it would allow me to give more to my employees and other friends. I'd like more money because it would allow me to give more to organizations such as United Way and the Crisis Pregnancy Center. Choosing between being good to people or making more money, I choose doing good because after all the whole point of more money would be to do good with it. Choosing more money would be putting the means ahead of the ends.

Comment Utterly and completely false. I paid $0 (Score 1) 99

That's completely false. You just made that up out of thin air.

Customers can, as I did, upgrade from Leopard (2007) to the newest version at a cost of $0.
Upgrading from Vista to Windows 8.1 would cost $120 - $320. (Plus the cost of upgrades to Outlook, etc.)

Customers could also choose to upgrade at each step, paying $30, $20, and $0 for Mac - a total of $50.
With Windows, the analogous path would be Vista - Win7 - Win8 - Win8.1, which could cost over $800, depending on which edition of Windows. In what world is $50 more than $800?

Comment technical side, security and incident response (Score 1) 118

I'm on the technical side. Marketing and especially advertising annoys me greatly. My experience is primarily in prevention and incident response for web server security. So finding and eliminating potential risks. "Security researcher" might imply actually developing specific exploits, whereas I'd sanitize and bind all input, not often spending time developing a specific injection string.

I've tried to get a breadth of relevant experience, though. My time working as a locksmith informs my info sec work, I've been a licensed private investigator, I'm licensed as a security officer, etc. Same on the code side - programming microcontrollers a little bit gives an appreciation for timing attacks, etc.

Why do you ask?

Comment catch has gotten more specific, skill not changed (Score 1) 146

With very few exceptions, I don't think refinements to the details like exactly what counts as a catch have changed how the game is played much. A receiver tries to catch a ball today the same way they tried to catch it in 1970. The skill hasn't changed. It's possible that an attempted catch might be ruled a fumble today and incomplete 40 years ago, but that changes what the officials do. The player will still do the exact same thing - reach out and try to get control of the ball.

Of course there are exceptions, primarily changes related to player safety, where it's now against the rules to do certain dangerous things.

Comment Has Mac EVER made an OSX app stop working? (Score 4, Interesting) 99

You seem to be confusing two totally different things. Mac users had a perfectly working version of Skype. Microsoft broke what had already been working, by changing the network protocol and turning off the existing servers. Skype worked fine on Mac, then one day Microsoft started rejecting EXISTING clients, and it's still broken today.

You seem to be confusing that vs writing NEW versions of applications for unpatched operating systems. Apple is saying "if you want the new features in new versions of the application software, download the OS update." What Microsoft did was cut off existing versions that worked just fine.

Another point that may be confusing if you're unfamiliar with anything outside of Microsoft's ass crack - updating OSX means downloading a free update, not paying hundreds of dollars and completely wiping the machine like you tend to do in Windows. My 2008 Mac Pro has the latest version of OSX and the Apple applications. I didn't pay them a thousand dollars to update the OS, the Office suite, the mail client, etc. I just click "yes" to install the free update. It's not that hard.

Comment ? Plenty of competition when I looked (Score 3, Interesting) 118

> can't help but think "bug bounties" aren't proper capitalism since there's little competition.

I'm not sure quite what you mean here. Just the other day I looked over a list of bug bounty programs to see if it might make sense for me to analyze some of the software specifically for the purpose of collecting bounties. There were quite a few companies offering bounties, competing for my services analyzing their software. Based on what I saw, there is a reasonable amount of competition on that side, many buyers of bugs.

One company I saw that has a bug bounty program sells software that I use on a daily basis and occasionally debug. I've sent them patches and suggestions before, outside of any bug-bounty program. Looking at the rewards offered, it seemed to me that it _might_ make sense for me to analyze certain software for security bugs. The price offered, based on the number of other programmers competing for the money, seemed just about right, maybe slightly low. On the other hand, the rewards are enough that it DEFINITELY makes sense for me to spend the time and hassle reporting bugs that I happen to notice while I'm using and configuring the software. So based on what I saw, there is enough competition on both sides to have prices tend toward reasonable numbers.

I noticed that a lot of companies don't have bug-bounty programs yet, though many do. It reminds me of 15 years ago when a lot of sites had referral programs, but most did not. That changed when third parties including CCBill made it easy to add a referral program. I suspect many more companies will add bug-bounty programs when they don't have to develop and manage the system themselves. If they can just buy or subscribe to an easy-to-use software package for running it, and maybe let the third party vendor handle payments, it will become much more common.

Comment Pauses my 16 GB desktop working on 4K program (Score 1) 371

I use a few Java programs on my desktop, which has 16GB of RAM. One program I use is a little editor / mini-IDE for microcontrollers which have 4k of memory. While writing these 4K programs, Java will largely lock up the machine for 30 seconds, probably while it's doing GC.

You seem to be suggesting that 16GB of RAM isn't enough to edit kilobytes of text. Is that what Java fans generally think? In the meantime, I'm programming in simple, effective languages that work quite well with 250,000 times less memory.

Comment no private key to SEND GPG. End bulk collection (Score 3, Interesting) 175

There are two ways this can work well.

Yahoo, or any other email provider, doesn't need access to the private key to SEND encrypted email. Someone who wishes to receive encrypted email publishes their PUBLIC key. The message is encrypted with the public key. Yahoo can automatically check popular key servers and if the recipient publishes a private key, offer a one-click option to encrypt the email. Because the recipient publishes a key, that pretty much advertises that they know how to read a message sent with their key. They don't need Yahoo's help on the receiving side. So sending encrypted email is no problem. There are some details to get right, but no fundamental problem.

Now let's consider reading encrypted email via webmail. It has been pointed out that the obvious implementation would be to use JavaScript to do the decryption. Maybe the Yahoo team will come up with something more clever, but let's assume they don't. In that case, it's been pointed out that Yahoo could replace the encryption JavaScript for targeted users, at specific times. That's true until someone releases a browser plug-in that checks the hash of the script, but there is still a big gain. Until then, Yahoo could be ordered to intercept SPECIFIC, TARGETED users. As opposed to today, when Yahoo can be ordered to provide a tap for NSA to collect ALL emails. Getting rid of that bulk collection capability is a big win.

Note that if the FISA court did order Yahoo to switch out the JavaScript, the likelihood that would be detected would be proportional to how often they did it. If they did it once, they'd almost surely get away with it. If they did it all the time, they'd almost surely be caught. So they'd want to use it rarely, saving it for high value targets in order to keep it secret. That's actually exactly what I WANT for a widely deployed technology. The ideal, I think, would be that the technical details are such that the government can't read everyone's email, but in special cases a proper court can authorize reading Osama bin Laden's email and the technology allows that to happen only rarely. So this actually comes pretty close to the ideal, assuming that NSA wants to keep the Yahoo hack secret and therefore rarely uses it.

Comment Interesting question. Trust Iran to arrest them? (Score 1) 256

There is an interesting philosophical question when it comes to US citizens.

> if there is enough evidence to arrest them I'm sure the foreign government will do so.

Suppose Richard Reid, the shoe bomber, had escaped to Iran. Should we not declare that we don't want him on any US-bound airliners? I know I don't want a known terrorist on the same plane _I_ am on. Would Iran arrest him for us? Maybe.

We do know that at least SOME of the people on the no fly lists HAVE been arrested for terrorism related offenses. They did their time and got out, or one juror felt there wasn't proof beyond a reasonable doubt. There might still be enough evidence to say we don't want them flying on an airliner, without even going through US security first.

Again, the other list, the terrorism watch list, is much more concerning to me, especially because of the number of people on it.

Comment the same as any service - reputation, etc. (Score 1) 102

You ask "why would they" sign up for a notification service that costs $120 / year. I suppose it's like just about any other online purchase - it comes down to the reputation of the seller. Why would you buy a computer on Dell.com, when you can't see the product before you buy it? You'd make that decision based on Dell's reputation, and any previous dealings you had with the company.

The companies who were our customers knew we had a very solid reputation for providing excellent security solutions, and on forums other professionals they knew would report that our service worked well for them. When we identify a compromised account, we tell the owner of the sites which account(s) are known to be compromised and where we found the compromised account information if it's being publicly traded on a cracker board. Also we provide tools they can use to analyze activity on the account and see for themselves that people in Russia and China are trying to use the account or whatever.

A customer uses this service and tools and it works well for them. Six months later, someone in a Slashdot post asks "how can I tell if my site's password database has been compromised?" Other Slashdot users reply "the tools 'raymorris' supplies worked well for me". So pretty much like any other online purchase.

Comment haha. MD5 is similar (Score 1) 62

That's true, and funny. It does remind me of another, more well-known "almost got it" attack. For MD5 collisions you keep adding data to the end, getting closer and closer to a match. In fact, that's how the whole hack works. You can't know what will match, but you can generate something that is closer to a match. Keep getting closer to a match until you happen to actually match.
