One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.
IMO Occam's razor ends up here. Electronic voting systems do two things very well: obfuscate the system in a way that is relatively incomprehensible to a layman, and provide plausible deniability in the case of manipulation. Even if manipulation is discovered, you can chalk it up to a "bug" and re-run the manipulated election again. People are stupid, and most ordinary people only want to believe there's malice involved when they've run out of more pleasing cognitive options.
I believe that if this site enumerated all the ways that you can maliciously use computerized vs. paper voting systems, we would show a hell of a lot more benefits to a manipulator than a voter.
> If I go see a doctor, I have no idea if I will end up with a $40, $400, $4000, or $40,000 bill until the bill comes months later and I have to pay it. NO IDEA.
This is what's really strange about the American healthcare system. For everything else in America you can either get a price up front or an estimate of total costs up front. Why should going to the doctor be any different than going to a mechanic? Pay advertised flat rates for issue diagnosis, and get estimates for the problem.
Yes, in cases of emergency you can't really shop around too much, but the majority of the time you're going to a doctor, you could at least call and get estimates of how much things will cost. It's not even possible to do this with most healthcare organizations. If you call your doctor's reception and ask "how much will it cost for this visit?" they'll tell you they don't do billing and they won't know until it's processed by insurance.
Price transparency in the healthcare market - or at least some decent estimate of it - would be a great thing to see. American healthcare is ridiculously inefficient because it appears wholly designed to be byzantine.
> Unbelievable that these companies take security for their prized assets way less seriously than I do.
A lot of engineering teams unfortunately see strong security as a hurdle to fast development, and/or security is put as a lower priority to feature development or other deadlines. A lot of business units see security as a cost sink and have the "there's only so much we can do to protect ourselves, if they want it they can get it" or "it won't happen to us" mentality.
On the other hand, some companies have security built deeply into their lifecycle, and really care.
> their graphs (at least on Android) have no labled Y axis!
It's the same on iOS.
I can't say I'm happy with Robinhood. It's dumbing down something that can get you into a world of financial pain if you don't know what you're doing.
If they want to target people that don't understand what they are playing with, they shouldn't be giving away options/crypto access/margin buying to people that don't understand those concepts. Expect a lot of people to lose a lot of money. /r/stupidfinance has some pretty great posts in which people were left in the cold after playing with fire in RH.
It's been literally years since node-forward got its talk about signing packages [1] with a lot of pushback from the npm team. Every time a new typosquatting article shows up, there's some more waffling by npm. left-pad happened to much consternation. Now this.
I used to really care about trying to harden the Node ecosystem, and last year it was one of my main goals. I tried to send multiple vulnerability reports, do mass static analysis of npm packages, and wanted to contribute more to the ecosystem, but the consistent ambivalent reactions of much of the community that I talked to turned me off of the project entirely. If npm wants to continue to be a security dumpster fire, let it burn. Node is a waste of security researchers' time and an honest goldmine for black hats looking to compromise relatively powerful novice webdev hardware.
I don't see it changing anytime soon. npm is a business that isn't focused on security. These things keep coming up, and yet npm install metrics I'm sure aren't decreasing. Until they face meaningful competition and/or the rest of the Node community begins to give even half a care to security outside of this forum, there will be no incentive for anyone to do anything about it. It's easier to play PR, give a little lip service to it and dodge the problem than it is to add any friction to their potential growth.
While I guess this is something, I would be curious to know what types of users are being targeted with these NSLs, and for what crimes. While it's natural to think "Islamic extremism and terrorism" as that's the usual natsec rallying cry, I wouldn't be surprised to see these being used for other purposes.
It's good for pseudonymous worldwide transactions. Blockchain analysis software is now a thing, and while costs are high, there are companies that specialize in tracing BTC transactions. [1] It is possible to launder/mix BTC or play a shell game to/from other currencies and wallets and raise analysis costs enough to make it not worthwhile for many adversaries and many targets.
While this may seem pedantic, it is important that people do not rely on BTC transactions for anonymity. Perpetuating this myth may become dangerous for some Bitcoin users.
There are plenty of absolute crackpot petitions on there at this stage that undermine the legitimacy of this one by being placed alongside it. I believe this motion is futile as well.
I'm not very fond of Tim's product, but I agree with him in his perspectives on SF and the Bay Area in general. Too much of it feels toxic at this point, and it has felt that way (to me) since about 2011 or so. It pushed me further and further into a state of introversion. While I used to go out and talk to people, I got tired of people wanting to talk "the mono-conversation" as he called it. It's been great for professional development as I have a lot more time to tinker with things, but it certainly hasn't helped me too much socially. I don't really care about who's funding who, who paid for what, what shit that founder just bought in Hayes Valley, or who's sleeping with whomever. I just want to poke at things, find bugs, and make shit.
> The rock stars these days are rappers and DJs and they don't play guitar.
And nearly every kid can afford a shitty chinese USB->MIDI controller and a cracked version of Live/Logic/FL Studio. The DAW and a controller is the weapon of choice for today's pop music industry. The fact that guitar is dying as "mainstream" shouldn't come as much of a surprise.
Microsoft developed quite a few of these ideas internally with the TwC (Trustworthy Computing) initiative in the early 2000s, and built a protocol - and development workflow - around threat modeling and security awareness. Most of their internal security-oriented protocol is listed for free:
As are some of their tools. For individual developers wanting to have a better sense of what threats their applications may face during the design stage, there’s a good Wiley book on threat modeling:
If you’re really in a hurry, a lot of the typical OWASP vulnerabilities are mitigated by choosing higher—level, long-standing frameworks and abstractions (e.g. Rails, Symfony, ASP.NET MVC) that handle a lot of the things that can hurt you. From there, most of the low hanging fruit skids will find can be mitigated simply by following the security best practices documentation for your framework before you start writing code in it.
Anecdotally, auditing web applications for security issues is my day job. The majority of the time, ignorance is the real issue, not speed of development. They simply don’t have any idea what threats they are facing, or any real education in secure coding principles. Very rarely have I dropped vulnerabilities and had teams say “yeah, we know about that”. It’s way more “whoa, I didn’t even know you could do that”. Basic security education really matters.
Your story resonated with me because I had the same experiences with a 12” MacBook.
While I can’t really use you as an example, since you kind of need a Mac for a lot of the work you do specifically, I’ve heard the same complaints about Apple hardware from other long-time Mac users that don’t actually need to have a Mac.
I am curious how many of those of us that don’t need macOS day to day have voted with their wallet away from Apple’s pro line, and what they switched to. I still use a mid-2014 MacBook Pro at work, but at home when it was time to upgrade I took the same path you did and went for the 12” MacBook. It sucked in every way.
Now I’m the owner of a Dell XPS, the supposed most Mac-like PC, and I’m simply stuck with another set of problems: it’s developed a great amount of coil whine, thermal management is spotty to say the least, and the sound card drivers have to be reinstalled every few reboots else it will not detect when I have plugged or unplugged headphones, which has me carrying around a USB DAC. When I need macOS, I’m still running High Sierra on a quad-core Mac Mini server from 2011.
The sad thing is that I don’t think there is a good option at this point. All of the “alternatives” to the MacBook contain their own faults.
How much is this based on the libsignal-protocol-JavaScript code? Where does it differ from it? Where are the tests to test protocol steps?
I actually love seeing things like this, but it’d be nice if there was some more documentation on the project. Crypto libraries generally aren’t the kind of thing you want to pick up when they’re new unless they are both heavily audited and developed by those with backgrounds in crypto work.
Room to grow housing and office space requires a whole lot of development to happen. My greater point is that there is very little incentive for most people to move to Detroit compared to other locales that are further along on actually having a lot of the type of housing that is popular on the west coast, some semblance of working public transport and infrastructure, etc. The M-1 Rail is a good start, but I think we are still years from Detroit being a truly viable choice.
There are better options than Detroit for this largely just because Detroit is very far behind other cities that can offer some of these needs now and grow into the future ones. Detroit is still at the stage of needing to grow a bit more to support the influx.
One of the downsides of programming being easily accessible and easy to get a job in is that there is no required standards body to write code. There's no way to fix this. The best you can do is refuse to hire people that worked on these or similar systems, and I'm sure they will find jobs somewhere within the government-contractor software engineering space.