Or maybe they could move them and give them a raise from all the savings found elsewhere... like rent, property, taxes and so on.
In Canada, CN moved their head office from Toronto to Calgary. They paid for the moves, gave everyone a one-time extra bonus plus raises. They saved billions and not that many complained.
> p values <0.05 indicate that the results are not due to just chance
This is not how p values are used. See Gelman:
> The p-value does not tell you if the result was due to chance. It tells you whether the results are consistent with being due to chance. That is not the same thing at all.
Imagine if someone in infectious disease research said "It's not at all true that researchers on the whole do what they do to prevent disease. Many of the best researchers do the opposite!"
It would be interesting if monetizing the next flu bug worked the way that the market for vulns works.
Infectious disease researchers are finding microbes, just like security researchers are finding vulns.
Now let's try putting words in your mouth: You would be happy with disease microbes being sold to the highest bidder and weaponized, and turned against the population, just as vulns are when security researchers sell them to spy agencies and law enforcement. Is that what you are saying? Are those acceptable professional ethics for... biologists? Anyone?
If it was up to me, we'd come pretty close to banning the manufacture of firearms and ammunition, so I'm not the right person to ask about this. But, once again:
* Vulnerability researchers do not as a rule disclose to vendors. Some do, some don't.
* Sponsoring the discovery of a vulnerability so you can write an exploit for it doesn't prevent others from finding that vulnerability and patching it. If anything, sponsoring vulnerability discovery for exploit development increases the likelihood that the bug will be patched.
* When I ran a security consultancy, we had a "no selling vulnerabilities" rule. Published, on our website. I was comfortable with that, because "my company my rules". I am a lot less comfortable dictating my own morals on other people that don't have a contractual agreement with me.
* It is difficult to come up with an argument that vendors should get disclosure of vulnerabilities that doesn't involve vendors entitling themselves to the (often very expensive) work of vulnerability researchers. It's especially galling to see companies that don't spend any real money on software security expressing that sentiment.
And, of course: software vulnerabilities aren't infectious disease agents. The revulsion we have for weaponizing infectious diseases comes from the concern that they will spread unchecked. But that's not how software vulnerabilities work.
The question is whether selling vulns, or weaponizing them, or stockpiling weaponized vulns is acceptable professional ethics. Some people think that the government having a stockpile of zero-days is a good thing. Some even think that vulnerable endpoints are a good compromise outcome so that encryption doesn't turn into intellectual contraband.
But it would be better, for everyone, for it to be considered unethical and unprofessional to add to the stockpile and actively keep endpoint devices vulnerable. I think stockpiles of vulns should be disclosed, even through hacks or leaks, like the Hacking Team leaks. Hence the analogy to biologists auctioning off their discoveries secretly to be weaponized. It's analogous enough: the practice of stockpiling vulns for the purpose of spying leaves everyone with less privacy and security, at the mercy of the unaccountable and outright evil. It creates perverse incentives for deeply unethical behavior. It poisons the whole software and hardware industries globally. If vulnerability stockpiles were unilaterally disclosed, it would be a large net benefit to the common technology user.
Also, rewarding researchers for disclosure is fine. There are open, transparent, and ethical ways to do that, like published bug bounties followed by timely public disclosure.
You might have good intentions and high ethics, but industry norms have to be designed for people like Hacking Team.
Your worldview is that because there are bad actors like Hacking Team, anyone who does vulnerability research is obligated to disclose their findings to vendors?
No. Vulnerabilities exist because vendors ship bad code, not because researchers read that bad code. I refuse to sign on to an "ethic" that entitles negligent vendors to the work product of researchers.
You do the work, you choose what to do with the vulnerabilities. There are packages --- Cryptocat is a great example --- where I've found grave vulnerabilities, disclosed that I found them, but refused to divulge details. I would personally never sell a vulnerability; I think vulnerability markets are immoral. But I don't get to impose that morality on others. Would that I could! I think Cryptocat is immoral, too! But I have to live and work in a world where not everyone agrees with me.
The one common denominator we can all share is "nobody is entitled to appropriate my work from me without my consent".
I don't know Cryptocat or its authors, so I have no idea why you consider them immoral. What's the story?
Obligations are a two-way street, and good ethics should have support. If you have the means to reward disclosure of a vuln you should announce a bug bounty.
Professions have ethical standards. Some are stronger than others. They are meant to impose a basic level of morality. In the real world, that never happens perfectly. But some of them definitely imply disclosing one's work without extracting every last penny from it, such as disclosing abandoned clinical trials.
I feel about Cryptocat the way you would probably feel about someone who set up an inner-city neurosurgery clinic after reading a bunch of Usenet HOWTO posts.
I think there are two separable arguments here. We may disagree on both of them. But:
* The first argument is whether it's OK for researchers to stockpile vulnerabilities --- to learn things about software and then not share them. This might seem like an artificial distinction, but there are lots of good researchers who back-pocket great, important vulnerabilities. They don't exploit them, they don't sell them, they just find them, make some notes, and move on.
* The second argument is whether it's OK for anyone to weaponize vulnerabilities. If you believe that the USG has an obligation to disclose vulnerabilities, you're almost (but not quite) required to believe they can't do exploit development work --- for any reason. Disclosing vulnerabilities to vendors kills exploits.
I'm OK with researchers stockpiling. I'm OK with the USG weaponizing. I'm OK with the latter in the same sense as I'm OK with them carrying firearms or breaking down doors to serve warrants or freezing bank accounts. Obviously, I'm not OK when the USG abuses those powers.
In the abstract it seems OK for researchers to simply sit on vulns they have found, but is that what really happens? Why do that? Do they get sold eventually? Are there a lot of cases where the developer is hostile to fixing them? How OK this is depends on the eventual disposition.
The other one seems clearer: "Disclosing vulnerabilities to vendors kills exploits." Well, yes. The problem is that, in the present situation, endpoint security is terrible. It seems unlikely that our government has made it possible for themselves to break endpoint security, but not the Chinese or any other nation, organized crime group, or other non-state actor with some software smarts. It may take some catastrophic infrastructure penetration or super-Snowden leak to show why this is unwise.
Yes. Vendors are usually hostile to researchers, and vendors generally do feel entitled to researcher work-product. Their feeling is, it's their code, so they're entitled to know about problems with it.
“The relief we seek is limited and its value increasingly obsolete because the technology continues to evolve. We simply want the chance, with a search warrant, to try to guess the terrorist’s passcode without the phone essentially self-destructing and without it taking a decade to guess correctly. That’s it.
“We don’t want to break anyone’s encryption or set a master key loose on the land,” Comey continued. “I hope thoughtful people will take the time to understand that. Maybe the phone holds the clue to finding more terrorists. Maybe it doesn’t. But we can’t look the survivors in the eye, or ourselves in the mirror, if we don’t follow this lead.”
That's a lot of double-speak. They know that removing the timeout so they can try thousands of passwords per second opens up a huge security hole. What he's saying is "we want it both ways". We don't want to take away security for users, we just want to make it easier for someone who's not the owner of the phone to get into it.
Which is a bigger flag for mismanagement. If the phone had had device management software as most major companies provision, no hack would have been necessary.
"public funds" is not a single shared bucket of loot that everyone puts into. In this case it was a county owned device.
County governments are typically recognized incorporated organizations that have no real line of authority or connection with the federal government.
So no, the FBI or federal government doesn't have some ownership claim that makes it OK to break into. As others point out, they have basically seized the device from its owner in the course of an investigation.
Can you explain the comment on relevance a bit more? You said it twice but I'm not seeing your point.
Regarding the Director's double speak I think it is relevant. The FBI or federal government is still not the owner. Regardless of whether the device was seized or surrendered the property is still owned by the county.
> What he's saying is "we want it both ways". We don't want to take away security for users, we just want to make it easier for someone who's not the owner of the phone to get into it.
If they have permission from the owner, it's wrong to describe it as trying to get into "someone else's phone". There's no expectation of privacy in a government owned phone.
Who decides paying $1M to get access to a government owned device is appropriate use of public money though?
Why didn't they go through proper channels? Why did they reset the iCloud passwords? What steps have they taken to prevent this from happening in the future?
The FBI is doing a lot of hand waving and there is no accountability. Where are all those fiscal conservatives when we need them?
In my personal experience with an iPhone, it will not backup to iCloud without wifi and it will not connect to wifi without having the passcode entered at least once since boot. According to the government, the device was found powered off. If that is true, the iCloud backup would never have worked.
Of course, you can choose not to believe the government that the phone was found powered off (http://www.wired.com/wp-content/uploads/2016/03/Apple-govt-R...), but I think you'd have to pick and choose what you're willing to believe and not believe from what the government have said.
Finally, even though it wouldn't have helped, it's clear Pluhar's team did not consider the iCloud backup possibility when they were making their examination, so they very well could have screwed this up. It's just that they didn't in this case.
It's also possible the phone was actually found powered on and the battery was drained and it turned off by the time Pluhar's team examined it the same day. It wasn't mentioned if anyone checked it and tried to make sure it was kept charged (probably not). I imagine it might be difficult to train the officers on the ground about mobile device forensics best practices, since they change fairly frequently.
I would not trust their word over Apple's because Apple has a better insight of the situation.
The whole thing was a very poor allocation of resources. Of course, those whose promotions and maybe even jobs are on the line will fight back any claim of incompetence or malice.
The phone is evidence in a police investigation; they didn't buy it. While its owners are dead, surely it belongs to their heirs? Or does that whole rule of law thing mean nothing?
The phone was a work phone issued by the San Bernardino Health Department, so no - the heirs of the killers didn't assume ownership of the phone. It was always the property of the San Bernardino Health Department.
So if someone the FBI is interested in knew they were being targeted and used a strong, complex, long password which would be impossible to 'guess' even without the restrictions then how does
> and without it taking a decade to guess correctly.
even make sense when there isn't a force in the universe that can guess that password in 10 millennia.
If they demand that restrictions like gated attempts and automatic wipes be removed, they're just pushing the industry to move to restrictions that can't be removed.
Hell, if I was feeling really cheeky and worked for Apple, I would give the FBI their backdoor which allowed them access, but they have to provide the phone a proof of work worth at least $10 trillion.
The only way to accomplish the goal in the first paragraph is to execute the steps they "don't want to" do from the second paragraph. It's more than double-speak, it's pure bullshit.
Note that new comments are weighted much higher (e.g. I've had top level comments on a thread with several comments immediately show up first) and so the fact that a comment is near the top at a point in time does not mean that it's popular.
And even then, is 7% supposed to be a little or a lot? They say "hundreds of hours of dieting & exercising" but really that only affects an hour a day, maybe? I'd say that if I could spend 1 hour a day and get a 7% gain in happiness, it probably is worth it.
And perhaps there are other activities that require 1 hour that result in a 7% increase. Say: reading, socializing, writing. Then you've got 4 hours a day and get a 1.07^4 = 1.31 or 31% increase in happiness.
I find the actual metric here to be the most dubious part of the whole argument. I can easily understand making qualitative claims about happiness, and maybe even some of the arguments presented by the author are good ones, on a qualitative basis.
But trying to quantify this is just so bogus. What do they think they're even measuring? They're just making statistical claims about questionnaire results as far as I can tell. The author doesn't qualify that nearly enough. He is treating this like there's some kind of discrete quanta of happiness. "My current happy level is 7.453 kiloJoys" or something like that. It's just weird.
Well, the article seems to imply that 7% is low: "by the colossal 7%"
And there is this:
> But that same survey found that those with a low level of education were 47% more likely to be the happiest than those with a high level of education.
So a low level of education makes almost 7x more impact than diet + exercising combined. Something is seriously wrong with this happiness calculus.
Check out The True Believer by Eric Hoffer or Deschooling Society by Ivan Illich for some explanations for this long-observed effect.
Schooling trained me and my best friends to expect to be able to use what we learned, even though there were no roles in society for us. We are national merit finalists, calculus users, programmers, 99th percentile GRE scorers... one friend is nearly homeless. Another bags groceries. The best off has a programming job only because his father was higher up in the company. I spray herbicides and pesticides and feed cattle and do whatever I am asked and more at our family veterinary clinic and on our family farm. I am extremely lucky. But I feel intensely guilty that I am not using anything I learned at university. No one owes me anything. But I sacrificed and suffered so much for academic success, debating championships, math team and programming victories, and it has never paid me back with a livelihood, and now I am emotionally and energetically burnt out before ever landing an entry-level programming job. I can do all the Cracking the Coding Interview questions. I've never run into anything in CS I couldn't understand. I'm just very emotionally fragile when it comes to interviews due to being on the autism spectrum and feeling so abjectified. If I had not been so successful in school I would not feel so terribly guilty about my failure at life. I would like a romantic relationship and a family. But I would feel guilty and too ashamed starting one without a career to provide for at least private schooling or more likely homeschooling for my kids. But I am unable to escape my social bankruptcy or move out of my parents' basement. Life seems too complicated and I feel so far behind in non-school skills that I feel trapped. I feel I will never gain the prestige to feel desirable enough to make friends, much less a wife. I come up with software ideas but I get so depressed at the likelihood of their failure that I feel guilty working on them (and yet guilty not working on them). Education causes higher expectations.
Needing more people at university for social reasons has made them so easy that they no longer discipline people enough for success. More importantly, there simply aren't enough role slots for people trained to expect those roles. Please give me counsel if you can. I want a mentor or someone to apprentice with so badly. My parents love me but they are very dysfunctional. They have no friends either. I had a genius uncle who got top marks in school, made all sorts of interesting gadgets, could solve a Rubik's cube in seconds... he ended up a derelict and I am so worried I will end up like him even though it might be a self-fulfilling fear... I think he is too. He wanted to see a game I made but I've never gotten one polished to the point I felt I could share it. My closest friends are all failing to launch, too, so I have no role models. And I am down to three people from undergrad that I can still talk to (through infrequent texting). I want to be able to spend real time with someone who has things figured out about a bit so that my mirror neurons might hurt me rather than harm me.