> This approach attempts to minimize disruption to existing subscribers using a recently announced Chrome feature to remove default trust based on the SCTs (signed certificate timestamps) in certificates.
I was wondering how Chrome was able to revoke a certificate based on time without trusting the CA to not back date certificates and it looks like this is due to being able to trust certificate transparency logs instead. This is where they get the signed certificate timestamps (SCT) from.
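The check the comment above describes, as an added example (this is not Chrome's code and not the CT project's): parse the SignedCertificateTimestampList wire format from RFC 6962 as it is carried in a certificate's SCT extension, take the earliest SCT timestamp, and distrust the certificate if that timestamp is not before a cutoff. The point of using the earliest SCT rather than notBefore is that the CA writes notBefore but only a CT log can produce an SCT timestamp, so the CA cannot make a certificate look older than its first log entry. The cutoff date, the log IDs and the SCT bytes are constructed for illustration, and SCT signatures are deliberately not verified here; a real client must check each SCT's signature against the log's public key before relying on its timestamp.

```javascript
// Added example, not Chrome's code: parse the SignedCertificateTimestampList
// wire format (RFC 6962, as carried in the X.509 SCT extension) and apply a
// "trust only if the earliest SCT predates the cutoff" rule. The cutoff and the
// sample SCTs are constructed for illustration; signatures are NOT verified.
const CUTOFF_MS = Date.UTC(2024, 10, 1); // assumed cutoff: 2024-11-01T00:00:00Z

function u16(n) {
  const b = Buffer.alloc(2);
  b.writeUInt16BE(n, 0);
  return b;
}

// One SCT: version(1) log_id(32) timestamp(8, ms since epoch) extensions(2+n)
//          hash_alg(1) sig_alg(1) signature(2+n)
function parseSct(b) {
  let off = 0;
  const version = b.readUInt8(off); off += 1;
  if (version !== 0) throw new Error("unsupported SCT version " + version);
  const logId = b.subarray(off, off + 32).toString("hex"); off += 32;
  const timestampMs = Number(b.readBigUInt64BE(off)); off += 8;
  const extLen = b.readUInt16BE(off); off += 2 + extLen;   // skip extensions
  const hashAlg = b.readUInt8(off); off += 1;
  const sigAlg = b.readUInt8(off); off += 1;
  const sigLen = b.readUInt16BE(off); off += 2;
  const signature = b.subarray(off, off + sigLen); off += sigLen;
  if (off !== b.length) throw new Error("trailing bytes in SCT");
  return { logId, timestampMs, hashAlg, sigAlg, signature };
}

// SignedCertificateTimestampList: total_len(2) then repeated sct_len(2) + sct
function parseSctList(buf) {
  const total = buf.readUInt16BE(0);
  if (total !== buf.length - 2) throw new Error("bad SCT list length");
  const scts = [];
  let off = 2;
  while (off < buf.length) {
    const len = buf.readUInt16BE(off); off += 2;
    if (off + len > buf.length) throw new Error("SCT overruns list");
    scts.push(parseSct(buf.subarray(off, off + len)));
    off += len;
  }
  return scts;
}

// The decision ignores notBefore entirely: only log-issued timestamps count.
function trustDecision(sctListBytes, cutoffMs = CUTOFF_MS) {
  const scts = parseSctList(sctListBytes);
  if (scts.length === 0) return { trusted: false, reason: "no SCTs" };
  const earliest = Math.min(...scts.map((s) => s.timestampMs));
  if (earliest >= cutoffMs) {
    return { trusted: false, reason: "earliest SCT not before cutoff", earliest };
  }
  return { trusted: true, earliest };
}

// --- constructed sample data (not real log IDs or signatures) ---
function buildSct(logIdFill, timestampMs) {
  const sig = Buffer.from([0xde, 0xad, 0xbe, 0xef]);   // placeholder, never verified
  const b = Buffer.alloc(1 + 32 + 8 + 2 + 1 + 1 + 2 + sig.length);
  let off = 0;
  b.writeUInt8(0, off); off += 1;                       // SCT version v1 = 0
  b.fill(logIdFill, off, off + 32); off += 32;          // fake 32-byte log id
  b.writeBigUInt64BE(BigInt(timestampMs), off); off += 8;
  b.writeUInt16BE(0, off); off += 2;                    // no extensions
  b.writeUInt8(4, off); off += 1;                       // hash: sha256
  b.writeUInt8(3, off); off += 1;                       // sig: ecdsa
  b.writeUInt16BE(sig.length, off); off += 2;
  sig.copy(b, off);
  return b;
}

function buildSctList(scts) {
  const body = Buffer.concat(scts.map((s) => Buffer.concat([u16(s.length), s])));
  return Buffer.concat([u16(body.length), body]);
}

// Usage: a cert first logged 2024-10-15 passes (its second SCT being later is
// irrelevant); one first logged 2024-11-05 fails, whatever its notBefore says.
const oldCert = buildSctList([buildSct(0x11, Date.UTC(2024, 9, 15)),
                              buildSct(0x22, Date.UTC(2024, 10, 5))]);
const newCert = buildSctList([buildSct(0x33, Date.UTC(2024, 10, 5))]);
console.log(trustDecision(oldCert), trustDecision(newCert));
```

The length checks matter more than they look: the list and each SCT carry their own length prefixes, and a parser that trusts them without bounding them against the enclosing buffer is the classic way to read past the end of an extension.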
"It forbids them, for the rest of their lives, from criticizing their former employer. Even acknowledging that the NDA exists is a violation of it."
I find it hard to understand that in a country that tends to take freedom of expression so seriously (and I say this unironically, American democracy may have flaws but that is definitely a strength) it can be legal to silence someone for the rest of their life.
> As CEO, I approved and took responsibility for our ambitious staffing trajectory—this is on me
Reminder that Vlad Tenev received $800M in compensation in 2021. In the same year the company made terrible bets on crypto and banking, took an irreversible reputation hit among its core user base because of the GME fiasco, had multiple user data breaches, was subject to several investigations and was fined hundreds of millions by the SEC and other regulatory bodies, and saw its share price drop by 90%.
At this point "taking responsibility" would mean resigning and letting someone more competent fix his messes.
The GameStop fiasco rightfully killed their reputation among their absolute core fanbase, who gave Robinhood the word of mouth that got them off the ground.
Those people are never coming back, and they're never going to have anything good to say about Robinhood.
GP was stating that 50% of tech workers at big companies are redundant. Armed with that knowledge he should be in a stellar position to found a company that is very profitable compared to its competitors who incur double the labor costs. This incredible competitive advantage will enable him to become the next Google eventually.
Sounds plausible? No? I wonder where the error is.
The font is used by the TeamViewer website. When inviting a partner to a TeamViewer session, one can do so by sharing the invitation URL.
The invitation URL looks like this (where XXXXXXXX is the session code):
https://get.teamviewer.com/v15/en/sXXXXXXXX
The website will check if a TeamViewer font is installed (using JavaScript). If the font is found, the website assumes that TeamViewer is installed. The TeamViewer installer also registers a protocol handler in the operating system.
The website (JavaScript code) will thus try to launch TeamViewer directly using a URL like the following:
teamviewer8://instantsupport/?sid=XXXXXXXX
Otherwise, if the font is not found, it will prompt the user to download and install the TeamViewer application.
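The detect-then-launch flow described in the comment above, as an added example (not TeamViewer's code): probe for an installed font by comparing text metrics against generic fallbacks, pull the session code out of the invitation URL, and either hand off to the registered protocol handler or fall back to a download page. The font name, probe text, download URL and the accepted session-code character set are assumptions; the scheme `teamviewer8://instantsupport/?sid=` is as quoted in the thread. The one hardening step worth copying is the allowlist on the session code: whatever lands in the custom-scheme URL is passed by the OS to a native program, so the page should never forward arbitrary URL content into it.

```javascript
// Added example, not TeamViewer's code: font-probe detection, then launch via
// the OS protocol handler or fall back to a download page. Font name, probe
// text, download URL and the session-code charset are assumptions.
const PROBE_FONT = "TeamViewerProbeFont";            // assumed name of the installed font
const PROBE_TEXT = "mmmmmmmmmmlliWWW@#";             // mixed glyph widths expose font differences
const FALLBACKS = ["monospace", "sans-serif", "serif"];
const DOWNLOAD_URL = "https://www.teamviewer.com/download/";   // assumed

// Measure PROBE_TEXT with "<probe font>, <fallback>" and with the fallback alone.
// Browser only (needs <canvas>); under Node this returns null.
function measureWidths(probeFont) {
  if (typeof document === "undefined") return null;
  const ctx = document.createElement("canvas").getContext("2d");
  const withProbe = {}, fallbackOnly = {};
  for (const f of FALLBACKS) {
    ctx.font = "72px '" + probeFont + "', " + f;
    withProbe[f] = ctx.measureText(PROBE_TEXT).width;
    ctx.font = "72px " + f;
    fallbackOnly[f] = ctx.measureText(PROBE_TEXT).width;
  }
  return { withProbe, fallbackOnly };
}

// Pure decision: if the probe font is missing, the browser silently substitutes
// the fallback and the two widths agree for every fallback. Any difference
// means the probe font actually rendered, i.e. it is installed.
function fontInstalled(withProbe, fallbackOnly) {
  return FALLBACKS.some((f) => withProbe[f] !== fallbackOnly[f]);
}

// Session code = trailing path segment "s<code>". Only an allowlisted charset
// is accepted (assumption: alphanumeric, up to 32 chars), because the value
// ends up in a custom-scheme URL that the OS hands to a native handler.
const SESSION_CODE_RE = /\/s([A-Za-z0-9]{1,32})$/;
function extractSessionCode(invitationUrl) {
  let u;
  try { u = new URL(invitationUrl); } catch (e) { return null; }
  if (u.hostname !== "get.teamviewer.com") return null;
  const m = SESSION_CODE_RE.exec(u.pathname);
  return m ? m[1] : null;
}

function launchUrl(sessionCode) {
  if (!/^[A-Za-z0-9]{1,32}$/.test(sessionCode)) throw new Error("refusing unsafe session code");
  return "teamviewer8://instantsupport/?sid=" + sessionCode;
}

function decide(invitationUrl, installed) {
  const sid = extractSessionCode(invitationUrl);
  if (sid === null) return { action: "reject", reason: "no valid session code in URL" };
  return installed ? { action: "launch", url: launchUrl(sid) }
                   : { action: "download", url: DOWNLOAD_URL };
}

// Browser entry point; under Node (no document) it reports "unknown".
function run(invitationUrl) {
  const w = measureWidths(PROBE_FONT);
  if (w === null) return { action: "unknown", reason: "not in a browser" };
  const d = decide(invitationUrl, fontInstalled(w.withProbe, w.fallbackOnly));
  if (d.action === "launch") window.location.href = d.url;
  return d;
}

console.log(run("https://get.teamviewer.com/v15/en/s12345678"));
```

Note that the same metric-comparison trick is a generic installed-font fingerprinting primitive: any page can use it to learn which applications a visitor has installed, which is why browsers have been narrowing what font queries reveal.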
I think I'm not surprised, and I share the sentiment, largely for 2 reasons: (A) I see Uber as significantly less "exploitive" than most or all other work relationships, and I think the term is quite frankly confusing, and (B) I think overall that if laws are bad/unjust it is good to defy them.
Re: (A) If you really zoom out to the history of labor, it is a huge stretch to say Uber drivers are "exploited". They have almost perfect clarity on what they are being paid to do, they do it and it matches VERY closely the expectations, and they get paid in a timely fashion on the agreed-upon timeline. They have no lock-in, and can quit on a moment's notice. There are so many drivers globally who use Uber and vote with their labor. Frankly, it's generally very easy work too, compared to almost every other job (I'm sure it has its moments).
If I were to try and make the Steelman argument for why workers are "exploited", I can come up with basically 2 things:
1) Workers are incapable of deciding what is the right work for their situation.
2) No worker should earn below $x for any reason, and it is better that they be unemployed.
In my experience, I have found that people are very savvy about money when it comes to earnings. Where people have issues is long term planning, but short-term, I have found people are very good at "this hack makes my job easier/make me earn more". So I don't buy either of these arguments, I believe it is generally a pessimistic and paternalistic view of workers.
I don't believe using the term "exploited" is generally helpful here, as it is an emotional term and not specific enough to address. If you were to break it down, we could have a real discussion.
Re: (B) You can't really look at the laws for moral guidance. There are many bad laws out there that many, many people disregard (e.g. the average US citizen commits 3 felonies a day https://www.amazon.com/Three-Felonies-Day-Target-Innocent/dp...). It is totally possible in many cases to break laws justly and comply with laws unjustly. You can look at the "illegal" actions of Rosa Parks and Gandhi for extreme examples of just lawbreaking. There are laws that are absurd; for example, in New York during COVID it was both illegal to wear a mask and illegal to not wear a mask. But there are many other smaller examples in people's lives where they think breaking the law is the right moral thing. And the reason most people support Uber's "law breaking" is that it was NET better for everyone than the old system, both drivers AND passengers. This passes a moral "smell test" for me. If one action is illegal and the other legal, but everyone is better off doing the illegal thing, then the law is the problem. The legalization of marijuana is another example of trying to reconcile this type of thing. Everyone is better off if it is just legal.
A lot of the conversation here is based on anecdata (interactions with Uber drivers or cabs) or people projecting what it's like to be a driver on Uber and how they are unwittingly being exploited.
I worked at a company that provided products to Uber, Lyft and DoorDash drivers, and personally interviewed well over 200 drivers (along with having access to detailed data on a much larger dataset). The vast majority of drivers we talked to did not feel like they were being 'exploited' and generally liked the flexibility of the gig economy. Most workers were part time, working to supplement income from other jobs or in between other gigs; in fact, when I was there, most drivers worked less than 6 months before stopping. I would say these people have a much better sense of whether they are being exploited than people who are not in their shoes.
There was a small but important minority (we called them 'professionals') for whom driving had become their full time profession (most were not cab drivers before) who were perpetually annoyed by uber and their main gripes tended to be the changing promotions systems, and algorithmic changes that reduced/limited profitable rides (like airport pickups) and just general loss of control.
None of the attacks are feasible in a trusted environment. If your code isn't running in an environment where other processes from untrusted sources are also running, these timing side-channels and their mitigations are irrelevant.
If an untrusted source gets shell access to your trusted platform/server/container and can run payloads, you're already screwed six ways from Sunday and the rest of the discussion is moot. It's security theater specifically because individuals and organizations following these blind mitigation recommendations don't assess the attack surface that's being exposed.
A school teacher wearing a condom is strictly speaking safer than the alternative, and yet someone should still be fired.
Performance Improvement Plan. On paper, it's a program where management works with you to improve your weak points so you don't get fired. In practice, it's HR protecting the company by documenting reasons to fire you before they fire you.
It's rare (not unheard of, but rare) to work your way out of a PIP. In general, if you get put on a PIP, I would immediately start doing some soul-searching as to why I might be on the PIP and how I can improve AND I would start looking immediately for a new job.
It took over five years to find the reservoir species for SARS, and decades for most viruses. It's not evidence at all because the facts match the expected result.
I don't know exactly what information you would want. Every single paper about virology research from the institute was published with western authors. Had there been something wrong in the raw data or safety logs those authors would have said so.
Instead they say that everything is normal.
There is a weird double standard here of ignoring data that goes against this hypothesis and interpreting things that happened for every single other zoonosis in the world to be indicative of a lab escape. Such as, for example, three people out of six hundred presenting with symptoms of seasonal illnesses in the appropriate season.
I'm repeating myself, but I'm pretty certain the NSA or other intel agencies (Israel, especially, considering their netsec expertise) have already done it in one way or another.
Do you remember the semicolon that caused a big wifi vuln? Hard to really know if it was just a mistake.
I'm going full paranoiac here, but anyway.
You can also imagine the NSA submitting patches to the Windows source code, without the knowledge of Microsoft, and so many other similar scenarios (Android, Apple, etc.).
Let me play devil's advocate here. Such pen-testing is absolutely essential to the safety of our tech ecosystem. Countries like Russia, China and USA are without a doubt, doing exactly the same thing that this UMN professor is doing. Except that instead of writing a paper about it, they are going to abuse the vulnerabilities for their own nefarious purposes.
Conducting such pen-tests, and then publishing the results openly, helps raise awareness about the need to assume-bad-faith in all OSS contributions. If some random grad student was able to successfully inject 4 vulnerabilities before finally getting caught, I shudder to think how many vulnerabilities were successfully injected, and hidden, by various nation-states. In order to better protect ourselves from cyberwarfare, we need to be far more vigilant in maintaining OSS.
Ideally, such research projects should gain prior approval from the project maintainers. But even though they didn't, this paper is still a net-positive contribution to society, by highlighting the need to take security more seriously when accepting OSS patches.
If it's AWS, the quickest path to doing this securely is AWS API Gateway mTLS authN[0]. You generate some certs, stuff the public halves in S3, slap an ACM cert on the Gateway, and you're done.
I have also used certificate authentication on TLS-terminating reverse proxies (e.g., this is easy to do with HAProxy) to do the same in other environments. You can pin the API's certificate on the client end in order to further reduce MITM risks.
If you don't want to supply a client certificate in your client application, Stunnel[1] is an acceptable wrapper that lets your clients remain TLS-unaware. You could use it for both ends of the tunnel, if you felt like it.
Either way, you end up with a secure tunnel through the internet to the proxy, at which point you're back inside private networks.
(Source: I build this kind of thing for a living.)
> The war on drugs was started as a way to target people of color by Nixon
So was Planned Parenthood.
Instead of endlessly prosecuting the past, which can never change, let's look at today and tomorrow instead.
Or, if you prefer, we could look at the exact opposite approach- the Opium wars were fought to force China to allow the sale and consumption of opium, the extensive use of which was practically epidemic.
As such, it could also be argued that legalizing drugs is an attack on minorities, who are disproportionately poor and thus prone to consumption: a return to the days when inner cities were ravaged by crack.
Things are way more complex than just pointing at simplified versions of history and banging on the race drum.
It looks like drug laws are bound to become a cycle.
1- Drugs are cool, and not really an issue, people take them mostly reasonably.
2- Hey, drugs can be addictive, that's when people stop being reasonable
3- Too many drug addicts, it is a real society problem
4- People demand strict laws, drugs are not cool anymore
5- Parents, who have seen the damage done by drugs support these drastic laws, and tell their kids how bad drugs are
6- Kids, who didn't experience a real drug epidemic, start questioning what their parents told them, and realize that taken reasonably, drugs are not that bad
7- These kids, now adults, seeing how harsh anti-drug laws do more harm than drugs, demand more tolerance
For anyone interested, the original design doc for QUIC from 2013 [0]. Really good writeup, both in terms of engineering spec / architectural design. I recommend reading through if you have the time.
Let’s not pretend this is anything other than just plain old geopolitics with TikTok caught in the middle.
Going by "national security" reasons most countries should ban Facebook and Google, not to mention Amazon, Microsoft, Oracle, Cisco etc., since the US government has already shown willingness and ability to spy on anything they can get their hands on, including foreign heads of state. Allowing US-controlled social media and other tech companies is a huge risk.
Of course power doesn’t balance that way so they don’t.
Give me a break. I have been living in China and this man has no idea what he is talking about. He is talking about pre-bubble China.
People are comparing the official numbers of governments in the West, like Covid expansion, economic growth, investment in R&D and so on, with the Chinese ones. But the Chinese numbers are just a lie.
You just cannot trust whatever numbers the Chinese give you. You cannot trust any government in the West either, but those governments have democracy, journalists that can expose the truth or reality, competition and, super super important, rule of law.
In the West you can expose what your government does badly, by law. It is not perfect but orders of magnitude better than in China.
For example, journalists or scientists can investigate Covid traceability; in China it is just officially forbidden.
Belgium has one of the biggest official numbers of coronavirus deaths just because they lie less than other governments like Spain, which actually have bigger real numbers. And Chinese numbers are in another league.
You just cannot compare the numbers given by democratic governments with those of totalitarian regimes, because on paper they are fantastic, but in reality they are not true.
In China everything is controlled by the CCP, including (especially) the statistics.
People that have never lived there just cannot comprehend how amazing the structures that we have in the West (which took centuries to develop) are.
We take those structures for granted and believe other countries have them and are playing by the same rules as we do, but they do not.
China has lots of problems today; floods and Covid have created havoc in the economy, much more than in the West. It is not easy to feed the enormous population they have.
But you don't know about it because giving bad news about China is just forbidden. In fact China has censored Western articles about China (Do you want face masks? We are sorry, but until you remove that and that person that criticizes China in your media you will not have face masks.)
The population is growing older fast, they have fewer women than men because they abort girls, and they cannot do anything about that because abortion there is super easy.
When the economy was booming everything was great. People lived a tough life but expected their children to live much better. When the bubble bursts it is completely different.
The US has a much brighter future than China. I say that as a European. People in the USA have kids and they have many more resources because of the small population density.
Changing a port adds one bit of entropy. Not being forced to use "admin" as a username adds a whole bunch, but at least one bit. Not being forced to use https://url/admin also adds another bunch, but at least 1 bit.
Of course, if any of these things are known the entropy drops to zero... Just like a private ssh key that gets pwnd.
All too often I see tickets on open source projects asking for changes to allow better obfuscation, which are then denied using the mantra "obscurity is not security".
They all add bits of entropy to a security and/or threat model that maintainers ignore.
You want to learn about BGP in order to understand how routing on the internet works. The book "BGP" by Iljitsch van Beijnum is a great place to start. Don't be put off by the publication date, as almost everything in there is still relevant.[1]
Once you understand BGP and Autonomous Systems(AS), you can then understand peering as well as some of the politics that surround it.[2]
Then you can learn more about how specific networks are connected via public route servers and looking glass servers.[3][4][5]
Probably one of the best resources, though, is still to work for an ISP or other network provider for a stint.
Unfortunately, this infrastructure is at an uncanny intersection of technology, business and politics.
To learn the technical aspect of it, you can follow any network engineering certification materials or resources that delve into dynamic routing protocols, notably BGP. Inter-ISP networking is nothing but setting up BGP sessions and filters at the technical level. Why you set these up, and under what conditions is a whole different can of worms, though.
The business and political aspect is a bit more difficult to learn without practice, but a good simulacrum can be taking part in a project like dn42, or even just getting an ASN and some IPv6 PA space and trying to announce it somewhere. However, this is no substitute for actual experience running an ISP, negotiating percentile billing rates with salespeople, getting into IXes, answering peering requests, getting rejected from peering requests, etc. :)
Disclaimer: I helped start a non-profit ISP in part to learn about these things in practice.
1. It's all about diversity and equality these days, meaning everything should be distributed proportionally based on race population and by gender. The ultimate goal will be wealth re-distribution (or communism); until then, it is not going to stop.
2. Especially in hi-tech and elite universities.
3. The NBA is an exception; actually, all sports can be exceptions.
4. Asians are not considered a minority when it comes to college admissions, so what does minority mean?
5. MIT and many other STEM universities have a 50:50 boys-to-girls ratio; if not, it's called gender discrimination.
...
So, let's throw out SAT/ACT/GPA and admit people via 'holistic' review, i.e. totally subjective, which means the more miserable you are, the better chance you will have. We joked as parents that the best we can do for our kids is go to jail, do drugs, go bankrupt, so our kids can get some benefits. Nice, law-abiding families are basically punished.
I have not seen anywhere more communism-like than the USA now: you cut corners because of your race or gender, merit-based is racism, we're going to hell.
I wish those AA pumpers would get a doctor who was admitted/graduated/career-ed based on AA rules when they need a cure the most at hospitals.
I've already seen people jokingly use the term "Schrödinger's minority" to refer to Asians and Indians. They're excluded from minority statistics when trying to push for more diversity hires, but included in minority statistics when trying to show how many successful businesses are run by minorities.
I disagree. I think the primary beneficiaries are the universities themselves and their alumni networks. Employers, particularly elite employers, know about affirmative action - and not just racial affirmative action. Job candidates are sometimes judged by employers in the context of advantages they might have received - employers are known to "unconsciously" penalize candidates who list diversity clubs, fraternities (legacies), and sports teams - three signals that a candidate may have received a non-academic boost in college admissions. In the United States, the right sometimes calls this effect w.r.t. race the "Clarence Thomas effect," as he famously struggled to find any law firms that would employ him, despite having a law degree from Yale. Many universities with affirmative action, including elite universities, also have a racial gap in the graduation rate and average GPA exiting university - suggesting that some of those black C-GPA Harvard students (well, black C-GPA Princeton students, Harvard doesn't really give Cs) could have been B or A students at Carnegie Mellon or Emory and had an easier time finding employment after graduation. So while some members of the minority group may benefit from affirmative action, I'd argue that many more members of the minority are actually hurt by affirmative action, either because they're forced to compete slightly above their abilities or because they're evaluated as if they received unfair advantages by employers after college.
I've had a couple of observations about this whole process, and I would love to be convinced (either way!) with real data / evidence.
1) For all the contortions that universities in the US go to, to adjust and hand-tune their population -- does it produce a meaningfully better class than if they used a simple score cutoff? Would such a class (chosen by simple, unbiased score cutoff) be so much worse at innovation, leadership, (alumni donations??) than a class chosen by our heavy judgement-laden process? Sports, maybe?
What is all this extra effort and political decision-making worth, in actual outcome? Many other countries use purely exam based entrance. Or allow anyone in, and test them once there and kick out if they don't pass. What is the value of the "high judgement" method of admissions? Is it that you're more likely to produce a president or CEO?
2) To echo Justice O'Connor's final question on the matter in oral arguments, when do we know that we're done with this policy? Who says we're done and fixed the situation? How will we know we've reached a point where we can agree that we've achieved something that was the goal, or is it just arbitrary, up to whomever is in power at the moment? If not, will this just go on forever? Is that not ripe for some bad side effects, or worse, corruption of the process?
3) Why have universities adopted themselves as the place where this modification of outcomes should be applied? As I understand it, the problem of diversity etc. etc. happens long before the college/university stage. Attempting to fix it at the end does no one very much good, than if the effort was applied earlier in students' lives. Or, the metrics by which you decide if it's working become softer and softer.
I struggle to find satisfactory answers to these questions, and therefore don't find myself convinced for why AA is reasonable (or legal).
See also https://certificate.transparency.dev/howctworks/