If you support export controls for security reasons, this is kind of inevitable.
The government shouldn't be forced to buy any type of military technology someone creates. But even if the government won't buy your tech, it still can be dangerous in the hands of other countries.
One could argue that if the government is preventing you from selling your tech abroad - there should be some sort of compensation for this.
Others could argue that's just the cost of being in the business of weapons manufacturing.
The Government never pays out on 28 USC 1498 claims (Government infringement of a patent) either. I once filed FOIA requests to get data on this.[1] The administrative claim procedure is useless. You have to file suit in the Court of Claims to collect.
One reason for this turns out to be that if the agency settles, it comes out of their budget, but if the agency loses in the Court of Claims, it comes out of a separate Treasury fund for claims against the Government.
If he were willing to put himself in the a position where the US government could claim he had broken the law sure he could do whatever he wants. That would arguably make his bargaining position worse though because then he has the US government after him for what they will likely frame as espionage and he would be dependent on the good will of some other government which effectively puts him in an Assange Snowden style predicament.
Development is the risk involved in that business no? After you have a contract you are guaranteed to sell a certain number of units and the risk disappears. Seems like a good way to private the gains and socialize the losses.
In the past it was illegal to export cryptography, which lead to some ridiculous situations. I once found an export restriction that says it's illegal to export neural network technology (or at least if it's applied to ASICs or FPGAs.) I doubt many people in the industry are familiar with this. Now that Google is starting to produce NN ASICs and Intel is building NN instructions into its chips, this is a serious concern.
Export regulations have been relaxed since 1996 in the U.S. but export is still regulated and may require review and license from Department of Commerce's Bureau of Industry and Security.
One should argue that being prohibited from talking about your technology is a 1st amendment violation, and if we are to have the concept of "Intellectual property" then the government banning you from selling it would be a 5th amendment violation with out just compensation.,
However given that the constitution is widely ignored by the US government today, with full support of the court system, it is unlikely that the constitution will protect anyone.
The authority to create copyright and patent law is most certainly in the constitution, if it were not all copyright and patent law would be unconstitutional
People seem to forget what the constitution is, the Constitution grants government its power, if the constitution is silent on a matter than the government is suppose to be powerless, is not suppose to engage in that activity.
This means a whole host of things the government does, should be unconstitutional, but sadly the courts have interrupted the constitution to include powers it does not contain.
An interesting exercise would be to find court rulings that refer to "intellectual property" rather than to some specific thing that gets dumped in that basket.
I wanted to buy a new rifle stock from the USA, but apparently since it's over US$100, it's a controlled export (firearm component). It's a damn piece of timber with a couple of holes in it!
Apparently I'd need an export certificate to get it out of the USA, which of course requires stacks of paperwork. No issues getting it into New Zealand though, no restrictions at all (I think magazines and receivers are the only parts that require import certificates).
Export controls are there to prevent killing machines getting in the hands of a countries enemies (or potential enemies in the future)
In practice that isn't, umm, practical. Consider the Falklands war - Argentina had Type 42 destroyers sold to them by Britain, and Exocet missiles sold by fellow NATO member France.
Those are more the exceptions that prove the rule, though. I don't see any other countries with B-2s or other major US weapons systems, unless the US intended it.
Not really. Every country that has weapons development also has export controls.
It isn't about believing your government is moral or good.
Its about understanding that your government is responsible for the safety of citizens, and that your enemies will want to kill you (or at least kill your soldiers).
There is a sibling comment that was flagged to death that makes a reasonable point. The word "enemy" is used in political rhetoric as if enemies are a force of nature, like hurricanes or earthquakes. But "enemies" are just people, and there's very little discussion about why those people want to kill those other people, or how their existence is blowback (or even an intended result) from yet another operation against some previous enemy.
I would be much happier with US strategy if the discussion always began with metaanalysis of the motivations and origins of a putative enemy, with the focus on social and humanitarian means to prevent the formation of new problems.
Nothing about dkopi's comment requires one to view the US as good and her enemies as evil, or for him to be American. Anyone whose gov't develops or pays other to develop weapons has at least a passive interest in those weapons not being turned on them.
Well for 1 & 2, this story is about a guy who is from the US, and is trying to sell military tech to the US. Either he supports the US, or he doesn't care what his military tech is used for. Either way he can't really claim the moral high ground if he turns around and sells it to "enemy" countries.
But you don't really need to assume any of that. If you just assume that spreading military tech is a net negative, then this is good. I don't support the US's use of drones, but I especially don't want other countries to have drones. I don't support the use of nuclear bombs, but I certainly don't want other countries to have them. Whether the country is good or not, I think advancing military tech is at best neutral, and at worst very, very bad.
Obviously the internet and GPS are mostly used for civilian applications. Are you really going to argue that there is a huge civilian market for stealth boats?
GPS is still 100% military, the US Military can kill the civil band of GPS at any time it wants, all of the satellites are own, operated and maintained by US Sat Com.
The internet started as a ARPA research project, the fact that it is used by civilians today is not relevant to the conversation
You stated that "I think advancing military tech is at best neutral, and at worst very, very bad." GPS and the Internet are 2 prime examples of Military Tech has that massively improved the world. Nuclear Power being a 3rd, I can cite 1000's of others.
No I would not be upset is some local corporation sold breakthrough military technology to that "enemy"...
I lived through the first cryptowars, I do not have the desire to give the government that kind of power
I see the resurgence of the new cryptowars on the horizon, government can not be trusted to choose what information should be public and what should be secret
There's nothing unlibertarian about a private business making up its own terms of services and privately enforcing them. That's exactly how the free market self regulates without the use of force.
When a single business dominates an entire industry in such a way, it's not just a "private business" anymore - it's an institution and should be treated as such.
I must admit that it's amusing to see libertarians complaining about the decisions made by a private business and implying that the government should step in.
This reminds me of an op-ed in my private college's newspaper written by a self-described libertarian that using a portion of tuition to create a scholarship fund was a socialist redistribution of wealth.
Twitter isn't sinking. It just isn't ascending as fast as investors would like to ensure hyper growth.
While its always great for your career to be in a company that's constantly growing - sometimes being that person that can help the company do a lot more with less resources is even better for your career.
When everyone's jumping ship - the people who choose to stay on-board can often be very rewarded as far as their career growth goes.
Having half the guys around you laid off [or about to be] is not what I would call "ticking along comfortably".
Twitter is not a 100 000 people company where there's a 300 people division being restructured. It's a major management failure that needs at least 50% of lay off. At this scale, it will reflect to the entire environment and all the employees.
1. Not lean enough. That's why today's news bumped their share price.
2. Not great at leveraging value into revenue. That's what an acquirer would do, ostensibly.
Plus, the specifics of the Disney/Google rumors are of dubious veracity. Don't put too much, er, stock into them.
You could argue that they've hit peak audience and that might be fair. A change in leadership would probably push Twitter into becoming a more aggressive on the acquisition front itself, too. Basically, a lot of untapped value and too much overhead.
This often happens when I'm travelling internationally. If I plan on buying a local sim card instead of purchasing a roaming plan - I might not have access to my SMS until I get back home.
Get a next gen phone; They should all do Wifi Calling now. This causes your phone to tunnel the cellular via internet link, and you get full call and sms coverage.
Of course, 2FA via SMS is a bad and deprecated pattern and needs to die! But! you can get your phone overseas without roaming which is pretty neat.
Mistakes were made, and there are definitely lessons to be learned, but if we want to improve the state of security, we really need to change the way we react to these types of bugs.
If a service has an outage and a company posts a postmortem, we all think: "wow! that was an interesting bug, lets learn from this".
We shouldn't be treating security issues differently.
People who make security mistakes aren't idiots. They aren't negligent. They're engineers just like us, who have tight deadlines, blindspots and mistakes.
Shaming people and companies for security bugs will only cause less transparency and less sharing of information - making us all less secure.
This is a really cool bug. Kudos to the researcher for finding it, responsibly reporting it, and to paypal for fixing it in a timely fashion.
Hopefully - this type of bug changes some internal processes and the way the company thinks about 2FA.
As for security questions - these are obviously insecure, and should really never be relied on. If you can opt out of security questions - do so. If you can't - just generate a random password as the answer. "I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog / high school. Just don't forget to use a password manager to store these.
I disagree. Your "lets be super nice to everybody" strategy has come to an absurd conclusion. Is there no-one who can be held accountable for competency which they claim, when it comes to computer stuff?
PayPal doesn't write on its websites "We're some enthusiasts with no software or security experience. Let's see how well this works, together!" No, like everyone in this industry, PayPal claims its security experts have your money and financial information super secure. It's one of the first in this space, and has almost two decades of experience.
This wasn't a tricky subtle bug, this was obvious. This should have been caught in code review and tests. PayPal should be afraid of rolling out slick easy-to-use features without code review and tests. It is many years too late for PayPal to be learning the basics.
>I disagree. Your "lets be super nice to everybody" strategy has come to an absurd conclusion.
You and I must have read a different response, cause I saw nothing in there about "being super nice to everyone." What I saw was a reasonable request not to commit the Fundamental Attribution Error. Which is paraphrased as: when I screw up, there were extenuating circumstances. When you screw up it's cause you're a moron.
A company comprised of otherwise reasonable people can behaving shockingly dumb. The only way to make companies learn is to impact their bottom line, and that means not-nice words need to be said.
> If you can't - just generate a random password as the answer. "I_ty/:QWuCllV?'6ILs`O12kl;d0-`1" is an excellent name for your first dog / high school. Just don't forget to use a password manager to store these.
Be wary of social engineering attacks though.
- <support on the phone> I'd also need you to provide me an answer to your security question. What was your first dog's name?
- <me> Oh, you know, it's a long string of random characters I generated, I'd have to give them to you one by one...
- <support> (looks at the answer) uh, right. I see. Let's continue then.
I always fill all social engineering-vulnerable questions with nonsense, especially when it is a banking site. I like when they let you set the question yourself so you can put something like "Why would a secure financial institution allow such a horrible security hole in it's system?" To which the answer is Tyrolese4Tokyo_Beulah!Papuan.
I fill them with nonsense words unrelated to the question. Mother's maiden name? Fire truck. First car? Air conditioner.
If I have to call a company they always ask me why. The explanation is anyone who has me as a Facebook friend can figure out who my first girlfriend was, my maternal grandmother's first name, my mother's maiden name, where I was born, my first car, etc. And if every company has the same data, a data breach at one makes the entire system fall apart.
Same here. But recently, United airlines changed their system to only allow selecting from a list (your favorite dog breed ? Choose 1 of 8. Your favorite movie genre? Choose one of 12). I picked a random set and wrote it in my password stash.
And the answer is "because, by and large, it works just fine". Yes, people fall afoul of these kinds of questions, but the general public cannot handle proper security hygeine - and educating them takes so much effort on both sides, that your customers will just go elsewhere. Proper security procedures would also lock a great many more people out of their own accounts than would be lost to fraud. Can't satisfy security questions? Well, take the morning off work on Monday morning and bring in several forms of identification...
It's why ATM PIN codes are so short - it's easier for the bank to just reimburse losses in case of fraud than to properly/strictly control security access.
Any time I see someone talk about how dumb general banking security procedures are, it tells me that they've spent no time in tech support for the general public :)
But it must be said that GPU evolution, and that password cracking software developers are naturally going to go where the passwords are, that this type of simple password design does NOT work anymore.
How so? The point of a random-four-words password isn't that it won't be hit by existing brute force software, it's that it's easy to remember but impractical to brute force with any software - with a 60,000 word dictionary there are more than 2^63 possible passwords.
That's true, but the whole point of the strip was that you use words that evoke an easily-memorable scene in your head.
That will probably mean you can confine your list to words that most people know, which reduces the search space significantly. "correct", "horse", 'battery" and "staple" are all very common words.
Is it really an easily-memorable scene or has the strip just been referenced in every HN and reddit discussion about password security? There is no way I'm remembering some random story for an account I login to once a month. The point is to have a password that is easy to see in a password manager and then type on a different device. Seeing D8hsegfw_#7Ax42 and then trying to type it into a hidden password field is painful esp. on a phone. Seeing Dynamo-Stench3Player and typing it in is very doable.
Irrelevant. It works fine for passwords too. The security of "correct horse battery staple" method is (nearly) optimally resistant to GPU (or any other) brute force attack.
Generally what I do is put something tangentially related to the question.
For example, "What's the name of your high school?" would be answered with something like "Khan Academy" (the name of a site that helped me) or "Mr. Jefferson" (A teacher, or best friend)
Mine was Rainy Purple Road. Then I get to educate the person on the phone to, in her personal life, never give the correct answer to anything googleable for a security answer. That usually involves a discussion of Sarah Palin...
at least with one of my banks customer support centres this wouldn't happen, if you stumble for a split second they shut down the call and tell you to go into a branch to verify your identity, this is pretty annoying...
That's terrible, because it makes using password managers impossible (while on your phone for example, or you simply don't have it open that instant because you didn't know when/if they would ask).
While I strongly agree with the thrust of your comment, I'd like to chime in and say that this is not a cool bug. On the scale of web security bugs, this is the kind of thing you expect an intern to find.
I actually think the post was written in recognition of that fact, and was amused by the thudding, abrupt conclusion it had; it was like the author was sharing a joke. "Yup, it was that easy".
People who do this kind of security work (check out the rest of the author's posts) tend to be running their browsers piped through a local interception proxy. Once you develop the habit of mind to look for stuff like security parameters, it's hard not to notice these kinds of things. I think more developers should tool up the same way and learn the same habits.
The open source tooling here is getting better but the gold standard, used by virtually every professional application security worker in the industry, is Burp Suite. Lots of people have tried to make modernized, open source versions of Burp, but at this point cloning it is like cloning Microsoft Word.
If I was your director of security, one of the first things I'd do is build a plan to get all your developers trained up on Burp. It's useful for more than just security testing.
In addition to burp that's already had a mention, I'd recommend looking at OWASP ZAP. It's fully open source, which is nice and has had a lot of new features over the last couple of years.
It can also be integrated into CI pipelines for automated security testing.
All great points and true! The problem is PayPal hasn't been a great company to so many people their practices are abysmal. I've had my company account frozen more then once and it was a terrible experience and it's happened to lots of people. This is a company that makes a lot of mistakes and has bad judgement. They don't deserve my understanding. They haven't earned it. Other companies have.
But otherwise you are right. Less scrutiny more understanding so companies will be open and honest when they screw up.
Indeed - I've long since given up on security answers/questions as being secure. Kind of defeats the purpose of unique passwords if all the answers are common knowledge...
Had to laugh at one instance where I actually had to read out the 30 character secret answer on one support phone call :P
The problem is in PayPal's case, 2FA has been terrible for years. I've even been locked out of the account for a whole week because of their shitty SMS sending service. This prompted me to disable 2FA on Paypal, because weirdly enough that makes me feel "safer" (as in safer from losing my money due to Paypal's stupidity by being locked out of the account).
So in this case I'm certainly not one to say "hey, mistakes were made - let's give them another chance." They've been getting reports about their 2FA system for years. So there's no excuse at this point.
Exactly what I came here to say. My partner, son and I are looking forward to sleeping in your spare bedroom, and cooking in your non-spare kitchen, as well as setting up a play yard in your non-spare living room.
What you are both alluding to is exactly why the AirBnB model falls apart in most situations. You want your own thing, but you don't want to follow the law and respect others in the building (that have signed contracts in hand disallowing the practice). Every other owner or legal sublet in that building wanted their own thing. That's why they bought a unit or signed a lease.
That's not at all clear. The cost to resolve civil conflicts is something both basic economics and the law factors into regulation all the time.
Further: two very common kinds of contract we're talking about are with the state itself.
The first and most obvious is zoning, wherein the state promises to reserve some piece of land for a specific use, and private entities purchase that land with the expectation that it will only be used that way. It's for this reason that you can't build a hotel anywhere you want.
The second implied contract we have with the state are the codes and regulations governing residences. Long before Airbnb, residency codes had tenancy requirements.
Finally, the law itself has something to say about people who enter into contracts in bad faith, deliberately misrepresenting their intentions or circumstances in order to obtain concessions: we tend to call that "fraud".
Chicken and egg. Subways enable density. Right now if you greatly increased the density of many SF neighborhoods, you'd overwhelm the transportation infrastructure. (Obviously there are neighborhoods with transit that could already support increased density).
Hilariously, I wrote my highschool senior thesis on this exact topic. It was a case study on Seattle, Houston, and New York and how density changed before/after transit was added. You can see the pattern pretty clearly, transit leads to density and not the other way around. Which makes sense, right? Because density can be increased one building at a time, but generally subways need a huge investment to put in an entire line at once and benefit from having an extensive network.
Is it really a Chicken and egg situation?
SF prices in the last years have skyrocketed, through out the city. The financial incentive to build is there. But there isn't massive building of new housing. That isn't because of the lack of subways. It's because of zoning laws and building regulations.
Thousands of new homes/condos are being built every year in SF, for the last few years. There is a massive amount of building going on, precisely because prices have skyrocketed.
However, more housing would be built, if the zoning laws and building regulations were less onerous.
I went to a private school. It was pretty non-traditional in many respects, and it wouldn't surprise me if writing a thesis wasn't common at other schools.
San Francisco[0] proper has a higher density than London[1], and slightly lower density than Paris[2] — two cities that have thriving subway + commuter rail systems.
I think you mixed up imperial and metric systems --- San Francisco has 18,451 people/sq mi. Paris has 55,000 people/sq mi. It's almost three times as much.
There's got to be a more useful metric than average city density; the 2010 US Census [0] places the 5 densest cities in the US as having a population under 70,000 (yes, I'm quoting Wikipedia). City planners must have a unit more like person-acres or something to get an idea of the actual spread of the density.
Standard density quotes for cities can be pretty misleading as it often reflects fairly arbitrary divisions. For example while Paris is indeed reasonably dense the oft quoted number is for a fairly small parcel of central Paris.
Moraga/Lafayette/Orinda is my favorite example of this in the Bay Area. I sympathize with the complaint that they aren't building enough, but I think the SFBARF/Lafayette lawsuit is stupid. Building more in those places wouldn't help us, because the transit capacity doesn't exist. Have you taken BART, or the Bay Bridge, or the Caldecott tunnel at rush hour? If 20,000 people move from the city to Lafayette, how do they get here for work?
But you can even find this in the city. Yeah, it'd be great to increase density in the Sunset. But have you actually commuted from the Sunset to downtown? It's a disaster. Muni is at capacity, and driving isn't an answer. You can cycle to work (I used to from 48th Ave), but that's a 7+ mile ride with a few hundred feet of elevation: it's not an easy casual ride for most people.
The idea that SF doesn't have the density to justify this stuff is... it's just not true.
San Francisco has a population density of 18,451/sq mi (7,124/km2)[1]. In the Unites States, That is denser than just about any place other than Manhattan. At peak times, busses are crowded and traffic sucks. Personally speaking as an SF resident, having more efficient public transit options would be awesome. I'll let others crunch the numbers of the feasibility of building & paying for it.
> In the Unites States, That is denser than just about any place other than Manhattan.
I think that depends on your definition of "just about." Every borough in NYC aside from Staten Island is much denser than San Francisco. Additionally, many parts of where I'm from – northern NJ – are even more so: Hoboken, West New York, Union City (the densest city in the country), Guttenberg (the densest township in the country), and more.
If you're talking about cities larger than a certain size, then perhaps, but even then, I personally think it's a bit misleading to single out just Manhattan.
It is not a matter of feasibility. Infrastructure transit produces tremendous returns in productivity. Even insanely overbudget projects like the Big Dig in Boston are already breaking even after only a decade, because of how much room for growth they produce.
This is why having fast rail, uncongested highways, and always expanding to meet demand are always worth the cost. Unless you can accurately forecast a downturn in regional economic growth irrespective of whether or not you meet transit demands, it is never rational from the perspective of long term city planning for maximum economic throughput to not grow the system and increase density.
Even as someone who lived on the periphery of Boston for much of the Big Dig, it's good that it was done--in spite of all the well-publicized problems. Of course, the fact that Tip O'Neill managed to funnel $10 billion or so of federal money to the city for the project doesn't hurt.
NYC has subways that extend out to less dense / borderline suburban neighborhoods. Though ridership to these terminals is much lower than in manhattan and northern brooklyn and queens, they're still an important way for some people to get to work.
I agree, however, that SF needs to build at a higher density (outside of FiDi and downtown) regardless of future subway infrastructure.
SF is the second highest density city in the US. I agree that as long as the NIMBYs prevent building housing, then SF won't really reap the benefits of improved transportation, but SF has pathetically bad public transport for the existing density. I live in much lower density Oakland/Berkeley, and I can get around by BART better than most city dwellers.
City-to-city comparisons suffer from all sorts of problems, not the least of which is that cities are defined according to their own historical, arbitrary borders that are practically meaningless when talking about actual issues.
Consider that NYC covers 302.6 sq/mi to SF's 46.69, which means that NYC isn't merely double the density, it's double the density over a much, much larger area.
This is why most serious comparisons are conducted at the level of the MSA (which would fold every one of the cities you're putting ahead of SF in density into a larger metro). Often, when laypeople compare cities, they're thinking about the MSA while quoting numbers they've found for cities-proper. That's why nobody in this conversation is thinking about Guttenberg, NY (and why mentioning it is almost a non sequitur).
I totally agree with you re: meaningless comparisons. However, I think the MSA comparison is pretty flawed as well.
For example, the Los Angeles metro area has a higher density than both NYC's and SF's (which is higher than NYC's), but it's obvious – to me at least – that in reality, considering only areas that most people would agree are remotely close to being in/near "the city," the density order of these three would be more like: 1) NYC 2) SF 3) LA.
But yeah, at the end of the day, I'm mostly being pedantic :)
Now guess which ones are central cities in their respective MSAs. Excluding those, guess which ones aren't part of the NYC or LA areas. Let's do ourselves a favor and exclude Poplar Hills, Kentucky (362). There's one city left, it's part of the Boston area (which is the next densest large city after SF), and you guessed it, Somerville has a subway with a separate light rail extension under construction. The only outlier is Sunny Isles Beach, FL (20,832), in the Miami area. And Miami? It's just after Philly, all known dense cities.
So yea, it's NYC, then SF, minus a couple pockets of LA. And these are all dense places that need subways. It takes a special sort of something to claim, as the top comment did, that SF is not dense enough to warrant a subway, let alone massive large-scale investment in all modes of mass transit as NYC has.
Which part do you consider an opening act of a cold war?
Launching a cyber attack in a foreign country - or arresting someone who launched a cyber attack?
The government shouldn't be forced to buy any type of military technology someone creates. But even if the government won't buy your tech, it still can be dangerous in the hands of other countries.
One could argue that if the government is preventing you from selling your tech abroad - there should be some sort of compensation for this. Others could argue that's just the cost of being in the business of weapons manufacturing.