2281 posts • joined 21 Dec 2007
Re: I used to underestimate Poe's Law too...
I was forcefully reminded just how much of "the internet community" is made up of people who are either 14 years old and don't know anything, or are completely lacking whatever genes are required to recognise "irony" when it beats them over the head
The whole point of Poe's Law is that it is impossible even for a competent human judge - or indeed any entity - to reliably distinguish satire. It's the opposite of what you're complaining about.
For example: While a majority of readers correctly determined that the Onion story in question is satire, how many, with no other context, would say the same of this one:
"Ferguson Cops Once Beat an Innocent Man and Then Charged Him With BLEEDING ON THEIR UNIFORMS"
Certainly that looks like satire, particularly as it too is directed at the beloved Police Department of Ferguson, Missouri. But it comes from a reputable source and appears to be true. It cites an actual charge sheet and court documents from the subsequent lawsuit filed by the victim[1]. Change the location to Detroit and it's satire[2]; keep it in Ferguson and it's just reporting the truth.
Poe's point was that people were posting satirical treatments of religion to the newsgroup that were indistinguishable from the sincere messages posted by their antagonists. "indistinguishable" is the key here. It has nothing to do with being "14 years old", or with not "know[ing] anything", or with some genetic deficiency.
Richard Rorty claimed (e.g. in "Trotsky and the Wild Orchids"), contra Plato, that people do not have an innate sense of right and wrong; that we can't simply detect ethical behavior, and have to learn how to evaluate real and hypothetical situations. We could say the same about irony; except we can strengthen the claim because we can prove, through reader-response studies, that there are many texts in which readers cannot, with any significant degree of accuracy, discern the author's intent.[3]
[1] Who'd been arrested on the perfectly reasonable grounds that his name resembles that of some guy with an outstanding warrant.
[2] For some value of satire. At any rate, it's not true. I hope.
[3] I could go on about how we typically rely on logical and ethical evaluation to decide whether a text is sincere, but I doubt anyone's still reading. I'll just lecture to myself for a bit. Ah, that's good.
Both gzip and bzip2 parallelize well only for compression - because that's a "blocked" operation
True, but encryption[1] can also be done in parallel blocks, for example using a block cipher and GCM (Galois-Counter Mode) combining.
One can, though, obviously compress/decompress multiple streams (files) at the same time
Yes, and clearly that's the solution for large archives: build them from multiple compression streams. With many corpora, you can get close to the same overall compression ratio even if you partition the input in various ways, for example interleaving (one stream for each Nth block, for some block size, then interleave the outputs the same way when decompressing). There are other possibilities that can improve compression ratios for typical jobs, even higher than what a good compressor (e.g. PPMd) would if simply run over the entire corpus as a single byte stream.
[1] I know you went on to talk about decompression, but the OP mentioned encryption in this context.
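The block-interleaved multi-stream scheme described in the reply above, as an added example that is not part of the original post. The input is cut into fixed-size blocks, stream k receives blocks k, k+N, k+2N and so on, each stream is compressed independently (so N cores can work at once), and decompression reinterleaves the blocks in the same order. The block size, zlib as the compressor, and the sample log lines are all assumptions made for the illustration.

```python
"""Block-interleaved multi-stream compression (added illustration)."""
import zlib
from concurrent.futures import ThreadPoolExecutor

BLOCK = 4096  # block size is a tunable assumption, not a standard value


def split_interleaved(data: bytes, nstreams: int, block: int = BLOCK) -> list:
    """Stream k gets blocks k, k+nstreams, k+2*nstreams, ... of the input."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return [b"".join(blocks[k::nstreams]) for k in range(nstreams)]


def join_interleaved(streams: list, block: int = BLOCK) -> bytes:
    """Inverse of split_interleaved: block i comes from stream i % n."""
    n = len(streams)
    per = [[s[i:i + block] for i in range(0, len(s), block)] for s in streams]
    out = []
    i = 0
    while True:
        k, j = i % n, i // n
        if j >= len(per[k]):      # the first exhausted stream ends the input
            break
        out.append(per[k][j])
        i += 1
    return b"".join(out)


def compress_parallel(data: bytes, nstreams: int, level: int = 9) -> list:
    """Compress each stream on its own thread (zlib releases the GIL)."""
    streams = split_interleaved(data, nstreams)
    with ThreadPoolExecutor(max_workers=nstreams) as pool:
        return list(pool.map(lambda s: zlib.compress(s, level), streams))


def decompress_parallel(compressed: list) -> bytes:
    with ThreadPoolExecutor(max_workers=len(compressed)) as pool:
        streams = list(pool.map(zlib.decompress, compressed))
    return join_interleaved(streams)


def compare(data: bytes, nstreams: int) -> dict:
    """Total compressed size as one stream versus nstreams interleaved streams."""
    return {
        "original": len(data),
        "single_stream": len(zlib.compress(data, 9)),
        "multi_stream": sum(len(c) for c in compress_parallel(data, nstreams)),
    }


# Constructed sample corpus (synthetic log lines, not real data).
SAMPLE = b"".join(
    b"2014-08-%02d host%d sshd[%d]: Accepted publickey for deploy\n"
    % (d % 28 + 1, d % 7, 1000 + d)
    for d in range(3000)
)

if __name__ == "__main__":
    packed = compress_parallel(SAMPLE, 4)
    assert decompress_parallel(packed) == SAMPLE
    print(compare(SAMPLE, 4))
```

Because each stream is cut at block boundaries, a corrupted or truncated stream only loses its own blocks, which is a useful property for large archives quite apart from the parallelism.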
A plethora of new words were added to the arbiter of our language
Assuming your language is English, there is no arbiter of it, and in particular the OED is not one.
Damn prescriptivists are everywhere. Must be something in the water.
However, dictionaries like the OED may not be "rules", but they are, in a very real sense, standards
Only among those who don't know any better. And it's difficult to sympathize with pedants who can't be bothered to learn what a descriptive dictionary is.
Re: Code vs data
While I've made several objections to this piece, Watkinson[1] does correctly point out that this distinction went the way of the dodo with John von Neumann. It's no more "modern" than the rest of computer programming.
[1] Ugh, I see I've gotten his name wrong in previous posts. Bad form on my part, and I apologize. I'll see if they're still editable in a moment...[2]
[2] Think I got the one post in error.
My favorite was this bit: "Since malware relies on having access to the whole computer in order to do harm when the code is executed..."
Since that premise is completely, utterly, obviously false, pretty much everything that follows is a big ol' load of rubbish.
As others have said, this article is an embarrassment. I'm concerned that so many people early in the comments praised it; that doesn't reflect well on their understanding of IT security. Or contemporary hardware and operating systems, but particularly security, on which this piece is appallingly simplistic.
(And while we're on the subject: "the Orwellian term 'Information Technology'"? Oh, please. That's a perfectly good and neutral use of both of those words. Does Watkinson fret about the use of techne as a term of art in rhetoric, too?)
Re: The x86 architecture offers memory segment protection since the 286...
It's impossible to solve security issues at the software level only - hardware specific features are needed
It's "impossible to solve security issues" in the general sense, so this claim isn't substantive. A microcontroller-based embedded system may be much safer against any threat model that doesn't include physical tampering than a multiuser system with a fancy capability architecture. Without specifying the threat model, there's no sense in which "security issues" can be alleviated, much less "solved".
Re: The last machine on my desk with no MMU was an Amiga 2000
Actually, the Morris worm simply guessed passwords.
That's utterly incorrect, as a quick glance at any of the analyses of the Morris worm would tell you. Its most famous vector was a stack overflow in fingerd (for 4BSD, the worm's target), but it used a number of them.
It did not even attempt to break into the kernel, or even attack other processes.
Except for fingerd, sendmail, etc.
So the phrase "bomb proof" still remains valid for the hardware.
That's a vapid claim. VAX systems running 4BSD were infected by the Morris worm, which was malware by any sensible definition, so clearly Wilkinson's claim is a load of rubbish.
Re: False economy is an ugly thing, Detroit.
jake wrote: "Stop allowing Money Bags from making Technical decisions, it'll do the city's budget a world of good"
Tom 13 wrote: "No, the core of their problem was assuming they didn't have to do anything to fix their financial problems long before they got to the point of buying discount batteries for their parking meters."
Need I point out that these are both so ridiculously oversimplified that they're useless? Apparently yes, I do need to point that out.
The battery decision was almost certainly made like this: "Parking Enforcement, you need to cut $X from your budget." "Well, let's see what line items we can trim." My guess is few EEs are available in the Parking Enforcement back offices. (Oh, and Peter2: I suspect the person procuring the batteries for the meters doesn't have authority to buy them from eBay. My guess would be that the city requires a purchase order and other paperwork, not just an email receipt from some random online account.)
And everyone has been aware that Detroit's finances have been in trouble for decades - long, long before the parking meters became a problem. There are certain complications that arise when a huge chunk of the population abandons your city, leaving you with just as much infrastructure to support but a drastically reduced tax base. Certainly a series of incompetent and corrupt city leaders didn't help, but it's not like everyone woke up one day a couple of years ago and said, "Hey, the city's out of money! Better switch to cheap batteries!".
But please, continue with your armchair mayoring. I'm sure Detroit would love to hear your brilliant advice.
I do hope not, having a commentard handle of "Irongut"
You object to firm abdominals in your nude starlets?
I assume Irongut looks like Emilia Clarke. Based on the data I have, that seems like the best assumption.[1]
[1] N.B. I did not write "the most probable assumption". Even a Bayes reasoner needs to take the occasional liberty.
Re: IPv6 like OSI is far more complex than necessary
I think a more apt aphorism is that the elephant is a mouse designed by a committee.
An aphorism is an insight designed by committee.
Re: URLs are Content
pierce writes: "URL's CAN be the address of static content.. but they also can be an API, passing data as POST or GET arguments."
HTTP URLs can include a query-string. Since the HTTP GET method does not include a message-body, the query-string is the usual way to pass parameter data to the server. But the user agent can use a query-string with any method (except possibly CONNECT, since the syntax of that method isn't defined by RFC 2616).
By convention, web browsers processing HTML forms that use the GET method will URL-encode the form field data and append it to the action URL's query string. Parameters for HTML forms using the POST method are sent in the message-body, not in the query string. But the method is irrelevant to the presence of a query-string in the URL, from HTTP's point of view.
Whether the presence of a query-string makes a URL an "API" is debatable. The latter term is not, of course, defined by RFC 2616.
AC writes: "Because technically speaking, HTTP GET request was not designed to be used for posting data or API, it is even written in the specification."
Citation, please. No, don't bother; I'll tell you what RFC 2616 says. It says that the GET method is both "safe" (9.1.1) and "idempotent" (9.1.2) - terms of art in this context. Safe methods SHOULD NOT have user-visible side effects[1]; idempotent methods can be replayed without additional side effects.
Nowhere does RFC 2616 say that GET cannot "be used for posting data or API". An idempotent method can "post data" (presumably - the term is not defined by 2616) as long as multiple invocations don't have additional side effects. A safe method can "post data" as long as the side effect isn't user-visible.
And whatever "API" might mean in this context, it almost certainly includes operations that are not only allowed for safe methods, but are in fact commonly achieved by them. I use APIs all the time that include operations without side effects.
More broadly, though: the query-string has no special status in this regard. It's intended for passing parameter data, but any part of the URL that's visible to the server (at least the abs_path and query-string, and possibly the entire URL) can be treated as whatever sort of data the server likes. There are conventions for using other parts of the URL as input, for example the use of PATH_INFO in the CGI/1.1 specification. Nothing about query-strings or any HTTP method magically turns an HTTP request into an "API". In isolation, all HTTP requests have the same status; it is the server's interpretation that distinguishes between simple retrieval and operations with other side effects.
[1] That is, side effects beyond retrieving data; 2616 9.1.1 is less specific than it might be on this point, but it's clear what's intended.
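An added example (not from the post) that makes the point above concrete: a small parser for a raw HTTP/1.1 request that pulls parameters out of the query string regardless of method, and out of the message body only when the body is a URL-encoded form. The safe and idempotent sets are the ones RFC 2616 sections 9.1.1 and 9.1.2 list; the two sample requests are constructed, not captured traffic.

```python
"""Separate query-string parameters from form-body parameters (added illustration)."""
from urllib.parse import urlsplit, parse_qs

# Method properties as listed in RFC 2616 sections 9.1.1 and 9.1.2.
SAFE_METHODS = {"GET", "HEAD"}
IDEMPOTENT_METHODS = {"GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}


def parse_request(raw: bytes) -> dict:
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    # The query string is part of the request target whatever the method is.
    parts = urlsplit(target)
    query_params = parse_qs(parts.query, keep_blank_values=True)

    # Form parameters arrive in the body only for a URL-encoded form body.
    body_params = {}
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if body and media_type == "application/x-www-form-urlencoded":
        body_params = parse_qs(body.decode("iso-8859-1"), keep_blank_values=True)

    return {
        "method": method,
        "path": parts.path,
        "query": query_params,
        "form": body_params,
        "safe": method in SAFE_METHODS,
        "idempotent": method in IDEMPOTENT_METHODS,
    }


# Constructed sample requests (not captured traffic).
GET_REQ = (b"GET /search?q=ferguson&page=2 HTTP/1.1\r\n"
           b"Host: example.invalid\r\n\r\n")
POST_REQ = (b"POST /orders?debug=1 HTTP/1.1\r\n"
            b"Host: example.invalid\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 17\r\n\r\n"
            b"item=widget&qty=3")

if __name__ == "__main__":
    for req in (GET_REQ, POST_REQ):
        print(parse_request(req))
```

Note that the POST request still carries a query string, and the parser reports it: from the server's point of view the path, the query string and the body are all just input, and each deserves the same validation whatever the method happens to be.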
Re: I don't want all this crap....
I wonder if a lot of recent complaints about the incidental music drowning out the dialogue on TV shows are due to surround mixes being mixed down to stereo.
They're due to idiot sound engineers and directors. The technical details don't matter.
Re: Wonderful. Brilliant. Absolutely fabulous.
I'll just keep the TV hooked up to my 2.0 stereo.
I just use the speakers that are built into the TV. As far as I'm concerned, audio exists so my shows can have dialogue without subtitles. (Though I'm pretty happy with subtitles, too.) I wouldn't take one of these things for free - for me, it's not worth the time spent setting it up.
My wife's deaf in one ear, so she has no interest in fancy audio either.
(And as for the cinema experience - the last time I went to the cinema, the audio experience was LOUD LOUD LOUD idiot talking on cellphone LOUD LOUD. And that was for something mostly explosion-free. It's bad enough at home, trying to watch stuff where dialogue is mixed too low while SFX and BGM are too loud, but at least there I control the overall volume.)
Kids, lawn, etc.
That linked PDF is great
I do love watching writers try to explain complex technical topics.[1] From the PDF the article links to:
Riemann surfaces are named after the 19th century mathematician Bernhard Riemann, who was the first to understand the importance of abstract surfaces, as opposed to surfaces arising concretely in some ambient space.
I'm trying to imagine the writer who would be informed by the former clause, and enlightened by the latter. "Riemann, eh? I've always wondered who first got out of that whole ambient-space trap."
The piece actually does a pretty good job of summarizing how topology is connected to algebraic geometry, hyperbolic geometry, &c, but I really must wonder how many readers will stick through it to find out.
[1] No, really. I have a degree in professional writing. 's not what I do on the day job, but it's still interesting to watch.
Re: I'm wondering ....
the optimal paths to Hitler from any given Wikipedia article (possibly using Dijkstra's algorithm or something similar)
Dijkstra's would work, but it'd be a good application for an ant algorithm. Now that you mention it, that'd be a nice assignment for a CS undergrad, combining practical stuff like HTTP scraping and HTML parsing with the graph data structure and algorithm work.
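The Dijkstra approach mentioned above, as an added example that is not part of the original post: a shortest-path search over a link graph with path reconstruction. The graph is a constructed toy, and the per-link cost (standing in for how far down a page the link sits) is an assumption made so that weights differ; with uniform weights a plain breadth-first search would do the same job.

```python
"""Dijkstra shortest path over a toy article-link graph (added illustration)."""
import heapq

# Constructed toy graph: article -> [(linked article, cost)]. The costs are
# invented for the illustration; a real run would build this by scraping.
LINKS = {
    "Riemann surface": [("Bernhard Riemann", 1), ("Topology", 2)],
    "Bernhard Riemann": [("Germany", 1), ("Mathematics", 2)],
    "Topology": [("Mathematics", 1)],
    "Mathematics": [("Germany", 3)],
    "Germany": [("World War II", 1), ("Berlin", 2)],
    "Berlin": [("World War II", 1)],
    "World War II": [("Adolf Hitler", 1)],
    "Adolf Hitler": [],
}


def shortest_path(graph: dict, start: str, target: str):
    """Return (total cost, [start, ..., target]) or None if unreachable."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    done = set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:            # stale heap entry, already settled
            continue
        done.add(node)
        if node == target:
            path = [node]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for nxt, w in graph.get(node, []):
            nd = d + w
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None


if __name__ == "__main__":
    print(shortest_path(LINKS, "Riemann surface", "Adolf Hitler"))
```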
Re: I'm wondering ....
Is there a branch of mathematics which describes the hyperlink paths that are followed by someone reading mathematical articles on Wikipedia? If not, there ought to be.
There is, but unfortunately the problem turns out to be intractable.
I cannot agree. Chang's is not "indifferently overpriced". It's overpriced deliberately and with malice. Quite possibly glee.
It's unfair to call this a "java [sic] problem". Oracle made the JVM enforce one of the rules documented in the specification. They fixed a bug; it just turns out that a lot of code relied on the old, broken behavior.
This of course comes as no surprise to anyone with substantial knowledge of, say, C, where this sort of thing happens all the time. The majority of programmers cannot be bothered to look at language specifications, and their metric is "if I don't see a problem, there is no problem".
Re: semantic topics within this corpus
I can not take anybody serious that writes sentences like this
Yet I can take you seriously (at least enough so to point out your inability to present an articulate, cogent argument) despite your inability to write "cannot" as a single word, or understand the difference between adjectives and adverbs. Perhaps you should seek professional help for this neurosis.
Then you can explain what's wrong with the sentence you quoted.
this is yet another one of these prediction methods that are based upon on the assumption that history repeats itself
No, it isn't, in any meaningful sense. Obviously if future events are completely random and there is no correlation between past events and future ones, any "prediction method" is doomed. But so is causality, so that's not a very useful assumption.
the funny thing about economics is that it is a man made system, but not a fixed system
Is that funny "ha ha" or funny "strange"? What "man made" [sic] systems are "fixed"?
it would seize to do so
Homonyms are fun, aren't they?
Re: Questions for rocket scientists:
I'm not actually sure where a solar sail gets its energy from.
The Wikipedia article seems decent. Basically, EM radiation - regardless of whether you consider it as wave or particle - has momentum, even though photons are massless. Since it has momentum, it will transfer some of that to a surface it encounters. A perfectly reflective surface would gain momentum through elastic collision; a perfectly absorptive one through a completely inelastic one. (Of course any real surface will be partly reflective and partly absorptive.)
The actual quantum-scale interactions are more complicated, but you can just say "EM radiation has momentum" and at the macro level it's quite straightforward. The calculations are simple for perfect absorption and perfect reflection.
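The simple calculations the reply refers to, written out as an added note that is not part of the original post. The only input beyond the post's own statement that EM radiation carries momentum is the solar constant, taken as the standard value of about 1361 W/m^2 at Earth's distance from the Sun.

```latex
% Momentum carried by light
p = \frac{E}{c} \qquad \text{(momentum of a photon, or of any EM energy } E\text{)}

% A beam of intensity I (power per unit area) at normal incidence on area A
% delivers energy IA per second, hence momentum IA/c per second.
F_{\mathrm{abs}} = \frac{IA}{c}, \qquad P_{\mathrm{abs}} = \frac{I}{c}
\qquad \text{(perfect absorption: all incoming momentum is transferred)}

F_{\mathrm{ref}} = \frac{2IA}{c}, \qquad P_{\mathrm{ref}} = \frac{2I}{c}
\qquad \text{(perfect reflection: momentum reversed, so twice the transfer)}

% A real surface with reflectivity r (0 \le r \le 1), still at normal incidence:
P = (1 + r)\,\frac{I}{c}

% Near Earth, I \approx 1361\ \mathrm{W/m^2}:
P_{\mathrm{abs}} \approx \frac{1361}{3.0 \times 10^{8}} \approx 4.5\ \mu\mathrm{Pa},
\qquad P_{\mathrm{ref}} \approx 9.1\ \mu\mathrm{Pa}
```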
Re: Questions for rocket scientists:(@AC)
With a little bit of luck we could be sending fecking tourists to Mars in a few decades!!!
Ugh. They'll just make it uninhabitable for the rest of us, as they do everywhere else.
Actually, that sounds like a pretty good idea.
Re: The biggest challenge ...
I would be explaining to him in no uncertain terms that you are paid to work specific hours, and outside those hours, he should not be contacting you with work-related matters.
I'd be damned annoyed if people didn't let me know about urgent work matters while I'm away, holiday or no. I'm still free to decide whether I want to do anything about them.
I know this is a difficult concept for many Reg readers, but not everyone holds the same opinion about every subject. Many here seem to think that a "holiday" is a sacred period of time during which it is an unforgivable sin to so much as think about work. There are, however, a few of us who think we should be able to do whatever we damn well please while on holiday, even if that includes keeping a hand in.
Re: Maybe not the whole car....
Turning the engine on and watching the ice melt in seconds is always a joy
I bought my first car with a heated windscreen in May, and I'm really looking forward to trying it out. I live in an area that averages 50 inches of snow a year and I don't have a garage, so I spend a lot of time scraping windshields in the winter.
Re: Same old
When was the last time you drove 400 miles straight after spending 3 minutes at the fuel pump, (if pay@pump)?
Couple of weeks ago.
Actually, I lie. It was only a little over 300 miles between stops.
But I certainly wouldn't want to try driving between Michigan and New Mexico in this electric Golf, nice though it might be as a commuter car.
I'm sorry driving 400 miles in one go after filling up is not how cars are used today....
Here's a recent groundbreaking discovery: Not everyone is you.
Re: No spare wheel?
Apparently, you are more than twice as likely to be stranded with a flat battery than a puncture.
Perhaps you are. Try driving on the roads around here.
Though I admit most of my flats have been due to sidewall damage, not punctures, so I suppose you're technically correct.
Re: No spare wheel?
changing to a spare wheel (15 minutes for an amateur?)
I wish. The last two times I had to change a tire, I couldn't get the damn alloy wheel free from the steel hub. Even tried the "drive it a little with the lug nuts loose" trick. And I didn't have a mallet or similar handy in the car. And the first time it was pouring rain, the second time snowing - and both times at night, of course.
The first time I just finally ended up calling for a tow. The second time, I called AAA, and when the tow truck driver arrived, borrowed a block to knock the wheel loose. Then we put the spare on and he went on his way. But the whole process took well over an hour.
Re: My ISP words it correctly
Downloads up to 50mbps
50 millibits per second? Harsh.
Re: A flaw in his argument
So the mechanics of using encryption to obscure metadata can be relatively simple: you can broadcast encrypted messages to a wide group of people including your receiver, but in a form that only they will understand (numbers stations seem to have been doing this for decades).
More generally, there are any number of protocols to impede traffic analysis, from broadcast[1] to steganography to using covert channels to chaffing-and-winnowing and so on.
All of these involve costs. As with anything in security, it's a question of trading off one part of the threat space for another. For example, protocols that involve message expansion (broadcasting, chaffing, &c) typically have a greater resource cost and make less efficient use of bandwidth, and potentially create the possibility of amplification DoS.
Most generally, you can say that if one secure-communications technique has problem X, there is probably an additional technique that can be layered on top of it to exchange X for problem Y. Repeat until you have a problem you can live with, or boredom sets in.
[1] With or without encryption. Encryption in your example is orthogonal to the goal of evading metadata surveillance.
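An added example (not from the post) of the chaffing-and-winnowing technique named above, in a simplified form of Rivest's scheme: wheat packets carry real data with a valid HMAC, chaff packets carry random data with a random tag, and only a holder of the key can winnow the two apart. It also makes the message-expansion cost the reply mentions visible, since every wheat packet is accompanied by a configurable number of chaff packets. The chunk size, the HMAC-SHA256 choice and the sample message are assumptions for the illustration.

```python
"""Chaffing and winnowing over a shared-key MAC (added illustration)."""
import hashlib
import hmac
import os
import random

CHUNK = 4        # bytes of wheat per packet (tunable assumption)
TAG_LEN = 32     # HMAC-SHA256 output length


def tag(key: bytes, seq: int, chunk: bytes) -> bytes:
    """Authenticate the sequence number with the data so wheat cannot be reordered."""
    return hmac.new(key, seq.to_bytes(4, "big") + chunk, hashlib.sha256).digest()


def chaff_and_send(key: bytes, message: bytes, chaff_per_wheat: int = 1,
                   rng: random.Random = None) -> list:
    """Return a shuffled packet list [(seq, chunk, tag), ...] of wheat plus chaff."""
    rng = rng or random.Random()
    chunks = [message[i:i + CHUNK] for i in range(0, len(message), CHUNK)]
    packets = []
    for seq, chunk in enumerate(chunks):
        packets.append((seq, chunk, tag(key, seq, chunk)))
        for _ in range(chaff_per_wheat):
            # Same seq, random payload, random tag: without the key this packet
            # is indistinguishable from the wheat packet it shadows.
            packets.append((seq, os.urandom(len(chunk)), os.urandom(TAG_LEN)))
    rng.shuffle(packets)
    return packets


def winnow(key: bytes, packets: list) -> bytes:
    """Keep only packets whose tag verifies and reassemble them in sequence order."""
    wheat = {}
    for seq, chunk, t in packets:
        if hmac.compare_digest(t, tag(key, seq, chunk)):
            wheat[seq] = chunk
    return b"".join(wheat[s] for s in sorted(wheat))


def expansion(packets: list, message: bytes) -> float:
    """Bytes on the wire per byte of message: the cost of the technique."""
    sent = sum(4 + len(c) + len(t) for _, c, t in packets)
    return sent / len(message) if message else 0.0


# Constructed sample values (not from any real exchange).
KEY = b"constructed-demo-key"
MSG = b"meet at the usual place at noon"

if __name__ == "__main__":
    wire = chaff_and_send(KEY, MSG, chaff_per_wheat=1)
    print(len(wire), "packets,", expansion(wire, MSG), "bytes sent per byte of message")
    print(winnow(KEY, wire))
```

Note that the data itself is never encrypted: the confidentiality comes from the observer's inability to tell which packets carry the authenticated chunks, which is exactly why the footnote's point that encryption is orthogonal holds here too.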
For quite a few years I have urged nearly everyone I know who is even marginally computer literate to use PGP or OpenPGP to secure email, with exactly one success, who already was set for, and using, one of these products.
IT security is one of my fields; I've had GPG installed on all of my computers for years; I have a thorough understanding of cryptography and a passing familiarity with the specifics of the PGP, PEM, and S/MIME protocols. I don't bother encrypting or signing any of my email.
Why not? Few or none of the recipients are prepared to do anything with either, and the presence of signatures would only confuse them. And there's very little benefit to me in sending encrypted or signed email, even if my recipients did handle it correctly. My email just isn't that valuable (except internal work email, which never leaves the corporate network, so an attacker who gained access would almost certainly have stolen creds to read it anyway).
I think promoting secure email is a quixotic quest. Yes, if we could get most people using signed email, it'd at least cut back somewhat on phishing and the like. But the threshold for that to be useful is very high. Beyond that, it's mostly useful only if two parties agree beforehand that their threat model justifies it, and they configure it as a special arrangement. For everyone else, it's "oh, there's one of those weird paragraphs of garbage at the end of this message".
In my experience, the chief use of PGP/GPG is to sign software distributions, which has some utility, though many organizations don't practice any sort of consistency or provide decent key verification (hello, openssl.org).
Re: Defeat of slavery
The anti-slavery movement was probably more due to the Enlightenment - and the new breakaway Christian groups who were not part of the established Churches eg the Methodists and Quakers.
And strongly supported by middle-class capitalists, who realized that wage-slavery in the factories was far more efficient than the plantation slavery being practiced by the land-owning aristocracy. Abolition was just a nail in the coffin for their class opponents.
(Eric Williams is probably the most famous proponent of this analysis, in Capitalism and Slavery, though CLR James claims - in his interview in Lamming's Kas-kas - that he proposed the thesis to Williams. Since they're both dead now, no one can say for sure; but certainly that group bandied many ideas about, and the influences are complex. It doesn't help that there was some friction between the two, after Williams put James under house arrest. That sort of thing can sour a friendship.)
You can already check-in online and go directly to the gate area (with hand luggage).
Often you can't, with international flights departing from the US. This may depend on carrier and airport, but I haven't seen online check-in available for any of my international flights.
That said, it's not an issue for me, because I'm always checking baggage when I fly internationally (and for most domestic flights; I refuse to be one of those road-warrior types fighting over the luggage bins), and I fly out of a regional airport where the queues are typically no more than two or three long. Often I can walk right up to the desk, check in, walk over to TSA, hand over my luggage, and then go right through security with no wait at all.
Did I mention my airport also has ample seating, lots of electrical outlets available to passengers, and free wi-fi?
The food still isn't much good, but you can't have everything.
Re: Battery life
how are you supposed to remember to connect your phone to a charger if it isn't needed every day?
Joking, yes, but I have at times forgotten to charge my phone[1] for just this reason. Fortunately it uses USB charging and so I've always been able to charge it when it's run down.
But it's a problem I'm happy to live with.
[1] It's a low-end LG Android slider (an LG-C555), which I bought because it was cheap and I insist on a physical qwerty keyboard. The battery often lasts two or three days, particularly if I remember to only turn Bluetooth on when I want it (in the car, or if I want to sync photos to my laptop).
Images containing animals?
Pornography should be restricted to images containing only naughty acts between plants, fungi, microbes, and inanimate objects. Animals are right out.
Re: One problem
'Murica won't let people go off grid. Well they do but I've read several stories of people being arrested for taking their homes off grid
Texas and Florida are only two states, and two of the craziest at that. There are 48 other states and various non-state territories in the US.
I think they cited terror laws as the reason.
Shrug. Authorities will use any over-broad law to cover a multitude of sins. Before 9/11 it was RICO; these days the Global War on Whatever is the usual excuse.
There are plenty of folks living off-grid in the US. I know some in Michigan, Vermont, New Mexico, and California, and that's just off the top of my head.
Re: Unused speed
If you only ever use your WiFi for Internet access, you might be right.
For the rest of us, the extra bandwidth is essential.
There are two kinds of commentards: those who think there are only two kinds of commentards, and those who know better.
I use my WiFi for local comms between my machines frequently, but they're rarely bandwidth-limited. I'm not streaming HD video (or any other media), but that's my point - there are other uses for networking. So no, it is not "essential" for all of "the rest of us".
That one-meter range is still a bit of a pipe dream, though.
Not for my scheme, which involves a powerful fan at the base station and little wind farms on the receiving devices.
And everyone knows wind farms are Green and the Way of the Future.
For longer distances, I use an air compressor and air hoses, which are not, you'll note, wires.
maybe we need keys that require firmer action so they generate more power
I learned to type on a mechanical (non-electric) typewriter. Good times. I suspect many users might find that much key force (and travel, if we wanted to reproduce the whole experience) difficult, though. And those who remember typing pools will recall that firm-action keyboards tend to be a bit noisy.
Of course there are various folks who convert mechanical typewriters into computer keyboards.
Re: Inefficiency is irrelevant
Have a look at some of the keyboards and mice promoted as "high-end gaming" equipment, and you can spend £150 on the keyboard and another ton on the mouse.
Fools. Everyone knows you can convert a regular mouse into a high-end gaming one by coloring it with a green marker.
Re: Inefficiency is irrelevant
I'm pretty sure the energy can be created in a green way.
Frogs on treadmills would be my choice.
Re: Inefficiency is irrelevant
it's generally reckoned that all the TVs we leave on standby require a whole major power station all by themselves
I'm leery of "facts" that are "generally reckoned". Do you have a reliable source for that?
If we banned the power button on TV remotes we could close that station down.
LBL tests showed that CRT TV sets drew an average of 0.18W more when turned "off" via remote, versus off via switch on the set. Generation stations vary widely in their output, of course, so let's assume the general reckoning in question refers to a 1GW station. So you're saying there are 5.5 billion TV sets in use in the US? Seems high to me.
Now, it's certainly possible that LCD TV sets have on average a greater disparity between off-by-remote and off-by-switch-on-set. But it's also quite possible that they don't.
Re: Simple Solution
> This consists of a diode inserted in the command feed
I hope not literally otherwise some salesman was having a good laugh.
Not just a diode, obviously. The upgrade also involves a copper bracelet, several magnets, and distilled water. It works well except when the gibbous moon is in Aquarius.
Software liability is not a new idea
"Software houses will yell bloody murder and pay any lobbyist they can to scream that this will end computing as we know it,” he said.
Well, yes, of course. Publicly-traded companies have a fiduciary responsibility to oppose burdensome regulation, unless they have reason to believe it will give them a competitive advantage. Doesn't mean it's not a good idea, but blaming software vendors for opposing it is more than a little disingenuous. This is precisely why we have governments - to force people to do things they'd rather not.
In any case, the idea of software liability is an old one, and has been vigorously debated by the IT security community. Schneier used to talk about it a fair bit, and there have been some interesting discussions of it on his blog.
Re: Make un-patched software open source is a great idea. Period.
Whether or not a chunk has been abandoned is irrelevant. The monolithic code has been abandoned
OK, now show us how to define "chunk" and "monolithic code" in a manner that is legally useful, fair, and can't trivially be avoided by software authors.
I like the idea of copyright lapsing on orphaned software, and the source being published, I really do; but it's patently unworkable.
It's an unworkable proposition in any case, because the cost of "maintaining" software can be reduced to nearly zero. Physical property, children, etc are abandoned because they have high minimal maintenance costs (at least in terms of opportunity costs and the like, if we're talking about something that doesn't require active maintenance). A company could "maintain" software indefinitely by issuing an annual vapid update of some sort. There's also the inheritance argument made by other posters - what's to stop a company from saying "this new product is the maintenance release for the old product"? (Try to create a legally useful definition of maintenance that prohibits that while recognizing whatever you consider legitimate maintenance.)
It would be impossible to regulate what significant maintenance (to prevent abandonment) would entail - the range of software is just too wide - so software could often only be determined to be abandoned by costly litigation.
The proposal also doesn't work well with a lot of embedded software.
It's a cute idea, but it would require a massive, hugely complicated, highly fraught regime of software oversight. Ain't gonna happen, and the cure would be worse than the disease.
My car has three back doors. Hah!
Is your security as good as it could be? If you just answered "yes", prepare to be boarded. What was the best last week is old news and vulnerable. Security is a moving target and if you don't keep looking at ways of improving it you will be a victim.
"security as good as it could be" is a meaningless phrase anyway - you don't have to invoke the "moving target" argument. Security is only meaningful in the context of threat models, costs to attackers, and costs of defenses. There is no "security" in an absolute sense.
And defense budgets are limited. Worse, security costs are asymmetric - across a broad threat model, defense will be much more expensive than attack. There's no point in saying "keep looking at ways of improving [security]"; without context, that's not useful advice. Someone has to decide how to allocate the defense budget to increase the attack cost of the cheapest and most probable attack vectors, analyze the system for new attack vectors and update the threat model, detect violations, etc.
Re: At last?
Well, yes. But one of the interesting, and unfortunate, aspects of the Target breach is that it wasn't the sort of obviously, stupidly poor security, as we saw with e.g. the TJX unencrypted-wireless-PoS breach some years back.
The infection came indirectly through a third-party supplier, and was spread by Target's over-engineered Windows-based PoS system. Those are architectural security issues, not simply a matter of "hey, turn on network encryption, stupid". Harder to spot and significantly harder to fix.
Then Target's outsourced intrusion-detection team did spot malicious activity, and informed Target as they were supposed to - but the second-line team sat on the information instead of investigating and escalating. That's a procedural failure, but again it's not obvious or easily fixed - it's not a case of Target not having any monitoring at all.
What it really demonstrates, once again, is that security is hard, and prominent victims (like large retail chains) won't have anything close to adequate security even if they make a good-faith effort to check the obvious boxes. They need someone in the C-suite whose remit is solely IT security; they need a formal process that includes threat modeling, penetration testing, and systems review; they need clear, well-documented procedures that create incentives for failing to a secure state rather than an insecure one. That's a very expensive proposition. Is it more than 148M USD expensive? Hard to say.
Re: Who says Germany doesn't spy on their allies?
So Germany, having reunified and forged a country with the knowledge that 20% of their population* was engaged in spying on the others, decides that it will organise its foreign policy around spying on others? I suspect not.
Your faith in humanity is adorable.
Essentially all humans can be corrupted in such ways
While that's an unprovable proposition, experimental and historical evidence does suggest that the probability that a person can't be induced to spy on others is indeed low.
the Germans decided that this should not be possible/encouraged
Your previous clause contradicts "possible", and history (and psychology, and critical thinking) suggest "encouraged" is highly dubious.
Governments are very good at espousing ethical positions. They're very poor at practicing them.
And, of course, governments are not homogenous monoliths. The vast majority of German government officials might take a sincere, principled stand against spying on allies; it takes only a few realpolitik SIGINT types to go ahead and quietly do it anyway.