Can someone explain to me why this can't be fixed overnight? I'm no crypto expert, but
" If a client and server are speaking Diffie-Hellman, they first need to agree on a large prime number with a particular form. "
why can't you just switch the large prime number and then continue on sending encrypted data?
Can someone explain to me what the authors mean by "cracking" a prime? Is the difficulty of this related to the difficulty factoring a composite number? The language used is annoyingly imprecise.
Edit: Question was already asked by smegel, and has some useful answers.
I mean, say we put through a few patches and started generating primes more often. Then their big-ass special purpose prime machine becomes an order of magnitude less effective, right?
I think the best way to defend against these one-to-many attacks is to spread out the cost of decrypting large quantities of data. If we all had our own keys, even if they weren't as strong as one single key that everyone used, that much more work has to be done to decrypt data for a group of users.
I know nothing about crypto, but a layman can hear about these implementation architectures and immediately realize what's wrong with it all.
Also, the latest openssh package warns against Diffie-Hellman ssh keys; now we know why they warn us.
I know I can, but I'm hoping for something simpler than having to parse the TLS messages from:-
openssl s_client -connect host:port -msg
The basic algorithm is that you take some candidate X (which will be our 2048 bit number here) and classify your question (primality, whether it is the product of 2 primes, etc) --- once you have your question, Q, then you can pick a number Y0 to get X % Y0 = Z0 ... sometimes ~sqrt(X) works well, other times it's the closest prime factorial, etc.
now using those results, [Q, Y0, Z0], you can optimally pick Y1 and do the operation again, X % Y1 = Y2 ...
Like the Chinese remainder theorem each Z gives you information on the next optimum Y given your question Q ...
I called it tunnel factoring and saw some great early results ... but for some reason I haven't ever pursued it
Still, it's a good reminder that you should not be using 1024-bit Diffie-Hellman.
Is there an easy way to check if a VPN provider has updated?
The ASICs NSA built for breaking some common 1024 bit fields are probably breaking specific RSA keys now...
Then, if the prime number is standardized or hard-coded, why do they not just use it? Why do we need to break it?
Today they simply formally presented their research at ACM CCS.
The government of the people should not be spending $10B a year to monitor and track all of its people just to warehouse the data.
That is quite literally Stasi. Not vaguely like, exactly like.
Imagine the money not spent on more pressing issues we face these days: health problems, poverty and the destruction of nature earth, just to name a few.
Why do we, as a society, tolerate this?
What if few hundred millions is 10x less than actual amount. What if it takes 10 years instead of 1.
Analysis and attempts to decode the Voynich manuscript lead me to believe mathematical patterns intended to hide information, languages in particular, are not safe in the least.
No one will get their privacy "back" by fighting the NSA through technology, considering their mission, budget and capabilities they'll always win, the only way to pacify the NSA is through legislation that will ensure that they only use their capabilities when it's warranted.
I wonder what world you all live in in which this is a bad thing. There are real threats out there and I'd hate to live in a country that lacked the geopolitical leverage to make use of these tools to my nation's interests.
When I moved to London's SE4 postcode three years ago (it's pretty close to Peckham, FWIW), the regeneration of the area has just started and the more middle-class looking people appeared around, the more men and women in running gear were visible in the streets in the morning. Poor on average take worse care of their health and fitness, so tapping into Runkeeper's data may prove useful.
In the meanwhile, during these three years, the value of my home grew more than 100%.
I think some of the key indicators it used were number of bowling alleys, liquor stores, and payphones (keep in mind, it was published in 1989).
To offer an alternative, my own theory is that the 'up and coming' areas are cropping up down the Shoreditch fringe, i.e. Borough (which is seeing a lot of commercial and residential development), and Elephant & Castle (same as Borough, albeit more behind in completion). Such a 'fringe' also spills off into the East, too.
You could extrapolate this trend to Peckham, one of the primary areas the author has highlighted, however I doubt we're going to get anywhere near same level of 'pop-up' commerce/entertainment in these much more southernly areas for some time to come indeed.
There's a few regions of the US I've lived where fried chicken isn't really a thing, in general. I'm not sure that it would make sense to extend the model to those locations at least.
What a data scientist would have done is find the list of shops and property prices and see which correlate.
Of course, you also need to do it over time because "up and coming" implies the future state, not the current.
1. Buy cheap housing in area that attracts new grads / creatives / artists
2. Those people attract certain business types
3. Hot area attracts richer people + people in 1 get more money
4. Property prices rise
It's a shame it can't use all of PyPI though.
There are some official and close-to-official social media accounts that are used by the Russian rebels to announce progress (Twitter, Facebook, VK) usually straight from the mouths of commanders and higher ups.
When MH-17 was downed they boasted about shooting down a Ukrainian plane only to find themselves quickly deleting all mention of it several hours later.
Those same accounts also boasted about acquiring a Buk missile launcher weeks earlier, but those status updates were also deleted.
The official also hinted that the missile was fired from a village in the Donetsk region, where Ukrainian forces were said to have been stationed at the time of the crash.
Russian deputy foreign minister Sergei Ryabkov called the report an attempt to make a biased conclusion. He argued that the report had failed to take account of the Russian investigations."
So, even if the truth is out in the open (and given the tweets right after hitting the plane there wasn't much doubt) there is apparently no way Russia is going to own up to this.
It came to a similar conclusion as the Dutch report, the main issue with the Dutch report is it's too little too late and the government had repeatedly delayed publishing it while they searched for a way to indirectly accuse Russia. The Dutch report is quite weak in that it won't take the next logical step given the evidence available and accuse Russia of ordering the downing of MH17.
It has come to something when social media can point the same spotlight on whole armies doing things they would rather keep secret as it has done on politicians doing the same.
It's very useful in some situations. It offers, in a way, a mean to do a sort of compile-time introspection on some class/enum.
I use this for dispatching, enum creation, method creation etc.
But probably a good resource for people trying to save their time by macro based code generation ;)
Can't really blame people for using ad blockers on pages like that. That said, I'm quite interested in the story so I'll give it a read regardless...
Burglars have always targeted items that are valuable to them. Easy to sell, gets a good price, etc.
Now we have digital assets in the home, and burglars are going to focus on those things too. For most of the population, and probably many of "us", physical access to those digital assets isn't particularly secure. And to have those assets "taken" today is much more far reaching than to have lost a stereo or checkbook.
Just because the attacker had to get off his couch and go somewhere shouldn't minimize this threat. "Physical access means you're pwned" is a true statement.
One thing I do at home, for example, is to use full disk encryption on my laptop, and hibernate it when I leave. So that if someone steals it, it's just a plastic brick. For exactly the scenario described in the article.
To understand, that your door opener, your TV and other things can be "hacked" is important. The information to use different passwords for every service is important.
We as people in the know have to help our elders and peers to see how easy it is to use a pwd-mgr and have a little bit more basic security.
If nothing more, this piece goes a step in the right direction.
I'm surprised they only care about the electronic locks and didn't show how easy it is to pick most of the mechanical locks. Especially when they are talking about the "not hyperconnected" hacks.
I'm signing up for Phish5. Looks like exactly what I need for my team.
Update: This post has been updated to correct that Dorsey will commit 10 percent of the entire company, not just his equity as previously stated. In addition, our calculations were off and I regret the error.
This is commendable. Actually intending to make the world a better place (in the non HBO-Silicon-Valley-Show-way).
It takes a lot of thought and planning to make sure you're 'default alive' in all circumstances. It slows you down, and it requires you to think through the implications of every decision, big and small.
This sounds like a fairly similar notion...
This accurately reflects my own experience. Most common pitfall: converting VC capital to users at a rate that will not sustain the company once the VC capital runs out. So many companies fall into this particular trap that it should have a name of its own.
Bought growth is only worth it if the users remain long enough to make back the money you pumped into them at the time of acquisition in net profits otherwise you might as well do without them.
I'm not sure if the reference to airbnb helps, whatever they did, they're an outlier and simply doing what they did without carefully evaluating your reasons is going to work about as well as any other cargo-cult strategy to success, it would be (a lot) more useful to see this point expressed in an alternate form, start-ups funded by YC in cohorts of months from when they started hiring besides the founders compared to their survival rate.
Not to mention other big levers like working capital (and potentially running a business with negative WC and generating cash, a la Amazon). It's funny to be running a start-up in SF and still feel a world apart from a lot of the ecosystem.
Perhaps the most important underlying point in the article.
It's easy to think that more people will make the company grow faster. Adding people actually makes it harder to tune a product's direction (and thus growth rate). Great to see another dense and on-point post from pg. Every sentence is worth several reads.
For a private company, it's much harder to tell from the outside. Any CEO who doesn't know how many months (days?) of cash they have left is hopeless.
That's how I run my company. Complacency kills, and prevents being able to be proactive in an ever changing market.
To make this alarm explicit: if you were that investor, would you save the company? I wouldn't.
This is a bit like in the early stages of a poker tournament, where you might fold even quite strong starting hands to all-in bets where your expected value is positive - because you're not just betting the number of chips in your stack, you're betting the entire remainder of your tournament.
Or you could reconsider the size of your total addressable market (hint: it's probably a lot smaller than what's in your pitch deck) and give weight to building a smaller company that's sustainably profitable.
Note that I'm not suggesting growth isn't important. What I am suggesting is that a lot of founders seek "Silicon Valley growth" without considering the possibility that they have an opportunity to build a lasting business that doesn't need hundreds of employees, tens of millions of dollars in funding, hundreds of millions in revenue and billions in enterprise value to succeed.
Now if this is efficient in any way - no idea.
* The two "job sharers" can freely organize how they want to split their working time between each other, giving them a lot of flexibility and increased work-life balance.
* The company will have filled one full-time position with a team of two people, thereby greatly reducing the risk of sickness and one person leaving the company with all his/her knowledge.
So, basically it's RAID0 for people :)
I think this is why a lot of acquihires fail (like, acquihired employees leaving quickly). The way the acquired team works together doesn't mesh with the way the new company works.
1. To all intents and purposes this is a co-op model of an agency.
2. If the team could not break through to their employers that the employers were in the way and not letting a team of eight build something to help, then why do they think they can do this repeatably (is the value of an agency the ability to build valuable stuff or to persuade business to take the valuable stuff it needs?)
3. This should be the model for the future. Damn it, succeed damn it.
Also, the Prime Minister and most members of the cabinet are MPs. I wonder if this disclosure affects them too?
A few months ago there was a leak which suggested GCHQ were spying on Scottish MSPs (Members of the Scottish Parliament) and MEPs.
Now, of course, they can continue to spy on Scottish elected officials without anyone being able to claim unfair treatment of MPs over others.
Edit: The other argument is of course that before this ruling, MPs were "above the law" so to speak. So in that sense it is a bit of a re-balancing.
Those who surrender freedom for security will not have, nor do they deserve, either one.
Slightly ironic considering James H. Ellis worked for GCHQ
It's called PolderCast, and the way it works is that it models subscribers of a topic as a ring, and then uses 3 different overlay networking modules to efficiently construct the network (a basic gossip one, one that finds nodes with intersecting interests, and then a final one which constructs the neighbours for a node in the topic ring). Thus, only subscribers of a topic are responsible for hosting, in contrast to a DHT where every node would be (even for questionable content that they may not agree with).
 BitWeav http://liamz.co/wp-content/uploads/2015/03/whitepaper.pdf
I mean "nice" as in, a good read...it's a flattering profile of Holmes -- she comes off well, as a genuinely passionate person, and even if she had stayed in school, it sounds like she would've still made a great impact.
But the article also raises concerns that seem to be corroborated by the OP:
> Clarke argues that finger-stick blood tests aren't reliable for clinical diagnostic tests; because the blood isn't drawn from a vein, the sample can be contaminated by lanced capillaries or damaged tissue. Holmes strongly disagrees: We have data that show you can get a perfect correlation between a finger stick and a venipuncture for every test that we run. When I asked for evidence, I was sent a document by Daniel P. Edlin, Theranos's senior product manager, titled Select Data. It purported to show favorable results from numerous comparison tests. I asked Edlin if the tests had been conducted by an independent third party. He replied by e-mail: The clinical tests were conducted by a combination of Theranos and external labs, but he wouldn't say which ones.
Um, OK. I don't know much about this testing process...but...what trade secrets are being protected by hiding the methodology and source of the comparative test results?
Wow. What a terrible response to get from company leadership. It should be completely appropriate for an employee to bring a concern to the attention of leadership based on a plain-English reading of a statute or regulation. Obviously, I don't know what kind of email the person sent, but if it was something like, "A plain English interpretation suggests that we are required to ... " then the right response is to thank them for bringing it to attention, and then engage people for an appropriate review. Every time I've dealt with a legal situation in a corporate environment, the plain English reading was ballpark a correct way to understand it, with occasionally some detailed nuances for which it was important to have legal input, but which did not radically change the situation. I've never run into a case where the required action was opposite than it seemed, or anything like that, although I'm sure surprising things come up from time to time.
I understand why they might ask people to stop discussing it, on a big company email list or something like that, but bringing it to the attention of the appropriate company leader, is exactly the right thing to do. Thank them and look into it.
This is the same kind of bullshit I see in academia, where a new technology is promised to replace an old technology that works fine, but now they have a 9 billion dollar valuation!
1st Theme says: Theranos doesn't use Edison (their in-house testing device) & instead uses regular equipment from companies like Siemens. This is a marketing problem because the company is saying it's using one device but is actually using another one.
2nd theme: lab tests from Theranos differ from generally accepted standards. How do they differ if in fact they are using the same tests as everybody else? Is it just the general variability of lab results and similar variability could be found in Quest Diagnostics as well?
3rd Theme: almost all people say Theranos is dramatically cheaper than competitors. How is that possible when they are using the same equipment as everybody else for most of the tests? Is it a process innovation in operations rather than from Edison/better equipment tech? Or are they just subsidizing these costs and being cheaper and possibly have bad unit economics?
There are two plausible storylines that can seem to reconcile these three themes:
Storyline 1 (Negative) - Theranos seem to be doing a process innovation rather than an underlying equipment innovation. That process innovation perhaps includes diluting blood samples 1) to meet their marketing promise of taking less blood 2) somehow taking less blood and diluting the samples to meet the standard for traditional equipment AND still lead to cheaper operational costs that lead to lower prices. But - somehow these diluted blood samples show more than normal variability.
Storyline 2 (not so negative) - Traditional lab companies are ridiculously inefficient from an operations perspective. Theranos is able to take the same equipment as everybody else but because of their operational efficiency make the end service dramatically cheaper. The variability in test results is kind of standard in the lab testing market.
Am I thinking about this the right way or missing any big parts?
I don't doubt that she is sincere in wanting to build this business and take over the blood testing industry. But Theranos is looking more and more like a cautionary tale about why VC's and angels shouldn't give any Stanford dropout with little more than an idea and a dream a multi-billion dollar fictional valuation and tens or hundreds of millions of dollars in real cash to burn in the streets.
It seems like disclosing that a sample is a test is more likely to negatively affect the accuracy of the test than improve it. The need for double blind trials is normally well understood. This is not an experiment, but as a test it seems like it would benefit from at least single blind: lab is unaware - accuracy tests are mixed randomly into the genuine population of testing requests. Kind of like how the TSA is occasionally tested by inspectors who bring all sorts of weapons through.
Seems like there would be a lot more complaints considering the number of tests conducted, and that the relationship would have been soured/severed if the results were not living up to Walgreen's satisfaction.
I had known about Theranos mostly for being a highly valued startup by a young college dropout involving something in the medical field...I assumed it was more related to the scientific research side...but in the article it says it's been offering tests to the public since 2013 (and that that appears to be the main potential source of revenue)...has anyone's doctor suggested the tests to them? It looks like they have a couple testing centers in Palo Alto but my general physician has never mentioned the option to me.
They were never able to produce them, she says. Ms. King says the company did show detailed testing-accuracy data to the nurse.
We still do the same, but now we call it a smartphone.
They show several examples where speeding up a line is predicted to slow down execution, but ~actually optimizing it had the opposite effect, so kudos to them for including bizarre results too. I hope they take this farther; seems promising.
It is also a little disingenuous to characterize the Russian effort as "military" and the American effort as not. It wasn't Mr. John Glenn, first American in orbit. He remained a military officer while at NASA and was awarded military honors for his flight (DFC). Smack whatever label you want, both programs had heavy military involvement.
>But the frantic pace of the space race ensured that you had to sacrifice thorough ground testing in favor of debugging the technology in space. This means that you automatically increase the risk to human subjects on board spaceships.
By my memory, the US lost more astros to ground testing than to flight, the Apollo fire being top of the list. Training and testing are safer than flight, but are not absolutely safe. There is a balance point where the risks presented by ever more training outweigh any further reduction in risk during flight.
From this perspective Gagarin would die if both accelerating stage worked longer and retrorockets failed. Only one of these two systems malfunctioned - so, barely, he managed to return unscathed.
Overall their program probably killed about the same number of cosmonauts as US killed astronauts, or maybe even less.
You can play some games with numbers maybe if you want to include unmanned rockets exploding on launchpads or not -- China killed maybe around 500 people with a satellite launch in the 90's. Russians killed 50 launchpad personnel during a failed Vostok launch in the 60's.
Hypothesis - if someone on facebook views your profile then facebook is more likely to suggest them as a friend. Increase the probability if the person is a low degree of separation from you.
Obviously people on dating apps are often going to be searching each other out on facebook to see more info.
I guessed this was how facebook did it because I saw an ex of mine once on the street (I don't have the fb app on my phone or anything like that - so I doubt it was using location data). We never spoke - but made eye contact. Later that day she appeared as a friend suggestion for the first time. My guess is that she viewed my profile out of curiosity.
That's a straightforward conflict, but it makes me wonder why people are comfortable with revealing "all [their] information" publicly on Facebook, when their dating network behaviour shows they don't want total strangers to know all this? Facebook provides lots of privacy controls, allowing you to finely tune who sees what. If you don't want strangers to know your last name, or which area you're from, why make it publicly viewable on Facebook?
Is the problem with facebook making it not simple enough to hide things from total strangers (i.e. people you have not friended)? Is it a problem with people never bothering to change default settings? Or is it something about the way people use facebook that makes this apparent inconsistency actually completely rational?
Your Tinder/Grindr matches are people in your local area. Your Facebook social graph contains people in your local area, even ones you don't know, through your local friends. The chances of one or several Tinder matches eventually intersecting with your Facebook graph are significant. When this happens, people interpret it as a deliberate act, not just a coincidence.
If you use Tinder in an area which does not contain any of your friends, and people from that area subsequently show up, and have no connection to any of your friends, that would be a lot more suspicious.
There was someone I was meeting in real life but we had absolutely no FB connections. No mutual friends. And I didn't even know she was on Facebook.
Suddenly I saw her on my 'Suggested friends' list.
The only reasonable explanation is that she found me on Facebook and viewed my profile. Facebook saved the incident and suggested her to me as a friend.
Facebook forgets nothing. Nothing.
Facebook App copies your match's phone book.
Facebook finds that your phone book contains your match's number and vice-versa.
Facebook suggests your match as a friend and vice-versa.
Nice and simple.
> Facebook goes through your phone book ... you give it permission to do this when you install the app.
This is 100% demonstrably false. It literally comes down to advertising/tracking.
Because Tinder is ad-supported for the free app, they're sending data directly to advertising networks (of which Facebook is one), and that's being used to track you. Period.
On iPhones an app specifically has to ask for permission to read your contacts beforehand. There's nothing "implicit" about that, you literally have to agree it explicitly.
I really wish the COO at a Security research company wouldn't spew nonsense. And people wonder why the general public is misinformed as to the harm of advertisers/tracking.
If people knew how little information is needed to get started they would be either terrified or amazed.
First name + Location + Instagram profile and you are already off to a good start. And maybe there's a picture from some marathon you participated in, and they might have an online list of participants, narrow down to matching first names, then look them up on facebook.
What facebook then sees mimics person A trying to find his new friend person B, which makes it natural to include this person on the other "do you know list"
Facebook sends me phone notifications telling me they've found someone I might know. I get it if it was a new profile and they want the ball rolling, but I have over 900 friends on Facebook already, many I can barely remember where I've met. Why do I need more people I barely know?
What is it that makes Facebook think their app is more engaging if my friend list is full of people I barely know and never interact with?
The best way to handle the advent of this information is to treat your public facebook profile as public information and assume even the creepiest stalkeriest guy on the internet has access to it. Cause they do.
I will also be going out of my way to spread as much FUD among my less tech savvy friends as I possibly can.
Go Zuck yourself, Mark.