
> what will they do when these are no longer needed?

Bitcoin—>Altcoin—>NFTs—>StableCoin—>AI—>They'll just invent something new to over-hype and spend billions on.

It won't end until we reach the Shoe Event Horizon.



> MS doesn't have a magic way to reach into your laptop and pluck the keys.

Of course they do! They can just create a Windows Update that does it. They have full administrative access to every single PC running Windows in this way.


People really pay too little attention to this attack avenue.

It's both extremely convenient and very unlikely to be detected; especially given that most current systems are associated to an account.

I'd be surprised if it's not widely used by law enforcement, when it's not possible to hack a device in more obvious ways.

Please check theupdateframework.io if you have a say in an update system.


I actually misremembered what theupdateframework.io is, I thought it provided more protections...

Isn't it the same with many Linux distros?

Updates are using root to run?


It's largely the same for all automatic updating systems that don't protect against personalized updates.

I don't know the status of the updating systems of the various distributions; if some use server-delivered scripts run as root, that's potentially a further powerful attack avenue.

But I was assuming that the update process itself is safe; the problem is that you usually don't have guarantees that the updates you get are genuine.

So if you update a component run as root, yes, the update could include malicious code that can do anything.

But even an update to a very constrained application could be very damaging: for example, if it is for an E2EE messaging application, it could modify it to have it send each encryption key to a law enforcement agency.


> the problem is that you usually don't have guarantees that the updates you get are genuine

A point of order: you do have that guarantee for most Linux distro packages. All 70,000 of them in Debian's case. And all Linux distros distribute their packages anonymously, so they can never target just one individual.

That's primarily because they aren't trying to make money out of you. Making money requires a billing relationship, and tracking which of your customers own what. Off the back of that governments can demand particular users are targeted with "special" updates. Australia in particular demands commercial providers do that with its "Assistance and Access Bill (2018)" and I'm sure most governments in the OECD have equivalents.


> so they can never target just one individual

You assume the binary can't just have a machine check in itself that activates only on the target's computer.


Yes, they can do that. But they can't select who gets the binary, so everybody gets it. Debian does reproducible builds on trusted machines so they would have to infect the source.

You can safely assume the source will be viewed by a lot of people over time, so the change will be discovered. The source is managed mostly by git, so there would be history about who introduced the change.

The reality is open source is so far ahead of proprietary code on transparency, there is almost no contest at this point. If a government wants to compromise proprietary code it's easy, cheap, and undetectable. Try the same with open source: it's still cheap, but the social engineering ain't easy, and it will be detected - it's just a question of how long it takes.


Not really, but it's quite complex for Linux because there are so many ways one can manage the configuration of a Linux environment. For something high security, I'd recommend something like Gentoo or NixOS because they have several huge advantages:

- They're easy to setup and maintain immutable and reproducible builds.

- You only install the software you need, and even within each software item, you only build/install the specific features you need. For example, if you are building a server that will sit in a datacentre, you don't need to build software with Bluetooth support, and by extension, you won't need to install Bluetooth utilities and libraries.

- Both have a monolithic Git repository for packages, which is advantageous because you gain the benefit of a giant distributed Merkle tree for verifying you have the same packages everyone else has. As observed with xz-utils, you want a supply chain attacker to be forced to infect as many people as possible so more people are likely to detect it.

- Sandboxing is used to minimise the lines of code during build/install which need to have any sort of privileges. Most packages are built and configured as "nobody" in an isolated sandbox, then a privileged process outside of the sandbox peeks inside to copy out whatever the package ended up installing. Obviously the outside process also performs checks such as preventing cool-new-free-game from overwriting /usr/bin/sudo.

- The time between a patch hitting an upstream repository and that patch being part of a package installed in these distributions is short. This is important at the moment because there are many efforts underway to replace and rewrite old insecure software with modern secure equivalents, so you want to be using software with a modern design, not just 5 year old long-term-support software. E.g. glycin is a relatively new library used by GNOME applications for loading of untrusted images. You don't want to be waiting 3 years for a new long-term-support release of your distribution for this software.

No matter which distribution you use, you'll get some common benefits such as:

- Ability to deploy user applications using something like Flatpak which ensures they are used within a sandbox.

- Ability to deploy system applications using something like systemd which ensures they are used within a sandbox.

Microsoft have long underinvested in Windows (particularly the kernel), and have made numerous poor and failed attempts to introduce secure application packaging/sandboxing over the years. Windows is now akin to the horse and buggy when compared to the flying cars of open source Linux, iOS, Android and HarmonyOS (v5+ in particular which uses the HongMeng kernel that is even EAL6+, ASIL D and SIL 3 rated).
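The "giant distributed Merkle tree" argument from the comments above (everyone derives the same root, so a package altered for one recipient changes the root that recipient computes), as an added example that is not part of the original thread. The package names and contents are constructed sample data, and the tree layout is a generic scheme, not Debian's, Gentoo's or Nix's actual repository format.

```python
"""Merkle-tree check of a package index: a package swapped for one client
changes the root that client derives, so it no longer matches the root
everyone else publishes and compares against."""
import hashlib
from typing import Dict, List, Tuple


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(name: str, content: bytes) -> bytes:
    # 0x00 prefix domain-separates leaves from interior nodes.
    return _h(b"\x00" + name.encode() + b"\x00" + content)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)


def _next_level(level: List[bytes]) -> List[bytes]:
    if len(level) % 2:  # odd count: duplicate the last node
        level = level + [level[-1]]
    return [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(leaves: List[bytes]) -> bytes:
    level = list(leaves)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def inclusion_proof(leaves: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from leaf to root; 'L'/'R' says which side the sibling is on."""
    proof, level, i = [], list(leaves), index
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        sib = i ^ 1
        proof.append((level[sib], "L" if sib < i else "R"))
        level = _next_level(level)
        i //= 2
    return proof


def verify_inclusion(leaf: bytes, proof: List[Tuple[bytes, str]], root: bytes) -> bool:
    cur = leaf
    for sib, side in proof:
        cur = node_hash(sib, cur) if side == "L" else node_hash(cur, sib)
    return cur == root


def index_root(packages: Dict[str, bytes]) -> bytes:
    # Sort by name so every mirror and client derives the same tree.
    return merkle_root([leaf_hash(n, c) for n, c in sorted(packages.items())])


# Constructed sample index (hypothetical); contents stand in for package archives.
PUBLISHED_INDEX = {
    "bash": b"bash-5.2 contents",
    "curl": b"curl-8.5 contents",
    "openssh": b"openssh-9.6 contents",
    "xz-utils": b"xz-5.4.6 contents",
    "zlib": b"zlib-1.3 contents",
}


def targeted_update_is_detected(received: Dict[str, bytes]) -> bool:
    """True if the root a client derives from what it received differs from the published root."""
    return index_root(received) != index_root(PUBLISHED_INDEX)


if __name__ == "__main__":
    victim = dict(PUBLISHED_INDEX, **{"xz-utils": b"xz-5.4.6 contents, tampered"})
    print("targeted update detected:", targeted_update_is_detected(victim))
```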


For those who aren't aware what PCMCIA stands for: People Can't Memorize Computer Industry Acronyms

If you want to refresh an old memory, it actually stands for "Personal Computer Memory Card International Association" but nobody knew that. And it was later called 'PC Card'... then there was the faster ExpressCard that wasn't backwards compatible.

It was fun being able to expand your computer's IO capabilities by adding on a network card, modem, USB, FireWire, etc. with these modules. It's similar to Framework's little USB-C-based modules, though those modules are just too small for a lot of circuits without a very creative design.


My understanding (probably wrong) is that PCMCIA was based off the ISA bus, then PC Card updated to PCI based, and ExpressCard was PCIe.

Close! The PC Card rename was because people were confusing the name of the association with the specific form factor.

PCMCIA and PC Card = ISA

CardBus = PCI and ISA - slot was backwards compatible so you could use a PC Card in a CardBus slot

ExpressCard = PCIe


That's also not a perfect recollection, but is what my recollection was until I was looking up this history in the past week and found this nugget and posted it elsewhere. Quoting myself:

>So we know these were originally called PCMCIA cards, then later PC Cards, right? Well, I think I might have found the first mention of PCMCIA in PC Magazine. It is in a Dec 1991 column by Dvorak where he "introduces" the "PCMCIA PC-Card". Here's a quote, "In fact, the card should be referred to as the PCMCIA PC-Card, or the PC-Card for short. PCMCIA is the Personal Computer Computer Memory Card International Association (Sunnyvale, Calif., 408-720-0107), and it's the governing body that has standardized the specifications for this card worldwide. JEIDA works with the PCMCIA; it's specifications are identical."

>So at least according to this Dvorak column, these were ALWAYS properly called "PC-Cards" (he used a hyphen), but early on people definitely were calling them PCMCIA cards and I remember the shift to everyone later (much later than this 1991 column) calling them PC Cards.


Neat, definitely a part of history that I'm not familiar enough with myself since I was only ~6 or so around then when the article was published.

It definitely seems to reinforce the joke backronym of "People Can't Memorize Computer Industry Acronyms" for the whole thing given how badly it was all referred to. It's a lot like the whole Clippit/Clippy situation with the Microsoft Office assistants. Originally it was only named Clippit but Clippy got coined by everyone else and even Microsoft ended up giving in and using it in marketing materials not too long after the fact.


Ah, completely forgot about CardBus. That was a fun time when we also had NuBus kicking around on some older Macs, too.

And obviously PicoPCMCIA means "very small people can't memorize computer industry acronyms".

(Or possibly s/computer/complicated/, that's how I remembered it at least.)


I thrifted a shirt once that said it stood for "Peppy Cheerleaders Move Crowds into Anarchy". Wish I still had it!

"For those who have forgotten..."

The problem is that Google isn't hosting the content. They're merely linking to it. There's no content to "take down."

I don't think there's standing to sue. Linking to pirated content isn't illegal. They could be found guilty of contributory infringement but that's a tough case since the legal requirement is that Google needs to know for sure that it's pirated (which is impossible at scale).


> Google needs to know for sure that it's pirated (which is impossible at scale).

Google being informed by the copyright holder that it's for sure pirated is pretty good evidence that they know it's pirated.

The fact that this doesn't scale isn't really a legal defense.


And they certainly have such a mechanism in place, indicating that they intend to take this kind of action. They're just failing to.


It’s not good evidence, because people issue false DMCA takedowns all the time. Which I presume they would point out in court.


In this case, it isn’t a false claim.

The author only needs to show up to court with a driver’s license to prove their identity. The judge would rule in favor of the author the same day if someone from Google actually bothered to show up.

A scammer isn’t going to court. Don’t try to solve for that.


Right, and the counter to that is "I tried to prove I was the copyright owner and they refused to comply".


> which is impossible at scale

I love how this is the defense of all these tech companies. "I'm sorry, your honor, we are just a poor multi-trillion dollar company... there's just no way for us to control anything, because we're just too big..."


>which is impossible at scale

Either they solve it or they should give op the benefit of the doubt. Arguing that x or y isn't possible at scale doesn't mean you get to break the law.


No they shouldn’t give anybody the benefit of the doubt when that person claims copyright infringement! Not unless you want internet randos to be able to take down any YouTube channel they want for “copyright infringement.”


As far as I can tell, requiring valid ID would lose a provider safe harbor protection as it is not one of the required elements:

(3) Elements of notification.-

(A) To be effective under this subsection, a notification of claimed infringement must be a written communication provided to the designated agent of a service provider that includes substantially the following:

(i) A physical or electronic signature of a person authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.

(ii) Identification of the copyrighted work claimed to have been infringed, or, if multiple copyrighted works at a single online site are covered by a single notification, a representative list of such works at that site.

(iii) Identification of the material that is claimed to be infringing or to be the subject of infringing activity and that is to be removed or access to which is to be disabled, and information reasonably sufficient to permit the service provider to locate the material.

(iv) Information reasonably sufficient to permit the service provider to contact the complaining party, such as an address, telephone number, and, if available, an electronic mail address at which the complaining party may be contacted.

(v) A statement that the complaining party has a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or the law.

(vi) A statement that the information in the notification is accurate, and under penalty of perjury, that the complaining party is authorized to act on behalf of the owner of an exclusive right that is allegedly infringed.


I'll be the first to shout from the rooftops that the DMCA is in general a bad law, but according to that law, if the takedown notice contains the required verbiage, then they are required by law to give it the benefit of the doubt (that is, if they want to keep their lack of liability).

> Not unless you want internet randos to be able to take down any YouTube channel they want for “copyright infringement.”

This is why it's a bad law! But it is the law.


Hosting a link doesn't break any law.

Unless the OP wrote a book that's just one long URL, and even then.


So why does Google receive and (sometimes) act on DMCA requests?


I've always wondered this myself!


>which is impossible at scale

Lol, hail corporate!

It's definitely possible, you just got hand-waved on that.


Until there's a database of all the copyrighted works in the world that anyone can access—along with their licenses—it is absolutely not possible to know for certain if something is violating copyright.

Simple example: Disney opens up a new website that has some of their obvious content on it. How does Google know that Disney owns that website and has authorized its use? If they get a takedown notice, how do they know the sender owns the content?

There's no formal verification system that exists for such things. It's all based on an honor system that is easy for bad actors to abuse (which is probably why Google changed how they do things).

The entirety of copyrighted law has failed. It isn't working as intended and hasn't for a long time now. Anyone who understands how easy it is to copy bits should know that the original intent of copyright can't work anymore. We need something new to replace it.


> Anyone who understands how easy it is to copy bits should know that the original intent of copyright can't work anymore.

AI makes this even more stringent. You cannot protect the "vibe" of your works, AI can replicate it in seconds. If you make "vibe infringement" the new rule, then creativity becomes legally risky. A catch 22.

In 1930 judge Hand said in relation to Nichols v. Universal Pictures:

> Upon any work...a great number of patterns of increasing generality will fit equally well. At the one end is the most concrete possible expression...at the other, a title...Nobody has ever been able to fix that boundary, and nobody ever can...As respects play, plagiarism may be found in the 'sequence of events'...this trivial points of expression come to be included.

And since then a litany of judges and tests expanded the notion of infringement towards vibes and away from expression:

- Hand's Abstractions / The "Patterns" Test (Nichols v. Universal Pictures)

- Total Concept and Feel (Roth Greeting Cards v. United Card Co.)

- The Krofft Test / Extrinsic and Intrinsic Analysis

- Sequence, Structure, and Organization (Whelan Associates v. Jaslow Dental Laboratory)

- Abstraction-Filtration-Comparison (AFC) Test (Computer Associates v. Altai)

The trend has been to make infringement more and more abstract over time, but this makes testing it an impossible burden. How do you ensure you are not infringing any protected abstraction on any level in any prior work? Due diligence has become too difficult now.


OP got in touch with one (or many) humans at Google. Humans then decided not to act on the DMCA request.

No need for the "doesn't scale" argument; whatever system they have in place is already good enough to process OP's inquiry. The problematic bit is what they decided to do once they had all the information in their hands.

I do, however, think this is just a mishandled situation and Google will correct, particularly after being featured on the HN wall of shame.


Before we can assume this is impossible for Google, let's look at their revenue: Is it greater than the salary of 1 person, which is all that's required to comply with OP's request? If so, then it isn't impossible.

To judge the claim of unscalability true, we would first need to know the rate of DMCA takedown requests, the number 1 person can investigate in a day, and then we can do the math of whether total revenue can pay for those employees.

Even if not, it's not an excuse. The only legal venue google has to complain about this, is getting the law changed.


It’s certainly due for an update, but it isn’t doing nothing at all. The friction it creates for unlicensed use at scale is enough to keep all the streaming services etc. afloat, which in turn are still funding the production of content. Maybe the anarchy that would follow its abolition would be superior to the old system creaking along, but that remains to be seen (and would be silly to accept on faith).


I don't know, how did the world manage to work before the internet?

You call someone, you send a letter, something. It's not rocket science.

It's not automated, sure, but some things will never be automated, just by their nature. That doesn't mean it doesn't scale. Well, sure it does. You just hire more staff.

For Christ's sake, it used to be that phone calls required physical action from an operator to get connected. And now we can't do shit if there isn't an API for it or some bullshit.


> It's not automated, sure, but some things will never be automated, just by their nature. That doesn't mean it doesn't scale. Well, sure it does. You just hire more staff.

You're right, of course, but when people say "it doesn't scale" they tend to mean "it doesn't scale with a near-zero marginal cost".

Maybe we should be calling out that wording.


Right, it scales linearly, as is the case in most businesses. Only tech craves a constant time scaling factor, because in most business it's just not possible. You can't run 100 walmarts with the same employees as 1 Walmart, and Walmart knows that and is very successful in spite of it.


> You just hire more staff.

Every Googler on the planet just laughed and downed another Tequila shot.


Deathbed regrets aren't fun at all. Deathbed wishes for their next life are much more interesting!

For example, Gil Amelio—former CEO of Apple—once expressed that he wanted to be reborn as a woman owning/working a vineyard in Southern France. That was so specific and interesting, I still remember it.

Wishing you used social media less doesn't exactly spark the imagination.

BTW: Yes, I know he's still alive :)


Simpler "fixes": Prevent corporations from owning single family homes and don't allow anyone to own more than one single family home.

It'd crash the housing market, making homes MUCH more affordable, immediately. As corporations—who currently own 25% of all single family homes in some markets—are forced to sell off their inventory.

They could still own multi-family dwellings, just not single family homes.

The wealthy would just build multi-family dwellings for themselves, owned by corporations (that they own), and rent them to themselves. So it wouldn't really interfere with their rich lives much.


Hey now... We have to evolve somehow. The folks that continue to reproduce in this technological dystopia are passing on their "just ignore social media" (or more likely, "get bored with social media") genes to the next generation.

In 1000 years, social media will recommend people stop spending time outdoors and warn against the dangers of non-ultraprocessed food.

Power outages at places where young people are forced to gather will be engineered in order to facilitate breeding as their minds will be completely starved of anything else to do while their hormones rage due to the aphrodisiac aerosols pumped into the building where they remain captive.


It's much more fun to have AI generate an image depicting the summary and try to guess what it was all about.


The very people that whine and bitch that "AI is bad" will enunciate their complaints via their phone's AI-driven speech recognition feature.

It's pure cognitive dissonance.


When have you ever seen this thought process work on someone?

"Wow, you're right, I use programs that make decisions and that means I can't be mad about companies who make LLMs."

Surely a 100% failure rate would change your strategy.


Frrl. These people are insufferable


Maybe for the people who know the technology. But average joes don't always know if they are using GenAI. So your statement is a bit misleading.


Different kind of AI


AI Speech Recognition isn’t a plagiarism and spam machine


Not even grammar correction? That's lame and kinda evil.

When you submit your manuscript to a big publisher I guarantee they're using AI to check it (now). At the very least, AI is the only tool that can detect a great number of issues that even the best editors miss. To NOT take advantage of that is a huge waste.

It sounds to me like they're just trying to push out independents and small publishers. Because you know they're not going to ask big publishers if they use AI (who will likely deny it anyway... Liars).

FYI: AI is both the best grammar checker ever as well as the best consistency checker. It'll be able to generate an intelligent lexical density report that will know that you used "evasive", "evaded", and "evading" too much (because it knows they're all the same base word). They're also fantastic at noticing ambiguities that humans often miss because they're like-minded and "know what you mean." (Our brains are wired like that to improve the efficiency of our repetitive tasks like reading words).

AI tools can help you improve as a writer and enhance your craft in a lot of ways. To not take advantage of that—to me—feels like burying your head in the sand and screaming, "LA LA LA LA! I don't want to think about AI because it can be used for bad things!"

I've chatted with many writers about AI and nearly all of them don't understand the technology and assume it's literally just taking chunks of other writers' works and spewing them out one sentence at a time.

I literally had a conversation with a writer that thought you could take ten sentences written by AI and trace them back to ten books.


That literally *is* what they’re doing though, just not at sentence granularity—they’re doing it at both larger and smaller scales. Sometimes they may give you a plagiarized paragraph, sometimes they’ll give you a plagiarized phrase, sometimes they’ll give you a structure that they fill in with “their own” words where the structure itself was taken from something… They do nothing original.

