That's what the current "Obamacare" plan was supposed to solve. After thrusting much of the health system firmly under government control, raising costs substantially, and literally fining people for being unable to afford more expensive plans, we're left with ... the same number of un- & under-insured people.
> we're left with ... the same number of un- & under-insured people.
No, we're not.
"Gallup reported in July 2014 that the uninsured rate among adults 18 and over fell from 18.0% in Q3 2013 to 13.4% by Q2 2014."
More Americans are insured today than ever before, both in absolute numbers and as a percentage of the population. This doesn't mean that the ACA is responsible, but saying that we have the same number of under/uninsured people is simply false.
> That's what the current "Obamacare" plan was supposed to solve.
And it reduce the problem considerably (though less than it would have without the bizarre Supreme Court decision that Congress can't actually set the terms on which states get federal Medicaid funds, and particularly change the rules on Medicaid to require states accepting federal money to expand coverage -- which resulted in a number of states opting out of the expansion in Medicaid coverage that was intended to cover the lowest-income portion of the uninsured population not already covered by Medicaid -- the higher-income segment was addressed by the exchange-and-subsidy system.)
> After thrusting much of the health system firmly under government control, raising costs substantially, and literally fining people for being unable to afford more expensive plans, we're left with ... the same number of un- & under-insured people.
Actually, a much smaller number, but still more than many people would like.
> After thrusting much of the health system firmly under government control,
Everyone outside of Medicare is in private insurance, which is regulated but not "firmly under government control".
> raising costs substantially,
While there is debate about whether the ACA has slowed the rate of healthcare inflation in its short life, there is no evidence that it has "raised costs substantially" across the system.
> literally fining people for being unable to afford more expensive plans
Fining people for choosing not to pay for health care if they are able. Everyone needs health care, most everyone gets (possibly lacking) healthcare when they need it, and it costs money.
The previous solution, brought to you by Ronald Reagan, was the mandate that hospital emergency rooms couldn't turn people away who needed help. A humane concept, but poor social or economic policy for addressing the healthcare system in the large.
I've been wondering, when we get to the point that there is a mix of autonomous and human driven vehicles on the road, if we will see the human driven vehicles start to game the autonomous vehicles' collision avoidance systems? For example, the main reason not to cut off traffic is because the driver might not react quickly enough (ok, the other reason is no to be a jerk.) but with autonomous vehicles, human driver may be able to become significantly more aggressive, knowing that the autonomous vehicle will get out of the way.
(As a side note, I wonder how autonomous vehicles will handle lane splitting motorcycles? They get pretty close to the cars to either side.)
The autonomous car could automatically send the video and sensor data of illegal human driving behavior to the appropriate authorities. It seems pretty stupid to drive dangerously around a car that's recording so much information.
Free idea I've kicked around: Give away free dashcams to drivers that upload their footage nightly to Google (with user's permission), have Google process the data to find high risk drivers, sell that information to their insurance companies to properly re-price their premiums. Take a cut, share said cut with dashcam drivers.
Drive the price of human driven vehicle insurance high enough to where self-driving vehicles are the logical choice.
No, not that. The comment I replied to was implying that once people figured out car AI wouldn't kill them, they'd just halt cars for the fun of it or when they felt like it.
With a fallible human behind the wheel, you can't take chances like that.
(To be clear, I don't drive and am for pedestrianism. But I can see how it would be a problem if people can simply block autonomous cars. I'm also worried that a heavy handed response to that problem could harm pedestrianism.)
which was factored in 1991, so I bet you can get the right hardware and software to factor your number too. Maybe one of these implementations will do it:
Wow -- I'm impressed. I just threw that out there to show how hard factoring is -- I didn't think anyone would actually do it. Ummm... Do you work for the NSA?
I don't work for the NSA—I just have a laptop, and a copy of Mathematica. The factorization took about 10 seconds.
Mathematica is really a pretty remarkable piece of software. I doubt it's world class for factorization, but it gives you easy access to a lot of pretty darn good algorithms for a wide range of problems.
There's 1 sentence on the implementation of FactorInteger in the docs, FWIW:
OK, so take a 64 bit integer. That's the typical size of an integer in a modern programming language. A signed integer can represent 2^63-1 which is 9223372036854775807.
Imagine a "big integer" which is a composite of multiple 64-bit integers. With a big integer made up of two regular integers, you can represent the value 170141183460469231731687303715884105727. With three, you get to 3138550867693340381917894711603833208051177722232017256447 if I'm doing the math right. That's already in the ballpark of the number you mentioned - just three regular integers together.
Granted, I'm not talking about how difficult the factoring is, but it's worth noting that the size of the numbers are pretty small to a computer. Modern computers are really fast and can brute force a large number of computations. Mathematica probably has a fairly optimized general purpose factoring algorithm as well.
A number like this might be more difficult to factor:
I would say factorisation is more tedious than hard. Modern computers can perform several billion operations per second. The simplest algorithms take O(N) time, that is to factorise N, you need to perform around N calculations. There are better algorithms which run in logarithmic time, so you only need log(N) calculations (and some which are better than that). Even with what you and I think of as big numbers, this is fast.
You get problems with numbers over 100 digits. I recently entered a challenge where one of the questions involved prime factoring a 130 digit number. That was a record feat a couple of decades ago, now it takes a day or two on a modern computer.
Anyone care to elaborate on the downvote? Given that the parent seemed surprised that it was possible to factorise a 'big' number quickly on a modern PC, I thought I'd elaborate.
Brute force search is O(N), the sieve of Eratosthenes is O(N log(log(N))). The Quadratic sieve is good up to 100 digits and runs in O(exp(sqrt(log n log log n))). Some utilities you can use for this are YAFU, MSIEVE or GGNFS.
This isn't all that complicated, as far as I can tell.
Guy discloses a vulnerability. He knows it potentially has wide reaching security concerns, and downloads enough data to prove that if necessary.
Guy gets shortchanged on the bounty, indicating that either a) facebook is trying to shortchange him, or b) facebook doesn't realize how big of a vulnerability this truly is
Everything about Facebook's response indicates b): they didn't realize how big a vulnerability this truly was. Otherwise, the data he downloaded would have been useless by the time he used it.
You can argue that the guy "went rogue" by hostaging information, but fact is he deserved to be paid more and he was able to prove it. Now facebook looks bad.
Guy discloses vulnerability. Facebook is not as impressed as guy would have hoped. Maybe it's because he's one of several people to disclose the same vulnerability. Maybe there are just a lot of vulnerabilities (they've paid out 4.3m in bounties).
Guy's reaction to rejection: take hostages and threaten Facebook. Facebook moves to defense and cuts guy off.
You are not a good neighbor for kidnapping someone's family to prove to someone their busted lock is a big deal. You show them their lock is busted and trust they can figure out what harm that could lead to. The alternative is companies being hostile to people just looking around their locks, which is the world in the 1990's and 2000's that responsible researchers are trying to avoid going back to.
This is, of course, Facebook's narrative which conflict's with Wes's.
One obvious hole I can see in Facebook's story is that they insinuate that Wes broke back into the server after they disputed the bounty. If this were true, they did nothing in response to the problems Wes found for over a month.
If you look at Wes's timeline, he says access to the server was no longer possible a few days after he filed the second report.
It comes down to who you believe. Personally, I find Wes to be more credible. It sounds like it was most likely a misunderstanding by FaceBook. Now they are doing damage control.
"With the newly obtained AWS key... I queued up several buckets to download, and went to bed for the night."
He definitely took data off of Facebook's server.
Also you misunderstand his access being denied was a firewall change earlier in his story. This was merely to speculate other systems he could have penetrated--completely separate from the S3 buckets he took data from.
From Facebook's perspective it could very well have seemed like he went back for the goods since he submitted three separate reports, the last of which triggered the response. But this is also irrelevant, the question is whether he took data off or not and this is unambiguously yes, by Wes's own admission.
Honestly, I think he did go too far downloading the S3 data, but nothing in their policy stated or implied that was against the rules. He did not violate their written guidelines. And so, Facebook should have paid him (and then changed their policy), even if begrudgingly.
FB: He's an experienced bug bounty hunter and should know where reasonable borders are.
All the experienced security guys itt: He's an experienced bug bounty hunter and should know where reasonable borders are or at least not pivot/escalate without asking. Also never dump and hold data.
Everyone else: What he did isn't technically against the rules FB wrote, so they are screwing him, despite it also being written that they have sole discretion.
* You are stating that all (not some) experienced security folks are agreeing unanimously. The implication is that those show disagree are not "experienced security guys" (as you called them: "everyone else") - they are the ones who aren't true scotsman
* you assume those who don't explicitly indicate that they work in infosec industry do not work in the infosec industry
* also, you do you need to be "experienced" in the infosec industry to be correct / wrong.
The general theme of the thread seems to be security industry people, like tptacek (or commenters self-identifying as being in the industry), expressing concern with the researcher's actions (while still admitting Facebook didn't handle it well). The primarily negative comments don't seem to have a specific affiliation tied to them. And given HN's demographic, odds are much more of them are developers than are infosec people.
I don't think the person you were replying to was suggesting that any infosec people who fully support the researcher aren't real infosec workers. I just don't think he saw any who even claimed to be.
I disagree; this is non customer, non-financial data which is often considered fair game because downloading data is useful to locate many security bugs. Source code or config data is a prime target, but so is network diagrams etc.
Defense in depth means every defense needs to be validated not just the outer layers.
PS: Further, if FB says they know about a bug then anything he downloaded could easily be in the wild and should be investigated.
This. Literally every single person who identified themselves as in the security fields that I saw said the researcher went too far.
What's really getting to me is the overwhelming number of responses containing idea that everything that isn't explicitly banned is permitted, despite the recipient saying "No" (even indirectly/without justification) at some point. How to deal with the grey area of consent is something that every adult should know, and it's worrying to me that so many here seem to feel entitled to whatever they can take as long as it wasn't explicitly forbidden.
Obviously FB should update their policy, but at the same time it's important that we as the community use this as an opportunity to learn and discuss where the implicit boundaries are, where one needs clear-cut agreement to proceed.
No. The question is whether FB understood the severity of the bug and paid in proportion to its severity. When you run a bounty program, that's what you do.
This whole thing is silly. Facebook (or any other tech company) have a lot of flexibility and hardly any accountability in defining what a "million dollar bug" is. You really can't believe they are going to just hand you over 1m because you think it is a 1m bug. It very well may be but in the end facebook will be the one deciding the value of said bug and you will have nothing to do with their decision so assume they just won't do that.
Sure, they'll be the one deciding. Except, that other bounty hunters are watching their reaction and their fairness in paying out people for their work.
The next $1M bug that gets discovered will probably go out onto the black market because of Mr. Alex's actions here.
No, the free market decides the value of the bug. You can either pay that value to a white hat to find it or wait til a black hat sells it.
Facebook has now demonstrated that they will not only not pay you, but they will attacking you publicly, slander you, and threaten you. Now what does that mean for the next hacker coming along? Someone who is clean and wants to stay clean will avoid Facebook. Someone who isn't will realize that Facebook is now an easier target because of the clean guys staying away.
Exactly this. Facebook have just demonstrated that at best they'll get an anonymous warning and then all their private keys dumpd onto pastebin when they do nothing.
I don't think he is claiming 1 million for the bugs, he mostly wanted to share the whole story (that title was just to get some eyeballs instead of using maybe "facebook cheated me")
At no point did he take hostages. It's that sort of thinking that lead to all this drama in the first place. He did however disclose, which is pretty reasonable considering a lot of us are trusting these services to protect our information.
What if Instagram blead all your browser information? So people can now fingerprint billions of people and figure out who (and their pictures) are surfing their sites? What if there are pics on instagram that people rely on being private?
You make "downloading" sound more sinister than it is. Downloading something from the network is the only way to see that it's there or know what it is. There is no substantial difference between downloading and viewing in this case.
> "With the newly obtained AWS key... I queued up several buckets to download, and went to bed for the night."
This isn't about whether viewing files on an internet is technically downloading them; this is about retrieving files of enough size and quantity that you have to queue them up for an overnight download.
Under the assumption the keys would be revoked it's just trash anyways - it'd have been useless anyways, but apparently they didnt realize how serious stuff was, otherwise they would have revoked it
A month is plenty of time to change critical S3 credentials
"Maybe it's because he's one of several people to disclose the same vulnerability"
The thing that gets me about this whole situation is that Facebook either didn't understand the extent of the vulnerability (which seems to be the case to me, and in which case I think Wes Wineberg should have been rewarded far greater than they did for showing them how serious it was, though I wouldn't say this is literally a "million dollar" bug) or they were grossly negligent for not patching it up a lot sooner than they did. They can't have it both ways.
Are they bad at managing their bug bounty program, or just bad at responding to serious security issues? It has to be one or the other.
I'm not sure anyone really understands how the law works when it comes to bug bounty programs and legal retaliation by companies. Is there any case law precedent yet?
In most cases where the opposing parties are one large publicly-traded company and one small company or individual, the law works like this:
* little guy offends large company, usually through some totally well-meaning and innocent activity that, if illegal at all, is only so due to obscure, obsolete, and/or obtuse laws
* large company unleashes unholy wrath of $1000/hr law firm on little guy threatening to destroy little guy's world if he doesn't immediately comply with all demands
* lawyers laugh at the plight of little guy and say it doesn't matter what he thinks because he can't afford to oppose large company
* little guy is forced to comply no matter how absurd large company's demands are, because only other large companies can oppose large company in court
* should the large company feel inclined to sue the little guy even after he acquiesced to their ridiculous demands, little guy loses all of his possessions in his attempt to pay legal fees. little guy will run out of money before the case wraps, resulting in him getting saddled with a judgment for massive personal liability (cf. Power Ventures)
* large company is free to make the same infractions whenever they feel it's appropriate to do so, because what are you gonna do, sue them? (cf. practically every company who has ever brought a CFAA claim; Google's whole business is violating the CFAA, as well as various copyright laws)
* bonus points: large company has friends in the prosecutor's office and gets the little guy brought up on life-destroying criminal charges (cf. Aaron Swartz). if the case makes it to trial, little guy spends time in jail (cf. weev)
Total aside: I have a startup idea to throw a wrench into your accurate depiction of how things currently play out: little guy hires full time lawyer from large pool of unemployed lawyers, suddenly has legal counsel at reasonable (relative) price for extended time. Suddenly little guy has more of a fighting chance to fight back against lawsuit, instead of having to pay out his counsel at $1,000/hr. (He can add a full time yearly lawyer at the clip of every 2 weeks of his adversary's costs)
I'm not sure in this case, that's true. But whether or not this was illegal I generally support skirting laws if it makes everyone else more secure. To that end, I also support Snowden.
This is interesting only because Mark didn't address it head on from the start, but honestly it's not all that surprising.
Private foundations have something called "expenditure responsibility" which makes giving funds to a taxable entity (a grant) tremendously annoying. Any misstep makes you liable to some massive surcharges, public scrutiny, and potentially major headaches. It's the antithesis to Mark's "move fast and break things"
There's some argument he should push for a public charity instead. There, expenditure responsibility isn't expressly required, but you're still expected to see that the money you grant is used for our charitable purpose, and still subject to audit.
I'm expecting them to write quite the essay in response. On it's face, I don't think people should fault this decision. I'm fully expecting a strong effort to use this money efficiently, which is no easy task with such a massive sum. Check out GiveWells recent post about trying to "give away" Dustin Moskiwitz and Cari Tuna's money - which I believe is an order of magnitude less in volume, but still very challenging.
Universities love to complain about needing to react to what parents are saying, but this seems like something they bring on themselves. With such expensive tuition, a student's choice of college often cannot be made independently, and parents feel like they are buying their right to hassle higher educators. I would love to see a world where students truly decide on their own university and the ability for parents to affect the day-to-day of a university is drastically reduced. To me, this is the most interesting aspect of the push for free college.
I don't think it has as much to do with parents paying for college as it does the fact that it's an almost-requirement to have a parent paving the way for the vast majority of kids to make it into a Stanford. Normal human beings don't exhibit the level of dedication required, but parents know they can set their kids up for life if they remove a lot of the obstacles. It's not surprising to me that pattern doesn't stop.
These helicopter parents are the same people that protest when their kids don't get a trophy for losing a soccer game.
Granted this is off topic, but I've reached a similar conclusion that "everybody gets a trophy" is an urban legend spread to promote a conservative political agenda. Most parents -- conservative or liberal -- roll their eyes at that idea.
A handful of anecdotes:
1. When my kids were little, they participated in soccer. For the smallest kids, it's apparently customary that they don't keep score. Well, the kids themselves kept score. Every kid knew the score, who won, who scored the goals, and who were the best players on the team.
2. My daughter brought home a ribbon for something. She said: "Oh, this is just one of those ribbons that everybody gets for participating." So this apparently liberal agenda can't have had much of an effect.
3. The most liberal parents in town put their kids into competitive or selective situations from a very early age. Through the fairly standardized repertoire for violin lessons, my daughter has known her exact rank as a violinist, since she was practically a toddler. There's no ambiguity about who can play song 6 from book 8, and who can't.
> protest when their kids don't get a trophy for losing a soccer game
It's great to respectfully debate across an ideological divide, but these kinds of propogandistic catch phrases immediately flag your comment as "looking for an internet food-fight" and shut down any thoughtful discussion before it starts.
"Liberal political agenda" and "Bernie Sanders bill" in the same comment. I also learned NCLB is an integral part of liberal thought. Truly a better detachment of semiotics from words has never been foisted.
The butchering of the English language done by U.S. pundits after the New Deal era to redefine liberalism (or, really, to eradicate all meaning out of it) is unfortunately spreading all across the globe thanks to the web.
"To say that more of their ideas will help to solve the very issue they created..."
I don't see how I did that.
I do appreciate your perspective that I spun a cultural issue to support my political agenda. I'd argue that I'm actually doing the opposite, but I agree I did nothing to make that clear
In all honesty, I've long thought that parental influence on college students' decisions - whether it be the choice of college itself or the concept of "helicopter parenting" within college - has the single greatest negative influence on top universities. Without a consistent "expected contribution" across colleges, cost is a dominant factor in the decision process, and we end up with students that don't necessarily want to be studying where they are. I loved my school, and while I felt bad for the kids who complained about being there because they had no choice, I often just wish they'd leave and stop dampening the culture. At top universities, it's similar to someone in YC constantly complaining that they have to try this pesky startup thing.
I also disagree that the effects have existed forever. I think it came with the cultural shift of helicopter parenting, and parents generally making more decisions for their children.
Ultimately though, I support the Bernie Sanders bill because I think it's an interesting way to try and resolve the negative impacts of the cultural shift. It's a bit like using a sledgehammer to drive a nail, but I'm not one to complain about free college (and I do think free public tuition will extend to the private sector, especially quickly at the top university level)
Like many here, I'm confused with how people could be upset with GMOs but not random mutation. Either could result in the same vegetables.
It turns out - when talking to strongly GMO-opposed persons - it's usually not the genetic modification they're worried about. Instead, it's that a crop has been showered in roundup before we eat it. Saying "anti-GMO" has become a simpler way of saying that you're anti-roundup-sprayed-crops.
Even though I disagree with this redefinition, I've found it to be common among anti-GMO parties. I also consider their real argument much more respectable than actually being opposed to arbitrary genetic mutations.
When a seed is genetically modified to support wide spectrum herbicide use, does the nuance really matter? A lot of people in this thread are poo pooing the anti GMO movement, when a lot of anti GMO folks are against genetically modifying food to support corporate greed. Monsanto isn't an angel sent from the heavens to feed the starving.
I have a friend who likes to parrot out every anti-GM article in the mainstream press.
He eventually kind of changed his argument (he is a stubborn bastard who will never admit being wrong), when I asked him:
What is it about targeted gene mutation (as in GM organisms) that you think is so much more dangerous than random gene mutation that occurs in nature?
I agree. Personally, my concerns with GMOs lie more with environmental factors (contamination of surrounding areas for example) and concerns about gene/seed patenting by "big agro".
It's a technique that one uses to cut through with people who don't care about anything but the bottom line.
Essentially, you say that first and foremost, it's bad for business. Plus, it also has some negative effects on society and the ability for people to participate as equal members in society; you know, for airy fairy types with lofty ideals in ivory towers who care about such things.
It's somewhat upsetting that people see the need to frame things this way, but unfortunately it's an effective way to deliver a message without being 'partisan' (whatever that is).
The business community has figured out a lot of things great for business. Non-Discrimination is on the list, but so is wage-fixing (on one hand) and providing alcohol to minors (on the other).
Leveraging Apple's weight here just seems inappropriately selective to me.
On this one, I think both shard972 and gotothrowaway are both equally correct.
Business isn't a monolithic entity, nor is the 'business community'. I'm not sure arguing down this line makes much sense, as it's very very easy to construct straw-men.
Remember that Tim Cook and Donald Trump are both in the business community. I wonder how much they have in common...
The other day I noticed that they're inlining image data in the src attribute instead of pointing at an external URL. Really taking things to the next level all-around - I wonder when that will become the norm instead of css image sprites.
Hopefully never, and certainly not with http 2.0 around the corner (this adoption wont be so slow, things are already starting to fall neatly into place). It's a micro-optimization Google can afford to do, others will just rely on optimize images size and a CDN instead (possibly an extra hostname) and vast majority wont/don't even bother..
