It may be worth pointing out here that with substance abuse, people often end up substituting one dangerous thing for another. Just because someone's a recovered heroin or cocaine user and not an alcoholic doesn't mean alcohol's not riskier for them than for other people. Whether or not that'd be true of Anthony Bourdain I can't weigh in on.
This separation needs to end. The sooner, the better. Alcohol is very much a drug.
"An estimated 88,000 people (approximately 62,000 men and 26,000 women) die from alcohol-related causes annually, making alcohol the third leading preventable cause of death in the United States. The first is tobacco, and the second is poor diet and physical inactivity."[0]
Nowadays every webpage downloads 2 megabytes of framework JS and css preprocessors and analytics trackers and then pegs the CPU for a few milliseconds to display a paragraph of text.
If the page actually does anything on top of that the problem grows quickly.
My experience is just the opposite in my 22 years. I've only twice received a raise of more than 3% - once in 1997 when I was "promoted" to a junior programmer from a computer operator ($11K) and once again in 2000 at a different job with a ($10K) market adjustment.
I learned my lesson after 7 years of COLAs (I was a slow learner /s). Jump ship at the first sign that the company won't pay you your market rate.
Now 10 years, 5 jobs, and $70K later, I don't expect major jumps anymore. I'm within $15,000 of the most that any company in my local market is willing to pay an individual contributor. I have no desire for management and I live a comfortable life.
We already have troops stationed in 146 countries around the world, the thought of adding killer AI drone capabilities to the mix isn't exactly comforting.
Then of course, it gets sold to everyone labeled an "ally" by whatever administration in five years time.
You're pretending like 90% of people don't interface with the network by just using google. The few people who don't do that just search social networks instead.
I'm old enough to type in a URL, I rarely see anyone else who does that anymore.
Most of these articles have the same narrative, summarized as: We have seen how dangerous and important technology is with elections, now it's more important than ever we educate everyone about AI.
As if the two concepts follow or are related at all, it seems more like an extremely convenient way to pivot the conversation to this new area of hype in technology while not actually owning up to anything.
How about we talk about anti-trust law, privacy, and busting up Facebook and Google instead?
I want something new to come up and shatter Facebook, Google etc. We need more internet companies, and right now Facebook & Google reek with a vile stench. They lack creativity and innovation. They are the IBM of the current generation.
As far as fundamental research goes, they are both currently doing a lot of the very best machine learning research.
What they are as companies is an entirely different matter, in which case I would not doubt your comparison.
Take, for example, the decreasing quality in user experience in map apps over the last few years. Mining our data is apparently much more valuable than doing a simple job better.
It strikes me as not a coincidence that they are also the company in the big few which most highly values its users' privacy. Still not great, but it's something.
No, part of this involved using Windows's Data Protection API to decrypt it.
Other non-administrator users can't read these registry keys, it's encrypted with the login password (as is common with macOS Keychain and GNOME/KDE's credential stores) so even other administrators can't decrypt it.
On Linux, administrators (root) can extract the keys from ssh-agent. This is actually no less secure and usually more secure.
This is a cool demo of how to do it on Windows, and there's a reason the author didn't call it a vulnerability - it's working as designed and this form of attack is outside the intended threat model.
>On Linux, administrators (root) can extract the keys from ssh-agent.
I don't understand how the situation is different. Of course you can extract the keys from a running ssh-agent since the whole point is not having to provide your password every time so they have to have access to the private key one way or another. How is the situation different on Windows? Surely when the user is logged in an administrator with access to the full RAM and storage will be able to piece everything together (like TFA does for instance)?
On the other hand if you really can't trust your admin you have a huge problem anyway, even with a HSM you could be phished very easily.
Actually overall I'd say that this Windows method is slightly less secure because it means that the Windows keychain thingy is a single point of failure, if somebody compromises it they have access to everything including the ssh keys in the registry.
I don't think Windows gives an administrator account unfettered access to the full RAM, no. And without that or the user's login password, all they could get from the registry is the encrypted version, just as on disk. The encryption is separate per-user with that user's password.
Of course there may be ways to get an even more advanced level of access than administrator, such as the system account, but honestly Windows does lock some things down really hard at the kernel level and Data Protection decryption based on in-RAM credentials might be one. I don't know modern Windows internals to that level.
>I don't think Windows gives an administrator account unfettered access to the full RAM, no.
Are you sure? Typically root has access to the full RAM on an un*x system. Unless this is linked to a hardware TPM module I'm not sure why and how it would be protected. Maybe I'm wrong to assume that Windows Administrator == un*x root?
Anyway, if the OS has a way to hide some of its state from even the admin then surely it could use it to hide the unencrypted SSH key in RAM instead of hiding the key-to-the-registry-key? My main argument is that at some point if the OS doesn't want to prompt the user for a password it must have access to the private key one way or another, so I'm not convinced that Windows is more (or less) secure than Linux in this situation.
If you're admin, you might have to install a driver to scrape all memory. So... one hoop to jump through :)
Caveat: you're still trapped in your hypervisor partition. Enclaves (e.g. SGX) are also protected from admin/root snooping. IIRC, this is the same as on Linux.
It's protected by DPAPI [0] which uses the user's password to encrypt the keys. Any other programs running under that user can theoretically access it (just like how any program can access your ~/.ssh/id_rsa) but other users shouldn't be able to access it.
~/.ssh/id_rsa can be protected by a password, you'll want to access the running ssh-agent process memory to get the key in cleartext (unless the person uses some security token in which case you can't access the key, just try to login on a remote computer directly while the HSM is available).
But while ssh-agent has the key unlocked on a Linux system, any process running as that user can use the key without knowing the passphrase the ssh-agent. That's the more direct comparison.
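The comments above put the boundary at the user account: on Linux, what keeps other non-root users away from a running ssh-agent is the ownership and mode of its socket and the directory holding it. The following is an added example, not part of the thread, that audits that boundary; the function names and the temporary socket are constructed for illustration, and root bypasses these permissions as noted above.

```python
import os
import socket
import stat
import tempfile


def audit_agent_socket(path, uid=None):
    """Return a list of findings for an ssh-agent socket path (empty = OK)."""
    uid = os.getuid() if uid is None else uid
    findings = []
    try:
        st = os.lstat(path)            # lstat: do not follow a planted symlink
    except OSError as exc:
        return [f"cannot stat socket: {exc.strerror}"]
    if not stat.S_ISSOCK(st.st_mode):
        return ["path is not a UNIX socket"]
    if st.st_uid != uid:
        findings.append(f"socket owned by uid {st.st_uid}, expected {uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("socket is accessible to group/other")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_uid != uid:
        findings.append(f"directory owned by uid {parent.st_uid}, expected {uid}")
    if parent.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("directory is accessible to group/other")
    return findings


def demo():
    """Build a constructed socket in a private temp dir and audit it twice."""
    with tempfile.TemporaryDirectory() as d:   # created with mode 0700
        path = os.path.join(d, "agent.sock")   # constructed stand-in for $SSH_AUTH_SOCK
        with socket.socket(socket.AF_UNIX) as s:
            s.bind(path)
            os.chmod(path, 0o600)
            tight = audit_agent_socket(path)
            os.chmod(path, 0o666)              # simulate a misconfigured socket
            loose = audit_agent_socket(path)
    return tight, loose


if __name__ == "__main__":
    real = os.environ.get("SSH_AUTH_SOCK")
    if real:
        print(audit_agent_socket(real) or "agent socket is private to this user")
    print(demo())
```

An empty result only means other unprivileged accounts cannot reach the socket; any process already running as the same user can still ask the agent to sign.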