I've wondered this myself. I would love a version of reddit only with real people. I'd also love it if the anonymity was a gradient, and not a binary.
E.g. you could join a California based subreddit and verify you are a California resident, but not go further than that, etc., without cross-tying with other claims you've made about yourself in other forums/sub-reddits.
I've thought about using the various crypto-decentralized options here, such as Proof of Humanity or BrightID.
I'd be curious if you've made any progress here thinking about this, feel free to DM me via profile.
This is an amalgamation of ideas I’ve read and may be totally from elsewhere, but I think a good approach here would be to handle this more dynamically.
Every patent is taxed at some arbitrary rate - say 3% a year. The catch is the patent holder decides how much it’s worth. Low value means low tax. However, whatever value you pick is an open price for licensing by anyone else.
Ultimately, use it or lose it. If you don’t think it’s valuable and someone else does, the world still benefits.
Tune the tax percentage based on how much you want to hurt patent trolls vs. the impact on actual long-term R&D.
I have a similar experience for personal life. I use this too - it's imperfect, but it's a nice balance of complexity and utility that doesn't get in the way once you set it up.
As a resident of [STATE], I'm writing to express my dismay at some very recent specific tax changes negatively impacting small businesses innovating in technology, as well as express my support for a recently introduced bill to unwind those changes (S.866 - American Innovation and Jobs Act).
As both a software engineer and entrepreneur, changing software development expenses to be exclusively treated as R&D expenses amortized over many years will harm our country's ability to create innovative companies on the frontier of technology, as smaller businesses that take up-front losses in exchange for growth and deferred income will be dramatically penalized and go out of business. Conversely, large companies with established revenue and credit will not be harmed, increasing their ability to reduce competition in the market. So many of America's great companies in the last decades have come from a small number of people working together on software and hardware, losing money up front to gain money in the future. If you cannot write off the up-front expenses as truly spent money with uncertain return, those businesses cannot start.
It's a lose-lose-lose - this change hurts the little guys, helps the incumbent big guys, and will reinforce competitive sclerosis relative to our geopolitical competitors.
I don't know what the exact right answer is, or if S.866 is it - but the current situation is certainly not correct. If we want America to be competitive and create high-paying modern jobs, we can't tax new companies to death before they have a chance to get started.
Love this idea! Clever to build up the repeated skills and software internally, and take cuts of the moat-margin other SaaS tools reap from switching costs.
Can anyone comment on how concerning this is? It doesn’t seem good. I was considering updating from 1Password4 to 7 and biting the bullet on the subscription model. Based on this case study it seems 7 is a security regression trade for UX improvements. Now, I’m considering Keepass or at least waiting to hear some responses from providers involved.
It's not a concern. As an average user your only consideration is "Do they keep my passwords safe on the disk?", and the answer is "yes" for all of them.
If you work for the NSA and cover yourself with a tinfoil blanket to enter your passwords, just lock and close the password manager completely after you've used it to login to a service, and you're all good.
I don't think it's an "esoteric" attack, it's just that the cost-benefit of locking things down a tiny bit more isn't significant. We're always one browser exploit away from malware that can do whatever it wants.
Ok, so say the malware couldn't access all your passwords immediately. It's just going to sit on your computer and collect them (and existing sessions) as you use them, or force you to re-auth and then collect them. And if it's highly prized info, the malware will eventually get updated with a privesc to go around the user context. This is what malware has been doing for years, and nobody notices until exfiltrated passwords start getting used.
By the time I go through all my passwords at least once, browsers and the OS will release multiple rounds of patches and potentially fix the exploit in question. This is still preferable to uploading the whole database...
I think the cost-benefit differs. If the whole database is leaked, you just rotate everything. Only the stuff that has been used (which tipped you to it being leaked) has a real impact. Nobody's going to compromise every single account you have all at the same time, unless they're specifically targeting you, in which case they're going to get everything anyway. So on balance, it doesn't matter if some random malware gets 1 of your passwords or all of them. The real-world impact is about the same: limited. The cost of worrying about the extra security outweighs the benefit.
Another way to go would be tiers of password managers. Even if all of their unlocked integrity sucks, you can have one manager that keeps your most sensitive accounts, and another manager for the rest. You rarely unlock the sensitive one, and after you log in, you unlock it and exit it. Now you have much better opsec with very little additional cost.
Imagine a malware ad using a zero-day browser exploit that is designed to dump the 1Password db at scale and upload it for further processing. As an attacker you can run this for a while (while the exploit is valid) and then compromise the thousands of bank accounts you have collected. As many as your scripts support.
Well yes, right now that is true. Without filesystem access, without long-term persistence, just process memory access, a compromised browser can dump the whole db from 1Password 7 at once. You only need seconds of time.
If only recently accessed passwords were unencrypted, only those would be available.
If there's malware that can read your memory on your machine, they could also just intercept the paste buffer. Basically, this is a rather esoteric attack that if someone was in a position to perform, they could also do much simpler ones.
Keep using a password manager. Write down your 2FA codes separately in a safe place. (I recommend everyone own a safe deposit box.)
Same, I always loved FF but had switched to Chrome maybe 2-3 years ago.
After this incident, I switched to FF Quantum permanently. It has come a long way and honestly I feel more at home in FF after a day than I did in Chrome after everything they've tacked on the browser.
Having read these threads, and personally knowing people in the Chrome team that read these threads, I am almost certain that Google will backtrack this. I know more than a dozen developers that switched from Chrome to FF Quantum this week.