CtrlAltT5wpm's comments

I don't think you can claim a loss when the reduction in revenue is due to a reserve. But I'm not a tax lawyer, circumstances may vary, yadda yadda.

Accrual of Reserves for Estimated Expenses

Although reserves for contingent liabilities are often set up in business practice, amounts credited to reserves are generally not deductible for income tax purposes because the fact of liability is not fixed ( Portland Copper & Tank Works, Inc., CA-1, 65-2 ustc ¶9687). For example, advance deductions have been denied for additions to a reserve for expected cash discounts on outstanding receivables, amounts credited by a manufacturer to a reserve for possible future warranty service, and additions to a reserve covering estimated liability of a carrier for tort claims. However, to the extent that the Code specifically provides for a deduction for a reserve for estimated expenses, the economic performance rules ( ¶1540) do not apply ( Code Sec. 461(h)(5)).

https://answerconnect.cch.com/contents-document/mtg012e61a34...

Not the original poster, but the book "The Best Way to Rob a Bank is to Own One" by William K. Black (former bank regulator during the S&L crisis) might shed some light onto the S&L crisis, if not 2008's comparative response, though not directly.

One of the only reasons I'm still with Google Voice is because having your number with them mitigates (far as I can tell) SIM swap attacks. Yeah, someone can swap my SIM, but effectively nothing goes to the carrier number, just the GV number, which is much harder to socially engineer (even if some of that is because it's impossible to get someone on the phone).

If you tightly lock down your GV account, it should be much more difficult to compromise than a random cell carrier. I don't know if there's a comparable service, but I'm dying to pay for one, if only to not have a single point of failure.

This point, mentioned in the article, bears repeating, especially if you aren't familiar with Lastpass or their 2FA:

Lastpass uses Yubico's one-time password, which is more similar to TOTP than it is to FIDO's U2F (which Yubico had a hand in). Lastpass has had this for YEARS, long before U2F was even a thing, or before Lastpass was bought by LogMeIn.

10 years or so ago (back when I was a paying user of LP), the Yubico OTP was a really nifty bit of security, and probably state-of-the-art, at least to a user like me. Now, not so much. I don't know if this feature has a future, or if there are any plans to phase it out, since U2F is more secure. I'm not sure if there are really any existing applications for it, but this isn't my field of expertise; there might be something novel that can be done.

What I DO know is that users of Lastpass have been asking for U2F as an option for several years now, with no real movement on LP's part. If a one man outfit like Bitwarden, or a famously reticent company like 1Password, can implement U2F, Lastpass has no excuse (to be fair, 1Password's reluctance to implement a second factor was understandable when they didn't have a cloud component in their software).

Unfortunately, the only thing that will likely move LP is if Yubico announces they're dropping the OTP feature entirely.

Thanks for the reply. That makes sense in the context of Secure Value Recovery (to be rolled out, I think); it sounds similar in concept to how 1Password uses a user-derived master password along with a semi-random secret key in order to make a Master Unlock Key, which is then used to open the vault [1]. This seems pretty solid, at least to me.

It doesn't speak to any unexpected weaknesses in SGX due to hardware issues with Intel, though, that could be exploited with speculative execution attacks, and what possible information might be obtained were that to happen. I'm not certain how useful it would be to attack this specific feature to obtain saved social graphs when it may be easier to leverage those speculative execution flaws elsewhere in Signal's back end (I may be talking out my ass here, since even your link was pretty in the weeds for me).

I'm also not sure if it's prudent to trust SGX when it seems its protections can be overcome. Hiding all this information behind different SGX features might be all for naught if SGX itself isn't much of an impediment. Which all gets back to my original concern: is this trust in SGX (and by extension Intel) putting too many eggs in a single basket? Is there any fallback, just in case? What would that look like?

I sure as hell don't know, but I haven't even seen the question asked. Signal hasn't addressed it, and it may not even be worth making hay over, but I figured the smart folks around here would, if nothing else, be able to make some headway.

[1] - https://1password.com/files/1Password-White-Paper.pdf; pgs. 24-26

I'm hoping someone here has some insight they can share, because I've not really seen it addressed elsewhere.

As per the linked article:

> Another new feature it's testing, called "secure value recovery," would let you create an address book of your Signal contacts and store them on a Signal server, rather than simply depend on the contact list from your phone. That server-stored contact list would be preserved even when you switch to a new phone. To prevent Signal's servers from seeing those contacts, it would encrypt them with a key stored in the SGX secure enclave that's meant to hide certain data even from the rest of the server's operating system [1].

I assume that this is an offshoot or a continuation of what Signal started a few years back with Private Contact Discovery, a truly difficult problem considering the amount of user data and metadata Signal wants to avoid collecting [2]. It's a hell of a job, and I commend Signal's efforts.

Assuming I'm right, I'm curious as to why Signal is going down this road, specifically, relying on SGX (or any proprietary vendor solution) for security, or if they should. Due to the spate of speculative execution vulnerabilities in Intel hardware, it would seem to me (a layman) that this is a bad approach that will create more work for them down the line, and may rely too heavily on a single set of features. The Foreshadow attack was one that supposedly compromised SGX, with full mitigation only being possible with hardware revisions [3]. Even then, it may not be safe to assume that's the end of problems. Only recently, another attack on SGX was found, specifically, PlunderVolt [4], which at least can be supposedly mitigated via microcode update vs hardware refresh. Still, it seems like shaky ground, especially to be building additional Signal features upon.

Much further down the list of concerns, it seems like all these SGX-reliant features lock them into using Intel's platform exclusively. It's probably neither here nor there, but is this something they should be concerned about, or is that just the price to be paid for the advanced privacy features Signal offers? Is there any effort to disconnect these features from the hardware platform? Is it even possible? Should they? Am I even asking the right questions?

My worry is that Signal finally reaches some form of feature parity with the biggest messengers (I'd say it's there, mostly), SGX gets broken in a way that's not easy to fix, and all this time and effort will have been wasted, especially if they have to roll back user features which grow the platform in order to maintain safety.

I ask all this having no solutions myself, unfortunately. I'm neither dev nor cryptographer, only someone curious with some mild technical leanings. I generally lump myself in with the average user crowd, knowing just enough to be saddled with the 'Family's IT Person' label, but not enough to actually work in the field...as such, forgive any ignorance or obvious mistakes on my part. I've just not seen these issues addressed, and figured you would be the crowd best able to do so.

[1] - https://www.wired.com/story/signal-encrypted-messaging-featu...

[2] - https://signal.org/blog/private-contact-discovery/

[3] - https://arstechnica.com/gadgets/2018/08/intels-sgx-blown-wid...

[4] - https://plundervolt.com/

I was a paid user of LastPass for about a decade. I don't mind a subscription-based model, especially if there's cloud-syncing involved (I've evaluated the amount of risk I'm comfortable with, and cloud syncing is fine for my use case). Part of the benefit for a paid account is the ability to access your passwords when there's a network outage.

However, in the year before I left LP, they went down three times, at most for about 4 hours. Each time, I could not access my local vault, not through the browser extension, not through the Android app, and certainly not through the website; no matter what I did, it was nothing but errors, and their support was useless. It just would not work. That was enough to spook me and get me off their service.

I was complacent, thinking that no matter what, I could always see my vault, regardless of network status, until it actually hit the fan. I'm currently with 1Password, which is quite slick (their change on 2FA is what actually got me to give them a try), but I've killed network access to my devices and was able to access my vaults.

Just in case, though, I have KeePassXC as well. You never know.

The situation in the linked article is way different than what's happening to me. In any case, I appreciate the response and link.

Would you happen to have a link? I'm going through the same thing, and support is no help.

It might be even more vulgar than you described, depending on regionalities. In my experience, 'año' indeed means year, while 'ano' literally translates to anus. It's that extra bit of specificity that kills me.

> GDPR compliance can be extremely expensive to implement, especially for complex software comprised of thousands of microservices that handle customer data. And imagine working in an industry where data retention is legally mandated by other jurisdictions...

I only know of the broad strokes of GDPR, but wouldn't the costs be mostly mitigated if one just decided to not collect data? I thought the cost was really only borne if an entity decided to collect and retain data.

Take this with a grain or two of salt, as I don't recall the source, but it seems plausible - I read somewhere that when it comes to businesses like bars, at least in the US, there is a normal rate applied to the cable package, and an additional rate applied 'per head' for the event in question. This may only be for pay-per-view events where multiple people can congregate at a single location which has paid the PPV fee, and not necessarily for widely broadcast events; I've seen sports bars charge cover for highly anticipated MMA matches.

How those rules are enforced is beyond me. Tangentially related, some of the legitimate, paid-for streams have been of pretty low quality, cutting out frequently. Not sure if it's because of draconian DRM or just excessive demand, but it would be interesting to find out.

>...ordinary Titanium-based alloys would melt or weaken over time leading to rapid, unplanned disassembly.

That's a rather understated way of saying "She'll fly herself apart!"

I should be working, but your comment was enthralling.

Thanks for that. Some of the news sites I had been reading had neglected to mention this (and to be fair, I neglected to catch it) this, and I could swear some had reported that Bitwarden had claimed that this was a difficult issue to solve, and would likely not be implementing it in the near future. Information overload, I guess.

I'm in the same boat you are. I'm considering alternatives to Lastpass, mostly because the client has gotten worse over the past few years (since they were picked up by LogMeIn). I don't mind price hikes, but I don't feel as if I've gotten a commensurate increase in the utility or smoothness of the application (though I've certainly noticed an uptick in bugs).

My big thing is the integration of the Yubikey, which is almost mandatory. Bitwarden has this, but their recent security assessment had a showstopper, as far as I'm, concerned:

'BWN-01-010 – Changing the master password does not change encryption keys'

https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...

If Bitwarden gets that fixed, I'd jump ship instantly. Otherwise, I may play with Firefox Lockbox and see where that gets me.

To add context, the original awarded amount was calculated to be the revenue of a single day of coffee sales for McDonald's. Stella Liebeck had originally sued for ~$50,000, to cover the cost of her medical bills, which McDonald's refused to do. Additionally, the award was calculated at that amount as a punitive measure, because McDonald's had received hundreds of complaints from customers of the coffee being too hot, which it summarily ignored. The coffee had been a problem; McDonald's just didn't care.

Unfortunately, the lawsuit, and the seemingly 'ridiculous-at-first-glance' nature of the headlines surrounding it, was used by several companies to push for specific tort reforms, which were mostly to the detriment of the average public.

There's more to this than "Dumbass sues company because hot coffee was hot".

Hot Coffee https://www.imdb.com/title/tt1445203/

Forgive any ignorance on my part; I'm not a dev, just a lurker with a moderately above average familiarity with tech.

I mostly type with 6 - 8 fingers, with my attention split 50/50 between the keyboard and the screen. I can type around 50 wpm, more or less, though I probably average around 30. While I'll concede that typing faster would be a boon, how much faster can one realistically type before they start to outrun their inner voice? When I'm typing up emails or narrative reports for work, I regularly stop and consider what I'm going to write, with frequent revisions. Typing papers is just as start/stop, if not worse. I can think at a certain speed, but having my hands go much faster than that seems like wasted effort. What am I missing? Is it simply a RSI (repetitive strain injury; had to look it up) thing? I can see the obvious benefit if you do a lot of transcribing, but beyond that...I'm not entirely sure. Might someone help me out?

I've noticed the similarity between speech writing/delivery and comedy as well, and find it quite fascinating.

The really compelling bit for me is watching a skilled comedian get a feel for the crowd. It's easier to spot with a comic you've seen more than once, but you can see this with others as well once you know to look - you'll see them go into a routine, and for some reason the jokes just aren't hitting with the expected force (the crowd seems into it from my perspective, but what do I know?). They'll then almost seamlessly pivot into another completely different bit, and NOW it almost audibly clicks, and the audience just swells and starts laughing with their whole being. It's difficult to describe, considering that much of it is a feeling in the air. An off-the-top example...a comic is doing political material, and it's not being totally received, so they'll segue into sex material, and it pops with this crowd, so they'll continue from there. Considering that even within the same town, an 8:00 crowd and an 11:00 crowd may differ wildly in their tastes, to the point where the 8 crowd wants politics, and the 11 crowd wants sex. Geography plays a factor, too. It's an incredibly complex skill to master, and generally takes several years of road work to get down. Some of the hardcore touring comics are on the road for 250 - 300 days a year, which is insane to me.

It's easier to get a feel for these moments if you watch a lot of amateur comedy (not open mic beginners, though, as that's another beast), where the comedians are working on material or honing their chops - they're not as skilled as the headliners, usually, in mastering the pivot, so you see them successfully feel out the crowd dynamic, but not necessarily execute completely, so the struggle is much more obvious.

It's incredibly difficult work. Weeks of writing and 20 pages of notes might lead to 3 minutes of actual, usable material (likely less), if you're lucky. All respect to these professionals.

I'm not entirely certain you need to go that far. My issue is that most trailers, especially the ~two minute ones, show the majority of the story arc, and either contain spoilers, or hint heavily at those spoilers. That removes dramatic tension and any desire for me to watch.

A made up example, but I've seen similar: let's take an ensemble superhero action piece. You see a clip of a scene in the trailer where superhero A is in mortal peril, set against a desert backdrop. Compelling, but when I see the movie in theaters, there's an action set piece where superheroes A and B are fighting against villains C and D. B is temporarily incapacitated, and it looks like C and D have the drop on A. Unfortunately, this fight has an ocean backdrop. As such, all dramatic tension is gone, since I know A makes it to a desert I haven't seen yet.

I've had some success making a strict rule of watching only teasers (~30 seconds), or the first 30 seconds of a normal trailer, where they have time to set up the basics, but not enough to ruin anything. If I'm at a movie, I'll just close my eyes after that point, since I can't fast forward, and removing visuals is usually enough.

I wish movie makers would keep that in mind.

That's never how it works, though. Instead of offering a cheaper TV, they will instead offer a TV priced at what they can sell it for, and make money on the data sale as well. If they WERE to increase the price in exchange for not selling the data, someone would likely ask them why they weren't selling the data anyway, along with the price increase, if sales weren't negatively affected. To not do so would be leaving the money on the table, theoretically. The safest thing to do would be to not have the data at all, avoiding the temptation to sell.