Facebook's user base as of January 2014 was at 1.24B monthly users[1]. According to FB's post, up to 7% of their users do not support SHA2 certs. This would mean approximately 86.8m FB users alone would be affected by full-stop SHA1 degradation. I'm happy to see FB has implemented a mechanism for selective cert selection, and other organizations that care about their users' security ought to look at them for a model on how to approach this methodically.
SHA1 isn't great, but it is certainly better than plaintext communications.
It isn't _completely_ broken. That is why FB is still advocating for a two-tiered approach (SHA2 when possible, SHA1 everywhere else). SHA1 hash collisions are indeed now within the range of well-funded governments, but it is not within the range of your average script kiddie to find possible collisions. To prove my point, I'd ask you to find an arbitrary Root CA cert which uses a SHA1 hash and attempt to clone it. I think you'll find that this still takes a considerable amount of effort and/or it is completely out of reach.
I should be clear that SHA1 shouldn't be used for cryptographic purposes that require a high amount of trust, but for your average everyday FB status updates it is probably fine when coupled with other protections.
I'm personally on your side of the argument and against Facebook's stance, but this statement is strictly speaking not true. At worst, it will be equivalent to the protection provided by an encryption scheme without authenticating the other party, and it defeats passive attackers. That's not quite as bad as sending plaintext (in practice, it is much, much better when it applies to the internet broadly: cf. Firesheep).
P.S. that's basically the state of SMTP encryption, which is quite sad.
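The SHA1-vs-SHA2 certificate discussion above is about which signature hash a served certificate chain carries. The following is an added example, not code from the thread or from Facebook: a minimal DER walker that reads the outer signatureAlgorithm OID of an X.509 certificate so a chain can be audited for SHA1 signatures. It uses no third-party libraries; the sample certificates at the bottom are constructed stand-ins, not real certificates.

```python
# Added example, not from the thread: minimal DER walker that reads the outer
# signatureAlgorithm OID of an X.509 certificate to audit a chain for SHA1 signatures.
SIG_OIDS = {  # OID -> (hash, scheme); only the values relevant to a SHA1 audit
    "1.2.840.113549.1.1.5": ("sha1", "rsa"),
    "1.2.840.113549.1.1.11": ("sha256", "rsa"),
    "1.2.840.10045.4.1": ("sha1", "ecdsa"),
    "1.2.840.10045.4.3.2": ("sha256", "ecdsa"),
}

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes hold it
        nbytes, length = length & 0x7F, 0
        for _ in range(nbytes):
            length, pos = (length << 8) | buf[pos], pos + 1
    return tag, pos, pos + length

def _decode_oid(raw):
    """OID content octets -> dotted string (first byte packs two arcs, rest base-128)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """Return (hash, scheme) from Certificate.signatureAlgorithm, or ('unknown', 'unknown')."""
    _, pos, _ = _tlv(cert_der, 0)         # Certificate ::= SEQUENCE { ... }
    _, _, pos = _tlv(cert_der, pos)       # tbsCertificate: skip the whole SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)       # signatureAlgorithm ::= SEQUENCE { OID, params }
    tag, start, end = _tlv(cert_der, pos)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return SIG_OIDS.get(_decode_oid(cert_der[start:end]), ("unknown", "unknown"))

def sha1_signed(chain):
    """Indices of the certificates in a chain (list of DER blobs) signed with SHA1."""
    return [i for i, c in enumerate(chain) if signature_algorithm(c)[0] == "sha1"]

def _der(tag, content):  # tiny DER encoder, used only to build the constructed samples
    n = len(content)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + content

def fake_cert(oid_hex):
    """Constructed stand-in: empty TBS, the given algorithm OID with NULL params, empty signature."""
    alg = _der(0x30, _der(0x06, bytes.fromhex(oid_hex)) + b"\x05\x00")
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))
SHA1_RSA_CERT = fake_cert("2a864886f70d010105")    # sha1WithRSAEncryption
SHA256_RSA_CERT = fake_cert("2a864886f70d01010b")  # sha256WithRSAEncryption
```

When run against a real chain, the self-signed root's own signature is not what matters for trust; the hashes that count are on the leaf and the intermediates that chain up to it.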
AWS is looking for Security Engineers of all skill levels!
Locations: Seattle (WA), Herndon (VA), New York (NY), Sydney (AUS), and Dublin (IRL)
All positions are full time with benefits and possible international relocation/visa sponsorship for great candidates.
AWS is one of the world's largest cloud hosting environments and we're looking to scale up its existing fleet of security engineers. We're looking for engineers passionate about the areas of:
* Security engineering
* Red team / penetration testing
* Incident response
* Cryptography
* Network protocols
* Application Security
* Web application
* Large scale automation tasks
* And pretty much any other topic related to Information Security
No prior knowledge of AWS is required; however, it would be preferable.
Interested candidates should send their resumes as a PDF to => osmans @@ amazon . com <= with the subject line "HN Thread".
(keywords: cloud, security, information security, and begrudgingly 'cyber')
It's the same reason why you don't buy and own steel, but rather you buy stock in a mining conglomerate or a refinery. Owning a piece of a business in the long run may be less volatile than the commodity itself. Though the two can't necessarily be separated in terms of future outlook.
As the fund tracks the price of bitcoin, this isn't a reason that applies in this case. It's not a fund that tracks the value of Coinbase and Bitpay etc, there are barely any public bitcoin companies anyway (maybe 1 or 2 as far as I know, and they're not big players either.)
It's interesting because it interfaces with existing investment infrastructure, culture, protocols etc. Trying to buy, store securely and apply proper accounting rules to a not fully defined (by law) digital currency concept is not something investment firms want to bother with unless they specialize in bitcoin (like SecondMarket).
Instead, they'd just want to pull up a vetted fund on an exchange they're familiar with, on their Bloomberg terminal they're familiar with, purchase a financial product whose structure they're familiar with, apply the same accounting standards as they would normally, and deal with the normal legal ramifications of shares of ETFs.
This essentially means anyone can now get exposure to the price of bitcoin without any extra understanding or investment necessary on the technical bits of storage, accounting etc.
And that could be very interesting. Bitcoin makes for a great opportunity. It can go to 0, or it can do 100x or even 500x value growth in the next 20 years. And I'd say the odds of the latter are greater than 10%. That's why it's not such a crazy idea for billion dollar funds to put $10m into bitcoin, as they'd have a chance of making billions at the cost of losing millions. I wouldn't be surprised if, now that it's easy for any pension fund, hedge fund, family fund or university endowment fund to buy in, we'll see quite a few of them do.
At least, that's always been the story. "If pension funds dedicated only 0.1% to bitcoin, the price would go up one or two orders of magnitude this decade" or something to that effect.
Your comment is very informative but I don't think most of the above applies to this BIT fund, since it's just an over-the-counter listing. It does apply to the upcoming Winklevoss fund, which will be an ETF.
[1] http://thenextweb.com/facebook/2014/01/29/facebook-passes-1-...