You don't reside there, you're not liable to abide by their laws. I run a small US company, I don't have to comply with GDPR for example. Same applies here.
I don't see why any company would implement this, perhaps appeasing regulators at the federal level.
You would have been right up to June 21, 2018. After that, you are wrong. See South Dakota v. Wayfair, decided by the Supreme Court on that date [1]. If your business is in the US, and your customer is in the US, you can now be required to collect taxes for your customer's jurisdiction even if you have no connection with that jurisdiction other than online or mail order customers reside therein.
I assume you mean well, but it’s not about your residence (or for businesses the place where they are incorporated) but rather where you do business. Just because I’m in California doesn’t mean I can do business in the EU without complying with their laws. Same goes for Chicago.
You’re not required to do business there, but they can fine you for non-compliance if you are doing business.
Note: all of this is in reference to “software companies” as the GP said, and doesn’t touch on “corporate nexus” and stuff like that.
Are you actually doing business in those places, if people from there just go to your site that is hosted in your home jurisdiction? I'm not sure that it logically follows.
Obviously, governments interpret the situation in the way that accrues them maximal power and brings the most activity into their purview.
A free service probably isn't going to get sued into compliance if you accept sign ups from EU, but if you accept payment from EU that definitely counts as 'doing business' and you should expect to comply with local regulations.
I think the question everyone here is interested in having answered is "what if you don't?" The EU has no jurisdiction here (in my country); the law applies to the citizens of those countries. Sure, some countries might be willing to extradite you to the EU for breaking laws that apply there, but that seems rather extraordinary (in the case of a law that applies to internet sites), not to mention an outrageous abuse of power.
Presumably the main consequence is they shut down your business in their country, and if you dodge fines etc they don't let you come back.
Extradition would be quite reasonable if you were conducting a very large business, and/or ignoring significant laws, e.g. prohibition on human trafficking. But they aren't going to extradite you for failing to be GDPR compliant on $10 of app sales.
That's factually incorrect. No one in the EU can sue a California company for failing to comply with EU laws so long as the company does not have a physical presence in the EU. They'd have to block their site or something as an EU court has no jurisdiction over a California company and would be unable to take action against them.
An explicit law would need to be made in your jurisdiction forcing you to comply with their laws. I'm not aware of any such thing.
There've been a few cases where the ransomware was not decryptable - sites like BleepingComputer frequently discuss which ransomware have been cracked by researchers, which are currently actively run and will provide keys and which are undecryptable and you shouldn't pay in any circumstances. Basically it just makes things more complicated, but people are still willing to pay if they can in their specific case and the one they're infected with is reported as regularly providing good keys.
I feel this is actually a decent service for a few reasons:
- Many average users don't want to understand cryptocurrencies, how to safely and securely buy and use it is a challenge in and of itself.
- They're on the hook and the client pays nothing if the ransomer fails to provide a working key.
- They'll also manage the ransom decryption software - if there's problems with it there are 3rd party tools that can often do a better job of decryption than the original decryption tool, again, this is something that's going to be complicated for average users to deal with.
- For some ransomware there are decryption processes available without the need to pay the ransom, figuring out which of these applies can be challenging
- Certain institutions may be unable or unwilling to work with the attacker directly - introducing a middle man to broker can help solve this.
Yeah, seems like a great service to a certain degree. But it's not the service they're selling and they're lying to their customers. Their service incentivizes ransomware authors, so this absolutely needs transparency. I assume most people go to them because they want the problem solved but they feel they shouldn't be paying the hostage takers. "we don't negotiate with terrorists" comes to mind. So if this service is doing exactly this and making the situation worse for everybody else, this is something that needs to be consciously weighed off and decided by the people considering their services.
If they're making money from ransomware they have no incentive to stop or prevent ransomware. Being the English speaking liaison for ransomware isn't really that different from being an accomplice after a certain point, they both get their cut as long as the industry is booming.
I wonder how many of these "white hat middlemen" are also the ransomware owners...
Obviously the two companies collaborating would give benefits to each other, and it might just be a convenient way to separate the illegal from the legal...
This was my first thought as well. What’s the biggest risk when you’re paying the ransom? That the thief will run off with the bitcoin without providing the key. The easiest way to mitigate that risk is to either collaborate with the thieves or become the thieves.
It can be better to know, but ignore the truth, to avoid unsavoury corporate discussions like:
“Are we paying a bribe? I’ll have to create a new line item in SAP for that” asks Alice from accounting,
and
“I need them to sign this form saying they haven’t tortured anyone in the past 5 years”, Bob from procurement auditing.
Or
“Please have one of their senior directors sign this form declaring that none of their funds employees are based in any of these embargoed countries. I’ve attached the list.” Charlie from legal
> Their service incentivizes ransomware authors, so this absolutely needs transparency.
I don't think that companies that offer ransomware decryption services have a problem with this incentive. More ransomware means more customers for their "decryption services". ;-)
For most people, they want their problem solved, plain and simple. And they rather not know the details on how you solved it or how it affects others, especially when it comes to something as urgent as someone holding your data hostage. So to a degree, I am OK with this service.
> they want their problem solved, plain and simple. And they rather not know the details on how you solved it or how it affects others
In general, this sounds like a dangerous attitude. Asking people to do "whatever it takes" to solve an immediate problem, with no consideration of wider or longer-term effects, frequently leads to more trouble in the end.
Wow, is the world drowning in cynicism? I want a service that breaks the ransomware encryption and researches into that direction to ultimately make the incredibly hurtful extortion of vulnerable computer users not viable. To me these companies are criminals if they facilitate the extortion.
Exactly at this point the "decrypter" companies are just partners of the cyber-criminals, they have the same incentives, share the same profits and both are unethical.
Most ransomware is using standard public key cryptography, there is no chance of breaking it. If it is broken, only the intelligence agencies would know. They wouldn't use this weapon on something so trivial.
In that case companies shouldn't be advertising services they cannot provide without facilitating crime (especially since they lie and tell their customers they aren't paying the criminals). Smells an awful lot like fraud, if not an outright criminal conspiracy given they are skimming the proceeds of a crime.
There is indeed such a service, it's called "versioned remote backup". As long as the ransomware is not specifically targeting the backup client in order to damage the backed-up files, you just reinstall and restore.
- It looks bad to the public if companies directly pay the ransomware creator. Decryption companies can act as a PR "buffer" in that respect.
- By funneling the western world's contact with ransomware creators through a small number of companies, we create an incentive for ransomware creators to follow through with providing the decryption keys and not play games with the price. If they fail to hold up their end of the bargain, their reputation will immediately be ruined within the small number of companies that do this.
It would be decent if it openly advertised as middleman broker service for paying the ransom to the criminals. False advertising is always a bad sign - if you need to hide what you're doing from your client, you know the client wouldn't like it, and are setting up to deceive them.
> That sounds like a contradiction --- if you can already execute code, I'd say you're quite privileged.
If you're in a VM, you have no privileges over the host CPU, you can't switch to another VM or to the host itself. That's what's meant by unprivileged here.
I think a lot of people have had both positive and negative experiences with spirituality (which I want to emphasize is not synonymous with "religion", which I think provokes stronger emotions for a lot of people). Similarly, I've had both good and bad experiences with public transportation, which I think is also fairly common. There are plenty of things that I've had bad experiences with that I still find useful due to other experiences that were better.
To say mindfulness and meditation is pseudoscientific is totally absurd. There has been a ton of proper science aimed at it, all the scientific consensus is that it has an effect far beyond placebo.
You're throwing the baby out with the bathwater just because some "out there" people also like it. You might as well stop eating healthy because Acai berries are hip.
Did you read your own link? One line from it mentions the study that actually brought me to this conclusion:
"A meta-analysis on meditation research published in JAMA in 2014,[167] (that included a combined total of 3515 participants), found insufficient evidence of any effect of meditation programs on positive mood, attention, substance use, eating habits, sleep, and weight."
While there may be others with differing results it's... pretty sketchy in any case. I would hardly say scientific enough to belong in such a class.
I had a look at this when I considered meditation once but found it'd most likely just be a waste of my time. I'd rather not flush my time down the toilet.
I started practicing mindfulness after seeing a cognitive behavioral therapist for anxiety. One of the core parts of CPT are learning how to relax your mind (I’d literally have all these thoughts racing through my head that were barely grounded in to any kind of reality). Practicing mindfulness instead of letting my mind wander into dark places effectively cured me of my anxiety. And that’s not just one anecdote, CBT is the gold standard in science-based therapy right now.
That quote is very dishonestly misleading, as the same study found it had evidence of improved anxiety, less depression and pain.
You also cherry picked the negative paragraph for some reason, despite the above paragraph on the Wikipedia article citing a newer meta study with other positive results.
I only focused on the JAMA study as I'd seen it before. Sorry about that; I see it may have looked pretty slanted now. I wanted to have a better look at the positive meta-analysis, however the link on Wikipedia was broken. Look at where it points on Wikipedia, you'll see "Cite error: The named reference Gotink was invoked but never defined (see the help page)."
I'm not disagreeing with you about that depression and anxiety thing, but it seems a bit of a stretch to suggest it to a generally mentally healthy person.
Finally someone on HN who is not gaga about meditation. :-P
In my understanding, meditation simply enables one to develop a heightened form of emotional detachment that may help deal with life's vicissitudes. Of course, that's again treating the symptoms and does nothing to cure the unhappiness.
Note that most of the research referenced there isn't properly controlled - it's sort of hard to control for something like that, you'd have to have a therapy that could offer something comparable without matching it, so comparing its effectiveness to placebo seems in some ways quite apt.
> I mean the whole idea of "mindfulness" and "meditation" are the sort of pseudoscientific bullshit
A good book to go down a scientific path is "Why Zebras don't get ulcers" by Dr Robert Sapolsky. Dr Sapolsky is professor of biology, and professor of neurology and neurological sciences at Stanford.
His book helped me understand the physical effects on my health caused by my stressful company work environment. In short - our primate bodies have a fight or flight response to stress resulting in spikes in blood cortisol, muscle tension, gastrointestinal changes etc.
Once you understand how mind affects the body then it becomes possible to see how breathing and relaxation (mindfulness/meditation) can undo the effects of stress that we battle in our daily lives.
Of course there are other ways towards well-being. I found the tips in 'Getting Things Done' very useful in reducing anxiety. Switching to 'Eat food, mostly plants' advice is helping in mood and energy levels.
It makes you feel better, even if unmeasurably. It belongs more with the arts rather than sciences - people will do it even if there's never any p-value that gets significant. The "is good for you" in the scientific sense aspect is not that important.
Again, just to stress it out - the scientific aspect is not much relevant. From the science department I only care about it not doing harm.
The broad dismissal of entire fields of practice as placebo effect is itself a pseudoscientific reduction of science to a narrow band of European cultural practices labeled “science” then used to indulge discriminatory impulses against other cultures. The sense of certainty and self-satisfaction derived from this destructive effort is, itself, placebo.
"The broad dismissal of entire fields of practice as placebo effect is itself a pseudoscientific reduction of science to a narrow band of European cultural practices labeled “science”"
It can be, but it doesn't have to be.
'Traditional Chinese Medicine' is effectively bogus, or what we would call 'placebo'. It's not 'racist' to point that out. Chinese Emperors in the 19th century knew that and banned it, Mao knew it as well (he had a Western doctor for himself) but re-introduced TCM after the civil war because it's the only medicine he could afford. And 'it does work' (i.e. placebo) for quite a number of things.
But 'mindfulness' crosses reasonably into the domain of legit psychological and mental well being and frankly it's not rocket science to start to conceive how 'clearing one's mind', and 'being in the moment' as opposed to living in constant anxiety can be an issue in one's mental well being, just as an example.
So yes, it's soft, and susceptible to a lot of hocus pocus and probably some 'believers and hypers' etc., but that doesn't in and of itself abnegate the real opportunities from it.
"We found low evidence of no effect or insufficient evidence of any effect of meditation programs on positive mood, attention, substance use, eating habits, sleep, and weight."
As for "destruction of other cultures" - well, people use the same excuses to say that homeopathy is great and crystal healing will cure your cancer. It's a nonsense argument. This has no cultural bearing at all, just a rejection of bullshit. I have no interest in blindly approving things without analysis just because they came from other cultures. Study them. The results here are sketchy at best.
Switch piracy is massively easier than on PC. You just have to hack the console once and now you have access to every game. Also the games are signed by Nintendo and the piracy installers verify that no one has modified the game since Nintendo verified it so there is no risk of malware.
Because our country has lost 6 million people in WW2 and the holocaust, estimated 1/5th of total population. Saying that it hasn't happened is more than just a lie - it's attacking the core being of our identity and denying the atrocities that were done against us. It should be illegal and luckily it is.
Like - imagine if US was attacked and the attacker killed 60 million Americans. I can almost guarantee that no matter how strongly Americans believe in the 1st amendment, saying that it hasn't happened would be made illegal.
> Like - imagine if US was attacked and the attacker killed 60 million Americans. I can almost guarantee that no matter how strongly Americans believe in the 1st amendment, saying that it hasn't happened would be made illegal.
Why would scale change people's values compared to say 9/11? It's important to me that we're the deciders of truth for ourselves. I believe people fighting in those wars have fought for my right to believe what I choose and not what a government tells me.
Think about this in the context of China, even today and I think you'll see why I feel this is an incredibly valuable right. Governments can lie too, the American one has many times throughout history and we should and do demand a right to question it.