"The U.S. Marshals Service (USMS) offers property for sale to the public which has been forfeited under laws enforced or administered by the United States Department of Justice, its investigative agencies (Drug Enforcement Administration, Federal Bureau of Investigation, and Bureau of Alcohol, Tobacco and Firearms), and certain other federal law enforcement agencies. "
My guess here is that bitcoin is considered property and not currency, and there are laws around this.
I wonder if anyone has used this as evidence that Bitcoin should not be regulated under FinCen rules (as it's property, not currency). I guess it would depend in part on how the Marshals Service treats foreign currency they seize.
No - the actions of a bureaucrat, or a bureaucratic committee, are not grounds for court decisions. A court could force them to treat bitcoin as a currency, but they can't force a court to recognize bitcoin as property.
The IRS designated it as property because they do not have the authority to designate anything as currency, only Congress does.
FinCen is not limited in congressional currency designations to carry out its regulations. Only services that exchange national currency to bitcoin are regulated under FinCen. Bitcoin is not regulated by FinCen.
It's a one time action. They're operating under what they know right now. In the future, if things change with how the government treats Bitcoin, they'll probably change their liquidation procedures accordingly.
"Sleeping animals are incredibly vulnerable to attacks, with no obvious benefit to make up for it — at best, they waste precious hours that could be used finding food or seducing a mate; at worst, they could get eaten."
It seems pretty obvious that sleep had an evolutionary advantage to conserve energy when the species couldn't be productive. For example, humans sleep during the night because we can't forage / hunt / find a mate during the night, because our vision requires light.
"Pretty obvious" answers never hold up much to scrutiny, or the questions wouldn't be actively studied.
Many animals are nocturnal. They eat and mate during the night, and sleep during the day. From your theory, what reason do they have to sleep during the day? They could be doing all sorts of productive things in the light -- more mating, making homes, defending themselves and their babies from predators, migrating, etc etc.
It looks like some pretty heavy optimizations are needed if you want to be successful in one of those environments (daytime vs nighttime). Visual perception has to be fine-tuned for one of those environments. Perhaps thermal regulation is different too.
So I guess one possible explanation is that too many fine-tunings are required to work well in one environment, to allow the organism to be a good performer in both. So the logical choice is to withdraw from the other environment - just don't participate.
The parent comment only mentioned humans being diurnal, not other animals.
There's a number of strong evolutionary forces that explain nocturnality: niche differentiation, crypsis, a predation arms-race, water conservation, etc.
That doesn't seem obvious at all; it presumes sleeping is about conserving energy, and that's an unwarranted and baseless assumption. Sleep very well could be a requirement for brains to work the way they do. If you are deprived of sleep you will shortly go crazy; sleep isn't about saving energy.
If you see anything that seems obvious, you can bet science already checked that out and moved past it and that it's more complicated than that.
Anytime your beliefs conflict with science, you should immediately question your beliefs, not the science. The odds are absurdly high, near a virtual certainty, that your beliefs are wrong; never assume science is missing the obvious (unless you're a scientist and it's your field of study, then you might be onto something but you're still probably wrong).
Yeah. For starters, there are a whole bunch of toxins that build up when you don't sleep enough. But it can't be the whole story, as why wouldn't we have mechanisms to remove those and keep the brain functioning?
It can't be all about memory retention. There are some fascinating studies on how some groups of neurons repeat the same patterns they did when the organism was awake, presumably for long-term storage. But why can't storage happen while awake?
There must be a reason why these "brain batch processes" run while most of the brain is shutdown.
I've found that it's best to not think that evolution optimizes for the best thing but rather that it optimizes for "good enough". Sometimes they are one and the same but they don't have to be.
Sleep could have started as a rudimentary adaptation to one thing and ended up being refined and coopted for other things.
Evolution is diverse; if all living things need sleep then I think it's A: something that is absolutely needed, without it you won't survive [guaranteed]
B: A left over from our common ancestor
> why wouldn't we have mechanisms to remove those and keep the brain functioning?
I don't know if it's in the links below, but I remember hearing a talk that the flushing required physical changes inside the brain: Widening of channels (by neurons getting smaller and making room, if I remember that correctly?). So normal function can't go on while the flushing process is being performed.
>If you see anything that seems obvious, you can bet science already checked that out and moved past it and that it's more complicated than that.
Science doesn't do anything. Even if it did, you should be able to look the obvious results up and figure out where current research has taken your question.
Many nocturnal animals have eyes and utilize vision of light. Also, many animals who wake during the day and utilize vision of light also frequently hunt at night (e.g. see lions during hotter seasons).
It may well be that specializing systems such that they perform well during daylight only could lead to greater advantage than maintaining additional mechanisms for performing well at night also (or vice versa), and that sleeping during the downtime in order to conserve energy might confer supplemental advantage in this scheme. But we don't know if this explains all sleep, in all species.
Even if we did, then sleep in animals which perform reasonably well at any time of day would still be unexplained. Common ancestry wherein sleep evolved earlier may explain that, but we don't have that evidence as far as I know.
As such, it doesn't seem this is quite so easy to conclude about, let alone obviously so.
> For example, human sleep during the night because we can't forage / hunt / find a mate during the night because our vision requires light.
What makes you think the causality is in that direction? This is clearly a teleological argument (read: assumes that everything has a function, which is contradictory to the way evolution works, where the only function is to help your genes propagate).
Taken on its own, unconsciousness is a massive evolutionary setback--an explanation like "conserves energy" doesn't cut it, when there are plenty of nocturnal predators around. Why didn't humans evolve to lie down at night, with their heart rate and breathing slow, but remain fully aware of their surroundings? That would make survival to reproductive age a lot simpler.
As other commenters have said, it's not that obvious.
I suspect it's more that sleep is a necessary requirement for consciousness, but it's not clear why. Maybe recalculating weights for the neural net based on new input data requires 'downtime'.
There was some earlier evidence that 'cleanup' is happening in the brain or some chemical pathways were being reversed. Either way, behavioral speculation based on evolution isn't very good science.
It isn't about the vesting periods, it is about the exercise period. Vesting periods are fine in most cases.
The exercise period is usually 90 days, if you leave a company.
What happens a lot is there is no liquidation event for years, meaning that an employee with shares needs to make a decision fast to convert or lose their shares (which they earned), and that costs $$$. I've seen time and time again where people get locked in because they need to drop 4-6 figures to exercise their shares.
> If the employee loses the stock when he's fired early, then the company has a huge incentive in firing him a day before he vests, and thus he should regard the vesting compensation as nonexistent.
I've seen this happen a few times in SV where employees are fired 1-2 weeks before their vesting period. Sad when it happens. Not saying that all times it is because of the cliff, but people talk and are aware of companies that have done this.
It's even worse when you consider AMT; sure, dropping $10k to buy your stock might be achievable, but if the FMV of those shares has gone up appreciably, you may find yourself in pain come tax day. (If your strike was $1/share, but the FMV is now $10/share, $9/share "gain" has to be considered as income for calculating your alternative minimum tax.)
I dunno, I had to pay nearly $15k to exercise options, and while I barely escaped AMT issues, the money wasn't easy. And it represented a 10% rebate on after-tax salary for the period I worked for that company.
Sure, that happens. But it is a very different situation from the one where AMT (in the US, other jurisdictions have similar issues) makes it financially impossible to exercise your options.
All of these points are sound. There are some benefits of using a JWT over a session identifier, though. And I think that most of these were covered in the comments of your first post.
We have an implementation of JWTs @ Stormpath for Token Authentication. We help a lot of customers with token authentication / user management, and Stormpath holds a whitelist of all unexpired tokens.
In the Stormpath SDKs, there is the ability to locally validate the token for speed or validate against our API to make sure the token hasn't been revoked.
A common strategy for our customers is to always validate an access token locally, but force refresh against the Stormpath API. This is a good way to not incur state in your application (Stormpath will keep the state for you).
The Stormpath Integrations (like Express / Spring / Laravel / etc) use cookies to store the tokens because we have been advocating for cookies as the JWT storage mechanism for a while:
Always happy to get feedback. Again, this article was written back in 2014, and will be updated.
In regards to your advice about id_tokens and access_tokens. Usually, what I've seen in most attacks is that if a malicious user can get one, they can get both.
A lot of your points, though, are valid outside of using JWTs. Open redirect vulnerabilities should be plugged and sanitizing user input should be looked at regardless of what you are using in a web application.
Users tend to be looser with their id_tokens (for example posting on forums, stackexchange, etc) than with access_tokens because they understand the access_tokens are credentials whereas the id_tokens are (technically) not.
Definitely open redirects and the session fixation problems are not JWTs specifically - it's just that they tend to plague applications that use JWTs for transport. I admit it's kind of like telling people that talking on the phone while driving is a bad way to use your seatbelt. It's true - but maybe not scoped enough.
Thanks, Evan. These are all good points. I'm surprised to see this on HN since it is an old article I wrote.
In regards to the replay attacks, if you are using JWTs in a 3 party setup, and they are validating JWTs locally (not sending them back to a validation endpoint), the jti claim won't be enough.
Thanks again for clearing that up! Considering this blog post may still have a use, I'll update it soon.
Every company will want a PM that understands their vertical. This isn't as simple as researching, a PM should never interview without using the product and using as many of the competitors products as possible.
Every company wants a PM that is a jack-of-all-trades. This could be any degree of technicality, UX skills, marketing skills, developer skills, design skills, customer success skills, sales skills, and PM skills (prioritization, specs / user stories / strategy / go-to-market / scoping / shipping etc). If you aren't a jack-of-all-trades, pick up some hobbies / books / go to meetups to make yourself as well-rounded as possible.
Every company wants someone that is deep in one of the areas above.
Commonalities between companies are they want someone that is a foot deep across every skill set, and a mile deep on one skill set.
Figuring out where you fall on the scale of things and making sure you find a company that is looking for your exact strengths is the most important thing to pass a PM interview. Screen the company as they would screen you. Once there is a match, then Sam's advice kicks in if they are looking for a Technical Product Manager.
For aspiring PMs, I highly recommend taking a job in customer success as a gateway into product management. You learn a lot about working with customers and prioritization, and should be aligned with seasoned PMs at the company for advisement and mentorship possibilities.
As a developer, I feel like I have more control over mitigating CSRF than XSS.
But where I have more issues is that OWASP clearly advises not to use web storage for identities:
+ A single Cross Site Scripting can be used to steal all the data in these objects, so again it's recommended not to store sensitive information in local storage.
+ A single Cross Site Scripting can be used to load malicious data into these objects too, so don't consider objects in these to be trusted.
+ Pay extra attention to “localStorage.getItem” and “setItem” calls implemented in HTML5 page. It helps in detecting when developers build solutions that put sensitive information in local storage, which is a bad practice.
+ Do not store session identifiers in local storage as the data is always accessible by JavaScript. Cookies can mitigate this risk using the httpOnly flag.
This page is one of the ones that persuaded me to write that blog post - I've read it and don't think it's accurate. In spite of the OWASP brand name it's just a wiki - I could edit it myself. If my own post is persuasive and technically sound then that page may be updated in due course.
This is an important point and one that's often overlooked with OWASP content. Being on the wiki doesn't necessarily constitute well-reviewed, up-to-date advice (indeed there's a lot of outdated content there).
That said as it is a wiki anyone is free to create an account and improve it :)
By comparison, CSRF is trivial. You use a token that only the client should know, and implement a trivial challenge/response authentication layer onto your HTTP POST APIs, make sure you're using TLS, and call it a day.
The blog post tackles this. As I understand it, if the attacker can run `localStorage.getItem` on your webpage, you are already screwed. They will just craft an AJAX request, which will have the `httpOnly` cookies tagged on, and send that data back to the attacker's servers.
`httpOnly` doesn't protect you from anything if you are using those same cookies in AJAX requests.
You can't transmit information through entangled pairs. What is instantaneous is the change of the state for the whole system (the pair) after you measure one of particles. However the result of that measurement (if it's non-trivial, i.e. if the measurement actually changes the state) is fundamentally random so the only thing you would be seeing is perfectly and instantaneously correlated noise on both ends.
I'm sorry but no, you cannot transfer information with quantum entanglement. What entanglement says is that if you have a photon and I have a photon and they are entangled and you make a measurement on some attribute of your photon, my photon will assume the complementary state. However, the state your photon assumes when you measure it is random, and once you measure it, you lose the entanglement. So, there's no way for you to encode any information in your entangled photon. Yes, I can infer what state your photon was in as soon as you measure it; this is useful for encryption as we can then compare notes after making a measurement and make sure nobody tampered with our entangled photons.
Edit: Looks like they are treating bitcoin as property -https://www.usmarshals.gov/foia/directives/asset_forfeiture....