
It doesn't surprise me it happens within the Elsevier ecosystem. Elsevier has a long tradition of scientific misconduct and scientifically immoral behavior (see Wikipedia).

The operating margin of Elsevier is around 40% which is huge! At the end mostly paid by tax-payer money.

Personally, I never review or publish with Elsevier.


You are in very very good company. The British mathematician Timothy Gowers famously boycotts Elsevier also

https://gowers.wordpress.com/2012/01/21/elsevier-my-part-in-...


Huge numbers of academics have signed up to the Elsevier boycott, see http://thecostofknowledge.com/

I am skeptical it is a problem isolated to Elsevier. Given the LLM craze now prioritizes open access, https://andrewpwheeler.com/2025/08/28/deep-research-and-open..., it would not surprise me people start gaming MDPI in the same way for example.

MDPI is gamed by design, I think that while Elsevier is awful, MDPI is even worse with 100s of special issues where you are guaranteed to land publication in journals with quite nice IF (which is inflated by publishing large proportion of reviews and less original research).

I wonder if the term "published" as a binary distinction applied to a piece of writing is a term and concept that is reaching the end of its useful life.

"Peer reviewed" as a binary concept might be as well, given that incentives have aligned to greatly reduce its filtering power.

They might both be examples of metrics that became useless as a result of incentives getting attached to them.


Both metrics are supposedly binary but in reality have always depended heavily on surrounding context. Archival journals have existed all along. Publication is useful as an immutable entry in the public record made via a third party. Blog posts have a tendency to disappear over time.

I'm certain that the comment you responded to never claimed that it was "isolated to Elsevier" in the first place, nor is it very compelling to speculate about how in the future something even worse might emerge.

Right now Elsevier is by far the biggest offender and also happens to be the topic of the conversation and the article.


Exactly. Elsevier is a dominant company. Of course it's going to have a huge share of anything that goes into journals. They probably also have a huge share of the Nobel prize winning papers too.

That being said, I'm happy to encourage open access.


One of the reasons why in Germany universities were able to collectively negotiate better open publishing deals with Wiley and Springer, but Elsevier just flat out refused to agree to any better terms for three years.

(See Project DEAL: https://deal-konsortium.de/en/agreements/elsevier)


Happened in other countries as well, see e.g. https://www.timeshighereducation.com/news/elsevier-boycott-l...

I’m not sure why I’ve never really concerned myself with Elsevier, but that makes a lot of sense, knowing a rather vile and slimy con artist snake that works/ed for them.

I remember recent discussions on the somewhat rudimentary physical server infrastructure. I would be a bit scared for a serious large project

https://news.ycombinator.com/item?id=46132901


This can have pros and cons. They will get much more vcpu / dollar on bare metal. And they can develop great operational discipline if they do it right.

On the downside, I don’t see them yet taking ops seriously. They are getting a lot of attention, but not yet establishing SLAs (at least not publicly). And their donations don’t seem to be scaling to the continued and expected demand.


I am not so skeptical about AI usage for paper writing as the paper will be often public days after anyways (pre-print servers such as arXiv).

So yes, you use it to write the paper but soon it is public knowledge anyway.

I am not sure if there is much to learn from the draft of the authors.


lol, at 0:15 someone is literally testing the vapes with their mouth. I hope they don't do that all day long

Later at 6:45 they show more people testing them


It’s hard to know for sure what’s acceptable when it comes to working conditions in China. The information we get is incredibly limited. Most of what makes it through is propaganda.

That said, it wouldn’t surprise me if he does it all day long, 6 days per week.


They are, there's a video on YouTube you can find where they interview someone with that job and they test 10,000 a day. Then they mention that they go home and vape some more


Isn't that what happens in Europe with most rooted phones and banks too? At least I can remember my banking apps stopped working.


There's no laws banning this in any European countries that I'm aware of, except maybe Hungary? It's just banks being stupid, consumer-hostile, and anti-competitive.


Well, I've built a bunch of mobile banking apps and we did detect if the phone was rooted, was in dev mode, etc. and it is not because we were "stupid, consumer-hostile, and anti-competitive".

If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

There is no way to store customer's secrets in a PC browser securely, so all the "dangerous" transactions were outright prohibited in the web app or made available only via temporary QR login.

All this is just a negative side effect of customer protection laws.


These practices are strengthening the Google/Apple hegemony and are ultimately damaging user freedoms and consumer protections. I'm sure that's not your employer's intention, but it is a negative thing that they're contributing to. And because of how essential banking is, banks have a big thumb on this particular scale, and I wish they'd use it for good rather than for enriching and entrenching evil.


I understand (but vehemently oppose) the argument for root detection. What risks do banks see from having developer settings enabled?


Great, so the no-name iPhone clone in China passes your test but EOS doesn't.

There's no way to assess the security of a rom from an app and it's about time that banks learn this reality.

Software on mobile is even more fragmented and less standardized than on desktop


> If someone steals the secrets from a rooted phone and steals customer's money the bank is on the hook, so banks do everything they can to minimize this risk.

Now that's just not true now, is it? Sure the lawyers told you that (the ones that get paid to tell you that), but nowhere in EU was a bank actually fined for not root checking a device.

They were plenty fined by being utterly incompetent with security practices and doing them poorly - like trying to inject weird .SOs to do the root detection you're defending.


Literally three days ago: https://www.complianceweek.com/regulatory-policy/eu-agrees-r...

"Payment service providers (PSPs) operating in the EU will have to cover customers’ losses from fraud if their fraud protection regimes are inadequate or poorly implemented under new EU rules."

Other places like the UK had such rules already.


Note how this says nothing about root lockout.

The fact that no root lockout means "inadequate protection" is something you projected onto this statement and that's the part I'm addressing in my comment.

No one actually got fined for root protection specifically.


Regulators love vague standards like "inadequate protection" because it means they can implement a ratchet effect without needing to understand anything or constantly rewrite the laws. If someone gets hurt they just look around at whatever the competition is doing, pick the most extreme thing, and declare that any other standard is inadequate.

So sure, if you want to not use security tactics your competitors are using and then try to lawyer out of it by arguing, "it didn't specifically say we had to do that" in front of the EU Commission, go ahead. But don't blame the banks that are more realistic about how this works.


Yeah, so you admit there's no real legal basis for those kind of restrictions.

Which anyone of us who worked with banks, mobile, banking security and their legal already knew. They're a source of greatest security hits like "let's use SMS for only auth for web banking" after all.

But what's really hiding behind all your fluff is something else: Abusing users with root lockouts is EASY for the programmers at banks. The auditors have a checkbox "root lockout" and they tick the box. Legal ticks the box. CISO ticks the box. All happy, who cares about user. That's what this is all about. The insulting thing is trying to sell it like some kind of security feature.


The regulations are the "real" legal basis. The fact you don't like them or how they're written doesn't make them any less real. And you're not arguing with me or my "fluff", you're arguing with the entire banking industry.

If you really think this is all just fluff, by all means, go get yourself employed inside a bank's security team and convince them to turn all this stuff off. Let us know how it goes.


No bank got fined for not root checking, correct. However banks are on the hook for unauthorized transactions. And "unauthorized" means different thing in different countries.

In some jurisdictions if bank can prove that transaction was made with customer's key then customer can not demand their money back. That's the best case, but there are only few of such jurisdictions and even there the burden of proof is on the bank and it costs a lot.

In other jurisdictions bank must reverse a transaction even if it was proven that the transaction was signed with a legitimate key, but the key _may_ have been stolen.

In some jurisdictions (i.e. U.S.) banks are required to reverse a transaction at a customer’s request, even if the customer does not dispute having made the transaction.

In any case dealing with all this is too expensive and risky.


> In any case dealing with all this is too expensive and risky.

[Citation needed]

How much does it cost? How risky?


Let's say you are a bank and you make $10 on each $100K transfer. If customer disputes a transaction and you must return the money, you lose the whole amount and twice as much on lawyers, internal audit, compliance people working on the case. With this math you can't afford the risk if it is more than 1 in 30000.

For many European banks the math is even more brutal.


Why don't banks just make desktop computer applications?


Practically impossible to store secrets in a desktop app too. Besides, customers would not be willing to install a desktop app. And those who would, will require support.


PC platforms don't have remote attestation infrastructure working.


And surprisingly I can pay securely using my PC, fully rooted, on FOSS software. Hardware tokens have been a thing for decades. There are more second (or third) factor authentication and signing solutions than I can enumerate.

Do people get defrauded using online banking? Sure. But usually not in a way that would be stopped by secure attestation.


The hardware token is itself a form of remote attestation. The reason you need extra hardware is because the PC can't do it.


Most banks don't know hardware tokens are a thing. They want everyone to use their app.


Is this yet more evidence of how utterly broken US banks are? Assuming you are referring to US banks.

For the past 20 or so years, every bank I've been with in Belgium has provided me with one of three types of hardware token:

1. An OTP token that's just a screen that displays a new 6 digit token every couple of seconds (haven't seen one of these in a few years now). This was used to supplement username/password on login and to verify every bank transfer.

2. A token with a screen and a display, which generates OTPs based on input. E.g. for a payment the bank would tell me to enter the amount + the last N digits of the bank account, the token then generates an OTP, which I can use to confirm the payment. That's what 2 of my 3 banks currently use. They have separate modes for logging in, for signing bank transfers, for signing 3D Secure online payments, etc.

3. A card reader where I just slot in my card. I can then log in or sign payments using the card's chip & pin. This is what my third bank uses. There are a couple of variants on this, such as models which connect with USB and models which can read QR codes from your screen so you don't have to tap in anything except for your PIN.
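
The difference between token types 1 and 2 in the comment above, as an added example that is not part of the original comment and not any bank's actual algorithm: a clock-only OTP next to an OTP computed over the amount and the last digits of the payee account. The HMAC truncation follows RFC 4226/6238; the message layout, the function names and the demo key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

DIGITS = 6
DEMO_KEY = b"constructed-demo-key"  # constructed sample secret, shared by token and bank


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of an HMAC into a DIGITS-long decimal code."""
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def totp(key: bytes, unix_time: int, step: int = 30) -> str:
    """Type 1 token: the code depends only on the key and the clock (RFC 6238).
    It says nothing about which transfer the user meant to approve."""
    counter = struct.pack(">Q", unix_time // step)
    return _truncate(hmac.new(key, counter, hashlib.sha1).digest())


def sign_transfer(key: bytes, unix_time: int, amount_cents: int,
                  account_tail: str, step: int = 30) -> str:
    """Type 2 token: the user keys in the amount and the last digits of the
    payee account, so the code is bound to that transfer and time window.
    The message layout here is an assumption, not a standard."""
    msg = struct.pack(">Q", unix_time // step)
    msg += f"|{amount_cents}|{account_tail}".encode()
    return _truncate(hmac.new(key, msg, hashlib.sha1).digest())


def bank_verify(key: bytes, unix_time: int, amount_cents: int,
                account_tail: str, code: str,
                drift_steps: int = 1, step: int = 30) -> bool:
    """Bank side: recompute over the transfer it is about to execute,
    tolerating +/- drift_steps time windows of clock skew."""
    for d in range(-drift_steps, drift_steps + 1):
        expected = sign_transfer(key, unix_time + d * step,
                                 amount_cents, account_tail, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    code = sign_transfer(DEMO_KEY, now, 125_000, "4821")
    print("same transfer:   ", bank_verify(DEMO_KEY, now, 125_000, "4821", code))
    print("payee swapped:   ", bank_verify(DEMO_KEY, now, 125_000, "9377", code))
    print("amount changed:  ", bank_verify(DEMO_KEY, now, 925_000, "4821", code))
```
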


They used to, and some still kind of do, but no longer for consumers.


Most banking apps use a third party security solution. They then often implement Google play integrity.


Beef (red meat) is classified as a probable carcinogen, while chicken (white meat) is safe according to current research.


Have fun eating 2kg of broccoli to get 50g of protein.


there's also lots of water to wash then.

The problem is the same, the relative concentration of oxygen in air is less than 0.05% (~450 parts per million). In water much less.


The problem is you cannot plant enough trees around the globe to offset our CO2 emissions. Also, a forest only absorbs CO2 while alive. Once it dies, it emits CO2 too. You would need to permanently store the wood somewhere (submerging in water, etc).

Recent article: https://www.theguardian.com/environment/2025/nov/28/africa-f...


Planting trees solves both the carbon capture and the emissions issue from different angles. Some examples are:

- With more wood available it’s more economical to use it as a building/manufacturing material over other emissive sources (concrete, steel, plastic)

- We can replant the same area multiple times

- Even if we plant crops for biofuels, it’s closer to carbon neutral than burning fossil anyway

Every move we can make towards planting (and managing) more of the surface of the Earth is an improvement, without waiting for miraculous new technology.


It's possible to permanently capture the carbon if you turn the wood into charcoal and ultimately bury or store that.

But left out to rot and yeah, the fungus and bacteria will ultimately consume the wood and release CO2 as a byproduct.


You don’t need to convert it to coal. Use it to build houses, furniture, and other things.

I am currently building a wooden house this way. Wooden frame, wooden exterior, wooden floors, even wood-based insulation (https://huntonfiber.co.uk/). The isolation has the shortest life span and it is expected to last at least 60 years.


If these forests are planted by humans, why do we think the dead trees would just be left to rot like you suggest vs being harvested for wood? The logic does not compute other than trying to make a ridiculous point.


I think this loses the forest for the trees. That is, a single tree rotting isn't what matters; it's how long the ecosystem the tree is part of lasts. Consider a square kilometer of denuded land turned back into a forest. You can think of the forest as a temporary storage for carbon; it's stored in the trees, soil, animals, insects, etc in that square kilometer. Individual trees may die but on average if the forest remains in good health there will be a number of tons of carbon kept out of the atmosphere.


using the wood for heating also releases the CO2. I do think planting trees is a good idea, but it's worth pointing out they can be a carbon source even after harvesting, depending on the usage.

On the other hand if the wood is used for construction or furniture it will not emit.


What do you think happens to harvested wood?


why do you think it will only be used as fuel? it can also be used to build things with it


I didn't say fuel. It also rots when used as a building material.


Then you’ve built poorly. That’s not the wood’s fault


No? Buildings don't last forever.


No, but when built right, log cabins have lasted 100+ years easily. Furniture has lasted that long as well. If you keep it dry, it will last longer than you, your children, and your grandkids. Easily. At that point it is more forever than you


One little appreciated fact is that trees also respirate CO2 when they are cracking their stored sugars produced via photosynthesis. So they don’t sequester all of the CO2 that they consume.


It's little appreciated since tree growth still consumes CO2


I suppose I’m pointing it out to highlight the trade offs with any of these solutions.

What is unsaid is that we need to sequester CO2 for hundreds of years—often far beyond the lifespan of the trees. Trees are short term storage, and sometimes the storage is a lot shorter than popular imagination purports.


Individual trees are short term storage which is why it's important to create healthy ecosystems for them to live in. Turning denuded farmland back into a forest buffers carbon from the atmosphere for as long as the forest stands. It could stay there for centuries or return to the atmosphere if it gets bulldozed for a subdivision.


Biochar seems like a good option


It's a hugely underappreciated option. I'm not sure how accurate it is (or how legitimate the companies doing biochar carbon removal are), but cdr.fyi shows biochar as the top carbon sequestration method that's actually happening.


Trees have advantages that go beyond bureaucratic aspects of environmentalism.


I think that I shall never see a poem lovely as a tree. -- Joyce Kilmer


try to calculate 12312312.123213 * 123123.3123123

A computer uses orders of magnitude less energy than a human.

It's all about the task, humans are specialized too.

EDIT: maybe add a logarithm or other non-linear functions to make the gap even bigger.


A GenAI does not, however.


GenAI completely fails to even get the right answer to numeric problems


Not with tool calling?

