Yt is on video: Waching daily Feb 17 2019

"What is a security vulnerability?".

I don't think that there is an easy answer to this question.

And so in this video I want to go over a examples, and share my thoughts.

I'm really curious how you think about it, because my actual job is to find and report

vulnerabilities, but I don't really have a clear definition.

For me it's actually often just a "feeling" or an intuition that I have when I determine

if something is a vulnerability or not.

And I hope you find these examples thought provoking as well.

Let's start with a CVE.

The Common Vulnerabilities and Exposures (CVE) system provides a reference-method for publicly

known information-security vulnerabilities and exposures.

So if something got a CVE assigned, it could mean that we all agree that it's a vulnerability.

But have a look at CVE-2018-17793.

This is labeled as a "virtualenv 16.0.0 - Sandbox Escape", and doesnt make any sense.

virtualenv is a tool to create isolated Python environments.

The basic problem being addressed is one of dependencies and versions.

Imagine you have an application that needs version 1 of LibFoo, but another application

requires version 2.

How can you use both these applications, If you install everything into /usr/lib/python2.7/site-packages?

Also, what if you can't install packages into the global site-packages directory?

For instance, on a shared host.

In all these cases, virtualenv can help you.

It creates an environment that has its own installation directories, that doesn't share

libraries with other virtualenv environments.

So this just helps you developing python programs and I use it ALL the time for the reasons

that were just mentioned.

However I can see that maybe somebody misunderstands the purpose.

The name VIRTUAL environment, and it creates an ISOLATED python environment could be misunderstood.

Also we use language like we "enter" the virtual environment and we sometimes use shells

that indicate when a virtual environment is active.

So It does sound like a typical virtualisation technology, which we do use for security reasons.

For example using virtual machines to isolate malware.

And a virtualbox escape is indeed a vulnerability.

You escalate priviledges from the virtual machine to the host.

However here you should immediately understand that this is not the same thing.

This "virtual python environment" in quotation marks is just a way to structure python projects,

and maybe the language is slightly misleading to an outsider but of course any code ran

here can do anything.

That's why also the maintainers were so frustrated with the report and why so many

people, including me, joked about it.

Just because it's called virtual environment, it doesn't mean there is a virtual machine

with the goal of privilege separation.

So here we don't have a vulnerability.

Let's look at a second example.

I do quite a bit of ethereum smart contract audits.

And in those audits, we of course, look for typical security issues like reentrancy attacks,

logic bugs, and what ever.

So from the ICOs point of view, they want to issue a token, sell the token for an initial

amount of money, ICO (initial coin offering) to raise capital and use it to build something

with that raised money.

And the people buying those tokens hope that whatever this company builds, will cause the

token later to rise in value.

So from the ICOs point of view they mostly care about bugs that would allow others to

steal tokens or even to just manipulate their token balance.

That of course would mean huge financial losses.

However just because this is the ICOs point of view, and the ICO pays for the audit, this

is not my point of view.

Smart contracts are meant to be decentralized contracts between different parties.

So to me the point of view of somebody investing into that token is equally important.

So let's do an example of a vulnerable that I find thought provoking.

sometimes an ICO will advertise that a token has a limited available amount.

A fixed total supply.

But then they might implement a function on the contract that allows the owner of the

contract, so the ICO, to mint new tokens.

This means they can, at will, just raise the number of available tokens.

But this contradicts what they promised.

They promised limited availability but actually implement unlimited availability.

From the point of view of the ICO this is not really a security vulnerability.

They are the owner, they are in control, why would they care.

But from the point of view of an investor who would like to buy these tokens, I think

this is a big issue.

This contract is now very unfair, but the main issue is the contract contradicts promises

that were made.

So the issue could be titled "contract allows to mint tokens despite claim of fixed supply",

and that for me is a vulnerability.

Okay… third example.

A while ago a person wrote me that they found a session account hijack or something.

I can't find the original messages so I'm just telling based on how I remember it going.

the person also included reproduction steps in the message.

They were going like this:

First, Login to this site.

Then copy the cookie.

Now imagine you go to a different computer, we use a different browser now.

So we login here with a different account.

You can see it here.

Now we intercept this request again but replace the cookie from the first account.

BOOM we got access to the other account.

When people send me reports like this I don't even know what to say.

Like it's like DoS attack on my brain because I try so hard to understand if there is a

vulnerability.

Of course there is none, this just how cookies work.

And just because you describe reproduction steps that resulted into access to the other

account doesn't mean this is a security issue.

You just literally explained how session cookies work.

Btw this is the kind of weird crap bugbounty triage people have to read.

Because people who don't really understand it report stuff like that.

And now try to explain to them that this not an issue.

Which of course I did.

Btw it was a regular PHP session id.

And the person still didn't quite get it.

And they insisted this is a security issue, a session or account hijacking.

They were arguing that this is just hex data.

So just 0-9 and a-f.

This is a lot less characters than a full alphabet from a-z.

They were saying it could be bruteforced.

Of course it cannot be realistically bruteforced it's way too long, and thus this isn't

a security issue but this opens up an interesting discussions.

Because let's say the session id is one character shorter.

Do we now have a Secrutiy issue?

Let's make it again shorter.

Now?

Well it think we can all agree that if the session id only had two characters, which

means there would only be 256 possible values for a session id, that this definetly would

be a security issue.

This could be easily bruteforced in a matter of seconds and you could access the account.

So we have this spectrum here and somewhere this example moves from being a vulnerability

to it not being a vulnerability.

And I'm sure we all would draw the line somewhere else, especially in those grey areas

where you can argue with bruteforce speed limitations and so forth.

Let's look at a fourth example.

XSS.

So in cross site scripting issues you can somehow place javascript into a website.

And that javascript can then just do anything in that site.

So if your victim opens a site with your XSS payload, the XSS can do anything like stealing

their session cookie.

So one kind of XSS is what we call reflective XSS.

This happens when part of the URL is directly echoed back into the content of the page.

Now some browser vendors came up with the idea to implement a so called XSS auditor.

This is a best effort defense where the browser tries to look at the URL and check if it contains

something that looks like a javascript XSS injection and then see if it appears in the

document itself.

And then there are different strategies, the browser could for example block the whole

page, or just try to block that specific script.

But this creates two challenges.

Because people quickly figured out you can abuse that.

You could for example take a valid javascript snippet from the document, place it into the

URL and the browser will think you injected it.

But of course you didn't but the browser doesn't know that.

So this is a false positive.

So over the years those XSS auditors got refined but they just can't be perfect.

Because the browser can only guess and bypasses are found all the time.

Though in several cases it actually does stop XSS attacks, which is arguably great for the

user.

However this caused a different problem.

Edge actually stopped and removed the XSS auditor and just recently we saw another proposal

to also remove the Chrome XSS auditor.

And maybe you wonder why, but let's read what it says here.

XSSAuditor Retirement Plan Proposal We haven't found any evidence the XSSAuditor

stops any XSS, and instead we have been experiencing difficulty explaining to developers at scale,

why they should fix the bugs even when the browser says the attack was stopped.

In the past 3 months we surveyed all (google) internal XSS bugs that triggered the XSSAuditor

and were able to find bypasses to all of them.

[...] Furthermore, we've surveyed security pentesters and found out some do not report

vulnerabilities unless they can find a bypass of the XSSAuditor.

And when I retweetetd this one person even commented.

I used to work for a security vendor.

We used to report XSS even if it got stopped by the auditor.

A lot of clients got unreasonably angry about us doing that, so we stopped.

The XSS auditor seems to be a nice first defense, but it was never meant as a protection or

mitigation against XSS.

XSS is not an issue in the browser, the issue is the webapp that doesn't properly encode

output.

Triggering the XSS auditor means your site is vulnerable to XSS.

Maybe the XSS auditor stops one attack, but this doesn't mean it can't be bypassed

or your users use an old or different browser without the XSS auditor.

And now it lead to a culture where clients or the defensive-side in general, say, that

a XSS example that triggers the XSS auditor is not a vulnerability because it got stopped.

So when people try to report vulnerabilities, instead of spending there time on finding

more issues, they now have to spend time over and over again trying to argue why it is still

a vulnerability, or waste time on trying to bypass the auditor.

Even though the underlaying issue is the webapp failing to properly encode output.

I always report XSS issues even when they trigger the XSS auditor.

I don't think it's in the client's best interest, for me to waste time on trying to

bypass the browser.

My job is it to find vulnerabilities or vulnerability patterns in the software of a client, so the

client can fix the actual issues.

That's what they pay for.

I have actually a small related series to a similar topic.

Checkout my AngularJS playlist where I analyse a few angularjS sandbox bypasses.

Several people constantly had to find bypasses to proof to clients that by simply updating

angularjs it doesn't fix the underlying issue.

And this was successful, in the end the sandbox was removed, which allowed easier XSS without

a bypass, because the nice-to-have sandbox was misused as a security mitigation.

The client should just fix the underlying issue.

So this XSS example shows that even if it might not be directly exploitable because

something stopped you, it doesn't mean it's not a vulnerability.

And I have actually even one more example that goes a step further.

So here is example five.

So there was once a mobile app which communicated over SSL with the server, and SSL was properly

implemented in this case.

As you know, SSL protects against man in the middle attacks.

So even if you somehow man in the middle the network connection you cannot see, nor you

modify the messages exchanged between the mobile app and the server.

We can call this an ecnrypted TLS tunnel.

Now the messages exchanged were actually encrypted with AES in CBC mode with PKCS5 Padding.

And it turned out that the server was vulnerable to a padding oracle attack, because there

were kinda verbose errors when you sent a corrupted message to the server.

I don't wanna explain how that attack works here, but it can be used to recover the encrypted

data.

So if you could somehow get your hands on an encrypted message sent from the app to

the server, then you could abuse the error messages to perform a padding oracle attack

and extract the clear-text data.

Is that a vulnerability, that you can decrypt encrytped data?

Well we had huge discussions about this because all of that happened inside of a TLS tunnel.

so even if you were able to get a network man-in-the-middle.

there was no way to actually get to the encrypted message.

SSL or TLS prevents that.

Now think about that.

If there were no encrypted messages, just SSL.

I would never report that "it uses SSL, that protects against MITM, this is safe").

Though I argue that because the client implemented this second layer of encryption, they wanted

that additional layer of protection, and breaking that layer through a padding oracle, is a

vulnerability.

So I report that

So… now we had five different examples that all have something weird about them.

I hope they really help you to think about what a vulnerability is and how hard it is

to define what that means.

I don't think I have a clear definition and if I would try to come up with one, I

would find exceptions and contradictions easily.

For me it's actually mostly intuitive and a "feeling".

I think I know when something is a vulnerability and I know when it's not.

I would tell you that you should just read vulnerability reports to also learn that,

but actually it's not easy to build an intuition, because you would need the intuition in the

first place to filter out the stupid reports.

And I think this is what we see happening.

Due to more and more unexperienced bug bounty reports we get flooded with vulnerability

reports that are not vulnerabilities.

And sometimes they might even get a bounty, because the receiving client might not be

able to realize that the report doesn't make sense.

And suddenly you normalise a certain type of finding as it being a valid vulnerability

for a bug bounty.

And this creates this whole weird economic around it.

When at some point a site or triage team rejects those reports because they realise it's

not actually an issue, then you have people complain and point at previous payouts.

It's really messy.

All advice I can give is to stay sceptical about reports and when in doubt ask a few

trustworthy professionals about their opinion.

And hopefully over time you get the experience you need.

Oh… and we haven't even talked about severity ratings yet.

But I don't really care about that.

I have a hard time to determine if a vulnerability is low, medium, high or critical in a certain

context, so I don't think that calculating a precise score like CVSS makes sense.

I understand why for business tracking reasons the Common Vulnerability Scoring System exists,

but I don't know.

I never used it and I feel like something is forced to be ranked, that cannot realistically

be ranked.

Well… let me know how you feel about this.

And by the way, this is my view in late 2018, and my opinions on something like this can

change, so keep that in mind before you angrily explode.

And now let the hunger games begin.

For more infomation >> What is a Security Vulnerability? - Duration: 16:08.

-------------------------------------------

Next Chelsea manager: The favourites to take over if Sarri is sacked - Duration: 2:50.

Former Real Madrid manager Zinedine Zidane is the favourite to become the next permanent Chelsea manager as the pressure on Maurizio Sarri grows

The Italian boss has come under increased pressure following Sunday's 6-0 defeat to Manchester City as the Blues head into the most important stage of their season so far

Chelsea clash with Malmo in the first round of the Europa League knockout stages on Thursday and the two legs against the Swedish outfit are separated by a tough FA Cup clash with Manchester United

Sarri's side then head to Wembley for another encounter with Manchester City for the Carabao Cup final but it remains to be seen whether the former Napoli boss will still be in charge for that game or any of the three matches that are on the schedule first

According to the latest odds from Betway, two-time Champions League-winning manager Zidane is the 6/4 favourite to take charge at Stamford Bridge on a permanent basis, with Gianfranco Zola second-favourite at 4/1

Atletico Madrid boss Diego Simeone is rated at 7/1, while there is also prices offered for ex-Chelsea bosses Guus Hiddink (10/1), Jose Mourinho (14/1) and Carlo Ancelotti (40/1)

Those who fancy another familiar face to return to Stamford Bridge can find Frank Lampard, who is impressing in the Championship with Derby County, priced at 16/1 while John Terry is considered an outsider at 33/1

Brendan Rodgers, Mourinho's former assistant at Stamford Bridge, is rated at 14/1 to leave Scottish champions Celtic for another crack in the Premier League, while Spain boss Luis Enrique is priced at 20/1

You can find all the latest odds below. Next permanent Chelsea manager Zinedine Zidane - 6/4 Gianfranco Zola - 4/1 Diego Simeone - 7/1 Guus Hiddink - 10/1 Brendan Rodgers - 14/1 Jose Mourinho - 14/1 Nuno Espirito Santo - 16/1 Frank Lampard - 16/1 Luis Enrique - 20/1 Eddie Howe - 33/1 John Terry - 33/1 Carlo Ancelotti - 40/1 Thomas Tuchel - 80/1

For more infomation >> Next Chelsea manager: The favourites to take over if Sarri is sacked - Duration: 2:50.

-------------------------------------------

FINALE WIE IS DE MOL? OOK DIT JAAR WEER IN DE BIOS - Duration: 1:18.

For more infomation >> FINALE WIE IS DE MOL? OOK DIT JAAR WEER IN DE BIOS - Duration: 1:18.

-------------------------------------------

'Ramsey has always impressed me. He is a champion': Can new Juventus signing - Duration: 2:52.

For more infomation >> 'Ramsey has always impressed me. He is a champion': Can new Juventus signing - Duration: 2:52.

-------------------------------------------

WHAT is the Unity JOB SYSTEM? - Duration: 8:52.

Salutations, I'm Jesco and you're watching Game Dev Made Easy.

I have noticed that many people are interested in learning about the Job System and Entity

Component System in Unity but are having issues with understanding the use of them, what they

actually are and how to implement them.

So, why don't I answer some of the questions you may have about them.

(Intro)

First things first, the Job System and the Entity Component System are two different

subjects but they tend to be explained together because they work very well in tandem.

To simplify, let's separate them and cover the subjects one at a time.

By episode 5, we will utilize the Job System and the Entity Component System together.

The Job System is Unity's implementation of multithreading and Unity has written the

Job System from the ground up to interact very well with the core engine.

Multithreading is splitting code to be processed by different processors at various stages

of execution.

To boil it down further, it allows your code to take advantage of multicore cpus.

Because of this, you can obtain high-performance benefits.

That extends to significant gains in frame rate.

The job system has three very distinct interfaces that you can inherit from, IJob, IJobParallelFor

and IJobParallelForTransform.

IJob is for scheduling a single job that runs in parallel to other jobs and the main thread.

The Execute method does not need any parameters for this version.

IJobParallelFor allows you to perform the same independent operation for each element

of a native container or for a fixed number of iterations.

Requires the Execute Method to have a parameter of type int and number of iterations.

IJobParallelForTransform allows you to schedule jobs related to transforms.

The execute method is unique to the Job System and is the method that is called when the

job is scheduled to run.

There are two main attributes that you can use, ReadOnly and WriteOnly.

ReadOnly allows for multiple jobs to read the data in parallel, meaning that the job

doesn't have to be complete before another job can read the data it contains.

WriteOnly allows for multiple jobs to write the data in parallel.

In other words, the jobs don't have to be complete before another job has the ability

to write to that data.

The Job System also has its own type that are used over what you are used to.

It has what is called a Native Container and there are five types that reside within the

Native Container that you can use.

• NativeArray, which is a fixed size array.

• NativeList, which is a resizable native array

• NativeHashMap, which is a key value pair • NativeMultiHashMap, which allows for multiple

values per key in a key value pair • NativeQueue, which is a first in, first

out queue system

You can think of each of these as the standard C#versions to simplify it.

So a NativeArray is just an arraylist, A NativeList is just a list, NativeHashMap is a HashMap,

A NativeMultiHashMap is just a HashMap that has been extended to have more than one value

per key, and NativeQueue is a queue.

Each of these take a generic type parameter.

Which means you can use a MonoBehaviour class as a type for it, Vector values and well,

you get the idea.

When creating a native container, it needs to have the type of memory allocation you

need for it specified.

This allows for you to tailor the allocation for the best performance that suits the use

case scenario.

There are three allocator types for native container memory allocation and release.

• Allocator.Temp – has the fastest allocation and is for allocations with a lifespan of

one frame or fewer.

(Note: You should not pass native container allocations using Temp to jobs)

• Allocator.TempJob is a slower allocation than Temp but faster than Persistent.

This one is used for allocations within a lifespan of four frames and is thread safe.

(Note: Most small jobs use this Native Container allocation type.)

• Allocator.Persistent is the slowest allocation but can last as long as you need it to, which

includes throughout the application's lifetime.

(Note: Persistent should not be used in performance critical operations).

Fun fact, Allocator.Persistent happens to be a wrapper for a direct malloc call in C.

All allocators must be closed by using a dispose call manually.

The anatomy of a Job is as followed.

You first create a job by creating a struct that inherits from IJob or IJobParallelFor.

The reason for the struct and not a class is due to the Job System requires a non nullable

value type to be used.

It should also be noted that a Job has no native concept of a frame.

Define your public variables with any attributes you want for it.

Inside of the public void Execute method, call any methods you have defined that needs

to be directly called.

In a Monobehaviour class, make sure to instantiate a new instance of your Job that you created.

Allocate, schedule, complete and dispose of your job in a method that is called by the

Update method.

Now, the Job System is useful in many situations.

You can generate and process point clouds, check for rays intersecting with bounds, accelerate

a very large number of objects at the same time, change the vertices of a mesh every

frame, change the vertices and normal of a mesh every frame, and other types of algorithms.

Obviously, you can do more than just algorithms with the Job system, but algorithms tend to

be the most performance intensive and the general cause of slowdowns in games.

The same goes for graphics processing, and you can use the Job System to handle that

as well.

There is one gotcha that you need to take into account for any time you deal with multithreading.

You must account for the number of threads you have active at any given time and how

fast the threads can be processed.

You must also take into consideration the user's device and how many threads they

have at their disposal to avoid performance hits.

Let's look at a few examples of processors and their thread counts.

• Ryzen 3 1200 has 4 cores and 4 threads.

• Ryzen 5 1600 has 6 cores and 12 threads.

• Ryzen 7 2700 has 8 cores and 16 threads.

• Intel I3 8100 has 4 cores and 4 threads.

• Intel I5 8400 has 6 cores and 6 threads.

• Intel I7 7700k has 4 cores and 8 threads.

• Intel I9 7900X has 10 cores and 20 threads.

It should also be noted that this does not take the GPU into account as they already

run in parallel and require a different philosophy when working with rendering and computation

with them.

With that being said, you should now know what the Job System is, how it works and how

to use it (in theory).

The next video will cover implementing the Job System.

For more infomation >> WHAT is the Unity JOB SYSTEM? - Duration: 8:52.

-------------------------------------------

Meghan Fashion - PIERS: Meghan is a ruthless social climber with the role of a lifetime - Duration: 5:22.

I was ghosted by Meghan Markle.If you're not familiar with the term 'ghosting', it's when someone you thought was a friend suddenly cuts off all communication with you, with zero warning, and then you never hear another word from that person again

I remember it very clearly because it's never happened to me before.So I found it very weird

The saga began one afternoon in the fall of 2015 when I decided to follow on Twitter four stars of the US legal drama Suits - including Ms Markle

Within minutes, she sent me a private Direct Message: 'Well hello there – thanks for the follow

Big fan of yours!'I replied, and for the next few months, we corresponded on a regular basis

We'd chat about everything from US gun violence (she shares my horror of it) to a charity trip she made for the United Nations to Rwanda, spinning classes, calligraphy, and our joint hatred of 4am filming call-times - hers for Suits and mine for Good Morning Britain in the UK

She even started sending me early preview episodes of her show so we could debate juicy storylines yet to air – which we did, at length

Meghan introduced me via cyberspace to another Suits cast member, Rick Hoffman - who played Louis Litt – and he and I also began to regularly correspond

He described their relationship to me as so close it felt like 'brother and sister'

In February 2016, Rick came to London and at my invitation, he appeared on Good Morning Britain

Nobody really knew who he was here, nor Meghan for that matter, but we had a fun interview and I sent the photos to Meghan afterwards - who was thrilled by them

In early June, 2016, she messaged me to say: 'I'm in London for a week of meetings and Wimbledon

Would love to say hi!'I suggested my local pub, the Scarsdale Tavern in Kensington – ironically just a few hundred yards from where she now lives at Kensington Palace

'Serena Williams sends her love,' she texted on the day from Wimbledon, where she was watching her friend play in the annual tennis tournament

'You're very popular as it turns out. Get you!'I don't hear those words very often, so they made an impression…Then she turned up at the pub and we had a very enjoyable time for 90 minutes or so before I put her in a taxi to a dinner she was having with friends at 5 Hertford Street, a fashionable club in London's Mayfair

She spoke very candidly about her family - there were some private, sensitive things she told me I would never repeat because they were said in confidence - Donald Trump (she's not a fan), and of course, Suits

She asked me for advice on her career and the media, and if she could come on Good Morning Britain next time she was over, which I said I would arrange

From the cab, Meghan sent me a series of texts thanking me and saying she was looking forward to meeting up again next time we were in the same city

She even publicly tweeted about how nice it was to see her 'friend' – me – in London

So at this point, I was indeed labouring under the massive misapprehension that we were friends

I was wrong.She met Prince Harry at the dinner that night, went on a solo date with him the next night, and I never heard from her again

Not a word.I'd been ghosted. And not just by her.At Meghan's behest, Rick Hoffman ghosted me too

I didn't hear from him again for 18 months, then he eventually crawled out of the woodwork after attending the big royal wedding last May

'Piers! I am very sorry for not responding,' he wrote in a lengthy message. 'You must understand, once I heard the news, out of respect for Meghan, I couldn't share a thing

Now I can share fun stuff! I would love to catch up at that favorite pub of yours

Hope to hear from you pal. Love you pal. Rick.'I didn't reply, because no, I didn't 'understand'

A real 'pal' doesn't ghost a friend for 18 months, right?That's just rude.In fact, I found the behaviour of the pair of them damn rude

I'd been 'played' by a couple of B-list actors, who were clearly just using me to advance their careers

But when someone more important and influential came along, in the shape of Prince Harry, I was instantly dumped like a sack of spuds (that's what we call potatoes in the UK)

Now, on a certain level, I grudgingly admire the work.And frankly, who am I, a former tabloid newspaper editor, to take a dim view of such ruthless antics?But on another level, the whole experience left me feeling suspicious and cynical about Ms Markle

And nothing in her behaviour since marrying Prince Harry has alleviated those concerns

From the moment I read that he barked 'What Meghan wants, Meghan gets! at palace courtiers in the run-up to the wedding, my heart sank

Because I fear that's exactly what she's used to getting.And anyone or anything that may not give her what she wants or gets in the way of her social climbing self-advancement gets discarded

Her first husband? Ditched as her Suits career took off.Her dysfunctional family? Banned from the wedding – all of them

Her poor old ailing Dad? Cut off and disowned for struggling to cope with media attention about his daughter

Meghan's swapped her dreary, problematic old real world for a thrilling new fantasy world of the Queen, Michelle Obama and the Clooneys

Only her mother Doria made the cut to Princess Meghan's AAA-list new life.But pieces of work never change their spots

Now, there is a steady flow of negative stories streaming from Palace 'insiders' about Meghan's alleged diva antics

She was said to have 'displeased' the Queen by demanding an emerald tiara for the wedding

There are rumours of a growing rift with the Duchess of Cambridge, who was reported to have burst into tears over Meghan's hostile behaviour during a bridesmaid dress fitting for her daughter Princess Charlotte

Kate was also reported to have complained about Meghan being needlessly unpleasant to a royal member of staff

Meghan's personal assistant Melissa Toubati recently quit after just six months in the job after also being left in tears

Royal courtiers are said to be already 'fed up' with her domineering and dictatorial attitude that involves daily 5am email demands and even led to her apparently insisting on air fresheners to hide the 'musty odour' of St George's Chapel, Windsor Castle

It was an absurd request that was very firmly denied.When Palace 'insiders' start leaking this amount of damaging mud, you can be certain that much of it is true

And given my unfortunate experience with her, I'm afraid I'm not remotely surprised

It's got nothing to do with sexism or racism, as some ridiculous commentators have suggested

No, I think it's far simpler than that: Meghan Markle is a self-obsessed professional actress who has landed the role of her life and is determined to milk it for all she's worth

She's spent most of the past 20 years cosying up to people until they serve no more use to her, then airbrushing them out of her life without so much as 'goodbye, Loser!'I know because I was one of them

But she's now finding out the hard way that if you try to 'play' the Royals and the Royal Household like she played people like me, you'll come up against a system you can never beat

Just ask the late Princess Diana or Sarah, Duchess of York.For the first time in her life, Meghan Markle has discovered she can't always get what she wants

For more infomation >> Meghan Fashion - PIERS: Meghan is a ruthless social climber with the role of a lifetime - Duration: 5:22.

-------------------------------------------

Why Fowler is worried over which Liverpool will face Bayern - Duration: 2:04.

Another break for Liverpool – another chance for them to lose their rhythm in my eyes

Look, I must admit with all the injuries they had, they'll have been able to use the time off to get some players back fit and get their training organised, and work on things

Yet you know my feelings on momentum and playing. I hated not being involved in games when I was a player, I hated being rested

I'd much rather win and take the energy and rhythm from that, . just as Manchester City have done in recent weeks

So I'm a bit apprehensive about which Liverpool we will see next week against Bayern Munich and Manchester United

Read More Liverpool legend names unsung hero who should be first name on Jurgen Klopp's teamsheet There was absolutely no doubt they lost a bit of rhythm after the last break, which cost them points against Leicester and West Ham

They looked a little rusty. I hope the same thing doesn't happen this time. But I will say Jurgen Klopp will be aware of that, and will look at what worked and what didn't at the last training camp

They'll also have the Kop in full European night voice too, which tends to blow the cobwebs away – so maybe I don't have to worry so much about momentum this time! Read More Mirror Football's Top Stories

For more infomation >> Why Fowler is worried over which Liverpool will face Bayern - Duration: 2:04.

-------------------------------------------

Opinion Is Nancy Pelosi a Climate Skeptic? The New York Times - Duration: 2:37.

Opinion Is Nancy Pelosi a Climate Skeptic? The New York Times

Its time to reckon with the internal contradictions of climate policy.

Opinion Columnist

Is Nancy Pelosi a climate skeptic? Of course not — . But you might be excused for thinking so, given the curt wave off the House speaker delivered to the liberally ballyhooed, legislatively stillborn

The green dream, or whatever they call it, nobody knows what it is, but theyre for it, right? That was Pelosi talking about the deal as if it were a grandchilds latest video game obsession. The San Francisco Democrat is nothing if not a political realist, and that kind of realism means that no Congress is going to mobilize the country to fight climate change as if it were an alien invasion, as my colleague Farhad Manjoo .

Higher mileage standards, more subsidies for wind and solar, signing the Paris climate deal? Those are the sorts of policies Nancy Pelosi believes in, and would happily endorse if stars align under a future Democratic president.

But obtaining 100 percent of Americas power needs through renewable energy, upgrading all existing buildings in the United States to meet maximal efficiency standards, and dealing with the issue of cow flatulence by reducing meat consumption, as the Green New Deal proposes? Fuhgeddaboudit.

Then again, if climate change is a potentially humanity wrecking event, why shouldnt we treat it as an alien invasion equivalent? Lets assume and we dont have a moment to lose in substantially decarbonizing the global economy, no matter what the financial cost or political pain. In that case, isnt Pelosis incrementalist approach to climate absurdly inadequate?

Isnt it, in fact, like trying to put out a forest fire with a plant mister?

Marxists of old liked to talk about the fundamental contradictions of capitalism. Today we should also reckon with the contradictions of climate policy. Are we dealing with a problem so severe that it requires the of war socialism? Or should we think of climate change roughly the same way we think about global poverty — a serious problem we can work patiently to solve without resort to extreme measures like or depriving of the attention they deserve?

If its the former, then another windmill subsidy or carbon trading scheme wont do. We need to take extreme measures: to declare a , every citizens carbon footprint, raise taxes on the rich and middle class alike to fund trillions of dollars in green infrastructure projects worldwide, and even impose economic sanctions on China and India if they dont stop .

If the latter, however, then can we at least end the apocalyptic talk, especially since we arent prepared to take more than piecemeal steps?

So far, activists have been able to elide this contradiction, claiming both that climate change is a , and that we can deal with it relatively easily. That may do wonders for public awareness — do your part and bike to work! — but it is self deceiving, if not dishonest. Whatever else might be said of it, the Green New Deal blows the lid off that delusion. Its a remarkably honest attempt to offer a massive answer to what its authors see as an epochal problem.

Yet its virtue is also its undoing. The Green New Dealers may want to spend trillions on a climate moonshot and trillions more on their other policy hobbyhorses . Most people dont even want to spend pennies, at least if its their own money. , voters in Washington rejected a carbon fee by a margin of 12 percentage points. Thats a blue state. Endorsements of the Green New Deal may have rolled in from Democratic presidential hopefuls, but the chances of them enacting any of it if they take office are about as great as Scott Pruitt being elected to the board of the Sierra Club. Even Barack Obama didnt endorse a gas tax when he had a chance to do so in 2009.

All of this means that climate activists should get wise to a central fact: If Pelosi is skeptical of their policies, where do they imagine the rest the country is? Those who believe climate change will become irreversible, uncontrollable and catastrophic in a few years should get to work on their fallout shelters. The E.P.A. wont be coming to the rescue.

By contrast, those who think climate change is a real but manageable problem would do well to say as much, too. Climate change means change, not doom. It shouldnt be hard to make the case, even to conservatives, for large scale investments in climate resilience, such as better coastal defenses. It shouldnt be hard, either, to make the case even to liberals that dynamic market economies are essential for creating the kind of wealth that makes environmental protections affordable, along with the innovations that make environmental fixes possible.

Pelosis seal clap sealed the fate of the Green New Deal. Now its time to move climate policy beyond impractical radicalism and feckless virtue signaling to something that can achieve a plausible, positive and bipartisan result.

The Times is committed to publishing to the editor. Wed like to hear what you think about this or any of our articles. Here are some . And heres our email: .

Follow The New York Times Opinion section on , and .

For more infomation >> Opinion Is Nancy Pelosi a Climate Skeptic? The New York Times - Duration: 2:37.

-------------------------------------------

Update | Opinion Is Nancy Pelosi a Climate Skeptic? The New York Times - Duration: 2:43.

Update | Opinion Is Nancy Pelosi a Climate Skeptic? The New York Times

Its time to reckon with the internal contradictions of climate policy.

Opinion Columnist

Isnt it, in fact, like trying to put out a forest fire with a plant mister?

If the latter, however, then can we at least end the apocalyptic talk, especially since we arent prepared to take more than piecemeal steps?

The Times is committed to publishing to the editor. Wed like to hear what you think about this or any of our articles. Here are some . And heres our email: .

Follow The New York Times Opinion section on , and .

Yt is on video

Chủ Nhật, 17 tháng 2, 2019

Waching daily Feb 17 2019

Không có nhận xét nào:

Đăng nhận xét