All that would change is free apps would check if you gave it the permissions it wanted and if not tell you to enable them. I suspect paid apps would as well, many of those still sell data if they can.
If an app told me it needed a permission when I tried to use that permission, that would be a great improvement. Then I would have some more information on which to make the decision of whether to grant it.
If an app on start-up complained about every permission it didn't have with no explanation as to why it needed it, that would be great as well, as I would instantly know it's an app I don't want.
Google does. Applications need to specifically be granted permissions to access data services.
Except you can't remove internet permission from something that requests it, even though that would be so simple it hurts. You know what I call that? Google fail.
Sure, it's better than Apple, but what kind of a bar is that? It is still far from good, and would be so simple to fix
Lets be honest, there's no accountability on the part of mobile app developers. Before you download an Android app it asks for permission to use certain features, but the developers aren't required to say how they'll use those features, or what they'll do with it.
And what's worse is that despite having a fairly granular permissions system, the end user is totally denied any ability to selectively remove permissions. Want to remove Internet access from an application that doesn't need it? Tough luck--Google knows what's best for you.
And then they try to say they don't add this because 90% of users wouldn't use it. So? Bury it deep down in a menu somewhere that only people that really care will find it. The fact is it would be simple, but Google just doesn't want the user to have this power over her device.
Android already has a great permissions system by which an application is granted permission to access functions of the phone and the Internet connection on a fairly granular level.
However, even though they have already implemented this system that could allow the user to control what an application can do on her device, Google has chosen to restrict the end user from obtaining greater privacy and security by restricting an application's permissions. Through the user interface, one must either grant all permissions to an application or choose not to install the application--a single permissions cannot be removed.
There is a small argument to be made that this makes things easier for developers, but how hard is it to gracefully handle not having certain permissions? For many features like GPS and Internet connectivity, Android could simply respond as if they are turned off if permission is denied.
Some members of the Android development team have tried to spin the lack of user permission settings as a benefit to the user with the argument that "if users can disable permissions arbitrarily, then developers will have no incentive to minimize the amount of permissions they declare their applications need, and the average user will be less secure". This is the only somewhat rational explanation I have gleaned from there responses, and while there might be a small bit of merit to that and certain developers might really believe that, I think on the whole it is misguided.
I believe Google's real goal is to make sure the user has no control over permissions, only a binary install / not install, because they're an advertising company with an interest in your data being sold. They continually ignore this permissions issue even though they have acknowledged it is among the top Android security complaints.
Perhaps I wasn't clear. I was suggesting that the procedure with concatenating the nonce can still be done, just using the hash as the starting point instead of the plain-text password. The only extra step would be hashing the password on the client side at the beginning of the procedure. Wouldn't this provide the same protection against MITM without the server having the password in plain-text?
Being a web dev, I agree--the better decision is certainly to use SSL for the web form and transmit the password, hashing it on the server but never storing it.
In asking the question, I was trying to determine if there could be a good reason Sony stored the password in a readable form. As opposed to the likely not-good reasons, being either ineptitude or thinking your plain-text password along with your email address and user name might come in handy...
Unencrypted passwords being accessed is not speculation. Sony was pretty clear about this point:
Although we are still investigating the details of this incident, we believe that an unauthorized person has obtained the following information that you provided: name, address (city, state, zip), country, email address, birthdate, PlayStation Network/Qriocity password and login, and handle/PSN online ID. -Official Playstation Blog
I think if they could say "encrypted password hashes", they would. Unless they're trying to make things seem worse than they are in some misguided attempt to come out looking better in the end.
If the password is stored 'in the clear' on the server side and treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure.
And why couldn't a hash of the password be used as a shared secret? As long as the client can do the hashing, I see no reason the hash couldn't be used in place of the original password.
As a potential answer to my own question, maybe they wanted to make sure their log in form would work on a web browser without scripting.
No real active "attack", just Sony needing an excuse to have the network down for a week to retrofit security to stop consoles with modified software from connecting ("I know !! we'll blame teh haxx0rs and play the victim rather than look like ones at fault for not providing service for a week! Since people are messing with our consoles, it's not really a lie!"), or
An attack motivated by Sony's anti-consumer practices
Yes, the "Future". I'm glad to see you've heard of it so we don't have to start at the very beginning. It is one of the advanced concepts we can understand as humans, and it holds that while we are conscious of existing right at this moment, we may continue to exist in subsequent moments, and things and circumstances might change! It is truly a wonderful thing to understand and engage with, if you take the time to grasp it.
Sometimes, it is even possible to look at things that have already happened (in academic terms, the "Past" and "History") and try to determine through reason what results might be brought about by the decisions we make today. This practical application is called "Planning", and through it we can sometimes create more favorable outcomes for ourselves!
However, an understanding of these concepts is not enough to qualify one for a tin foil hat. That is a different discipline entirely.
I did a bit of research, and it looks like in 2005 a law went into effect in the U.S. that requires a service provider to be able to locate a subscriber within 100 meters when they dial 911. A GPS is not required for this because it can often be obtained using triangulation, but it looks like most providers of even cheap phones started included them anyway.
So no, the law does not require a GPS in every cellular phone. However, it looks like it may have had the same effect.
All cell-phone manufacturers are required to have GPS data for emergency 911 response. This is required by US law.
Huh? Where do people pull this stuff from? It's possible you're just confused, but the way you phrase that resembles a deliberate misrepresentation more than an honest mistake.
I believe by law the cellular service provider is required to send any available location information to 911 at the time a call to 911 is made. This means that information about the cell tower the phone is currently using will be sent, along with any coarse triangulation data, and, if the phone has a GPS, the GPS will be activated and send any information it is able to gather.
This does NOT mean that manufacturers are required to include a GPS or that the service provider is required to keep records for 911 purposes. If there is a GPS in the phone, it must be able to be activated for these purposes, but not before 911 is called.
If this is not correct, please provide a citation, but I really doubt things have gotten batty enough yet to require a GPS in every phone. Otherwise, please stop spreading this misinformation.
Its still one of those deals where, as long as you aren't looking at CP or committing financial crime, law enforcement doesn't care about you for the most part.
Yet.
The better question is, why are you so comfortable that the huge troves of information collected about you over years and decades won't be used against you in the future? If the information's there, there is surely someone who would like to use it to their advantage. Just because those people (arguably) aren't in power now doesn't mean it's not one disaster, war, or election away from happening.
It's better all-around just to end these information-collection practices now and head off the future trouble we'll cause ourselves. But information is power, so limiting the information the powers that be have on each of us will be no easy task.
Whoever approved this needs some jail time. Merely a fine for the "corporate person" guilty of this would just mean this sort of thing will continue if there's a chance of profitability.
but the X220 can be had with an IPS panel while the T420 has a larger screen and optional discreet [sic] graphics. I hate compromising...
The day IPS displays return as an option to the T-series is the day I buy another one even if I don't need it.
I was disappointed to see the T420 move to a 16:9 screen from the 16:10 ratio I much prefer on a computer, but they made the right choice in increasing the screen resolution with the change, so I can't really complain too much as there's move usable real estate.
But beyond pointing out your wanton disregard for apostrophe usage, that's a matter of opinion. I think the unassuming, form-fits-function design of ThinkPads is beautiful and I personally much prefer it to anything else out there.
I second this. I can't comment on Lenovo's consumer-focused IdeaPad line, but the ThinkPad line is top notch.
If hardware quality, good engineering, and support/warranty service are what is important to you, ThinkPads (at least the T, X, and W series) are still untouchable (even by Apple). And they're less expensive, too.
If you want a good general-purpose laptop, take a look at the T410 (which is on discount as it's being replaced) or the newer T420.
It's called CHEETAH now, but when you refuse to burn down your house and destroy your contraband information, this technology will be much more useful in the mechanical hounds.
Just imagine if all the talented people who spent hundreds or thousands of man-hours making this remake instead spent their energy on something new.
I haven't seen it mentioned in the comments yet, but AGD Interactive's commercial arm, Himalaya Studios, announced during the KQ3 release that they are working on something new: a role-playing adventure called Mages's Initiation. From the official announcement on their forum, their promo page, and a thread on the AGDI forum, it looks like in will leverage a lot of their knowledge in creating the Quest for Glory II remake to really bring that unique genre into the present day and future. I still haven't found a game that followed up on the promise of Quest for Glory II in my mind, so I'm personally looking forward to it quite a bit.
I also still use a similar directory structure, but I've made once change in the past few years that makes it much easier to manage: I keep the special, personal, irreplaceable in a separate hierarchy.
This negates the need for something like a backup_links directory, and makes it much easier to just share the "normal" media directory with everyone/thing on my home network and then handle permissions on the personal stuff with more granularity. It's also much easier when I know I'm looking for a photo I've taken or a document I've made that it'll be in the personal hierarchy under those categories rather than the main ones.
It's a small change, but keeping a separation between stuff I've made and the easily replaceable stuff I've acquired has gone a long way to making my personal data and treasures more secure--both from loss and accidental sharing.
This is sort of a big deal, because Nintendo didn't release a Super Mario Bros. title for about 15 years (between Super Mario World and New Super Mario Bros. for the DS). There are a lot of people who love Super Mario Bros. who really couldn't care less about the newest 3D Mario game or Mario spin-off series. And the gameplay of Super Mario Bros. is the reason most Mario fans started loving Mario.
There's quite a difference between a new Mario title being announced (which is to be expected) and a new Super Mario Bros. title being announced (which Nintendo was reluctant to make because they were busy insisting on making only 3D Mario and spin-offs for 15 years, although they have probably reconsidered that after the rampant success of NSMB and NSMB Wii). This is a confirmation Nintendo is going to keep making games to please fans of the original Mario. Hopefully they do the same with Metroid after the atrocious Other M.
Actually, it's pretty obvious why Microsoft marketing went back to version numbers, especially considering the Mojave Experiment. While it's certainly possible they might have just named it 7 because they felt it was the seventh generation of Windows, the obvious, likely reason is that 7 sounds as little like Vista as possible.
You do know that the iPhone 4 was actually the 4th version of the iPhone right?... Maybe that was the simple explanation.
Actually, it's not an explanation at all to the question "why did the company name the product with a version number at the end when they usually go out of their way to avoid doing this?".
Slashdot Mirror
As to their revenue model, I believe they base that on selling your private information to dictators and despots instead of advertisers.
In that case it's not selling. It's simply the price of doing business in India, China, Pakistan, the U.S., etc.
All that would change is free apps would check if you gave it the permissions it wanted and if not tell you to enable them. I suspect paid apps would as well, many of those still sell data if they can.
If an app told me it needed a permission when I tried to use that permission, that would be a great improvement. Then I would have some more information on which to make the decision of whether to grant it.
If an app on start-up complained about every permission it didn't have with no explanation as to why it needed it, that would be great as well, as I would instantly know it's an app I don't want.
Google does. Applications need to specifically be granted permissions to access data services.
Except you can't remove internet permission from something that requests it, even though that would be so simple it hurts . You know what I call that? Google fail.
Sure, it's better than Apple, but what kind of a bar is that? It is still far from good, and would be so simple to fix
Lets be honest, there's no accountability on the part of mobile app developers. Before you download an Android app it asks for permission to use certain features, but the developers aren't required to say how they'll use those features, or what they'll do with it.
And what's worse is that despite having a fairly granular permissions system, the end user is totally denied any ability to selectively remove permissions. Want to remove Internet access from an application that doesn't need it? Tough luck--Google knows what's best for you.
And then they try to say they don't add this because 90% of users wouldn't use it. So? Bury it deep down in a menu somewhere that only people that really care will find it. The fact is it would be simple, but Google just doesn't want the user to have this power over her device.
See more from me on this below.
Android already has a great permissions system by which an application is granted permission to access functions of the phone and the Internet connection on a fairly granular level.
However, even though they have already implemented this system that could allow the user to control what an application can do on her device, Google has chosen to restrict the end user from obtaining greater privacy and security by restricting an application's permissions. Through the user interface, one must either grant all permissions to an application or choose not to install the application--a single permissions cannot be removed.
There is a small argument to be made that this makes things easier for developers, but how hard is it to gracefully handle not having certain permissions? For many features like GPS and Internet connectivity, Android could simply respond as if they are turned off if permission is denied. Some members of the Android development team have tried to spin the lack of user permission settings as a benefit to the user with the argument that "if users can disable permissions arbitrarily, then developers will have no incentive to minimize the amount of permissions they declare their applications need, and the average user will be less secure". This is the only somewhat rational explanation I have gleaned from there responses, and while there might be a small bit of merit to that and certain developers might really believe that, I think on the whole it is misguided.
I believe Google's real goal is to make sure the user has no control over permissions, only a binary install / not install, because they're an advertising company with an interest in your data being sold. They continually ignore this permissions issue even though they have acknowledged it is among the top Android security complaints.
Perhaps I wasn't clear. I was suggesting that the procedure with concatenating the nonce can still be done, just using the hash as the starting point instead of the plain-text password. The only extra step would be hashing the password on the client side at the beginning of the procedure. Wouldn't this provide the same protection against MITM without the server having the password in plain-text?
Being a web dev, I agree--the better decision is certainly to use SSL for the web form and transmit the password, hashing it on the server but never storing it.
In asking the question, I was trying to determine if there could be a good reason Sony stored the password in a readable form. As opposed to the likely not-good reasons, being either ineptitude or thinking your plain-text password along with your email address and user name might come in handy...
Unencrypted passwords being accessed is not speculation. Sony was pretty clear about this point:
I think if they could say "encrypted password hashes", they would. Unless they're trying to make things seem worse than they are in some misguided attempt to come out looking better in the end.
If the password is stored 'in the clear' on the server side and treat the password as a shared secret, then *if* you design the authentication right, you render man in the middle infeasible with the tradeoff of storage attack being a large exposure.
And why couldn't a hash of the password be used as a shared secret? As long as the client can do the hashing, I see no reason the hash couldn't be used in place of the original password.
As a potential answer to my own question, maybe they wanted to make sure their log in form would work on a web browser without scripting.
Source?
Just my speculation, being familiar with Sony. I suppose I should have said "I strong suspect this is" rather than "This is almost surely".
This is almost surely a result of either:
I really doubt it's a money issue.
Yes, the "Future". I'm glad to see you've heard of it so we don't have to start at the very beginning. It is one of the advanced concepts we can understand as humans, and it holds that while we are conscious of existing right at this moment, we may continue to exist in subsequent moments, and things and circumstances might change! It is truly a wonderful thing to understand and engage with, if you take the time to grasp it.
Sometimes, it is even possible to look at things that have already happened (in academic terms, the "Past" and "History") and try to determine through reason what results might be brought about by the decisions we make today. This practical application is called "Planning", and through it we can sometimes create more favorable outcomes for ourselves!
However, an understanding of these concepts is not enough to qualify one for a tin foil hat. That is a different discipline entirely.
I did a bit of research, and it looks like in 2005 a law went into effect in the U.S. that requires a service provider to be able to locate a subscriber within 100 meters when they dial 911. A GPS is not required for this because it can often be obtained using triangulation, but it looks like most providers of even cheap phones started included them anyway.
So no, the law does not require a GPS in every cellular phone. However, it looks like it may have had the same effect.
All cell-phone manufacturers are required to have GPS data for emergency 911 response. This is required by US law.
Huh? Where do people pull this stuff from? It's possible you're just confused, but the way you phrase that resembles a deliberate misrepresentation more than an honest mistake.
I believe by law the cellular service provider is required to send any available location information to 911 at the time a call to 911 is made. This means that information about the cell tower the phone is currently using will be sent, along with any coarse triangulation data, and, if the phone has a GPS, the GPS will be activated and send any information it is able to gather.
This does NOT mean that manufacturers are required to include a GPS or that the service provider is required to keep records for 911 purposes. If there is a GPS in the phone, it must be able to be activated for these purposes, but not before 911 is called.
If this is not correct, please provide a citation, but I really doubt things have gotten batty enough yet to require a GPS in every phone. Otherwise, please stop spreading this misinformation.
Its still one of those deals where, as long as you aren't looking at CP or committing financial crime, law enforcement doesn't care about you for the most part.
Yet.
The better question is, why are you so comfortable that the huge troves of information collected about you over years and decades won't be used against you in the future? If the information's there, there is surely someone who would like to use it to their advantage. Just because those people (arguably) aren't in power now doesn't mean it's not one disaster, war, or election away from happening.
It's better all-around just to end these information-collection practices now and head off the future trouble we'll cause ourselves. But information is power, so limiting the information the powers that be have on each of us will be no easy task.
Whoever approved this needs some jail time. Merely a fine for the "corporate person" guilty of this would just mean this sort of thing will continue if there's a chance of profitability.
but the X220 can be had with an IPS panel while the T420 has a larger screen and optional discreet [sic] graphics. I hate compromising...
The day IPS displays return as an option to the T-series is the day I buy another one even if I don't need it.
I was disappointed to see the T420 move to a 16:9 screen from the 16:10 ratio I much prefer on a computer, but they made the right choice in increasing the screen resolution with the change, so I can't really complain too much as there's move usable real estate.
ThinkPad's are god awfully ugly.
ThinkPad's what are ugly?
But beyond pointing out your wanton disregard for apostrophe usage, that's a matter of opinion. I think the unassuming, form-fits-function design of ThinkPads is beautiful and I personally much prefer it to anything else out there.
I second this. I can't comment on Lenovo's consumer-focused IdeaPad line, but the ThinkPad line is top notch.
If hardware quality, good engineering, and support/warranty service are what is important to you, ThinkPads (at least the T, X, and W series) are still untouchable (even by Apple). And they're less expensive, too.
If you want a good general-purpose laptop, take a look at the T410 (which is on discount as it's being replaced) or the newer T420.
It's called CHEETAH now, but when you refuse to burn down your house and destroy your contraband information, this technology will be much more useful in the mechanical hounds.
Just imagine if all the talented people who spent hundreds or thousands of man-hours making this remake instead spent their energy on something new.
I haven't seen it mentioned in the comments yet, but AGD Interactive's commercial arm, Himalaya Studios, announced during the KQ3 release that they are working on something new: a role-playing adventure called Mages's Initiation. From the official announcement on their forum, their promo page, and a thread on the AGDI forum, it looks like in will leverage a lot of their knowledge in creating the Quest for Glory II remake to really bring that unique genre into the present day and future. I still haven't found a game that followed up on the promise of Quest for Glory II in my mind, so I'm personally looking forward to it quite a bit.
I also still use a similar directory structure, but I've made once change in the past few years that makes it much easier to manage: I keep the special, personal, irreplaceable in a separate hierarchy.
This negates the need for something like a backup_links directory, and makes it much easier to just share the "normal" media directory with everyone/thing on my home network and then handle permissions on the personal stuff with more granularity. It's also much easier when I know I'm looking for a photo I've taken or a document I've made that it'll be in the personal hierarchy under those categories rather than the main ones.
It's a small change, but keeping a separation between stuff I've made and the easily replaceable stuff I've acquired has gone a long way to making my personal data and treasures more secure--both from loss and accidental sharing.
This is sort of a big deal, because Nintendo didn't release a Super Mario Bros. title for about 15 years (between Super Mario World and New Super Mario Bros. for the DS). There are a lot of people who love Super Mario Bros. who really couldn't care less about the newest 3D Mario game or Mario spin-off series. And the gameplay of Super Mario Bros. is the reason most Mario fans started loving Mario.
There's quite a difference between a new Mario title being announced (which is to be expected) and a new Super Mario Bros. title being announced (which Nintendo was reluctant to make because they were busy insisting on making only 3D Mario and spin-offs for 15 years, although they have probably reconsidered that after the rampant success of NSMB and NSMB Wii). This is a confirmation Nintendo is going to keep making games to please fans of the original Mario. Hopefully they do the same with Metroid after the atrocious Other M.
Who knows what is in the mind of marketing?
...
Windows Vista
Windows 7
Actually, it's pretty obvious why Microsoft marketing went back to version numbers, especially considering the Mojave Experiment. While it's certainly possible they might have just named it 7 because they felt it was the seventh generation of Windows, the obvious, likely reason is that 7 sounds as little like Vista as possible.
You do know that the iPhone 4 was actually the 4th version of the iPhone right? ... Maybe that was the simple explanation.
Actually, it's not an explanation at all to the question "why did the company name the product with a version number at the end when they usually go out of their way to avoid doing this?".