Slashdot Mirror


User: mlts

mlts's activity in the archive.

Stories: 0
Comments: 5,534

Comments · 5,534

  1. Re:State Your Name on Fighting Scams Targeting the Elderly With Old-School Tech · · Score: 1

    Most of the scammers tend to be those casting a wide net. They bought an info dump with thousands of names, phone numbers, and such in it, fed the numbers into a robodialer, and had people in a boiler room automatically use names of relatives in a scripted speech.

    An anti-fraud device, or something asking for info to be called back at, will be more than enough protection, because the scammer will just move to the next potential mark on the data dump and try them.

    They try to be relatively quick about it. Eventually, bad number blocking sites like Mr. Number and others will have enough entries to have the fraudster's number blocked on devices subscribing to the service.

  2. Re:I just must be drunk. on Fighting Scams Targeting the Elderly With Old-School Tech · · Score: 2

    VoIP scams are easy to do. For example, callerID is fairly easy to forge and it doesn't cost much money to set up a boiler room and staff it with people who do this. This allows a company to be in India, but still call from a US number.

    To boot, there are very stiff fines... but have you seen how a lot of the robocall firms are organized? Most have a lot of holding corporations that they work with, one owns the furniture, one pays the employees, one possesses the computer data, so when the main company, say XYZ corp, gets sued, they just file bankruptcy, then a new company, ABC corp gets created, and they are back in business the next day. To boot, all of these companies are registered offshore, so finding the true owners will be virtually impossible unless the company decides to hit a third rail in the US (drugs, guns, and IP violations.)

  3. Re:is it an engine or a display model? on Researchers Create World's First 3D-Printed Jet Engines · · Score: 1

    That is what I wonder about as well. Sintering requires heat, so that makes me wonder if the metal can handle the high temperatures that a turbine spins at.

    However, TFA states a 3D printed rocket engine was made and actually used by UCSD researchers in 2013, so there is a good chance that this can be made to function.

    The rocket was 3D printed via DMLS, but then "hardened, polished, and assembled." I have zero clue on the hardening method, because non-ferrous metals can't be really heated and quenched.

    I'm hoping this is something that can see actual use, because if done right, maybe we can get more people researching jet/turbine engines.

    There is always the fact that a turbine engine can be used for a vehicle. With the 7+ speed transmissions available, as well as CVTs, the limitation of a turbine's narrow power band can be overcome at the gearbox.

  4. Re:Who's Afraid of Android Fragmentation? on Who's Afraid of Android Fragmentation? · · Score: 1

    The biggest issue that people have is app compatibility, and without apps, the entire ecosystem winds up marginalized, as it did with Maemo/Meego (which were excellent operating systems, but without popular support, just didn't continue on.)

    The good news is that we have tools to fix this, especially with containers, virtualization, and btrfs, which offers online and offline deduplication.

    Virtualization is important. With this, one can have their apps for work in one VM which is up to corporate policies when it comes to encryption and access control, and a second VM for personal stuff. It would be nice if US phones had more dual SIM card support, so one could use two numbers at once, and "never the twain shall meet".

    Containers are useful as well, mainly as a way to isolate and secure apps.

    Of course, having deduplication saves space, so one can have 2-3 VMs, with most of the Android footprint (mainly /system) being shared between them.

  5. Re:There's no $$$ to be made in security on Schneier: Everyone Wants You To Have Security, But Not From Them · · Score: 2

    This is a good thing. In the past, a company would get breached, and it would have a minimal impact after paying for a PR campaign, definitely forgotten after six months.

    However, the Sony hack, with E-mails leaked (which got celebs mad) and data destroyed, is different. Before that, a company got hacked... but their data was still there, so a lot of managers just brushed it off. However, if an intrusion means that the entire company is unable to do business and likely will fail in days to weeks [1], security goes from something in the backseat that is perceived as having no ROI, to a major concern.

    This is a good thing. We have had solid security concepts since the 1970s, and most enterprise applications and devices can be well locked down. It is just using the functionality involved and making it work for that company/organization's culture.

    It also might get vendors focused on security, perhaps being able to standardize on things. For example, it would be nice to have a style of USB cryptographic token that works with anything, be it an AIX machine or a Windows box.

    Which means more money for those who can keep pace with security.

    [1]: There are a lot of businesses who decided to follow the hype and drop tape, and instead, go with tiers of SANs for backups. Backing up to SANs does provide decent protection against hardware faults.

    However, having all data accessible comes at a cost. A bad guy can log onto the SAN's backend and purge all data with just a single command. Once this is done, the data is gone, and because there are no backup tapes... there is no recovery possible. Even with SANs that replicate to different physical locations, the deletion will be replicated. Even more insidious is tampering over time, where someone logs on to a SAN and just starts overwriting stored data that nobody ever accesses.

    It makes me wonder if tape will go from being laughed at as "retro" to being a primary medium for storage again. A pile of tapes stored offline will require physical access to destroy, as opposed to zeroing out everything with just one button. Even cloud "media" is easily destroyed if a blackhat gets enough access.

  6. Re:Did you read it? on Schneier: Everyone Wants You To Have Security, But Not From Them · · Score: 2

    Devil's advocate here:

    What about DISA/NIST and their publications/guidelines? This is paid for by the taxpayers, and can be very useful, even though the info might be obvious in some places [1]. They have decent checklist guides on recent operating systems under their national vulnerability database.

    It is nice to be able to fetch info, even if one doesn't have to worry about stuff like FISMA and SCAP, just to have a decent baseline of security.

    [1]: Things like using group policies, not allowing multiple users to use the same account, etc.

  7. Re:Patent reform will never happen on Jury Tells Apple To Pay $532.9 Million In Patent Suit · · Score: 3, Interesting

    One of the best examples of abuses of patent reform is part of the history of refrigeration.

    Refrigeration and air conditioning as we know them were locked down for over 25 years because the ice industry was gigantic and purchased patents or had them granted (a metal tube with stuff flowing through it that changes phase, for example), which effectively blocked the refrigerator from becoming a household appliance until after World War 1.

  8. Re:Cock Chuggin' on Moxie Marlinspike: GPG Has Run Its Course · · Score: 3, Informative

    There are two items when people mention PGP:

    The OpenPGP format.

    The PGP implementation applications, like archaic PGP versions, NetPGP, APG, OpenKeyChain, GNU Privacy Guard, Symantec Encryption Desktop, and a number of others.

    As far as I know, all the above have their source code available under various licenses, even the Symantec stuff either has, or used to have, its source available for examination.

    I do agree that a revamp in some of the OpenPGP implementation programs is direly needed, because as of now, the most usable implementation (IMHO) is Symantec's version, which is a commercial product.

    It might be nice to see about breaking the OpenPGP implementation programs up into two parts -- two library frameworks (one for BSD, and one for GPL v3), and the code that accesses the libraries.

    As for the OpenPGP format itself, it does need some incremental improvements:

    1: Additional encryption and the ability to chain encryption algorithms. This isn't meant to win a bitsize war, but so that if one algorithm like SERPENT gets broken, there is still AES and Twofish. TrueCrypt implements this.

    2: Splitting how much you trust a key versus how much you trust a key's owner to sign, introduce, and validate other people's keys, with both of these values exportable. This way, if you are 100% sure you have a key of a cretin, you can pass that along.

    3: Newer compression protocols like LZMA2, bzip2, and others, so that data is further shrunk before encryption.

    4: An error correction protocol applied after encryption and signing, with a user selectable amount of ECC applied. This way, a signed OpenPGP file that suffers some damage can likely be repaired, and the signature still be valid.

    5: Share splitting. This way, a user can require that x out of y pieces be present to recover an OpenPGP packet.

    However, all in all, the OpenPGP protocol has stood the test of time when it comes to security. Its main strength is that it is not tied to a communications or messaging protocol, so an OpenPGP packet can be sent as a file on an SD card, via E-mail, AIM, SMS, MMS, posted on a newsgroup or forum, or virtually any other means. There are people who bash OpenPGP, but oftentimes, they have their own solution, and have a vested interest in getting people to leave OpenPGP for a closed system.

    OpenPGP fills a crucial need. Not just securing data over communications, but protecting data stashed away. Few encryption protocols can secure both data at rest, and data in motion.

  9. Re:Same error, repeated on Moxie Marlinspike: GPG Has Run Its Course · · Score: 2

    There are also different keyservers. For example, Symantec has its own for its commercial PGP Desktop.

    Then there is the need for a key for a transaction. For example, when helping a client out, he already had my key's fingerprint and ID, so there would be no need to publish that for an interchange that was just between the both of us.

    Moxie might have a point... maybe it might be wise for some time to be spent improving the PGP/gpg keyserver network, adding more servers, working on better ways to propagate keys, adding code to defeat bogus keys being added in bulk, and so on.

    It also is time to see about getting OpenPGP into other projects. TrueCrypt and 7Zip come to mind. This way, there isn't an issue of having to use an encrypted keyfile or encrypt the entire archive using gnupg, when sending to multiple people and using their public keys.

  10. Re:Same error, repeated on Moxie Marlinspike: GPG Has Run Its Course · · Score: 2

    The problem is that OpenPGP products fill a need, and adding additional, usable features is hard, other than new algorithms.

    However, nothing fills the role OpenPGP does with as much reliability, interoperability, and trust. I can encrypt a message on AIX, sign it on a Solaris box, validate the signature on a FreeBSD box, then decrypt and read the file on a QNX embedded machine.

    The problem with people bashing PGP and gnupg is that usually they have their own encryption solution they want to peddle. There isn't anything wrong with that... but it is in their interest to belittle the competition, and the one thing OpenPGP (PGP, GPG, NetPGP, etc.) has going for it, is that it is not tied to a single messaging platform. I can sign and send messages on E-mail, decode a message via FB PM, forward the message via AIM, or just send someone a small file via MMS.

    This doesn't mean that OpenPGP utilities are "finished." There is a lot of code that can be cleaned up, UI tweaks, work on better WoT tools, new types of keyservers [1]. However, it just seems that people want to sell their own encryption solution, so OpenPGP at best winds up neglected.

    [1]: The old style keyserver where keys can't be deleted, just revoked is the best. However, what would be a nice extension to the OpenPGP protocol is a date a private key expires off of keyservers. This is different from when the actual key expires (since one might want the key on keyservers a while longer so it can be used for validation), but this would help with long since outdated keys.

  11. Re:I don't get it. on FedEx Won't Ship DIY Gunsmithing Machine · · Score: 1

    Bingo. Where I live, having more than four sex toys is an "obscenity" state jail felony as per Texas penal codes. So, they are sold as "teaching devices", "medical mockups", or other items.

    This is a fight that doesn't need to be dealt with. Just call it a CNC mill, which is designed for fabricating automotive parts. Hoppes calls their #9 product, "lubricating oil", instead of "gun oil." Might as well not have to deal with a wedge issue when it comes to business if one doesn't have to.

  12. Law of unforeseen consequences... on Can Tracking Employees Improve Business? · · Score: 2

    The problem is that this employee data, which would be innocuous in the hands of a company, can easily leave the premises. e-Discovery and fishing expeditions are common, and that info can wind up in the hands of someone completely irrelevant.

    Of course, there are always the criminal organizations who would love that info. They find that Joe Ducato is out on a long haul... grab his address, sell the info to a local gang, and they clean his home out. This hasn't been the case yet, but as time progresses and if the economy sours further, it wouldn't be surprising to have your local gangbangers swing deals with overseas organizations to buy dumps of potential victims and when their places will be empty. Right now, crime is relatively low, but that can easily swing up due to economic factors.

    My philosophy is to use the least amount of data needed, and if it has to be obtained, it should be decentralized (for example, the AD servers are separate from the HID badge locks, which are separate from Exchange, which is separate from the CCTV room). If the data isn't present, it can't be slurped off overseas and sold.

  13. Re:Question! Shouldn't multiplexing be priority? on UK Scientists Claim 1Tbps Data Speed Via Experimental 5G Technology · · Score: 2

    Ideally, it should do both. One device would have an extremely large amount of bandwidth to play with if in range of the tower, but as more devices get handed off to the tower, there is less bandwidth per device, but all devices get some level of service until a threshold is reached where the tower cannot accept any more items, where even EDGE or GPRS speed cannot be maintained. This is especially important at sporting events or SXSW where there are tens to hundreds of thousands of people in one space. Assuming the tower has terabits of bandwidth available, it should at least provide 3G coverage, decent enough for people to pop selfies and upload them or tweet about how badly the band on stage sucks.

  14. Re:Cash is so much better. on Google Teams Up With 3 Wireless Carriers To Combat Apple Pay · · Score: 3, Insightful

    Usually purchase speed is in this order:

    1: Debit card. (user swipes card, enters PIN, done.)
    2: Credit card. (user swipes card, signs, done.)
    3: Cash.
    4: Checks.

    From what I've seen at stores, people fumbling for their phones at stores is actually slower than the coupon-clipper with the checkbook.

    If Google's mechanism goes via credit cards like Apple Pay, it would be useful, should I lose my wallet, as a backup mechanism. However, if it is ACH based like CurrenC... then I would avoid it at all costs, since all it takes is one bad transaction, and I'm cleaned out with no recourse.

  15. Re:What will the market response be? on Wired On 3-D Printers As Fraud Enablers · · Score: 1

    It isn't cheap, but there are ways to use 3D printed parts to make "real" parts. For example, with a dissolvable filament, one can print out an intricate part, put it into sand, plaster, or one's preferred moldmaking substance (making sure you have a hole to pour in, and a vent hole), pour limonene in to get rid of the filament, then pour molten plastic or one's metal alloy of choice. Let cool, then separate (or break apart) the mold pieces. The result is a usable part made out of a material that is up to task.

  16. Re:Piracy. on Wired On 3-D Printers As Fraud Enablers · · Score: 1

    It might be that a part just needs improving. The turbo resonator on Mercedes Sprinter T1N models is one example. The original part was OK, but an aftermarket part would completely fix glitches with the item.

    Another item might be RV door handles. There was a batch recalled that had breakage issues. If someone scanned the pieces and made identical items, except out of a very tough Inconel, the same door handle would easily outlive the RV.

    Right now, 3D printing is plateauing, because there is only so much one can do with plastic. However, if sintering, stereolithography, and other items which work with metal or ceramic become inexpensive, this can mean a lot of useful items.

  17. Re:Given what people use them for, I'd say no. on Wired On 3-D Printers As Fraud Enablers · · Score: 1

    My worry is that we start seeing DRM mandated for 3D printers. All it would take is having the print controller refuse to print any design unless it was signed with an approval certificate, with a number of parties on the Net that are set up to vet that some item isn't a copy of something.

    Of course, DRM ends up an arms race, but ultimately, the victory goes to the deepest pockets. (For example, the PS4 and XBox One have yet to even have a dent made with them.)

  18. Re:Take your space on How Walking With Smartphones May Have Changed Pedestrian Etiquette · · Score: 2

    I have given up on theaters except for the Alamo Drafthouse here in Austin. Where other theaters have the constant people prattling and tapping on their devices, I have seen the ADH ushers be pretty proactive at tossing the texters and the yakkers out.

    Long term, with people's tempers already raw, I wonder how long it will take until brawls start happening because people end up just sick and tired of the phone zombies, be it the cretin with one finger in his ear, screaming into his phone, or the people expecting others to clear a trail for them on the road. It only is a matter of time before this starts rubbing people past their breaking point.

    As for lanes for pedestrians... good luck with that. It is great in theory, but once you get people walking 3-5 abreast, that idea is going to go out the window unless there is a physical barrier preventing people from doing that.

  19. Re:Dude, we want a UNICORN pony! on Ars: SSL-Busting Code That Threatened Lenovo Users Found In a Dozen More Apps · · Score: 1

    In my experience, the average person buying a system with crapware on it doesn't care about it, provided it doesn't slow their machine down. It is just like the people who spill their lives onto social networks. They don't care who reads it, so likely wouldn't care to be tracked by "marketing browser experience enhancement" software.

    The real takeaway from this is for people to pack their own parachute -- image off the drive's original software (just in case), wipe the drive [1], then install the OS from clean media, and from there, install applications. Of course, it doesn't hurt to make a zero-level image after the machine is installed, updated, drivers loaded, and activated, so a complete "bare metal" reinstall is just reloading that image.

    [1]: Boot a Linux CD, dd if=/dev/zero of=/dev/hdx if the drive is a HDD, blkdiscard -v /dev/hdx if the drive is a SSD.

  20. Re:The password for the private key on Lenovo To Wipe Superfish Off PCs · · Score: 2

    My shopping experience is just fine without active MITM attacks.

    The ironic thing is that Lenovo has had a good reputation. They inherited the Thinkpad name, and it used to be that it was the go to brand for laptops before Apple jumped in that market. Plus, business-line Thinkpads are pretty secure, be it a decent TPM implementation, fingerprint scanner, and other items.

    I just hope they learn their lesson, and this doesn't pop up again, as their products are quite usable.

  21. Re:Don't forget samsung on Lenovo To Wipe Superfish Off PCs · · Score: 4, Interesting

    Ad injection is quite lucrative. This is what entire companies like Phorm do, intercepting in-flight connections and inserting ads.

    As for ad injection like this, I've seen a number of consumer level PCs route traffic through a local proxy, installing Web browser add-ons to keep the browser switched to the proxy and to inject their own SSL key. The fix was removal, and even then, there were processes that had to be stopped via autoruns, as well as blocked from phoning home via the Windows Firewall (so there wasn't a chance they could do damage even if restarted.)

    The exception to this seems to be HP, which might have sample programs on it (Norton, for example), but no crapware that loads in Web browser add-ons. It actually was a shock seeing a new HP consumer laptop actually in a usable state out of the box, without having to go swinging at what starts up with the autoruns pickaxe.

    The problem is that companies face zero negative consequences for adding intrusive software like this onto a machine. Joe Sixpack won't know or care that his search engine gets redirected through some no-name third party site so his google search page has flash ads. With the private key out, he won't realize that his banking stuff is compromised until his bank account gets drained.

    The fix? As a consumer, either bring your own OS and completely wipe and reinstall the box, or buy a business-line version. Lenovo would not dare to try installing anything like this on the Thinkpad line, just like Dell's Latitude line, and HP's EliteBook line. Of course, there is always Apple, which seems expensive, but if one compares like for like, a MacBook Pro actually has a price advantage to a comparable business line HP or Dell with the same features and chipset.

  22. Re:All the more reason... on Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers · · Score: 1

    I personally use a disk image utility to clone the drives before the machine ever boots for the first time, but almost all non-IT people end up losing the recovery disks, or just not making them in the first place. This is why having an OS image in ROM (or technically read-only SSD) would be useful.

    The ideal would be both install media, as well as a recovery instance. This way, one could boot the machine, mount the volumes, and save off documents to external media in preparation for a complete format and reinstall. A recovery instance would also be useful for fixing boot issues, or even dealing with malware (although it is best to reinstall if malware is present.)

  23. This is why you use VMs. If malware hits the disk, it is going to find a generic HDD, like a VMWare Virtual drive, and that vector of attack stops for good right there.

    We are almost at a point where we should virtualize everything, and what sits at the bare metal is a hypervisor, where there is a definite layer of separation between the OS and devices. This way, a compromise on the OS level won't allow hardware to be tampered with. If there is a firmware update needed, then it should be made available for manual flashing that takes a deliberate set of actions by the user (or via remote, using some administrator certificate) to ensure that a firmware update is authorized.

    In fact, virtualization on newer machines is more of a "why not?" item, than a "why?" item. For example, Windows 8 and Windows 8.1 have Hyper-V available with a switch setting and a reboot. With a little bit of work, one can have one instance of Windows just for Web browsing, and the browser would be a seamless application. The advantage of doing this is that if/when something nails the Web browser and gets a user context, rolling back to a snapshot/checkpoint is pretty easy.

    A good example of this was when I was browsing in a VM a certain social network without an ad blocking extension in the browser... 10 minutes later, that VM was slammed by malware, likely from an ad server that was serving up exploits. The fix was two clicks and a confirmation dialog away. Of course, if malware isn't detected, that is another story, but for browsing the Web, it is wise to just roll the VM back every so often anyway (at least every month for Patch Tuesday's festivities.)

    What would be nice is if PC makers could allow one's choice of hypervisor to be installed on a dedicated SSD that either is physically set read-only and read-write by a DIP switch (with preferences and system info stashed on a separate writable partition), or similar functionality. The advantage of this is that the hypervisor would be pretty much static except for occasional updates (and the update mechanism can be made decently secure), and hardware would be isolated from the VMs.

    If a device does need a firmware upgrade, a mechanism at the hypervisor level would address this.

  24. Re:Who uses any of that crap anyway? on Gadgets That Spy On Us: Way More Than TVs · · Score: 3, Insightful

    GM cars seem to be relatively rare in my neck of the woods. For college students, Kias, Hyundais, VWs and Mazdas have that market, with the Toyota models after that.

    I really don't like GM's ability to disable any vehicle, anywhere. I'm reminded of an Austin dealer which installed devices to disable vehicles if the buyer didn't pay their loan payment... and a disgruntled ex-employee logged on as a valid employee, disabled all vehicles in the system and set them to honk until the batteries went dead. Wasn't a relatively big thing... but if someone did hack GM, the damage they could do with OnStar could be tremendous... for example, if there is a forest fire, hurricane or a disaster causing an evacuation, killing all GM vehicles in that area can turn the disaster into a catastrophe with extreme loss of life, just because the GM cars stalled would prevent movement of everything else.

  25. Re:Hardly allegedly on Lenovo Allegedly Installing "Superfish" Proxy Adware On New Computers · · Score: 1

    For desktops, I end up doing similar, and building my own (for my personal use.) However, for laptops, it is good to go with a brand's business line (not consumer junk, but business tiers that actually will offer decent CS). Similar if one needs desktops for a company (since for accounting and auditing, it is good to have machines that have similar hardware or one easily trackable model ID.)

    Of course, for personal laptops, there is always Apple. Even if one installs Windows on it (easy to do as it is a UEFI machine), the hardware is quite solid, and for individuals, Apple CS is quite good. For businesses and the enterprise, it is a different story.

    tl;dr, there isn't really one fix for this, but in general, avoiding consumer-line stuff like the clap is the best thing one can do, either by building one's own machine, buying the business/enterprise tier, or going Apple.