No, it is not. Security is made of layers.
You let UDP out (and actually for mosh you need UDP in, because unlike you, I tried), and anyone can use this to get a remote shell, among other things.
UDP in makes this easier than that, of course.
But hey, that's OK, let's remove all firewalls; AC said it's better.
The problem is that it's not so simple, since you have to figure out where the data is sent to in order to block it, and that it can have multiple addresses, that the name used can resolve to various IPs and change over time, that updates can change it, that it can be tied to whatever online service the TV needs to be fully functional (stores, for example), and even so they could still hide it in legit-looking requests without, AFAIK (IANAL), violating any law.
That's an awesome idea; however, I fear that it will take a long time for people to be aware that this is good and needed.
Energy Star worked because people are aware we should preserve energy (also it makes their bill lower).
They don't seem to have figured out what the issue with privacy is yet (see FB, Twitter, preference cards in supermarkets, etc.; the list is huge).
I know a lot of people taping over the camera (also on laptops, etc.)
And actually, it makes sense.
Can you link to such a system as you're describing?
You don't get it.
Plugins have a stable API (NPAPI).
Native addons can directly change FF's code (a lot of it is done in XUL, a JavaScript UI toolkit).
Changes in FF can therefore always impact native addons.
OF COURSE there is a separate API (Jetpack) that has a stable API (and provides restartless plugins too).
But!
- it's like Chrome's addon API, aka it doesn't support as much (you can still do a lot)
- previous plugins need a rewrite, and devs don't rewrite them
So yeah, Firefox has the proper solution, but has to carry the weight of its past.
Pff, what's next, innocent until proven guilty?
It's also not really all that secure.
Actually, that's not true. Linux has more options to secure itself, which make more sense too, so "it is" more secure.
The thing is, those are rarely enabled/configured.
Otherwise, it's all the same for Win/OSX/Lin; they're the same type of OS and kernel.
Things like Plan 9 or Singularity are much more secure by design.
man ssh
Now that wasn't so hard, was it?
Not buried. Not long to read. Precise, complete, concise and standard. You "really need to RTFM".
And that's why /. readers are still better than the likes of HN (which has TFA once a week as top story).
Heck, some even just read man and that's that (holy cow, all the secrets are clearly explained when you RTFM!).
http://pastebin.com/48XkG9sq
Nice payload :P
But not very useful for exploiting the bug. LOL.
Well, you should start nmap then. I see 3389 open every-f-where. Seriously.
Just think web hosting on Windows. That's not SSH. That's RDP. Everywhere.
But would he actually look at all commits? Nope, hundreds, thousands; you gotta trust where it's coming from if it says signed off by .
But hey, there's more. We invented a way to make sure "signed off" is _actually_ the person who says they signed off. It's called a cryptographic signature. And it's generally implemented through GnuPG.
It happens that Git now supports per-commit GPG signatures for this reason (after telling me so many times "oh, we don't see the point in implementing it"). Regardless, if everyone signs the commits and everyone checks the signatures locally via a list of people you trust for commits, any other commit will get rejected / you get a fat warning, etc.
The point of this is that you should be able to pull from anywhere (GitHub, an SSH server, anywhere) and be able to trust the commits. Otherwise, distributed development doesn't make sense security-wise. GitHub got "compromised" this time; it will be another host the next time (or them again). There is no "it's fixed now".
Bugs exist, bugs are there, and bugs will be there too. You just haven't discovered them yet. So, do use commit signing.
"Secure" :)
I don't know about you, but I trust them more than our politicians, truthfully. Says enough.
Well, you sure did good on that one, since Apple abandoned that stuff.
Actually, Google has a known track record. They kill apps easily if they don't bring profit. I think they cite Buzz in the MS ad. There are many other Google services which went the way of the dodo.
They change UI and features whenever they feel like it can be made better, which is not necessarily always the case for you. For example, many dislike the new Gmail UI.
They also have a peek at your data (I find that one scary).
That's the bad side.
There are good sides. You have nearly zero maintenance, for example, which is awesome of course. They've got a pretty good record of getting things running, and relatively fast, too. Then, you get new features "for free".
I'd rather have something in between that and traditional software. Of course, that would require a company that isn't living solely for profit, which is, well, more than rare.
Or NoSQL 16 if that was Google. What a great joke.
Err, all the HTML apps you get on the Chrome store are Chrome only.
Stuff like Gmail offline storage (reading emails offline) only works on Chrome, despite offline storage working on other browsers.
NaCl, of course, only works on Chrome.
It goes on and on.
Of course, one could take Chrome and push it into their browser to be compatible, since most of it is open source, right? Well, that's one of the points of the article actually: Google becoming the platform.
Hopefully Firefox mobile will get good enough that by then you won't want to switch ;-)
And I'm saying that because if we lose diversity on mobile, the web will become very locked in again, hehe.
Mininova was a very good replacement, till it "died" :)
But yeah, Suprnova will stay in every pirate's heart.
The only people in IT that know what they are doing are the "hackers".
Yes and no. Hackers hack each other rather often, making the other hacker look "dumb".
But then the other hacker hacks the first one back.
Then which one is better than the other, hmm?
Well, none. This stuff is just too darn complex to figure out all the variables at any point in time. You can just focus on some things and make them better, or break them.
Or focus on the general issues and try to manage/detect/solve issues on a larger scale.
Or, of course, be a true genius (true being the keyword here), or redesign your entire hardware and software stack (and I do mean entire, including the OS, and so on). In fact, some attempted this, at least on the software side, but since no software runs on those, even if they're a lot more secure by design, it doesn't help much.
I'm not that guy.
I think you got it all correctly :)