“The children now love luxury. They have bad manners, contempt for authority; they show disrespect for elders and love chatter in place of exercise.”
-- Socrates
You must be new here
(notices UID) err, now I'm just confused...
This has precisely nothing to do with the article, and your opinion has no impact on the security of VeraCrypt.
-1 Offtopic
Mod parent up.
I won't buy phones with nonremovable batteries primarily because I can never be sure that the phone is off when I want it to be. Until this story broke, I'd never considered it a safety issue.
Sure, they've been banned in baggage as well - but will that actually stop people from dropping them in there and hoping to get away with it?
Not all of them, I'd bet.
And hell, you don't even need an evil maid to ruin your day. You turn that setting on, and then a maid picks the thing up to dust the desk. Poof!
It's an interesting concept, but it goes too far... it would be trivially easy to have this thing delete the encryption key - just shake it around a bit and it, and all its data, become useless. The risk of data loss when using this "secure" computer would be so high, even by accident, that you'd need a backup close by somewhere.
So anytime someone is seen with a computer this secure, just target their backups instead. Considering the relatively high likelihood of accidental erasure, they're sure to have them.
Besides, although the data stored on this is extremely secure, it isn't very available. It opens up a huge attack surface by making it far too easy to destroy the data on this thing, limiting its effectiveness and market considerably.
The only smartwatch app I've ever really used (well, it's not really an app) is the vibrate functionality on them.
Noisy environments such as datacentres, construction or forestry sites where you can't hear your phone ring are prime uses for the smartwatch vibrate. It means you no longer need to have your phone on your person to catch incoming messages - important in areas where the phone is subject to physical damage in your pocket or to external forces such as when working in forestry. Hell, I've even damaged the belt clip just getting out of the car. Some belt clips tend to insulate you from the vibration, too. With the smartwatch vibration, you can keep your phone in a lunchbox, a backpack, a glovebox, or anywhere you like, and be notified of messages by a vibrating wristwatch instead, given sufficient bluetooth range. (And as an added benefit, in jurisdictions like mine where using handheld devices is illegal while driving, it looks like you're checking the time! but I digress...)
Granted, it's the only use I've ever found for a smartwatch - aside from the aforementioned checking of incoming messages before deciding whether or not to act on them - but I have found it to be a "killer app", given specific conditions. That function alone makes a smartwatch worthwhile for me. Unfortunately, it could be accomplished with a $20 bluetooth gizmo but I need to buy a $300 watch for it.
So those with something "truly intelligent to say" do not deserve to be paid for their time?
There's nothing wrong with "monetizing" your work - original creative works should be fairly compensated for, not many people would object to that. Advertising is but one way to do that. Granted, advertising isn't their only source of revenue, but it is a major one.
Selling advertising is far from the best way to get paid for stuff like this, but it works. Until we come up with something better, it is, at least to me, an acceptable arrangement.
Respectfully, I disagree. (That was my writeup)
If I had been creating YouTube videos for years covering a vast array of topics, and had been earning my living doing that, and suddenly am told I can no longer cover subject X or Y if I am to be paid, I have been censored. Again, not in the strictest sense where my content is deleted or altered, but the spirit is the same. I am being told what I am allowed to say and what I am not allowed to say, and again, if I earn my living doing this, my hands are rather tied.
I suppose it depends on your definition of censorship (it's a loaded word). But either way, I think what YouTube is doing here is wrong.
It's not the fact that they're choosing who can earn money from advertising and who can't - they've always done that.
What's wrong about this, I think (I am not a YouTube creator), is the sudden policy shift, with no warning, no notification, and seemingly no recourse.
And yes, this is still a form of censorship. People have been making money making YouTube videos. Now YouTube will decide who is to get paid and who is not to get paid - IOW, only those people who agree with YouTube's political stance can be paid for their work. Sure, it's a private company, but with a marketplace position like theirs, they're quite nearly a common carrier. People get upset when Facebook selectively pushes certain news articles over others, yet Facebook is a private company and can do as they please. We get upset when Twitter deletes tweets that may be "triggers". This is no different, save that people making a living off of YouTube (and no, I DO NOT begrudge anyone who does, through advertising or not) suddenly find it much more difficult. Yes, your content can still live there, but if you need that content to pay your rent, you have been censored.
Like it or not, folks, YouTube has become the de facto video publication and distribution platform of choice. They now hold significant power in that marketplace of ideas (if you call it that). They should be held to a higher standard, much like every Slashdotter seems to think Twitter and Facebook should be.
Who cares
Dumb question. The submitter cares, obviously, as does anyone commenting on the story. Perhaps you meant to say "I don't care"?
He doesn't actually ask for donations. He provides a way to donate because people have repeatedly expressed strong desires to donate to the project for the service they receive. He doesn't mince words on the time investment required, though.
Why donate?
Ok, so donations. Many people love this service and to my surprise, many have actually asked to donate. In all good conscience, I can't on the one hand write about how awesome and cost effective Azure is then on the other hand ask for donations to fund it. It's cheap — I've got it covered.
Let me instead talk about the sacrifices required to make a service like this work. It can be enormously time consuming and that's the real cost here. Plus there are a few services I pay for out of my own pocket to make the magic happen. If you want to kick in to help me cover those costs, that would be awesome. And no problem if you don't want to either; just share the love and help others make use of the service.
Which is great, until you run into a shitty interface that won't let you paste a password.
Windows 7 RDC comes to mind as a huge problem in that regard...
Changing the password after someone has already gotten in is almost literally like locking the barn after the horse was stolen
Not necessarily - I've always used password rotation as a method to expire inactive accounts also - because let's face it, some accounts will always slip through when they fall out of use (service accounts, vendor accounts, test/development accounts, etc...). Then, by requiring a physical presence to change a password (as in, it can't be done over a VPN or SSH or otherwise remotely), you're requiring an additional form of authentication to reactivate or re-age an account - your access tokens for the building. It's always been effective for me. By requiring a physical presence every six months or so to keep an account active I have been able to very effectively expire old accounts.
I've never really considered it to be a best practice. I've asked users how they remember passwords, and the paper cited is pretty much spot on, from my experience. Once a password is cracked it's pretty trivial to guess what it will be changed to in the future.
The most popular password policy I ever implemented was a simple 14 character requirement and 6 month aging, with no other special requirements. I was rather surprised myself to see how well that policy was accepted by users. We suggested using a phrase or a few words (a la correct horse battery staple), did a 15 minute training session over a lunch and learn, and we had users actually bragging to other people about their company password policy.
I don't force password changes as a password security measure - I use it as a method to expire old accounts automatically.
"It is well that war is so terrible, otherwise we should grow too fond of it."
- Robert E. Lee
They could have messages sent directly between peers and not need to manage the replies at all. It's the reliance on a central server that is one of their biggest privacy weaknesses, the article is arguing.
You can also compile it from source yourself and verify the checksums. While you can't prove that nothing was changed from the given source code, you can prove that that same source code can produce an identical binary, and induce that nothing has been altered.
It's still good enough to eliminate the possibility of tampering, assuming someone is watching.
This was done, for example, with TrueCrypt.
Not exactly. This is Wired covering the story - the same story that The Guardian covered two weeks ago showed up here on the 18th of this month.
It's the same story essentially. If you follow the research back far enough you'll find the same sources. But Wired does, IMHO, a far better job of covering it.
(Too bad they jumped on the anti-adblock bandwagon. Their reporting has always been top notch.)
There may be no right to privacy in public places currently. There is, however, I would argue, a natural expectation of it.
Indeed, I do know that. However, I disagree with the practice regardless.
The problem is that they are children. They do not yet understand the full legal and social ramifications of posting online in a public forum under their real name, and also have not fully developed higher-order reasoning skills. They may not understand that they are being watched like this. Couple this with the fact that the record of any investigation will remain in a police database for the rest of their lives, and these children are essentially facing consequences for actions which they do not fully understand, nor could be expected to. We allow children safe places to learn, mature, and experiment (we give them sandboxes, and then bicycles before cars), and online media should be no different.
Although, I do admit the practice of flagging content and only involving police at the behest of local schools is commendable - it at least requires some human judgement before the fact.
Still though, I cannot agree with the wholesale monitoring of the public discussions of schoolchildren.
Is this any different to kids saying stuff out loud in the real world, being overheard, and someone reporting it to the authorities?
Yes. That requires a real person to overhear the conversation, and is naturally limited by the human earpower available, and by distance. What we are talking about here is the wholesale monitoring of everything said in a particular place, recording it, and then analyzing it with algorithms which permit a far greater scale of surveillance than cops posing as SJWs in a protest march. It would be better comparable to police placing microphones on all the lampposts in a city, recording and analyzing everything said, and keeping it forever. But it's all said in a public place, right?
There is a natural expectation of some privacy, even in public places.
(citations needed)
1.21 Gigawatts.
Perhaps the judge has a point though, maybe he needs to be treated more fairly and equally. I say put him into general prison population...
And then do nothing?
I seem to remember a quote about idle hands, or all that is required for evil to triumph, or one of those...