Sure, bandwidth is easy when using UDP. When using TCP with high latency, your throughput is limited more by the latency than the bandwidth (1xmax_packet_size/RTT) due to having to ack every packet before the next will be sent.
But, there has been a Flatpak available for months, with all of the same benefits as a Snap, except also: - Supported by more distributions (including Ubuntu) - Not controlled by Canonical
"The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T."
Why are those ypur only options? Because you don't want to set up a recursive caching DNS service (or use some network appliance that does this for you)?
In my case, it's a choice between trusting an American company subject to American laws/secret letters etc. vs. my local telco/ISP (we have virtual ISPs that are effectively VPNs over the incumbent's DSL+GPON network, plus various open access fibre networks, plus some full-stack close fibre networks, I'm currently on DSL), owned locally, subject only to local laws, that keeps all meta-data in-country on hardware they own and control access to, vs. my local bind caching DNS server (yes, I should probably switch to unbound, but DNS isn't a performance problem atm) with DNSSEC validation enforced. Obviously I choose the last one, but the 2nd one (trust my ISP) is much better than the first (Cloudflare).
> * Other retailers must avoid Amazon Web Services, which raises their cloud computing costs (less competition for providing cloud computing services to them).
Why?
Amazon competitors (e.g. Netflix competing with Amazon Prime Video) happily use AWS where it makes sense. Why do other retailers need to avoid AWS if it provides the best value for certain services?
"while VMware's vSphere is used by Amazon Web Services"
VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.
Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.
However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2.metal instance types (in practice, there may be some work involved, and would be easier if an ENA driver is available.
AWS is known to run Xen, their own KVM-based hypervisor they call "Nitro", and their recently open-sourced MicroVM hypervisor (also using KVM), Firecracker ( https://github.com/firecracker... ).
As far as I know, AWS has never run customer instances on VMWare.
"To do this you could stage software inside and outside of Russia that attempted pings in each direction. You would track any pings actually received and track down the path they took. This could be coordinated with non-Internet based data connections."
Why would they go to that much effort for such poor info if they could just subscribe to BGPMon (bgpmon.net) for a month ($13)?
"Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigan"
But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their diminishing market share.
To be clear, I have no problem with the following: - an indication in the address bar that the connection is/may be MitM'd - a warning that I can dismiss to the same effect - an error page, as long as there is an easy way to make it go away for the next year or lifetime of the internal CA cert used to sign imposter certs
However, if every site gives an error message I need to click through, or if any of these errors can't be clicked through, I will finally be forced to drop firefox for work.
It is bad enough that Firefox makes it so onerous to get into management interfaces on new installations of e.g. server management interfaces to do the minimal configuration to get them to enroll for real certs, but I have tolerated it.
I won't be able to tolerate it for every external site I visit from work on the work network with their computer.
Is Mozilla intentionally trying to get rid of all users who use Firefox at work?
So if I go to a cashless coffee shop with only cash on me (no card or smart phone), order coffee, if they don't make me pay before I drink it, I have established debt, and they would be required by law to allow me to settle my debt with legal tender (e.g. the cash).
I think someone should just do this and see what they do...
T-series instances are CPU-over-subscribed/burstable and use a cpu-credits system, where once you have used your credits, you will be throttled, or you muat choose to be billed more for credits (T2/T3-unlimited at $0.05 per vCPU-Hour for Linux, from lower down on the page you linked). So, you shouldn't directly compare instance-hour prices for T-series to other series, or you should include the T-unlimited pricing
Maybe AWS will introduce cpu-oversubscription for ARM, and then you can compare that.
For now, it's probably best/easiest to compare to C-series
ARM: a1.large 2 vCPU 4GiB RAM $0.0510/hour
x86: c5.large 2vCPU 4GiB RAM $0.085 per Hour
That is 40% cheaper for a1.large.
Disclaimer: I work for AWS/EC2 but am posting in my personal capacity.
"So having an option in Linux to disabled SMT is probably all that is needed. "
You do know that (boot with the noht flag) has existed since hyperthreading support landed, right? Or you can compile a kernel without hyperthreading support.
"In other words, not much risk on single-user systems where the primary user is also the administrator."
While many distros allow blanket passwordless sudo for the primary user, this isn't the only way privileges are managed.
For example, I set my systems up to allow only commonly used but safe commands that need root with passwordless sudo, if you want to run arbitrary commands, use the root password (which is stronger). Of course, remote root login with password is not enabled.
I would expect that a cloud vendor such as Microsoft or AWS would have multiple redundancies in place so that any one data center going down would not affect usage.
Why are you lumping AWS in with Microsoft here?
AWS has this redundancy multiple availability zones in every region, so that especially the data storage services offered can provide the kind of redundancy that would have been useful in this scenario, but which, according to the Azure status updates, Azure doesn't have:
"Engineers have restored access to storage resources for the majority of services, and most customers should be seeing signs of recovery."
This is the update almost 2 days into this incident.
When AWS had a power failure in a data centre this year (https://www.theregister.co.uk/2018/06/01/aws_outage/) there was minimal impact for a short time.
Maybe Azure shouldn't build one "massive data centre, and instead build a few large ones.
The equivalent to multi-AZ is pick the region - "Southern USA" is one of 54 different regions - when deploying a resource, one simply choose which region it goes to (different regions have different costs, different packet latency profiles, different data sovereignty and sometimes other restricted use cases.
1)If multi-AZ is "pick multiple regions", why is Azure starting (https://azure.microsoft.com/en-us/updates/azure-availability-zones-ga/ ) with multi-AZ regions? Maybe they realise AWS is onto something?
It looks like MS would bill you for inter-region traffic, where AWS doesn't bill you for intra-region (inter-AZ) traffic. Going multi-region on Azure looks much more expensive than multi-AZ on AWS...
2)54 different regions? You believe Microsoft's big number on the page, when it seems to be counting: - Regions not accessible to you (e.g. DoD) (2) - Regions that you aren't allow to use (US Gov) (4) - Regions that aren't built yet (10)
On their map, I count 35 public "regions", but only 2 of those are multi-AZ.
AWS has 18 public launched regions most of which have 3 public AZs (four regions are still 2-AZ and will be addressed in future like the others that were back-filled to 3 AZs in the past 2 years). That doesn't include the 3 public regions and one GovCloud region that are currently being built.
3)While multi-AZ should result in very few issues on AWS, if you need more availability, AWS has been building lots of multi-region tools (e.g. inter-region replication for S3, Dynamo DB, Aurora etc.). Does Azure have any real tooling for multi-region (on top of multi-AZ)?
For the GUI you have to give them that, they have a valid point. Everything else is just bollocks though.
Do you mean GUI libraries? That you mostly have on all platforms (there may be a default, but there are many non-default options, and defaults change and get deprecated on Mac OS and Windows).
Desktop environment? Nonsense. I have never had a real problem running any KDE apps on GNOME or Icewm or whatever else (or the other way around).
And many proprietary apps (Spotify, Skype, Visual Studio Code etc.) don't seem to have any problems with this...
Let's consider Adobe (and Photoshop). If Adobe wanted to port their industry-leading product to Linux, how do they do that? Do they spend the time developing support for ext4, btrfs, Ubuntu, Fedora, GNOME, Mate, KDE, systemd?
Dropbox has this problem with filesystems and encryption layered over filesystems because they want to be a filesystem. They don't seem to have a problem with systemd vs. upstart, or GNOME vs KDE, or Ubuntu vs Fedora.
Photoshop doesn't need to be a filesystem, so they should have 0 problems due to supposed "fragmentation", just like: * Gimp (https://flathub.org/apps/details/org.gimp.GIMP) * Darktable (https://flathub.org/apps/details/org.darktable.Darktable)
Oh, you want proprietary examples, well how about: * Slack (https://flathub.org/apps/details/com.slack.Slack) * Spotify (https://flathub.org/apps/details/com.spotify.Client) * Visual Studio Code (https://flathub.org/apps/details/com.visualstudio.code)
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html "Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say"
Only mentions Huawei and ZTE. Xiaomi phones don't ship with the software mentioned.
http://securityaffairs.co/wordpress/27486/security/xiaomi-handset-usersdata.html Another
Heard of iCloud? Same thing. It isn't required for use of the phone, only if you want to backup contacts and messages etc. to the 'cloud', in which case it sends, you guessed it, contacts and messages to their cloud service. But you don't have to register, and now even if you have registered you can disable it.
http://securityaffairs.co/wordpress/34583/hacking/xiaomi-mi-4-preinstalled-malware.html Another
This looks like a supply-chain attack. Did they try flashing with an original Xiaomi image? No.
http://securityaffairs.co/wordpress/49346/hacking/xiaomi-smartphone-flaw.html Another
If this was intentional, why have they put in a lot of effort to fix their mistakes? These are all 2-year-old issues that the company addressed very quickly once they were reported. Please give us a recent (less than 1-year-old) example, you know, one that actually applies to the current version of the software they ship on current hand-sets.
My Samsung S6 came pre-installed with software not owned by Samsung which I cannot remove (e.g. Peel Remote). The new versions pushed by the developer contain more intrusive changes including video adverts that play when I unlock the phone, which I assume also leak private information to advertisers. So, in practice, Samsung allows *others* to deliver malware to my phone.
My wife's Xiaomi seems much more customer-friendly than my S6, and receives security updates more promptly.
At this stage, I am more in favour of Xiaomi than Samsung to replace my S6.
Xiaomi's justification for the analytics app, and their explanation of the signature-checking makes it quite apparent that their motivation is right, but they could (and have, e.g. switching to HTTPS in MUIU 7.3) improve the security.
However, I wouldn't call it a back-door, it's an auto-update mechanism (like Flash, Java etc. all do or have done on Windows), with no evidence that they have used it for anything malicious.
Microsoft *has* abused their auto-update mechanism intended for security and bugfixes to deliver software the users don't want, yet I don't see you complaining about that and claiming that WindowsUpdate is a back door.
Can't you just use an iPhone, and anonymize your searches with something like DuckDuckGo?
Does your iPhone have ad blocking? Have you disabled all Javascript, or can you block at least the following domains on your iPhone (in all HTTP clients, including RSS readers etc.): - *.google.com - *.googleapis.com - *.google-analytics.com - *.googleadservices.com - *.googlesyndication.com - *.googleapis.com - *.doubleclick.com - *.doubleclick.de - *.doubleclick.net - *.adsensecustomsearchads.com
If not, you're out of luck. Many websites use Google for advertising revenue, which means you are tracked. Many websites which are too lazy to implement their own stats/metrics use Google analytics. All of these feed Google enough information about your device and Geo-IP based location and sites you have visited that even if you don't directly use any Google services, Google knows more about you than anyone else (except Facebook, if you have Facebook on your iPhone).
Password and security question are ironically more secure. It's how they're implemented that sucks. You'll never find a password on any billing statement, yet in many cases companies will happily display it to their agents.
No personal information should be displayed un-masked unless there is a need to update it (which should be individually re-authenticated and logged), because it might be used to secure the customer's account at a different business entity.
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
Uh, the *primary* way SMS 2FS is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news...
From the article:
A SIM swap typically happens using the following methods: * Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and * Stealing passwords from employees at the mobile operators or mobile dealers.
Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of customer information we generated, presented in random order, and all masked so that only partial values are visible to the agent) for 4 out of 5 customer details (e.g. cellphone number, email address, physical address, national ID number, account number) in 2 attempts before the agent would be able to do anything on the customer's account. If the 2nd attempt failed, it would be logged, and if 2 failures were logged in 48 hours, a security ticket would be opened automatically. We were planning on adding an additional level of opt-in authentication for security-conscious customers. Escalation staff were able to bypass the customer validation, but they had to provide a reason (e.g. escalation ticket number), and this was also logged and reviewed by their managers.
Our system as-is would prevent/limit the 2nd method to perform sim-swaps listed above, but without the additional enhancements that were planned wouldn't have prevented the first one from being viable by well-prepared attacker.
Mobile operators really can do a much better job here, but they don't want the additional staff costs that would result from changes to these processes.
"Autodesk has published a support document announcing that it is stopping development of its Alias and VRED vertical market packages,"
No, this is not true, what is true is:
"Autodesk has published a support document announcing that it is stopping development of its Alias and VRED vertical market packages for macOS", or as the support document on their knowledge base says, "Discontinuation of Mac Support for Autodesk Alias and VRED".
In other words, development for other platforms that haven't deprecated OpenGL continues...
In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security.
details on the yubikey "zero security"? or do you mean NFC has zero security? because yeah, that's... why I leave NFC off when not in use.
Obviously NFC security, because there are many alternative U2F devices that don't have wireless (Bluetooth or NFC) support, including a number of open-source (hardware+software) dongles like u2fzero, but very few that have either NFC (mainly Yubikey Neo) or Bluetooth (mainly Fetian, but it seems pretty poor hardware).
Slashdot Mirror
"Bandwidth is easy. Latency is hard."
Sure, bandwidth is easy when using UDP. When using TCP with high latency, your throughput is limited more by the latency than the bandwidth (1xmax_packet_size/RTT) due to having to ack every packet before the next will be sent.
But, there has been a Flatpak available for months, with all of the same benefits as a Snap, except also:
- Supported by more distributions (including Ubuntu)
- Not controlled by Canonical
https://flathub.org/apps/detai...
"The question is not how much should I trust Cloudflare as a VPN... because that one is easy. The real question is do I trust Cloudflare more than AT&T."
Why are those ypur only options? Because you don't want to set up a recursive caching DNS service (or use some network appliance that does this for you)?
In my case, it's a choice between trusting an American company subject to American laws/secret letters etc. vs. my local telco/ISP (we have virtual ISPs that are effectively VPNs over the incumbent's DSL+GPON network, plus various open access fibre networks, plus some full-stack close fibre networks, I'm currently on DSL), owned locally, subject only to local laws, that keeps all meta-data in-country on hardware they own and control access to, vs. my local bind caching DNS server (yes, I should probably switch to unbound, but DNS isn't a performance problem atm) with DNSSEC validation enforced. Obviously I choose the last one, but the 2nd one (trust my ISP) is much better than the first (Cloudflare).
> * Other retailers must avoid Amazon Web Services, which raises their cloud computing costs (less competition for providing cloud computing services to them).
Why?
Amazon competitors (e.g. Netflix competing with Amazon Prime Video) happily use AWS where it makes sense. Why do other retailers need to avoid AWS if it provides the best value for certain services?
"while VMware's vSphere is used by Amazon Web Services"
VMWare's Hypervisor is VMWare ESX/ESXi. vSphere is the management software for managing ESX/ESXi.
Amazon doesn't use VMWare, but VMWare was the first customer of AWS's bare-metal instance type (i3.metal), allowing VMWare users/customers the ability to easily migrate VMWare VMs to AWS.
However, in theory, customers can run any x86_64 hypervisor they want on AWS using the EC2 .metal instance types (in practice, there may be some work involved, and would be easier if an ENA driver is available.
AWS is known to run Xen, their own KVM-based hypervisor they call "Nitro", and their recently open-sourced MicroVM hypervisor (also using KVM), Firecracker ( https://github.com/firecracker... ).
As far as I know, AWS has never run customer instances on VMWare.
"To do this you could stage software inside and outside of Russia that attempted pings in each direction. You would track any pings actually received and track down the path they took. This could be coordinated with non-Internet based data connections."
Why would they go to that much effort for such poor info if they could just subscribe to BGPMon (bgpmon.net) for a month ($13)?
Or just block it ...
"Yes, they do. They do not have any right whatsoever to expect that their employees will not notice, and even less right to expect that a 3rd party browser will help to hide their shenanigan"
But, if the 3rd-party browser makes it impossible for users (who have no problem with the company implementing the protections to its assets as outlined in policies the users accepted as conditions of employment) to do their job using that browser, said browser may just find themselves losing a large chunk of their diminishing market share.
To be clear, I have no problem with the following:
- an indication in the address bar that the connection is/may be MitM'd
- a warning that I can dismiss to the same effect
- an error page, as long as there is an easy way to make it go away for the next year or lifetime of the internal CA cert used to sign imposter certs
However, if every site gives an error message I need to click through, or if any of these errors can't be clicked through, I will finally be forced to drop firefox for work.
It is bad enough that Firefox makes it so onerous to get into management interfaces on new installations of e.g. server management interfaces to do the minimal configuration to get them to enroll for real certs, but I have tolerated it.
I won't be able to tolerate it for every external site I visit from work on the work network with their computer.
Is Mozilla intentionally trying to get rid of all users who use Firefox at work?
So if I go to a cashless coffee shop with only cash on me (no card or smart phone), order coffee, if they don't make me pay before I drink it, I have established debt, and they would be required by law to allow me to settle my debt with legal tender (e.g. the cash).
I think someone should just do this and see what they do ...
"I'm a little confused. Title mentions 45% lower cost, but for the same vCPU and memory, ARM instances cost more than x86 instances?
ARM:
a1.large 2 vCPU 4GiB RAM $0.0510/hour
x86
t3.medium 2vcpu 4Gib RAM $0.0416/hour "
T-series instances are CPU-over-subscribed/burstable and use a cpu-credits system, where once you have used your credits, you will be throttled, or you muat choose to be billed more for credits (T2/T3-unlimited at $0.05 per vCPU-Hour for Linux, from lower down on the page you linked). So, you shouldn't directly compare instance-hour prices for T-series to other series, or you should include the T-unlimited pricing
Maybe AWS will introduce cpu-oversubscription for ARM, and then you can compare that.
For now, it's probably best/easiest to compare to C-series
ARM:
a1.large 2 vCPU 4GiB RAM $0.0510/hour
x86:
c5.large 2vCPU 4GiB RAM $0.085 per Hour
That is 40% cheaper for a1.large.
Disclaimer: I work for AWS/EC2 but am posting in my personal capacity.
"So having an option in Linux to disabled SMT is probably all that is needed. "
You do know that (boot with the noht flag) has existed since hyperthreading support landed, right? Or you can compile a kernel without hyperthreading support.
"Not surprised the terminology is backwards. The majority of Open Sores stuff is incredibly ass backwards"
I believe this terminology pre-dates open-source X implementations, and is used by all proprietary X implementations.
Try harder next time you try and troll ...
"In other words, not much risk on single-user systems where the primary user is also the administrator."
While many distros allow blanket passwordless sudo for the primary user, this isn't the only way privileges are managed.
For example, I set my systems up to allow only commonly used but safe commands that need root with passwordless sudo, if you want to run arbitrary commands, use the root password (which is stronger). Of course, remote root login with password is not enabled.
I would expect that a cloud vendor such as Microsoft or AWS would have multiple redundancies in place so that any one data center going down would not affect usage.
Why are you lumping AWS in with Microsoft here?
AWS has this redundancy multiple availability zones in every region, so that especially the data storage services offered can provide the kind of redundancy that would have been useful in this scenario, but which, according to the Azure status updates, Azure doesn't have:
"Engineers have restored access to storage resources for the majority of services, and most customers should be seeing signs of recovery."
This is the update almost 2 days into this incident.
When AWS had a power failure in a data centre this year (https://www.theregister.co.uk/2018/06/01/aws_outage/) there was minimal impact for a short time.
Maybe Azure shouldn't build one "massive data centre, and instead build a few large ones.
If you have something that needs a ton of electricity, you put it where the rates are low and likely to remain low.
How easily can electricity be transported, compared to heat?
How much does the extra cooling contribute to electricity consumption, and does the lower electricity price compensate?
The equivalent to multi-AZ is pick the region - "Southern USA" is one of 54 different regions - when deploying a resource, one simply choose which region it goes to (different regions have different costs, different packet latency profiles, different data sovereignty and sometimes other restricted use cases.
1)If multi-AZ is "pick multiple regions", why is Azure starting (https://azure.microsoft.com/en-us/updates/azure-availability-zones-ga/ ) with multi-AZ regions? Maybe they realise AWS is onto something?
It looks like MS would bill you for inter-region traffic, where AWS doesn't bill you for intra-region (inter-AZ) traffic. Going multi-region on Azure looks much more expensive than multi-AZ on AWS ...
2)54 different regions? You believe Microsoft's big number on the page, when it seems to be counting:
- Regions not accessible to you (e.g. DoD) (2)
- Regions that you aren't allow to use (US Gov) (4)
- Regions that aren't built yet (10)
On their map, I count 35 public "regions", but only 2 of those are multi-AZ.
AWS has 18 public launched regions most of which have 3 public AZs (four regions are still 2-AZ and will be addressed in future like the others that were back-filled to 3 AZs in the past 2 years). That doesn't include the 3 public regions and one GovCloud region that are currently being built.
3)While multi-AZ should result in very few issues on AWS, if you need more availability, AWS has been building lots of multi-region tools (e.g. inter-region replication for S3, Dynamo DB, Aurora etc.). Does Azure have any real tooling for multi-region (on top of multi-AZ)?
For the GUI you have to give them that, they have a valid point. Everything else is just bollocks though.
Do you mean GUI libraries? That you mostly have on all platforms (there may be a default, but there are many non-default options, and defaults change and get deprecated on Mac OS and Windows).
Desktop environment? Nonsense. I have never had a real problem running any KDE apps on GNOME or Icewm or whatever else (or the other way around).
And many proprietary apps (Spotify, Skype, Visual Studio Code etc.) don't seem to have any problems with this ...
Let's consider Adobe (and Photoshop). If Adobe wanted to port their industry-leading product to Linux, how do they do that? Do they spend the time developing support for ext4, btrfs, Ubuntu, Fedora, GNOME, Mate, KDE, systemd?
Dropbox has this problem with filesystems and encryption layered over filesystems because they want to be a filesystem. They don't seem to have a problem with systemd vs. upstart, or GNOME vs KDE, or Ubuntu vs Fedora.
Photoshop doesn't need to be a filesystem, so they should have 0 problems due to supposed "fragmentation", just like:
* Gimp (https://flathub.org/apps/details/org.gimp.GIMP)
* Darktable (https://flathub.org/apps/details/org.darktable.Darktable)
Oh, you want proprietary examples, well how about:
* Slack (https://flathub.org/apps/details/com.slack.Slack)
* Spotify (https://flathub.org/apps/details/com.spotify.Client)
* Visual Studio Code (https://flathub.org/apps/details/com.visualstudio.code)
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
"Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say"
Only mentions Huawei and ZTE. Xiaomi phones don't ship with the software mentioned.
http://securityaffairs.co/wordpress/27486/security/xiaomi-handset-usersdata.html
Another
Heard of iCloud? Same thing. It isn't required for use of the phone, only if you want to backup contacts and messages etc. to the 'cloud', in which case it sends, you guessed it, contacts and messages to their cloud service. But you don't have to register, and now even if you have registered you can disable it.
http://securityaffairs.co/wordpress/34583/hacking/xiaomi-mi-4-preinstalled-malware.html
Another
This looks like a supply-chain attack. Did they try flashing with an original Xiaomi image? No.
http://securityaffairs.co/wordpress/49346/hacking/xiaomi-smartphone-flaw.html
Another
If this was intentional, why have they put in a lot of effort to fix their mistakes? These are all 2-year-old issues that the company addressed very quickly once they were reported. Please give us a recent (less than 1-year-old) example, you know, one that actually applies to the current version of the software they ship on current hand-sets.
My Samsung S6 came pre-installed with software not owned by Samsung which I cannot remove (e.g. Peel Remote). The new versions pushed by the developer contain more intrusive changes including video adverts that play when I unlock the phone, which I assume also leak private information to advertisers. So, in practice, Samsung allows *others* to deliver malware to my phone.
My wife's Xiaomi seems much more customer-friendly than my S6, and receives security updates more promptly.
At this stage, I am more in favour of Xiaomi than Samsung to replace my S6.
Xiaomi's justification for the analytics app, and their explanation of the signature-checking makes it quite apparent that their motivation is right, but they could (and have, e.g. switching to HTTPS in MUIU 7.3) improve the security.
However, I wouldn't call it a back-door, it's an auto-update mechanism (like Flash, Java etc. all do or have done on Windows), with no evidence that they have used it for anything malicious.
Microsoft *has* abused their auto-update mechanism intended for security and bugfixes to deliver software the users don't want, yet I don't see you complaining about that and claiming that WindowsUpdate is a back door.
Can't you just use an iPhone, and anonymize your searches with something like DuckDuckGo?
Does your iPhone have ad blocking? Have you disabled all Javascript, or can you block at least the following domains on your iPhone (in all HTTP clients, including RSS readers etc.):
- *.google.com
- *.googleapis.com
- *.google-analytics.com
- *.googleadservices.com
- *.googlesyndication.com
- *.googleapis.com
- *.doubleclick.com
- *.doubleclick.de
- *.doubleclick.net
- *.adsensecustomsearchads.com
If not, you're out of luck. Many websites use Google for advertising revenue, which means you are tracked. Many websites which are too lazy to implement their own stats/metrics use Google analytics. All of these feed Google enough information about your device and Geo-IP based location and sites you have visited that even if you don't directly use any Google services, Google knows more about you than anyone else (except Facebook, if you have Facebook on your iPhone).
Password and security question are ironically more secure. It's how they're implemented that sucks. You'll never find a password on any billing statement, yet in many cases companies will happily display it to their agents.
No personal information should be displayed un-masked unless there is a need to update it (which should be individually re-authenticated and logged), because it might be used to secure the customer's account at a different business entity.
Did you read the summary? AT&T happily rerouted his text messages, including security codes for use in two-factor authentication, to thieves who stole his cryptocurrency.
You can say "oh SMS two factor isn't secure" all you want, and there ARE ways it's insecure, but none of those ways mattered here because AT&T turned over the phone number to an unauthorized party!
Uh, the *primary* way SMS 2FS is insecure is 'SIM-swap fraud'. Here is an article from almost 5 years ago about the problem as it existed/exists where I currently live: https://mybroadband.co.za/news...
From the article:
A SIM swap typically happens using the following methods:
* Using identity theft to convince a SIM swap assistant that they are dealing with the account holder; and
* Stealing passwords from employees at the mobile operators or mobile dealers.
Telcos need to do a better job of customer authentication. At the ISP I used to work for, our new customer service portal required call centre agents to authenticate the customer by selecting the correct values (from the correct one value, and 4 random fictitious ones generated from a list of customer information we generated, presented in random order, and all masked so that only partial values are visible to the agent) for 4 out of 5 customer details (e.g. cellphone number, email address, physical address, national ID number, account number) in 2 attempts before the agent would be able to do anything on the customer's account. If the 2nd attempt failed, it would be logged, and if 2 failures were logged in 48 hours, a security ticket would be opened automatically. We were planning on adding an additional level of opt-in authentication for security-conscious customers. Escalation staff were able to bypass the customer validation, but they had to provide a reason (e.g. escalation ticket number), and this was also logged and reviewed by their managers.
Our system as-is would prevent/limit the 2nd method to perform sim-swaps listed above, but without the additional enhancements that were planned wouldn't have prevented the first one from being viable by well-prepared attacker.
Mobile operators really can do a much better job here, but they don't want the additional staff costs that would result from changes to these processes.
"Autodesk has published a support document announcing that it is stopping development of its Alias and VRED vertical market packages,"
No, this is not true, what is true is:
"Autodesk has published a support document announcing that it is stopping development of its Alias and VRED vertical market packages for macOS", or as the support document on their knowledge base says, "Discontinuation of Mac Support for Autodesk Alias and VRED".
In other words, development for other platforms that haven't deprecated OpenGL continues ...
In fact, the existing market alternative is a Yubikey with NFC support, which is zero security rather than minimal security.
details on the yubikey "zero security"? or do you mean NFC has zero security? because yeah, that's... why I leave NFC off when not in use.
Obviously NFC security, because there are many alternative U2F devices that don't have wireless (Bluetooth or NFC) support, including a number of open-source (hardware+software) dongles like u2fzero, but very few that have either NFC (mainly Yubikey Neo) or Bluetooth (mainly Fetian, but it seems pretty poor hardware).