Slashdot Mirror


User: shawn2772

shawn2772's activity in the archive.

Stories
0
Comments
618

Comments · 618

  1. Re: Bad on Millions of Android Devices Vulnerable To New Stagefright Exploit · · Score: 1

    We don't all have carte blanche options on what phones we can buy.

    Then your days of rooting are coming to an end. They may already have come to an end; it's possible that your Galaxy S6 will never have a workable rooting method.

  2. Something doesn't add up. Aside from the question of whether Microsoft's licensing of patents to Android OEMs has any impact on whatever else they may do with open source, I find it hard to believe that Microsoft is successfully extracting billions annually from "bogus" patents.

    Yes, litigation is difficult, expensive and time-consuming. But if the patents really are bogus, it's well worth spending a few hundred million over a few years in order to stop paying billions annually. Samsung et al. may not wish to take on the risk directly, but surely they could find some small OEM and say "We'd like you to fight Microsoft's patents. We'll fund your legal battle and cover your losses, if any, plus pay you a premium". Or if they can't find one, establish one just for the purpose.

    I think the only reasonable conclusion is that at least some of the patents look like they'll stand up in court, so the OEMs are paying rather than fighting because they think they'll lose.

  3. Re:Is it secure? on Apple Stores iCloud Data With Google (crn.com) · · Score: 1

    "The iCloud information is not at risk of being breached or otherwise observed by the ultimate owners of the platforms it resides on because of the very heavy encryption and partitioning technologies used,"

    While I have no doubt it is possible to do this, is it really secure?

    Assuming Apple doesn't make any newbie mistakes, it's as secure as the keys used to encrypt it.

  4. Re:Bad on Millions of Android Devices Vulnerable To New Stagefright Exploit · · Score: 1

    So, you're wrong. Users also want root methods for Android because carriers and manufacturers keep locking the damn bootloader

    If you want to root, why did you buy a locked phone? In the short term that's the only way you'll be able to do it reliably. In the long term that's the only way you'll be able to do it at all. As we keep tightening the security model exploits are going to get both rarer and less effective (SELinux is making it damned hard today to convert system exploits to root exploits).

    Perhaps more importantly, by choosing to buy an unlockable phone you're sending a message to OEMs, telling them that unlockability is important to you. The only message they'll really listen to, actually.

  5. Re: Another privacy intrusion on Algorithm Deduces Drunk Tweets From Geolocation, Behavioral Data (thestack.com) · · Score: 1

    Nest = Google = Android so you're asking does the left side of your brain trust the right?

    Pretty much. And Google is under pretty strict scrutiny from a privacy perspective, including regular FTC audits as a result of the Buzz consent decree. Google would have to be really, really stupid to collect data that users have told it not to collect. The FTC could well catch them at it, and beyond whatever the government did to them for violating the consent decree, it would become public knowledge, which would be an even larger hit.

    (Disclosure: If you didn't know, I'm a Google engineer. I work on Android.)

  6. Re: Another privacy intrusion on Algorithm Deduces Drunk Tweets From Geolocation, Behavioral Data (thestack.com) · · Score: 1

    Why would you trust Android and not Nest?

  7. Re: Another privacy intrusion on Algorithm Deduces Drunk Tweets From Geolocation, Behavioral Data (thestack.com) · · Score: 1

    You apparently didn't read past the first sentence of my post.

  8. A new nearly-universal root method is always handy.

    To attackers wanting to steal your data, sure.

    For users, this is a bad thing. If you want to root your device, buy one that is unlockable and you won't need exploits. Meanwhile, OEMs need to keep their devices patched so that problems like this don't reduce the security of hundreds of millions of devices.

    That said, it's worth pointing out that Stagefright appears to have turned out to be much ado about nothing. AFAIK (and I work on the Android security team, so there's a high probability that I would know), no one, anywhere, has seen an example of Stagefright, v1 or v2, being exploited in the wild. That's not to say that these things don't need to be fixed, but the risk is often overstated in the press by reporters looking for clickbaity headlines.

  9. Re:Another privacy intrusion on Algorithm Deduces Drunk Tweets From Geolocation, Behavioral Data (thestack.com) · · Score: 1

    Nope, On Android I can't at least yet natively disable location services, Nest's new app requires it.

    Nonsense.

    Open Nest app. Tap the "gear" icon in the upper right corner. Tap "Home/Away Assist". Scroll down and tap "What decides if you're home". Under "Use phone location" you'll see a list of devices that are set up to provide location. Tap yours. Tap the button to turn it off.

    Alternatively, on Android M or N, go to Settings, then Apps. Scroll down to the Nest app and tap it. Tap "Permissions". Tap the button on "location" to deny the Nest app permission to your location.

    This assumes that you've already turned location ON in the Nest app, and told Android to give it permission to see location. You had to do those (well, the second is implicit on pre-Marshmallow devices) in order for it to report your location.

    Actually I'm probably now going to rip the fucking things off the wall and resell them on Craigslist. They're not saving me much of anything.

    Mine save me a fair amount, I think. A dumb, but programmable thermostat would do as well, but wouldn't be as good at figuring out what time to turn the furnace on in the morning so that the temperature is right when it's time to get up, neither sooner (heat wakes me up before I need to) nor later (makes me want to stay in bed because the house is cold).

    Twitter at least can have its location services disabled and I'm sorry if I sound a bit harsh but I want more coarse grained control from my mobile operating systems. It shouldn't be app by app. If I don't want you tracking my location, my rectal temperature or anything, I can disable it.

    On Android, go to Settings, then Location, then tap the button to disable it. Done. It's off for everything. Or if your device has quick toggles (stock on Android since at least Lollipop), then you should just be able to swipe down and tap to turn it off, or on.

    Sure when using a Nav App I want to have real time location tracking but that's it.

    So you *do* want fine-grained control. Fine. On M and N you can disable location for everything except your navigation app.

    I want to be able to send/receive calls, access apps on the Internet that's the basics anything should be explicitly and optionally controllable by me, the guy who bought the retarded device in the first place.

    Ummm...

  10. Re:Another privacy intrusion on Algorithm Deduces Drunk Tweets From Geolocation, Behavioral Data (thestack.com) · · Score: 1

    Buy an intelligent thermostat they said, it'll save money and make you more comfortable they said. Now they want to track when I'm anywhere "to help determine if I'm away."

    Well, the purpose of using your phone location is to save you money, and you certainly don't have to opt in. The Nest thermostat does try to use its motion sensor and data from Nest cameras and fire alarms (if you have them), but "no one has been seen to be moving in the house in the last hour" is a much weaker indication of an empty house than "all occupants have mobile phones which have reported being more than 20 miles away from the house in the last five minutes."

    For my house scaling back energy usage when no one is home is a nice theory, but the house is almost never empty. So even though I have a Nest thermostat and everyone living in the house has a mobile phone, I haven't bothered to turn on the location feature.

    Now they want to analyze my tweets and use my location data to see where I am?!?!?

    Not an issue if you don't use Twitter, or another social network that shares your location data. Of course, you may have other services that track your location, so if you don't want to be tracked you'd better check it. Personally, I have Google location history turned on because I like being able to go back to any day and see where I was, and when, and I don't worry about Google knowing that. YMMV, obviously.

  11. Re:googles ultimate end goal is far more impressiv on How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com) · · Score: 4, Informative

    Google, er, Alphabet didn't really get a rock in their shoe about encryption until Edward Snowden

    While I think we should all be very grateful for Snowden's revelations, that's not true. Google was really serious about encrypting everything long before Snowden's revelations.

    For example, Gmail was the first major webmail service to provide users the option of only using SSL, back in 2008 or so. Google turned on SSL for web searches in 2011. The design of SPDY, later adopted by the IETF as HTTP2, started around 2010 and from the beginning had no unencrypted mode (though the IETF insisted on adding one).

    Once it was revealed that the US government had placed secret taps on links between google datacenters

    Google actually started work on encrypting all of those data center links long before Snowden's information came out, though Snowden definitely did light a fire under the project, causing it to get fully deployed very quickly. Snowden probably also had a lot to do with Google's decision to completely disable non-TLS traffic for many of their services (IIRC it was 2014 when gmail and search went TLS-only).

    Google owns a browser, so that browser adopted SSL, then TLS as a mandatory connection parameter for google services.

    Chrome supported SSL and TLS before Snowden, and ownership of Chrome had nothing to do with making encryption mandatory for Google services, which was done in a browser-agnostic way. Chrome did provide a platform for Google to experiment with other improvements, though, such as certificate pinning, SPDY and QUIC. SPDY and QUIC are mostly about performance, but as I mentioned above Google built encryption into them from the ground up and never even bothered with unencrypted versions.

    after a year, the titty got tougher and HSTS was the norm on some of the largest web content providers on the internet.

    HSTS also predated Snowden, and Google even started using it for some services before Snowden. But, yes, again Snowden spurred much wider adoption. Which is awesome.

    But slashdot, it's only getting good.

    Indeed. All new Internet protocols and standards now specifically address anti-surveillance in their designs, and lots of academic research is focused on new technologies to make surveillance hard. This is actually an even bigger change than the TLS push, etc., indicates. Prior to Snowden, preventing surveillance was not a design goal. If it happened, it happened by accident. No more. It's now a design goal for much of the tech industry.

  12. Re:Backing the wrong horse on How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com) · · Score: 2

    Doesn't "perfect forward secrecy" already do this? This is already available in all modern browsers, it's just up to the servers to implement it. SSL labs only gives A/A+ to servers that implement it.

    PFS is a step beyond what the AC suggested. The suggestion was that randomized session keys be exchanged for each session, and that is done even without PFS. Without PFS an attacker who records the communication and later obtains the private key of the server can use the private key and the recorded data stream to recover the random session key, and then decrypt the data. With PFS, the attacker must have the private key of the server (or a private key and a corresponding cert that appears to be from that server) and perform a real-time man in the middle attack in order to get the data.

    That's why it's "forward" secrecy. If the attacker can't get in during the communication, he won't be able to get it at any time in the future (unless he can somehow recover the ephemeral key the client used, but clients should destroy those).
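    The difference described in this post, as an added toy model rather than anything from the original comment: in "key transport" mode the client encrypts the session key to the server's long-term key, so a recorded transcript plus a later-leaked private key reveals the session key; in ephemeral Diffie-Hellman mode the long-term key only signs a one-time share, so the leaked key confirms the signature and lets an attacker forge one in a live handshake, but yields nothing from a recording. All parameters (the small DH prime, the toy RSA primes, the transcript format) are constructed and insecure; they stand in for the real TLS groups and certificate keys.

```python
import hashlib
import secrets

# Constructed toy parameters. Real TLS uses 2048-bit+ DH groups or elliptic
# curves and real RSA/ECDSA keys; these small values are illustrative only.
P = 2**127 - 1  # prime modulus for the toy Diffie-Hellman group
G = 5           # generator


def make_longterm_key():
    """Toy RSA key pair standing in for the key in the server's certificate."""
    p, q = 1000003, 1000033  # constructed small primes (insecure by design)
    n = p * q
    e = 65537
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def _digest_mod(value, n):
    return int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % n


def sign(priv, value):
    n, d = priv
    return pow(_digest_mod(value, n), d, n)


def verify(pub, value, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_mod(value, n)


# --- Mode 1: key transport under the long-term key (no forward secrecy) ---

def key_transport_session(pub):
    """Client picks the session key and sends it encrypted to the server's
    long-term public key. Returns (session_key, recorded_transcript)."""
    n, e = pub
    session_key = secrets.randbelow(2**32) + 2
    return session_key, {"enc_session_key": pow(session_key, e, n)}


def attacker_replays_transport(transcript, leaked_priv):
    """Later, with the leaked private key, the attacker decrypts the recorded
    ciphertext: the session key, and hence all recorded data, is recovered."""
    n, d = leaked_priv
    return pow(transcript["enc_session_key"], d, n)


# --- Mode 2: ephemeral DH signed by the long-term key (forward secrecy) ---

def ephemeral_dh_session(priv):
    """Both sides pick one-time DH secrets; the server signs its share so the
    client knows who it is talking to. The secrets a and b are then discarded
    (they never appear in the transcript)."""
    a = secrets.randbelow(P - 2) + 1          # client's ephemeral secret
    b = secrets.randbelow(P - 2) + 1          # server's ephemeral secret
    client_share, server_share = pow(G, a, P), pow(G, b, P)
    shared = pow(server_share, a, P)          # equals pow(client_share, b, P)
    session_key = hashlib.sha256(str(shared).encode()).digest()
    transcript = {
        "client_share": client_share,
        "server_share": server_share,
        "signature": sign(priv, server_share),
    }
    return session_key, transcript


def attacker_replays_dh(pub, leaked_priv, transcript):
    """The leaked key lets the attacker confirm the signature is genuine, but
    nothing in the transcript gives g^(ab) without a or b, so the recorded
    session stays sealed. Returns what the key actually buys the attacker."""
    genuine = verify(pub, transcript["server_share"], transcript["signature"])
    # leaked_priv is deliberately unused here: it cannot unwrap anything.
    return {"signature_verified": genuine, "session_key": None}


def attacker_active_mitm(pub, leaked_priv):
    """What the leaked key DOES enable: signing the attacker's own ephemeral
    share so a client accepts it. That only works against a live handshake
    (a real-time man-in-the-middle), never against a recording."""
    attacker_share = pow(G, secrets.randbelow(P - 2) + 1, P)
    return verify(pub, attacker_share, sign(leaked_priv, attacker_share))


if __name__ == "__main__":
    pub, priv = make_longterm_key()
    k, rec = key_transport_session(pub)
    print("key transport: recovered ==", attacker_replays_transport(rec, priv) == k)
    _, rec = ephemeral_dh_session(priv)
    print("ephemeral DH from recording:", attacker_replays_dh(pub, priv, rec))
    print("ephemeral DH, live MITM possible:", attacker_active_mitm(pub, priv))
```

    The "key transport" branch is the pre-PFS RSA key exchange the post describes; the second branch is the shape of an ephemeral (EC)DHE handshake, where the only thing the long-term key can do after the fact is prove who signed, which is exactly why the attacker has to be present during the connection.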

  13. Re:Backing the wrong horse on How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com) · · Score: 1

    That is why the two functions should be separated. Authentication and encryption are two different things. The certificate should only be used to establish identity and then exchange randomized encryption keys, used for this session only.

    That is how it's done in TLS.

    The problem is that a bad cert allows an attacker to "prove" they're the person you want to talk to. So then you exchange random encryption keys with the attacker and proceed to send data. Oops.

  14. Re:Backing the wrong horse on How Far Have We Come With HTTPS? Google Turns On the Spotlight (networkworld.com) · · Score: 3, Interesting

    HTTPS isn't that safe. Any agency that can coerce one of the numerous CA's can snoop traffic quite easily.

    While your concerns are real, I think they're overstated.

    A coerced CA cert does allow MITM attacks, but they have to be used very carefully and on a targeted basis, because if they're used too broadly it will be noticed. A TLS MITM attack is very noticeable to anyone who is looking. Google Chrome has caught a few subverted CAs now, thanks to certificate pinning of intermediates for Google, Verisign, GeoTrust and some others. Firefox pins large numbers of intermediates, for lots of domains. I think other browsers are also getting into it.

    Of course Eric Schmidt is an avid fan of the surveillance society so thats why they weren't going to back anything less centralised than CA-based HTTPS

    Nice cheap shot. In fact Google has a couple of significant projects to address the shortcomings of the CA system. One is to increase pinning, but that's kind of a hack. The other is the Certificate Transparency project, which aims to ensure that any certificate produced by any CA for any domain is visible to the owner of that domain. If that succeeds covert certificate issuance will be impossible.

    At bottom, the problem with the CA isn't centralization, it's more complicated than that. The CA system is decentralized in the sense that there are many CAs... but that makes every one of them a single point of failure. In some ways we'd be safer with a truly centralized CA system, because then we'd have one single point of failure rather than a few hundred. The semi-decentralized system we have is pretty decent... if we can enable the world to easily recognize improperly-issued certificates. Certificate Transparency is one good way to do that. I'm also a fan of the Convergence system, but in addition to the existing CA system, rather than as a replacement.

    In any case, although the CA system has some issues, and we have seen a handful of cases where they've been exploited, by and large it works very well, securing more connections and more data than anything else ever has. We'd be foolish to replace it, but augmenting it to address the problems is a good idea.
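    The pinning point made in this post, as an added example that is not from the comment and not any browser's real code: ordinary path validation accepts a certificate from any trusted CA, so a coerced CA's certificate for a pinned domain validates fine, but a pin check that requires one of a known set of SubjectPublicKeyInfo hashes somewhere in the chain rejects it, and that rejection is the observable event the post is talking about. The certificates, key bytes, trust store and pin set here are all constructed; real pins are SHA-256 over the DER SubjectPublicKeyInfo.

```python
import hashlib

# Constructed "certificates": just subject, issuer and the bytes a pin is
# computed over. Real implementations hash the DER SubjectPublicKeyInfo.
def cert(subject, issuer, spki):
    return {"subject": subject, "issuer": issuer, "spki": spki}

def spki_pin(spki_bytes):
    return hashlib.sha256(spki_bytes).digest()

# Constructed trust store: both roots are trusted, as a coerced but otherwise
# legitimate CA would be. Path validation therefore accepts either chain.
TRUST_STORE = {"ExampleRoot CA", "OtherRoot CA"}

# Constructed pin set for one host: the intermediate it is really issued under.
GOOD_INTERMEDIATE_SPKI = b"constructed-spki:ExampleCA-Intermediate-G2"
PINS = {"example.com": {spki_pin(GOOD_INTERMEDIATE_SPKI)}}

LEGIT_CHAIN = [
    cert("example.com", "ExampleCA Intermediate G2", b"constructed-spki:leaf-legit"),
    cert("ExampleCA Intermediate G2", "ExampleRoot CA", GOOD_INTERMEDIATE_SPKI),
    cert("ExampleRoot CA", "ExampleRoot CA", b"constructed-spki:ExampleRoot"),
]
# A certificate for the same name issued through a different, trusted CA.
ROGUE_CHAIN = [
    cert("example.com", "OtherCA Intermediate", b"constructed-spki:leaf-rogue"),
    cert("OtherCA Intermediate", "OtherRoot CA", b"constructed-spki:OtherCA-Int"),
    cert("OtherRoot CA", "OtherRoot CA", b"constructed-spki:OtherRoot"),
]


def path_validates(host, chain, trust_store):
    """Simplified path validation: names link up and the root is trusted.
    (Real validation also checks signatures, validity periods, EKUs, etc.)"""
    if not chain or chain[0]["subject"] != host:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child["issuer"] != parent["subject"]:
            return False
    return chain[-1]["subject"] in trust_store


def chain_passes_pins(host, chain, pins):
    """Pin check applied after path validation: some certificate in the chain
    must carry a pinned public key. Returns (ok, reason)."""
    pin_set = pins.get(host)
    if pin_set is None:
        return True, "no pins configured for host"
    for c in chain:
        if spki_pin(c["spki"]) in pin_set:
            return True, "matched pin on " + c["subject"]
    return False, "valid chain but no pinned key present: possible mis-issuance"


def evaluate(host, chain):
    """Full decision plus the report line a client would log or send."""
    valid = path_validates(host, chain, TRUST_STORE)
    pinned, reason = chain_passes_pins(host, chain, PINS) if valid else (False, "path invalid")
    report = "pin-validation host=%s path_valid=%s pin_ok=%s root=%s reason=%r" % (
        host, valid, pinned, chain[-1]["subject"] if chain else None, reason)
    return {"accept": valid and pinned, "report": report}


if __name__ == "__main__":
    for name, chain in (("legit", LEGIT_CHAIN), ("rogue", ROGUE_CHAIN)):
        print(name, evaluate("example.com", chain))
```

    The report line is the detection hook: a browser that rejects on pin failure and reports it is how a mis-issued certificate becomes visible even though every step of normal validation passed.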

  15. Re:Nekkid emperor is still nekkid on Tavis Ormandy Criticizes Meaningless Antivirus Excellence Awards (softpedia.com) · · Score: 1

    He may be inarticulate, but he's not wrong.

    The entire "computer security industry" is little more than scammers selling nothing but snake oil, i.e., security products which themselves are full of exploitable vulnerabilities and in many cases are very close to being malware.

    This argument is why terms need to be defined. You and the GPP are defining "computer security industry" as the set of people and companies that build and sell security products. Even with that definition, the accusation of snake oil is overly broad; there are a few security products which are actually useful. The GP is defining "computer security industry" as the set of people and companies that work on and around computer security, including security researchers that find vulnerabilities, and engineers that fix them and design and build secure systems.

    The computer security industry includes a lot of crap, but it also includes a lot of good people and organizations doing good work. Tavis Ormandy is a part of that industry.

  16. Re:HTTPS and Interstitials. on The State of Slashdot: Https, Poll Changes, Auto-Refresh, Videos, and More · · Score: 1

    The plaintext version of slashdot uses http 301 (moved permanently), which causes the browser to simply skip connecting to the plaintext version the next time and connect directly to the redirected https URL. Google.com however, uses http 302 (moved), which does not cause this caching to occur, and will work just fine for this purpose.

    Heh. I should have looked to see how they were doing the redirect. You're right, it shouldn't work.

  17. Re:Year of Linux on Microsoft Opens Up Azure Cloud in Germany Even It Can't Access (windowsitpro.com) · · Score: 1

    German Government: "We will fine you until you comply with the order giving us access to the servers." Deutsche Telekom: "Fuck you, Microsoft, take your servers back."

    Sure, if a German court orders the data to be provided, Deutsche Telekom would comply. So? The problem Microsoft is trying to solve is solved.

  18. Re:HTTPS and Interstitials. on The State of Slashdot: Https, Poll Changes, Auto-Refresh, Videos, and More · · Score: 2

    So I always start by connecting to Slashdot, because it's not https. Now I'm going to have to find a different non-https web site.

    Slashdot should still work fine for that. When you type "slashdot.org" into your browser it goes to the HTTP site first and gets redirected to the HTTPS version. The coffee shops, etc., will intercept that first request and do their thing there. You won't get the redirect until you actually make a connection to http://slashdot.org/.

    Personally, I use http://google.com/ for that same purpose. It has redirected to HTTPS for quite some time now, but it still works fine, for the same reason.

  19. I have a 4K HDR Dolby Atmos dedicated theater in my basement. Sure a 100 foot screen is great and all, but I have better sound and video on my 133" screen than any theater within a 18 hour drive. I would gladly pay that fee, it would be cheaper than me and my wife going because of the cost of a sitter.

    Also... if it's a movie for the kids too, $50 can easily be cheaper. I took my kids and my wife to see Zootopia last night and spent $52.50 on six tickets, plus another $45.40 on overpriced sodas and popcorn, not to mention gas. The theater is a little better experience in some ways, worse in others, but all in all I'd consider my home theater a reasonable alternative, and for the whole family $50 is much cheaper.

    Of course, we could also wait a few months and buy or rent it on Google Play, Amazon, etc. for between $4 and $20, depending. But we're probably not going to do that.

    However, I don't think I'd use this to see movies with my wife even if it were cheaper (which for us it wouldn't be; we don't need a sitter). The point of date night is getting out of the house and doing something together, and without the kids around. The theater is far better for that, even if it costs more.

  20. Software vulnerability, not chip vulnerability on Qualcomm Snapdragon SoC Vulnerability Could Compromise IoT Security (betanews.com) · · Score: 4, Informative

    The summary isn't very clear about the nature of the problem. The CVE report is a little better. The problem is a bug in the Qualcomm "performance component", which is in a Linux kernel module. So, it's essentially a driver bug, which is nothing remotely new or surprising. The only noteworthy bit here is that it's a bug in a driver that is used on a huge number of devices, many of which aren't easy to update.

    The moral of this story is: bugs happen, updates are crucial for security.

  21. Re:What is that in REAL wattage? on US Projected To Lead the World In New Solar Installations This Year (computerworld.com) · · Score: 2

    I pay 7 cents per kWh for my office power and 10 cents per kWh for my house power, both coal.

    That's dirt cheap, among the cheapest in the country. In fact, it's below the average for Texas, which is 11.5 cents. And, are you sure that's the total rate? Most utilities do a tiering system where usage above certain thresholds costs more. For example where I live (Utah, which also has very cheap power, coal and hydro), I pay 8.9 cents per kWh for the first 400 kWh, 11.6 cents for the next 600 kWh and 14.5 cents above that (perhaps there are more tiers; that's as high as I've gone, even in a hot summer and with an electric car charging in the garage).

    My payback period, assuming rates are unchanged, would be about 12 years. Without the government subsidies, it jumps to 15, but the system I looked at is warrantied for 25 years (equipment and labor). That unsubsidized payback is marginal, but not bad, assuming good financing and a lowish discount rate. I think it may make even more sense to install just enough solar to ensure that I never buy any power at the 14.5 cent tier, and knock out a chunk of the 11.6 cent tier.

    People living on both coasts are paying closer to 20 cents per kWh, and in areas with peak/off-peak pricing it can go as high as 35 cents per kWh on-peak -- which is when the solar panels are generating the most. In those areas solar is a no-brainer even without any subsidies. Given decent financing terms, those people's monthly solar loan/lease payment will be lower than their monthly electric bill from day one, and after the system is paid off their power is free.

    So... even unsubsidized, solar is a clear win for a huge swath of the population (most of the population lives on the coasts) right now. It's less clear for the rest of the country, but I think carefully-constructed deals can still be a win with subsidies and perhaps without. As solar prices continue dropping and efficiencies continue increasing it will soon be a clear win for almost everyone.

    At that point things are going to get really interesting, because the fixed costs of operating and maintaining the grid will start to become a much more significant portion of the utility companies' costs, and all of those grid-connected solar-powered homes will become a drag on the utilities' finances. They'll have to introduce high monthly connection fees which will make solar less attractive. Maybe by then storage will be cheap enough that people will choose to disconnect from the grid, making the utilities' problems even worse, requiring even higher connection fees. State and local government may end up requiring that all residences be connected to the grid and pay the connection fees, or start collecting monies for grid maintenance as part of the property taxes or something.

  22. Re:Manages high security on Hack Chromebook In Guest Mode, Win $100,000 · · Score: 1

    Nowadays there's a web app version of almost everything. A thin client can do a lot in 2016. When you consider the fact that 90% of the human race just wants to use social media, write emails, shop and watch videos, it's not a bad sell.

    Or write documents, build spreadsheets, make presentations, etc. Chromebooks are quite good for the sort of productivity work most people do. I have the option of getting a Pixel2 for work, and it would meet 100% of my work needs, including writing code[*]. Honestly, the only reason I have a Macbook is because I also use it for personal photo and video editing. Oh, and I prefer a local app for tracking my personal finances. I think there are some perfectly adequate online financial management programs, but I don't trust any online service to know everything about my money. However, now that I look, there are several personal finance apps on the Chrome web store... it looks like they store data on Google's servers, but only in encrypted form, and everything of substance happens locally. That could work, too. I'll have to see if any of them are decent.

    I've recommended Chromebooks to lots of college students and they've all been very happy with the choice. My son (in college) has both a Chromebook and a Windows laptop. He uses the Windows laptop for playing games, but prefers the Chromebook for all of his school work, as well as surfing. He likes the Chromebook better.

    [*] Note that in large part this is because company policy doesn't allow code to be stored on laptops anyway. We have fairly good cloud-based tools for editing, building, testing, reviewing and submitting code changes in a web browser, and where those are inadequate we use Chrome Remote Desktop to work remotely on our desktop machines. Without those constraints a regular laptop would be better. Mostly. I work on Android and building it on a laptop is painful to the point of infeasible, so I'd want to use my 64-core behemoth of a desktop anyway.

  23. Re:Expanded BG checks impractical on Study Finds 3 Laws Could Reduce Firearm Deaths By 90% (meta.com) · · Score: 1

    It really doesn't matter much what *I* choose, but if you must, I choose an interpretation that is revised in the light of the 14th amendment, just as the rest of the Bill of Rights has been. An individual right which may not be abrogated by federal, state or local government, and which may be removed only via the amendment process.

    If you want to understand the relationship between the pre- and post-Reconstruction Bill of Rights, including the 2A, I highly recommend Akhil Reed Amar's book "The Bill of Rights: Creation and Reconstruction".

  24. Re:Alternately... on Study Finds 3 Laws Could Reduce Firearm Deaths By 90% (meta.com) · · Score: 1

    So... you have no substantive response. Got it.

  25. Re:Yeah, um, not so much on Study Finds 3 Laws Could Reduce Firearm Deaths By 90% (meta.com) · · Score: 1

    I've already addressed this (incorrect) response in another post in this thread.