So far as utility-scale renewables go, hydro is great (power-wise, not environmentally) but almost completely tapped.
Solar and geothermal are great for off-utility individual installations.
We're getting there. Really, I think this is the most horrible part of all of the fictional dystopias. All too often, it's not all of humanity stuck in a cage sharing a common plight. The rest of humanity embraces the cage, they make up the cage, and you're all alone in feeling captive.
The mindless, unfocused anger this guy feels is not uncommon. He is stupid enough to let the people in Washington pick the targets of his rage, which isn't uncommon either. We've been building this world for a long time now.
Basically, your whole argument boils down to "they say...", "they say...", "they say...", but you're given no means to verify any of it. That's not how you do security.
Do you know the people running SpiderOak? Then why do you trust them so implicitly?
Even a layered approach, like TrueCrypt on Google's "encrypted" Cloud dilutes the trust you need to put in any one party. You're putting all of your eggs in one basket, which has exploitable holes, and trusting that basket entirely because of the basketmaker's advertising. That is not a fair strategy for proper security. That's the illusion of security.
Even if you don't access their site again, they still have your password in plaintext long enough to make a hash for the webserver to use. If you do ever use their site again (which many people might do: for instance, their site is the only way to buy more space), the login page on their site is a simple POST for the submission of the password so it's easy enough to snatch it there if they were compelled to. That's not even getting into their use of a closed source server and client and unverified crypto implementations (they toss out nice buzzwords on the site you mention, but you don't get to see how they implemented them).
I don't care about taking this up with them, as they have no real reason to address anything. I don't use their service for secure data storage. They state on their site that they are secure with "zero knowledge" and people give them money and post exaggerated inaccuracies about their 1337 security online. It sounds like a great business model to me.
I just want to make sure that everybody uses a little critical thinking when deciding to trust a third party with their data. The fact that their design has holes in it needs to weigh into the decision to use them, even though it's compelling to think that they're a champion for your online privacy.
That's an odd thing to say, since it's demonstrably not true. I just set up a new account with them, picked a password of "1" (which didn't set off any warnings, even though that is the sole secret protecting all of the data), then logged into the website with that password.
Furthermore, you can't change one password separately from the other. As listed on their site:
NOTE - PASSWORD CHANGE: Due to our security measures, you may only change your password within the SpiderOak application. This ensures our zero-knowledge privacy environment. You may change your password within the application by opening the 'Account' section in the upper right corner.
SpiderOak derives your key from (only) the password that you log into the website with. That password is also stored as a hash on their webserver. Make sure you choose a good password, because that few bits of entropy are all that are protecting your data, and it's very probable that the NSA have ever-growing rainbow tables to bypass the hash.
But really, like all third parties, you have to take SpiderOak's claims at face value and decide whether you really want to trust a third party with sensitive data. You have to trust that their security implementations and policies are well-designed and followed properly. You have to trust that they will not cooperate with other agencies and betray you, which they could easily do without you knowing.
For example, you claim that "They. Don't. Have. The. KEY." but they could easily get it without your knowledge. They could capture the password as you enter it into their website or the client and then "They. Would. Have. The. KEY." If they were compelled to do so, as perhaps Lavabit was, then your data would no longer be secure and you wouldn't even know it.
If a CA issued a phony certificate for SpiderOak.com or the NSA got the private keys for the website, they could intercept the password when you log in and then "They. Would. Have. The. KEY."
I have no beef with SpiderOak (except that they aren't terribly upfront about the use of key derivation and reuse of the website password for it), but ultimately you are responsible for your own security and trusting a third party to do it for you (and trusting their unverified claims) does not clear you of that responsibility.
Add DMSO and apply directly to the skin. It's the only way to be sure.
" I started playing with it on the bus on my way to work, and I accidentally impregnated the woman sitting next to me. "
Lawrence Johnson | 12 reviewers made a similar statement
As he said above, "At distances less than about 1 wavelength, the primary effect is what's called "near field", commonly referred to as induction."
At 125 kHz, one wavelength is 2.4 km. Even at 13.56 MHz (also used in proximity readers), one wavelength is 22 m. Even the reactive near-field region for these frequencies is 380 m and 3.6 m, respectively. The range at which the cards work has more to do with the emitted power of the base station than near- or far-field effects.
It still seems pretty absurd, though. Especially since it's being pitched about to laymen all of the time. It's a very specific and arbitrary definition, and as OMF points out, the utility of it is questionable at best.
Why not an average of the last two quarters (or three quarters)? Or the trend of a rolling average across several years. That would address the example described above. There are many other different metrics that you could use that would actually have analytical utility. That we choose this one and make policy decisions and news headlines with it is somewhat absurd.
Which is exactly the point he was making. In the US, lower gun crime is not correlated with lower legal gun ownership.
If you look at the places in the US with high gun crime, they clearly have many other more prominent issues that motivate crime. When those places put heavy gun ownership restrictions in place, the gun crime doesn't significantly drop. Other places in the country, with both high and low gun ownership, don't share this prevalent gun crime rate (or overall violent crime rates) and also don't share the prominent issues mentioned above. Perhaps the factors that correlate with gun crime (and violent crime in general) are actually poverty, high population density, unemployment, gang participation (i.e. social problems) and not gun ownership (especially legal gun ownership).
His reelection is explained by his co-conspirator being Mitt Romney.
FTFY. They're both playing for the same team.
Thank the move away from requiring mens rea and toward strict liability in recent laws for this. Because, you know, it's easier to prosecute if the perp had no knowledge of, or intention of, committing a crime. We need to fill up those for-profit prisons, and disenfranchise as many voters as possible, and there are only so many actual criminals out there.
Physics doesn't change, but our understanding of it certainly does. I mean, power generation from nuclear fission was just as possible two thousand years ago as it is now. So why weren't they using it? There was also nothing stopping the Egyptians from using chemical rockets to launch artificial satellites into space, right, because physics doesn't change?
Fundamental scientific discoveries don't arrive on a schedule, and they don't arrive just because we've tried really hard. The next game-changing discovery is going to be just as surprising and exciting as all of the previous ones were, and there's no way to predict when we'll find it.
It should be built into mail clients by default, but plugins are readily available.
Enigmail for Thunderbird
GPGMail (mentioned in TFS) for Apple Mail.app
It did happen: The complete guide to publishing PGP keys in DNS
GPG will use keyservers, PKA (key publishing in DNS), and DNS CERT (another key publishing in DNS) by default.
What didn't happen was anybody at all caring enough to actually encrypt their email, and email clients including encryption by default without kludgy plugins.
SpiderOak is not as secure as they claim.
The encryption key that secures your data is directly derived from (only) the same password you use to log in to their website. At the very least, they have a hashed copy of your password, which can be turned over and brute forced. They don't mention this fact anywhere on their site, and don't warn users or do password strength tests when you create your website password (not knowing that this is all that protects your data). For instance, if you create an account with them and use a password of '1', there will not be a single warning that the poor password you chose will be all that secures your data.
Be warned that all of your data with SpiderOak is protected entirely by the strength of your password and the very few bits of entropy that a password contains. Pseudosecurity.
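The password-only key derivation described in this post and in the longer reply above, as an added Python example that is not SpiderOak's code: an assumed PBKDF2-based derivation plus the signup-time strength check the post says is missing. The salt, iteration count, entropy estimate and 64-bit threshold are constructed for illustration.

```python
"""Added example (not SpiderOak's code): a storage key derived from nothing
but the login password is only as strong as that password.

Assumed design, modelled on the thread's description:
    key = PBKDF2-HMAC-SHA256(password, salt)
The salt, iteration count and policy threshold are constructed values."""
import hashlib
import math
import string

ITERATIONS = 100_000            # assumed KDF work factor
SALT = b"constructed-per-account-salt"  # assumed salt; a real one is random
MINIMUM_BITS = 64.0             # assumed policy: below this, warn at signup


def derive_key(password: str, salt: bytes = SALT) -> bytes:
    """Storage key derived solely from the password (the thread's point):
    anyone holding the salt and a guessable password can recompute it."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, ITERATIONS, dklen=32)


def entropy_bits(password: str) -> float:
    """Generous upper bound on password entropy: length * log2(alphabet),
    where the alphabet is the union of the character classes actually used.
    Real human-chosen passwords are weaker than this estimate."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    if not password or alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def guesses_to_exhaust(password: str) -> int:
    """Number of KDF evaluations needed to try every password of the same
    length and character classes, i.e. the whole defence if the hash or
    the ciphertext is handed over."""
    return round(2 ** entropy_bits(password))


def strength_warning(password: str, minimum_bits: float = MINIMUM_BITS):
    """The signup check the post says is missing: return a warning when the
    password is too weak to be the sole secret protecting the data, else None."""
    bits = entropy_bits(password)
    if bits < minimum_bits:
        return (f"password provides about {bits:.1f} bits of entropy "
                f"({guesses_to_exhaust(password)} guesses); "
                "all stored data is protected by this alone")
    return None


if __name__ == "__main__":
    for pw in ("1", "Tr0ub4dor&3"):
        print(repr(pw), "->", strength_warning(pw) or "ok",
              "| key", derive_key(pw).hex()[:16], "...")
```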
That takes resources, though, and is only likely to happen if you, personally, are under investigation. In that case, you also get the benefit of knowing that you are being investigated.
For routine, hoover-up-everything surveillance like PRISM, you remove one of the vulnerable endpoints and reduce the number of third parties you need to trust. It's the only scenario listed that does that much.
They all do. Generate your private key wherever and give them the certificate signing request (CSR). You should be using CSRs for any CA, regardless of the certificate you want signed. Their JavaScript (or whatever) key generator may be safe and secure, but it's foolish to trust them when you can generate the keys yourself.
If you deny zone transfers (which you should anyway), random people can't walk through your domain and find the addresses. You'll only be able to pull the appropriate RFC 4398 records if you know what email address you're looking for.
You can find these even for Android.
Out of curiosity, what do you use on Android? The only thing I've found is K-9 Mail, but it only supports PGP-Inline (which has been deprecated for nearly twenty years) and won't even read PGP/MIME, which is what all modern mail clients default to sending.
The legitimacy of the government set up by the Constitution flows from the people. If the people THINK that the 4th Amendment means something, but the government says that by LAW it means something else, then the people are right. If the US government doesn't have the support of the people, it is not a legitimate government at all.
We can find all sorts of court cases that twist the words of the Constitution and defy reason in doing so. Every one of those cases, while a treat to the authoritarian psychopaths that are attracted to positions of power, weakens the legitimacy of the US government.
The laws concerning whistleblowing don't exist in the same text when one is bound by security clearances, and the rule of law when those clearances are breached is a whole different can of worms.
Care to cite them, or are they secret too?
...once again giving the world reason to hate us and mistrust us all the more.
If you care what people think of you, the solution isn't to hide that you're an evil asshole. The solution is clearly to stop being an evil asshole. If somebody exposes the truth about you, all fault still lies with you. "If you have nothing to hide..." after all, right?
From the site linked:
Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. There are no binaries here for a good reason. Unless you're looking to experiment you should go use something that actually works.
Just FYI. Good encryption is not easy to do correctly. Join the project and help him out, but heed his warning if you need something that has been vetted and is thought to be actually secure.
With the use of SMTP over TLS (which is almost universally supported by MTAs), and assuming that a MitM attack isn't occurring, the ISP shouldn't be able to get any metadata from the email headers (they're encrypted, too). The most that they'll get is that one IP address connected to another IP address on port 25 (which is metadata, too, but not as specific as email headers).
Looking at my logs, SMTP over TLS is almost universally deployed, too, so I don't understand this particular argument. The endpoints are still vulnerable, which is what they should be concerned about (what with them being a "trusted" endpoint and all). Why are they complaining about SMTP?