Has anyone verified if that actually works? i.e. open up Wireshark and those domains are no longer being contacted?
I have no idea what you're talking about. Those are the domains that you can see being contacted when you use Wireshark.
2. The GNU/RMS fanbois are so zealous about keeping it open that there are not enough popular distributions that include 3rd party drivers, because such companies are unwilling or unable to make such tools GNU.
You're talking out of your ass. Most distros use the regular Linux kernel; only a handful use Linux-libre (i.e. with all of the closed source drivers stripped out).
It wouldn't surprise me if that wrecked the entire TCP/IP stack.
Keep in mind that this is Microsoft. The company that wrote an OS where the only way to check for, download, and install updates is through the web browser, to avoid accusations of monopolistic abuse against Netscape.
Papers, Please.
A riveting game where Microsoft plays an omnipotent checkpoint inspector that interrogates, strip searches, and anal probes the Player Character before he's allowed to continue.
When you download the Linux binary, it comes with lots of proprietary drivers with no source available. You have to use Linux-libre to have a fully FOSS kernel.
Anyway, the problem isn't bad hardware support. The main problem is video game companies foregoing Linux support, or making it really shoddy as an afterthought.
If I understand correctly, your question is if Windows 10 has some self-destruct sequence if it's gone a certain amount of time without contacting a certain domain.
I would think not, since there's plenty of legitimate reasons to have a permanent offline computer besides avoiding the surveillance. It would open up a lot of nasty lawsuits on Microsoft's end.
Then again, it's certainly not impossible.
In some ways this is more honest: it's been demonstrated that the OS will talk to 107 domains whether or not some switches are toggled in the Control Panel to give the illusion of privacy.
Any list of those so I can set them to 127.0.0.1 in my Hosts file?
Here you go: https://github.com/WindowsLies...
However, it won't work because Windows bypasses its own hosts file for its own purposes. You'll have to block it from your router or other external firewall.
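One way to check the hosts-file claim above from a packet capture, as an added example that is not part of the original thread: a resolver that honours the hosts file never sends a DNS query for a name that is sunk to 127.0.0.1 or 0.0.0.0, so any such query on the wire is evidence the entry was bypassed. The hosts excerpt and the tshark-style query lines are constructed sample data, and the `.invalid` names are placeholders.

```python
import ipaddress
import re

# Constructed hosts-file excerpt: names the user tried to sink to loopback.
HOSTS_FILE = """
# constructed example, not a real block list
127.0.0.1  telemetry.example.invalid
127.0.0.1  settings.example.invalid
0.0.0.0    vortex.example.invalid
"""

# Constructed tshark-style DNS query lines (what "tshark -Y dns.flags.response==0"
# prints looks roughly like this).
DNS_LOG = """
12.001 192.0.2.10 -> 192.0.2.1 DNS Standard query 0x1a2b A telemetry.example.invalid
12.002 192.0.2.10 -> 192.0.2.1 DNS Standard query 0x1a2c A update.example.invalid
12.003 192.0.2.10 -> 192.0.2.1 DNS Standard query 0x1a2d AAAA vortex.example.invalid
"""

QUERY_RE = re.compile(r"DNS Standard query 0x[0-9a-f]+ (?:A|AAAA) (\S+)")


def parse_hosts(text):
    """Return the set of hostnames the hosts file maps to a loopback/unspecified address."""
    sunk = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback or ip.is_unspecified:
            sunk.update(n.lower() for n in names)
    return sunk


def queried_names(log):
    """Extract the queried names (lower-cased, no trailing dot) from the capture lines."""
    return [m.group(1).lower().rstrip(".") for m in QUERY_RE.finditer(log)]


def hosts_bypassed(hosts_text, dns_log):
    """Sunk names that still left the machine as DNS queries: the hosts entry did not apply."""
    sunk = parse_hosts(hosts_text)
    return sorted({n for n in queried_names(dns_log) if n in sunk})


if __name__ == "__main__":
    for name in hosts_bypassed(HOSTS_FILE, DNS_LOG):
        print("hosts entry bypassed:", name)
```

Components that bring their own resolver (for example DNS over HTTPS) never appear as plain UDP/53 queries, so an empty result from this check is not proof that nothing was contacted; pair it with a look at outbound TCP connections in the same capture.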
No, it's not Google's choice. Android is FOSS
From what I have read on this site, Android is "F/OSS" for very limited values of "F/OSS". IOW, it really ISN'T F/OSS in a PRACTICAL sense.
Sure it is. Anybody can package their own Android ROM and install it if they feel like it. Ask Psystar how that worked out for them and Hackintosh.
or install Windows 10 Enterprise LTSB, which has none of this nonsense.
Easier said than done: Microsoft doesn't sell Windows Enterprise off the shelf. You have to negotiate a licensing plan with them.
It leads to password reuse, very weak passwords, written down passwords, forgetting to change your passwords at least yearly, etc.
Only if your memory is complete shit. Maybe you should lay off of the drugs.
I take it you have 30+ instances of stuff like P8i*SDz=!E4i^\4#b}~A45kcHf^^S remembered?
I wish Microsoft would've been more up front about this last year, and not two days before the "free" "upgrade" is scheduled to be concluded.
I think TFS is saying that the feature can be backported to 2.3 or newer. Granted, I don't know what phones out there are on Gingerbread and still getting updates... (Maybe the point of this is so that legislation can mandate it, thus compelling carriers and OEMs to issue a patch, but that's unlikely.)
YHBT (twice). YHL. HAND.
I'm aware he's trolling, but if it gives me an opportunity to open up the discussion to people reading the thread, why not take advantage of it?
...After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you?
Not everyone is Microsoft; the company fixed it overnight.
But that's the problem. I have to *trust* that they'll proactively and competently fix security holes. That's the inherent flaw in proprietary security patches.
No. It uses a standard, well-known encryption algorithm - specifically https://en.wikipedia.org/wiki/... and https://en.wikipedia.org/wiki/... as stated here https://lastpass.com/how-it-wo... so the encryption technique isn't security by obscurity. That took a total of 10 minutes to find out, and that isn't what was broken.
I wasn't talking about LastPass, I was responding to the person arguing that closed source is inherently more secure.
Compromising the account only gets them an encrypted blob -- only the client can decrypt it.
(Now, nothing says LastPass can't publish a subverted client, I've never heard how that is protected against).
Somebody can brute force your master password once they have your encrypted vault.
It's not Google's choice. Vendors want the ability to make customizations to the OS, to "add value".
Wrong! It IS Google's choice. I'm sure that "Vendors" wanted the ability to make "Customizations" to the iPhone, too. It's just that Google COULDN'T CARE LESS about anything other than Datamining. Every Android install is nothing more to them than more Click-bait, more Datamining, more Privacy incursions. Google could end this RIGHT NOW. But they won't. Ever ask yourself why?
No, it's not Google's choice. Android is FOSS which means anybody can make an Android phone. If macOS were FOSS, then anybody could sell a Hackintosh and not update it, and it would be the same thing.
As far as I'm concerned, so long as Google's own products (Nexus/Pixels) get security updates, I'm not mad at them for what other people do. But if you're going to cry that Google is bad because they don't heavily restrict their OS, well, good luck with that: the reason I prefer Android is BECAUSE of the freedom that comes with it, even if that means the freedom to be bad (like Motorola).
Maybe LG's been good about timely security updates. I wouldn't know. But it's certainly better than Motorola and Sony, I'll tell you that much....
The password manager shouldn't connect to the Internet in the first place. But you're wrong that the LastPass client is the only attack surface; somebody can compromise my account. And I don't know what the LastPass company (LogMeIn) does to keep my account information safe.
A password vault like KeePass can utilize both a key file and a master password. Even if my password is keylogged, I have another layer of security insofar as the attacker needs to also be able to access my local drive. The hasher doesn't have this sort of 2FA.
This problem isn't specific to LastPass. If a bogus site is masquerading as the real site, any system that doesn't have extensive site validation checks will fail, including, and especially, remembering passwords.
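The key-file point above, and the earlier remark that a stolen vault lets someone guess the master password offline, as an added example that is not part of the original thread and not KeePass's own code: the password and key file are folded into one composite secret, stretched with PBKDF2 so each offline guess costs a full round of iterations, and checked against a stored verifier. The vault format, the iteration count and the wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Deliberately low so the demo runs in a moment; real vaults use far more rounds.
ITERATIONS = 20_000


def composite_key(password, key_file):
    """Fold the password and (optionally) the key-file bytes into one 32-byte secret.
    Modelled on the composite-key idea, not on KeePass's actual construction."""
    h = hashlib.sha256(hashlib.sha256(password.encode("utf-8")).digest())
    if key_file is not None:
        h.update(hashlib.sha256(key_file).digest())
    return h.digest()


def derive_vault_key(password, key_file, salt, iterations=ITERATIONS):
    """Stretch the composite key: every offline guess now costs `iterations` PBKDF2 rounds."""
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, key_file), salt, iterations)


def create_vault(password, key_file):
    """Constructed vault header: a random salt plus an HMAC verifier of the derived key."""
    salt = os.urandom(16)
    key = derive_vault_key(password, key_file, salt)
    return {"salt": salt, "verifier": hmac.new(key, b"vault-check", "sha256").digest()}


def unlock(vault, password, key_file):
    """True only if both factors reproduce the key the vault was created with."""
    key = derive_vault_key(password, key_file, vault["salt"])
    check = hmac.new(key, b"vault-check", "sha256").digest()
    return hmac.compare_digest(check, vault["verifier"])


def offline_guess(vault, wordlist, key_file=None):
    """Model someone holding a copy of the vault and a keylogged or guessed password list.
    Without the key-file bytes the correct password alone never opens the vault."""
    for candidate in wordlist:
        if unlock(vault, candidate, key_file):
            return candidate
    return None


if __name__ == "__main__":
    kf = os.urandom(64)                       # constructed key file
    v = create_vault("correct horse", kf)
    print("password only:", offline_guess(v, ["123456", "correct horse"]))       # None
    print("password + key file:", offline_guess(v, ["correct horse"], kf))       # correct horse
```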
The vulnerability isn't just phishing somebody's login. It's exploiting a bug in the LastPass client that allows you to compromise the user's account after phishing for just an individual site password.
KeePass is not necessarily safer: http://www.harmj0y.net/blog/re...
Why don't you read the article you quoted?
"To reiterate from the last KeePass post, KeePass is not “bad” or “vulnerable” – it’s a much better solution than what we see in many environments, and the developers did pretty much everything right when coding it (including strong in-memory protections and DPAPI). Still, some admins/companies sometimes tend to see solutions like this as a silver bullet, so one point of this post is to (again) show that practical attack vectors against KeePass and similar vaults are not unrealistic. Our intention is not to convince anyone NOT to use a password manager (we believe you definitely SHOULD use a password manager), but rather to combat the false sense of security it may give some users."
Besides, the attack they're using requires being able to access your computer's memory. If you're already compromised to that degree, you're pretty screwed.
You're a dumbass. But I expect nothing else from a millennial. Closed source is one layer of security along with memorizing passwords and encryption. Removing any layer of security is stupid. Opening up the source so anyone can find vulnerabilities and exploit them is as stupid as removing encryption and storing passwords plaintext. You millennial snowflakes really are pretty stupid.
That's funny, I didn't know Bruce Schneier was a millennial. Oh well. Use closed source security solutions if you like. After all, why use something FOSS that you can patch in minutes when you can wait for your vendor to take their time and do it for you?
All millennials suck. I hate millennial snowflakes. Just remember your damn passwords and you'll have no trouble. Fuck millennials and their lazy security. Die in a fire.
Yeah, guys, we millennials should remember our 200 passwords the same way the tech savvy Gen X people do... make them all the same! Or better yet, do what I already see everyone else doing and write them all in a notebook and keep it in your top desk drawer. Sooo much better than us millennials and our lazy security...
True story: somebody told me once that he made all of his passwords his social security number, because he was tired of remembering so many. If the site required letters in addition to numbers, he would suffix it with his initials.
Even more horrifying than that, his email address was his full name and birth year @ hotmail.com...