Slashdot Mirror


User: LichtSpektren

LichtSpektren's activity in the archive.

Stories
0
Comments
1,012

Comments · 1,012

  1. Re:You can have convenience, or security, not both on Opera Sync Users May Have Been Compromised In Server Breach (fortune.com) · · Score: 1

    Then use a local password manager that doesn't connect to the Internet.

    I store everything in KeePassX. To breach that, you'd have to be able to both keylog me and arbitrarily access the files on my drives.

  2. Although I'm no fan of LastPass, at least the only thing you get with the sync is an encrypted blob; it means the attacker both has to compromise your account and then brute force your master password.

    Firefox's sync is less secure than that, but it's encrypted on their servers and requires an email verification to use, so the attacker has to compromise both your Firefox account and then your email account.

    I take it from TFA that Opera's sync database wasn't hashed, which is orders of magnitude worse than LastPass and Firefox. If anyone's still using Opera, this should be an alarm to switch to something else.

  3. Re:"of course i'm protected, i just cant say how" on How Security Experts Are Protecting Their Own Data (siliconvalley.com) · · Score: 1

    Obscurity can be an effective additional layer of defense. On its own it's insufficient.

  4. Security isn't hard on How Security Experts Are Protecting Their Own Data (siliconvalley.com) · · Score: 3, Interesting

    For your average workstation, the easy way to lock it down is by examining all of the vectors that malware can take. From there it's usually simple.

    Probably about 95% of malware comes through malicious websites. Solution: use tools like NoScript and an adblocker. Also use SELinux/AppArmor/grsecurity etc. to make sure that whatever slips by cannot do anything that your browser doesn't have permission to do. If you want to be really safe, only run your browser in a virtual machine (this is the premise of Qubes OS, by the way).

    Also apply SELinux (or whatever you're using) to any programs that have listening Internet ports, like SSH and CUPS.

    If you use a local email client instead of webmail, don't be dumb and allow your client to auto-execute JavaScript or attachments in emails. Also, don't be dumb and mount random people's portable drives without some precautions.

  5. Re:Begging the question on Ask Slashdot: Do You Still Use Optical Media? · · Score: 1

    Thank you, I was about to post the same thing.

  6. Re:Google != Microsoft? on Hey Google, Want To Fix Android Updates? Hit OEMs Where It Hurts (arstechnica.com) · · Score: 1

    People want control of their devices. OEMs and carriers blocking updates is one type of forfeiture of control. Microsoft forcing updates is another.

  7. If I buy a Nexus device it will come pre-baked with Google crapware, 90% of which I'll never use. And then every 3 days or so notify me that 9 of those applications have been updated. Is MS Office inherently more evil than the Google suite if you want to open a Word attachment on your phone?

    If privacy is your thing, buy a generic device, and flash CyanogenMod with F-Droid.

    FWIW, I use Outlook on Android because Google can't write an email client. First AOSP, then Gmail, and now some concept interface with Inbox - they all suck.

    On a Nexus device you can disable all of the bloatware except for the Google App itself. (I get around that by using a firewall to drop all its packets, which renders it mostly inert.)

  8. Mandatory xkcd on Facebook Is Testing Autoplaying Video With Sound (thenextweb.com) · · Score: 5, Funny

  9. "Windows exclusive" on PlayStation 3 Games Are Coming To PC (cnet.com) · · Score: 3, Interesting

    Correct me if I'm wrong, but it seems as though this streaming service doesn't use the GPU or any of its corresponding APIs; it mentions the only requirements being a fast CPU and fast enough Internet connection.

    That being the case, why the hell is this Windows exclusive? Why not open it to Macs and desktop Linux?

  10. Re:Camera manufacturers want a common format on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 1

    There is absolutely no reason there couldn't be a file system that is universally readable by all OSs. Microsoft is doing this for the patent tax, and if you think otherwise, you're naive.

  11. Re:A news? on Hey Google, Want To Fix Android Updates? Hit OEMs Where It Hurts (arstechnica.com) · · Score: 4, Insightful

    I just wonder how many customers do care about security updates at the very least -- I'm not saying about new OS releases for your two-year-old smartphone.

    If you ask them, "do you care about security updates?" they might say no. But they're more likely to say yes if you ask "are you OK knowing that all of your messages and banking transactions from your phone can be snooped on by a third party because [Verizon/Lenovo/whomever] is trying to force you to buy phones more often?"

  12. There's a simpler answer to this on Hey Google, Want To Fix Android Updates? Hit OEMs Where It Hurts (arstechnica.com) · · Score: 1

    I really don't want Google to have a stranglehold over Android in the same way Microsoft and Apple have a hold over their platforms; its openness is its biggest advantage. Also, I really don't care if my phone gets the latest bling, so long as it's getting security patches.

    So IMO the optimal solution is all or some of the following:
    1) Legally compel vendors to make known the minimum date of their phone/tablet's last security patch before the customer buys the product. That way, you'll be able to see that some phone will never receive updates before you buy it.
    2) Hit carriers and OEMs that impede upstream security patches (i.e. the ones Google push to AOSP) with massive fines.
    3) Make it illegal to sell any devices that don't offer security patches up to at least 1-2 years after they are taken off the shelves.

  13. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 1

    The problem is that non-tech savvy people will have considerable difficulty reformatting an SD card out of the box so it works on their phones/tablets.

  14. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 1

    Tell me how you classify the following behavior:

    1. Create file system.
    2. Use monopolistic weight to force manufacturers to ship with this file system.
    3. Use patent on aforementioned file system to charge a toll for anybody who wants compatibility with the hostage-taken manufacturers.

    To me, that's not far removed from a law firm buying a patent on left-turn signals and then using patent suits to force every car manufacturer to pay a tax to them, but OK.

  15. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 1

    Microsoft products are almost universally spyware these days.

    If you can't disable them from within Android, use a firewall to deny them any Wifi or cellular data.

  16. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 2

    It's not patent trolling. Patent trolling is about buying up abandoned (or just generally useless) patents and suing everything that makes money claiming infringement.

    These are patents Microsoft owns, filed, and has every legal and moral right to demand be honored.

    Maybe some day you will grow up and realize the world is not cleanly divided into two groups of "people who give LichtSpektren stuff for free" and "trolls."

    Don't be daft. Microsoft forces SD card manufacturers to sell their cards pre-formatted only with Microsoft-patented file systems. It's monopolistic abuse and there's "every legal and moral right" to punish them for it, only nobody will because they've greased enough politicians' palms to avoid most infractions.

  17. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 2

    I don't think you can call it patent trolling when Android is a direct competitor to a line of business they've continuously had for a couple of decades.

    Oh, I see then. So if I own an ice cream shop, and you open an ice cream shop too, I can use some frivolous patent to force you to give me pennies for every scoop you sell, since you're my competitor, right?

  18. Re:White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 2

    So? As long as they are uninstallable, taking a $10 line item out of the cost of the devices works better for the consumers.

    You're missing the problem. I don't care that Lenovo is mitigating the problem with bloatware; I've already decided to boycott them over Superfish and the lack of security updates for their phones.

    The problem is that Microsoft is adding ~$10 to the cost of every Android device with their patent trolling.

  19. Re:No problem on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 1

    My thoughts as well, but actually, you are pretty much tied in to what Canonical makes available on their apt repository (or whatever) unless you have a bit of technical ability.

    Nonsense. Whatever you want to install just needs to be put into a .DEB package. For example, installing Steam from Valve's website is just a matter of "download and double-click."

  20. White-washed submission on Microsoft Apps Will Be Pre-loaded On Lenovo and Motorola Android Devices (betanews.com) · · Score: 4, Informative

    My submission was clearer about this: https://slashdot.org/submissio...

    Lenovo/Motorola aren't going along with this because they legitimately think customers want Microsoft bloatware. They're doing this to avoid the ~$10 patent tax that Microsoft extracts from Android OEMs so that SD cards will work out-of-the-box (their patent on the exFAT file system, to be precise).

  21. Re:No problem on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 1

    I got that from you: "Granted, OEMs and carriers are probably blocking those from getting to 99% of peoples' phones,". Duh.

    Yeah, there's a huge difference between "99% of phones don't have all requisite security patches" and "99% of phones are pwned".

    After a vulnerability is discovered, it needs to be weaponized in the form of an exploit, and then it has to execute on a vulnerable phone.

    The vast majority of Android vulnerabilities require installing a malicious app. Since only a minuscule few of those slip through the Google Play Store, that means a user has to change their default setting of disallowing third-party apps from being installed. I doubt the vast majority (or even a significant portion) of users do this, so 99% of phones without security patches does not instantly translate to a botnet of billions.

    The only vulnerability I'm aware of that doesn't require installing a malicious app is Stagefright, which can be executed with an MMS. But lots of texting apps have gone ahead and mitigated that without an Android patch, and furthermore it doesn't appear anybody has succeeded in automatizing it for mass attacks.

  22. Re:Users mostly part of the "used phone" market? on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 1

    Microsoft has made it clear that Windows 10 phones won't allow the OS to be changed due to SecureBoot in the near future.

    Samsung allows you to unlock the bootloader, but they frown on it. I don't doubt that they'd perma-lock it if they could.

  23. Re:Users mostly part of the "used phone" market? on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 1

    I don't know and there's no point in baseless speculation. I would guess it would be something like a security chip in the Nexus 5 isn't compatible with the new secure boot mechanism, but again, I have no idea.

    Even if it were a secure boot issue that is also an arbitrary business decision. Secure boot could be a feature only supported on devices with a compatible security chip. It is not a technical decision as "not enough RAM" would be.

    "Not enough RAM" is an equally arbitrary restriction -- they could only change the OS in ways that don't use additional system resources.

    I am not going to comment other than to say I will allow a "do over" and pretend you never typed that.

    I stand by what I wrote. Suppose my guess was right and incompatibility with the new boot features is why the Nexus 5 won't get Nougat; that's just as much of an arbitrary reason as an iPhone 4 not getting iOS 10 because it doesn't have enough RAM. The hardware won't support all the features, so why give a half-assed update?

  24. Re:No problem on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 2

    I agree with you, I would appreciate a law to that effect. But for the time being, here's why iOS looks to be in better shape than Android: because any OEM can put an ancient version of Android on any piece of crap hardware and never update it, whereas you're going to get Psystar'd by Apple if you attempt to do the same thing with iOS.

    If we're going to be fair in an Android vs. iOS battle, we should really keep the price point in mind. iPhones receive official updates longer than Nexus phones, but (a) Nexus phones are roughly half the price, and (b) you can flash CyanogenMod on a Nexus phone and have it last longer than an iPhone does.

  25. Re:No problem on Google Begins Rolling Out Android 7.0 Nougat (venturebeat.com) · · Score: 1

    And not a cited fact was to be seen....