Not just China, other countries either have Great Firewalls in place, or will. The Aussies have one, Iran does, and I'm sure there are many others. By keeping the attackers limited to what is physically in the country, this cuts down greatly on what attacks can be done, and which succeed.
The US's worst problem is that C-levels of corporations can greatly profit when their companies are hacked. This will ensure that breaches, and egregious ones, will continue for a long time to come. The top company brass find out about the hack, short their stock, make an announcement that their customers are hosed, and laugh all the way to the bank.
Perhaps more cryptocurrencies should be based on other concepts, like proof-of-storage, rather than proof-of-work. Proof-of-storage would be useful, as it would likely drive down the price of SSDs, benefiting everyone, in the long term.
I also receive data. The E-mail message gets read, and auto-archived on my encrypted IMAP server VM. Unless Google changes IMAP to have expiration dates and forces Dovecot to respect that, the message is going to remain.
Usually I see two ways of having disappearing E-mail work. One is that the E-mail stays with the provider. This works, but once a protocol like IMAP, POP, or another snarfs the E-mail and copies/moves it, that protection is useless. Another way is requiring a special extension, be it a web app, or the content only viewable in some specific program. That also works, but in the age of ransomware, who trusts running a content viewer?
Bitcoin itself is not the issue. It is the exchanges where people store their coins, and endpoint compromise.
One of the shortcomings of cryptocurrencies is that some people want standard "banks" to store their stuff. Of course, someone is going to provide this service, but sooner or later, the "bank" gets sacked, most of the currency is lost, and in some cases, the top brass of the exchange all walk away quite wealthy for some odd reason. Cryptocurrencies take some getting used to, and there are no bank protections, be it stop payments or credit card fraud reversals. Once the transaction is signed by the relevant parties and propagated to the blockchain, it is done and forever. This is brutal, but this is part of the game.
This is a Wild West field. Arguably, the best thing is to have multiple wallets: one online that one can frequently access, and which, if compromised, doesn't have much currency in it, and one offline (paper, Trezor, offline PC) which is used for the big currency storage.
I'm absolutely not surprised by this. Routers are computers too, with storage (albeit limited), RAM, CPU, and other I/O. If someone pwns a router, there is a lot they can do with it, be it using it as a staging ground for attacks, dropping packets at random to cause consternation on the target's network, or even MITM-ing internal HTTP web traffic and adding malware payloads.
How to fix? Just as with anything security related, there is no magic bullet. Router makers are going to have to go back to the drawing board when it comes to security to keep their good names, ensuring unauthorized modifications of the router OS are protected against. Companies should start looking at policies like giving critical internal machines OS firewalls in addition to network firewalling and segmenting.
I am surprised that HTC is on the 3-4 list. I've had very good luck with them ensuring that patches come out on time. Even though they are not a "tier 1" maker like Samsung, they produce decent phones that may not have the latest bells and whistles... but they do the job and do it well. They also allow for bootloader unlocking, which is a make or break thing, as a root firewall is a must these days.
What about a small tritium gas vial, the size used in wristwatch numbers (like a Trigalight), coupled with a detector? Couple that with some high-speed flip-flops or, as stated above, noise in an NP junction, and that should produce cryptographically secure random numbers, especially if the CPU had a built-in pool with a "stirring" mechanism so anything periodic would be dispersed among the bits fairly quickly.
Chi-squared test comes close.
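As an added example (not code from either comment above), the block below runs the chi-squared byte-frequency test the second comment mentions over three constructed streams: a SHAKE256 output standing in for a well-stirred pool, the same stream with one bit stuck, and a bare repeating counter. All three streams are constructed with hashlib rather than read from a detector, the 330.5 critical value is the Wilson-Hilferty approximation for 255 degrees of freedom at the 0.001 level, and the compression check is an assumed, deliberately crude second test. The point it shows is why chi-squared only "comes close": the counter stream has a perfectly flat histogram and passes chi-squared with a statistic of exactly zero, while carrying no entropy at all, which is the kind of periodic structure a stirring pool has to disperse.

```python
"""Chi-squared byte-frequency test on candidate random streams.

Added example: the streams are constructed with hashlib as stand-ins, not output
from a tritium detector or any hardware RNG.
"""
import hashlib
import zlib

# Critical value of chi-squared with 255 degrees of freedom at the 0.001 level
# (Wilson-Hilferty approximation); a truly uniform source exceeds it ~1 time in 1000.
CHI2_255_P001 = 330.5


def chi_squared_bytes(data: bytes) -> float:
    """Pearson chi-squared statistic of the 256 byte frequencies vs. a flat histogram."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    expected = len(data) / 256
    return sum((c - expected) ** 2 / expected for c in counts)


def looks_uniform(data: bytes) -> bool:
    """True when the byte histogram is statistically consistent with a uniform source."""
    return chi_squared_bytes(data) < CHI2_255_P001


def compression_ratio(data: bytes) -> float:
    """Crude dependence check: a stream with structure compresses, a random one does not."""
    return len(zlib.compress(data, 9)) / len(data)


def pool_stream(seed: bytes, n: int) -> bytes:
    """Stand-in for a well-stirred entropy pool: SHAKE256 squeezed from a fixed seed (constructed)."""
    return hashlib.shake_256(seed).digest(n)


def stuck_bit_stream(seed: bytes, n: int) -> bytes:
    """Same stream with the top bit stuck at 0, like a detector channel that never fires (constructed)."""
    return bytes(b & 0x7F for b in pool_stream(seed, n))


def periodic_stream(n: int) -> bytes:
    """A counter wrapping every 256 bytes: perfectly flat histogram, zero entropy (constructed)."""
    return bytes(i % 256 for i in range(n))


def assess(data: bytes) -> dict:
    """Report both checks; chi-squared alone passes the periodic stream."""
    ratio = compression_ratio(data)
    return {
        "chi2": chi_squared_bytes(data),
        "uniform_histogram": looks_uniform(data),
        "compression_ratio": ratio,
        "incompressible": ratio > 0.95,
    }


if __name__ == "__main__":
    for name, data in (("pool", pool_stream(b"constructed seed", 65536)),
                       ("stuck", stuck_bit_stream(b"constructed seed", 65536)),
                       ("periodic", periodic_stream(65536))):
        print(name, assess(data))
```

The stuck-bit stream fails chi-squared by a huge margin (half the bins are empty), the pool stream passes both checks, and the periodic stream passes chi-squared but compresses to a few hundred bytes. Neither check proves a source is cryptographically secure; they only catch the obvious failures, which is what a frequency test is for.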
What might be useful is a UPS that has charging thresholds, where it charges the batteries when they reach a certain percentage charge, and the charge lasts for a random duration. Add a little bit of random variation, like plus or minus 3-5% SoC level on the batteries before the charger turns on, and this would pretty much take care of this type of attack.
I once was at an auction of a startup that was bankrupt and was selling its assets. Part of what they were selling was a motor/generator combo. I thought it was a joke, but its function was to completely isolate power coming from either direction before the power went to an online UPS (where the batteries were always drawn from, and mains power was there to keep the batteries topped off). From what I was told, it worked well to keep communication via power from happening on either side, especially coupled with the fact that mains power was not actively coupled to power inside the building due to the UPS.
I'm not afraid of data exfiltration this way for a number of reasons. It is relatively easy (although not dirt cheap) to have a battery charger/battery/inverter to isolate power, even grounds. $1500 gets you a Goal Zero power station that does all this.
Because what he does impacts the US economy so greatly, he basically is given the same treatment as a head of state. He was never put under oath, so he is free to say anything he wants.
For $10 a month, I can watch YouTube Red and use the YouTube Music app, which seems to have more bands that are not carried by Spotify. Plus, what sets them apart from Google Music or Apple Music, neither of which would require additional software to work?
True, but the perfect is the enemy of the good in this case, and one has to start somewhere. It would be nice if everything could be made in the US, but one can only do so much, and this is a lot better than just buying something from a Chinese OEM/ODM and "badge engineering" the product.
What we need is an MFA standard, similar to the open source Google Authenticator/RFC 6238/RFC 4226 standard, but instead of a shared secret, it uses a public key, so if an attacker slurps the list of 2FA info from a company, they won't receive anything that would benefit them, as opposed to a shared secret key that they could use later on to attack specific accounts.
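As an added example (not code from the comment above or from any authenticator project), the block below puts RFC 4226/RFC 6238 as actually specified next to a Schnorr-style challenge-response factor over secp256k1 written in pure Python. The Schnorr sketch, the `keygen`/`prove`/`verify` names, and the "stolen row" dictionaries are illustrative assumptions, not a published MFA standard; the OTP secret used in the checks is the RFC test-vector key. The contrast it shows is the one the comment makes: with HOTP/TOTP the server row holds the same bytes as the phone, so a database dump yields valid codes directly, whereas with the public-key scheme the row holds only the public key and a dump gives the attacker nothing that passes `verify`.

```python
"""Shared-secret OTP (RFC 4226 / RFC 6238) next to a public-key challenge-response factor.

Added example: the Schnorr identification sketch is illustrative pure-Python code over
secp256k1, not any published MFA standard; the 'database rows' are constructed.
"""
import hashlib
import hmac
import secrets
import struct

# --- Shared-secret side: the server row holds the same bytes as the phone -----------

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, unix_time // step, digits)


def attacker_code_from_dump(stolen_row: dict, unix_time: int) -> str:
    """Anyone holding the leaked row can produce the user's current code; nothing else is needed."""
    return totp(stolen_row["secret"], unix_time)


# --- Public-key side: Schnorr identification over secp256k1 (server keeps only pub) --

P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine chord-and-tangent addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k: int, pt):
    """Double-and-add scalar multiplication (not constant-time; illustration only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def challenge_hash(R, challenge: bytes) -> int:
    """e = SHA-256(R || server challenge) mod N, binding the response to this login attempt."""
    enc = R[0].to_bytes(32, "big") + R[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(enc + challenge).digest(), "big") % N


def keygen(priv: int = 0):
    """Enrolment: the authenticator keeps priv, the server stores only pub."""
    priv = priv or secrets.randbelow(N - 1) + 1
    return priv, ec_mul(priv, G)


def prove(priv: int, challenge: bytes, nonce: int = 0):
    """Authenticator: commit R = r*G, then s = r + e*priv mod N."""
    r = nonce or secrets.randbelow(N - 1) + 1
    R = ec_mul(r, G)
    return R, (r + challenge_hash(R, challenge) * priv) % N


def verify(pub, challenge: bytes, R, s: int) -> bool:
    """Server: accept iff s*G == R + e*pub. Only pub is used, so a leaked row is useless."""
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge_hash(R, challenge), pub))


def attacker_response_from_dump(stolen_row: dict, challenge: bytes):
    """Best effort with only pub from the dump: pick any r and send s = r; verify() rejects it."""
    r = secrets.randbelow(N - 1) + 1
    return ec_mul(r, G), r
```

Note what each server row contains: `{"user": ..., "secret": <20 raw bytes>}` for TOTP, which is everything an attacker needs, against `{"user": ..., "pub": (x, y)}` for the challenge-response scheme, which by itself lets nobody answer a fresh challenge. The nonce `r` must be fresh per login; reusing it with two different challenges leaks `priv`, the same failure mode that bites ECDSA.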
We already have biometrics for authentication. My Lastpass 2FA app has the option of setting a fingerprint before it will show codes. Similar with other programs like mSecure, Codebook, SafeInCloud, 1Password, and EnPass.
It boils down to exactly that: Companies will pay more for the data than individuals will pay to keep the data from being distributed.
What needs to be done is to decentralize social networks, with usable connections between others. I have a bunch of people in a local area with one interest. Someone on my social network wants to keep track of what someone else is doing on a social network in another town. This wouldn't be difficult to implement, especially with age-old protocols like NNTP, and authentication protocols like OpenID.
The Diaspora Project looks interesting, possibly.
In any case, decentralization is key.
I know this is dumb, but why are sites trusting FB to do their gatekeeping for them? FB doesn't have any certifications or compliance. They do not sell themselves as this, but other companies use them for this purpose. We don't even know if FB does password hashing.
About a year ago, Facebook licensed Signal's technology to do direct device to device communication with Messenger, with all messages supposedly encrypted. I am curious if this is watched and copied as well.
Moral of the story: want secure communication? Use something like Signal, and avoid FB like the plague.
Depends on what they mean as "affordable". A $250-500 handset would definitely have a market in the US, especially a Pixel brand that has an unlocked/unlockable bootloader. Not everyone here in the US can shell out a grand or more for an iPhone X, especially when there are midrange to entry level Android devices which can do everything a person wants or needs.
Midrange phones can be decent. They may not have the latest, state of the art animoji or the latest gigapixel camera, but they will work just as well on a daily basis as a flagship phone, especially for most people who are not using it for extreme gaming.
As for "price sensitive" countries, I would say that the US is becoming that way, especially if one doesn't live in SF, Austin, Seattle, or NYC.
We went through an era of tons and tons of CPUs. An open source CPU is very nice, and it would be useful for it to be adopted, but is there something wrong with ARM based CPUs that they couldn't be used for this task? ARM is no slouch when it comes to performance, and it is pretty thrifty when it comes to wattage.
Is there something ARM can't do that a whole new CPU design is needed?
There are only a certain number of coins that come out per unit time. If fewer people are mining, coins become less difficult to mine. If more people are mining at the same time, the difficulty goes up.
One may be better off mining another cryptocurrency and trading for BTC if you absolutely just have to have that currency. Other currencies give more bang for the buck and have other advantages.
Ultimately, a Bitcoin 2.0 currency is going to show up. Bitcoin has a number of shortcomings, especially how expensive transactions are, coupled with the need to go through 160 gigs of blockchain to check if you are not double-spent (of course, you can trust some exchange... but we know how reliable exchanges can be.) It is only a matter of time before another currency becomes the de facto flagbearer.
Maybe I'm just cynical, but I really wonder if anything will really happen long term. I think people will shake their fist, there will be some griping in Congress, but in reality, since Facebook is so big, and the US tends to prioritize businesses over almost anything else, there will be little or nothing done, and FB will be pretty much unaffected this time next year.
Where people are actually standing up and doing things is in Europe. I wonder if the entire GDPR was created, just to deal with companies like Facebook and others whose entire business is slurping up data to sell. Other countries are also stepping in. China has already banned Facebook.
In reality, with cynicism aside, will anything really happen to Facebook after all this blows over, and people are drawn to the next news story?
If truly worried, I'd just have a dedicated machine where the sensitive OS runs in a VM. You can even set up some secure remote access so you don't have to lug two machines around everywhere. In fact, I'd consider multiple separate VMs, one for each client, so a compromise doesn't mean everything is lost, just whatever is opened at the time.
Attacks where something jumps across or out of VMs are extremely rare. It can happen, but this is not a big attack vector, relatively.
Plus, if you store your VM on an eSATA or USB 3.1 drive, when done with it, just unplug the drive and toss it somewhere secure. $200 buys you a FIPS-compliant external SSD with hardware encryption from Apricorn. This takes care of the DAR (data at rest) element, regardless of the OS. From there, a PC with VirtualBox, Hyper-V, VMware, or Parallels can run the VM.
I can't believe anyone wants this type of appliance in their place. First, if you want decent sound, you need two speakers, and none of these support that. Apple will in a future update, but not right now. Second, do I need another privacy violating device? Not really. My desktop machine doesn't have a mic or camera on it unless I plug in a headset, and that is fine with me.
What does this device give someone? If I want Siri or whatnot, my phone can handle that. If I want music, I have good Yamaha monitors that can be cranked, and give a far more accurate reproduction of sound than what Bluetooth can do. There isn't anything that this device gives that is worth having the extreme invasions of privacy that go with them. Plus, they are not cheap. For the price of one, I can get a decent set of speakers.
Everyone has their different style.
I have been using both Apple and Android fingerprint scanners for years, and have found them quite reliable, regardless of conditions. Not just for unlocking the phone, but for unlocking apps like my 2FA authenticator app, which basically adds another layer of authentication without much fuss.
FaceID isn't really new. I have an old HTC device that could unlock just by looking at it, and it had the option to not unlock until you blinked for added security. I'd rather see a below the glass fingerprint scanner than additional sensors for more FaceID like authentication, but I'm sure there are many others who think the opposite.
Facebook's main staying power is that two apps handle everything. Groups, messaging, calendaring, blogs, file downloads, movies, pictures, and many other items.
None of this was invented by them. Messaging could be done by XMPP, IRC, or many other ways. Groups could be handled by a web forum. Calendaring, similar. File downloads could be done by the usual means. Movies, pictures, etc, could be done by websites, even easy to use packages like WordPress. However, what FB does is bring all that together, so it is the standard "watering hole" everyone goes to.
There are other social networks, be it Diaspora or MeWe. However, people don't want to have a ton of social media apps; they just want one, and if someone isn't on it, that person is persona non grata.
This isn't to say Facebook isn't original. Their zstd compression algorithm is a very top notch achievement, and is almost as good as lzma, with a fraction of the CPU usage. However, were it not for the fact that even businesses depend on it for communication, it could be superseded, just like Myspace was.