Open carry of swords was made legal as well in Texas as of last month. I see people with far more respect for their handguns and machete than they do with their smartphone, when it comes to being a hazard to others.
The only thing you really can do is what the Russians have learned -- have a dash cam on your vehicle and have one on your person. There is one that is being crowdfunded which looks interesting, as it can use a cell link to stream footage for safekeeping in real time. That way, if there is an issue with the other party, you can show the local DA and others the footage, and that's that.
I have no idea what some USB-C ports do. How many PCI-E lanes do they pass with Thunderbolt, if any? Can they ramp up the power settings to 24 or 48 volts if needed? Can they support charging in either direction, so a charger can charge my laptop, and the laptop can charge my phone?
Ideally, they should do all this without complaint, but manufacturers, being manufacturers, want to scrimp on those pennies, so you may never know what that port may support.
USB is a perfect example of "good enough". It is a lowest common denominator where a device can use the USB 1.1 protocol with cheap chips, and it will be acceptably working.
USB-C is a different animal. Because charge current can go either way (charger to a laptop, then from the laptop to a small port replicator), USB-C requires more sophisticated chips to handle the protocol. Chips that the Chinese lowest bidder OEMs/ODMs just don't want to pay for, so they cut corners.
HSMs can be compromised as well. There was one Linux maker which had an account on their signing HSM compromised, allowing an attacker to sign some Trojanized SSH install packages.
However, you are right. Oracle Wallet and transparent encryption are not tough to implement, and Microsoft SQL Server can do transparent encryption as well as stash column master keys in HSMs. I don't get why this isn't done more, other than the fact that backing up an HSM can be tricky. Amazon's HSM requires one to have a Luna Data Backup HSM, for example.
I'm not surprised by the fact that large companies keep their database unencrypted for anyone to dump. At best, it might be stored on an encrypted volume. Mainly because it takes some pre-planning by the DBA to implement encryption right... and that isn't going to happen in an environment where people believe that security has no ROI.
Everquest 2 has/had a special server called Drunder, just for cheaters. That way, the cheaters and botters all wind up in one place. Interesting idea, but not sure how practical it is over the long run.
The fundamental truth is: You pay for those servers and hard drives, regardless of whether they are located at your place or in an Amazon data center. Yes, some cloud provider storage costs are low, but if you access that data frequently, you will be paying a lot more than if you had a local SAN/NAS.
Is the cloud the enemy? It provides computing and storage on someone else's stuff. However, one issue is that an employee working for the cloud provider is definitely uninterested in the client's data. If something happens, the client is pretty much SOL. There may be SLAs, but they at best may credit a portion of the paid costs back... which is a relative pittance.
Then, there is the fact that if a cloud provider goes under, the servers can be sold to someone else, and all data on those servers is now free and clear to the new buyer. They can put an entire client's accounts receivable and payroll stuff on BitTorrent, and there is nothing, legally, the client of the previous cloud provider can do about it.
Right now, we have been lucky... there have been no publicized severe breaches. However, because there are so many eggs in one basket, cloud providers are definitely on the list of places that would be attacked, just because one major breach can compromise hundreds to thousands of companies.
The best thing to do is use cloud providers as a tool. Since tape drives are not feasible for a lot of businesses, backing up to the cloud is an option, provided one encrypts the backups. It is also wise to keep a set of backups locally, and/or use multiple cloud providers, just in case one gets hacked and starts demanding a ransom for access to data.
More like, I wonder how long until this "feature" is included in every app out there, even if it is just 1% of CPU done over a time when someone isn't looking.
If you are doing any type of serious document processing or coding, you will be using a keyboard. A touch screen, even on a tablet, is an exercise in pain for more than trivial uses.
It may not be as prevalent, but like the role of a desktop/laptop computer, it isn't going away anytime soon.
I can see ad slingers adding mining "functionality" as well. Without a decent ad blocker, things slow to a crawl anyway, so I wouldn't be surprised if mining software was stuffed in somewhere.
There are a lot of people who would just grumble and chalk it up to a PC being flaky.
You would be surprised. The only reason I have a FB, LinkedIn, and Twitter account is that when I was interviewed and said that I didn't have one, the interview pretty much ended on the spot. To a lot of HR people, no FB or LinkedIn is like not having E-mail or a phone.
So, I got a Twitter account, followed some random big named companies... good enough. Similar with FB, and LinkedIn has some random ramblings on it pointing to my public Git repo.
You hit the nail on the head. Last year, I had a job interview where posts I made back in the early 1990s in sci.crypt, comp.sys.mac.*, alt.sex.cthulhu, and other newsgroups actually were questioned. Thankfully I got an offer, but went with another place. The Internet does not forget.
What gets me is that people remember this stuff forever. About fifteen years ago, I was hired on as a consultant to clean up after an admin was fired, and said admin left many logic bombs (custom compiled init daemons that checked files, and if the files were not manually touched every week or so, would start writing garbage on random drive sectors, as well as resetting encryption on backup tapes to passwords from /dev/urandom, ensuring the data backed up would be useless.) Years later, this guy came up during a job interview, and I asked him about his little tantrum and how I could be sure that this won't happen again. His excuse was, "I was younger back then, and didn't know better." Needless to say, he didn't get past any more interview rounds.
Even if CFAA charges or civil charges are not brought, anyone who sees the person's name will remember them and tell other people. They may wind up getting a job somewhere, but eventually will be asked by a boss, "I heard about an incident sometime way back when...", or even just put on the chopping block without a word being said.
I'd say it is split between shoveling ads at you, and slurping as much analytics/telemetry/etc. as they can, until the EU laws come into effect that will seriously put some pain on them.
I wonder if stuff like this could be mitigated by BLU having the kernel drivers available, if not open-sourced, so people could make custom ROMs. Perhaps get LineageOS as a viable option on the devices?
That way, there would be some faith that the phones would have been shipped clean and decently secure.
I think it is better than ads. On desktops, it isn't a big deal. Portable devices where battery life is critical... different story. However, I would say that some CPU time spent mining coins for a site is a lot better deal than full page pop-up Flash ads with malware served underneath.
Since AV software requires kernel level access, or as close to it as possible, having AV software be a Trojan or a spying tool isn't surprising.
I just wonder why we even have AV in the first place. Scanning for signatures is a pointless task. The two biggest entry points for infection are Trojans (that invoice that was E-mailed with the CEO's name, even though the return header is from a Lower Elbonian site), and malvertising/weaknesses in the Web browser.
The browser issues are addressed by virtual machines (with their completely separate file system) and ad blocking, where signatures actually do work and are relevant.
Trojan executables will always be a threat, but what would help mitigate this are multiple signed repositories for programs. Not one, so there can't be a monopoly, but several big players to obtain programs from, and who actively curate what is offered there. Of course, the Dancing Bunnies attack can get a user to add a malicious repository, but outside of locking an OS down like iOS, there is little an OS maker can do to prevent that, other than having a stern warning about non-mainstream repos.
AV software scanning can be useful, but it needs to be based around hash signatures and large databases similar to VirusTotal that can throw a lot of heuristic scanning at an executable, rather than just a single database.
As proof of this, I can point to AIX, Solaris, BSD, and Linux... all of which have never needed AV software, other than to make legal eagles happy.
AV is not necessary to the base functioning of a computer. It is poorly designed OS architectures and architectures brought forward from antediluvian hardware which made AV a need in the first place. In reality, you are far better off with a signed executable mechanism, an ad blocker, and your web browser in a VM or container than you ever will be with AV software. Mainly because AV doesn't catch the latest stuff.
Yes, AV sells, but it is more of a legal checkbox than something useful for an active defense.
I like the idea of a smart card that uses some type of PIN + biometrics, where the biometrics are used to associate a username, or as part of MFA, and a PIN used for unlocking the card. The card would then be a certificate store. Swipe the card at the bar, the pub knows you are over 21, so their butt is covered legally. They don't need your name or anything else. A job requires a degree? They get a cert from the university that is also signed by an accrediting agency showing that there was a B.S. awarded. A job requiring no criminal record? A cert that has a short expiration time that shows the person is not a felon, and has no pending charges.
Credit scores can be done similarly. Financial institutions can sign that someone is in good standing, and either let the certs expire or be revoked.
This system is also robust to hacking. Yes, individual root CAs can get hacked and endpoints can get hacked, but there is no one database sitting there which is a big juicy target.
It sucks, but everyone does that now, be it Apple, Dell, Lenovo, or Microsoft, when it comes to these types of laptops.
Of course, I could get a larger one... but I've done trips with various sizes of laptops, from 12" MacBooks to 17" laptops that I could barely fit in my backpack that had multiple fans, multiple SATA bays, and such.
For what I need, if I am on the road and all I am doing is checking E-mail, logging into work via Citrix, or similar... a 12" laptop is a lot less of an issue after a long trip than a bigger one, even though the 12" model does have all its components soldered in. Even though it doesn't sound like much, after a day on the road, the difference in weight between a 12" laptop and a 15" can be noticeable.
This is a pretty expensive thin client. For a little bit more, I can buy a MacBook with 16 gigs of RAM, an i7, and 512 GB of SSD. It won't be a barnburner, but it definitely can do whatever tasks are needed when being remote. To boot, if I do not have Internet access, I'm still free to work offline without being tied to the cloud or running in a limited offline mode. I could buy a Surface laptop and have similar functionality.
For me, Chromebooks have their spot... as Citrix clients and thin clients for the VDI. $1000 for what is basically a dumb terminal? I'll pass.
Ultracaps also use a physical mechanism for storing electricity, not chemical... so they don't really "wear out" as conventional batteries do.
Very snazzy setup. I'd love to see about having something similar for RV boondocking.
Only problem with flywheels are the bearings. If those seize or wear out, all that momentum has to go somewhere, and it isn't pretty when an object spinning at 20,000+ RPM hits something else.
It is nice to see someone who "gets" this. The card or token is mainly a cert holder. This could even be someone's smartphone, but there are times when one doesn't want a device that does 24/7/365 geolocation with them, so having a simple device that is presented, has some means of showing that the person claiming to be the person who the certificates apply to is truly that person, and maybe a few other features like showing/hiding certificates, as a barkeep doesn't need to know that you are a gold medal winner in last week's chainsaw fencing contest.
This is not perfect... but this model is a hell of a lot better than the current one. A compromised key can be revoked. A database chock full of people's info can't be "un-copied" once it hits pastebin or torrent sites.
Perhaps this could be used similarly to an MFA device in Duo. You have a hardware card, but you can also use your phone to show that you are who you claim you are, provided the phone has some security mechanism so this is a relatively trustworthy way to do things.
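The card-as-certificate-store scheme sketched in the two comments above (a signed attribute such as "over 21" with a short expiry, revocable by the issuer, presented without revealing anything else, and tied to a key the card holder must prove they control) can be shown end to end in a small program. The following is an added example written for this page, not code from the commenter or from any product; it uses Ed25519 from Go's standard library as the signature scheme, and the issuer names (`dmv.example`, `univ.example`), serial numbers and dates are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is one attribute assertion (for example "over21") that an issuer
// signs for the public key held on the card. It carries no name: the relying
// party learns only the claim it asked for.
type Credential struct {
	Issuer   string    `json:"issuer"`
	Subject  []byte    `json:"subject"` // the card's Ed25519 public key
	Claim    string    `json:"claim"`
	Serial   uint64    `json:"serial"` // what a revocation list refers to
	NotAfter time.Time `json:"not_after"`
}

// SignedCredential is a credential plus the issuer's signature over it.
type SignedCredential struct {
	Cred Credential
	Sig  []byte
}

// canonical returns the exact bytes that are signed and later verified.
func (c Credential) canonical() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// Issue signs a credential with the issuer's private key.
func Issue(issuerPriv ed25519.PrivateKey, c Credential) SignedCredential {
	return SignedCredential{Cred: c, Sig: ed25519.Sign(issuerPriv, c.canonical())}
}

// Presentation is what the card hands over: one chosen credential plus a
// signature over the relying party's fresh challenge, which proves the card
// holds the subject key (the PIN-unlock step in the comment).
type Presentation struct {
	SC    SignedCredential
	Proof []byte
}

// Present signs the challenge with the card key for the chosen credential.
func Present(cardPriv ed25519.PrivateKey, sc SignedCredential, challenge []byte) Presentation {
	return Presentation{SC: sc, Proof: ed25519.Sign(cardPriv, challenge)}
}

// Verifier is the relying party (the bar): trusted issuer keys, a revocation
// list keyed by issuer and serial, and an injectable clock.
type Verifier struct {
	Issuers map[string]ed25519.PublicKey
	Revoked map[string]map[uint64]bool
	Now     func() time.Time
}

// Verify checks issuer signature, claim, expiry, revocation and key possession.
func (v Verifier) Verify(p Presentation, wantClaim string, challenge []byte) error {
	c := p.SC.Cred
	pub, ok := v.Issuers[c.Issuer]
	if !ok {
		return errors.New("unknown issuer")
	}
	if !ed25519.Verify(pub, c.canonical(), p.SC.Sig) {
		return errors.New("bad issuer signature")
	}
	if c.Claim != wantClaim {
		return errors.New("claim does not match")
	}
	if !v.Now().Before(c.NotAfter) {
		return errors.New("credential expired")
	}
	if v.Revoked[c.Issuer][c.Serial] {
		return errors.New("credential revoked")
	}
	if len(c.Subject) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.Subject), challenge, p.Proof) {
		return errors.New("holder does not control subject key")
	}
	return nil
}

// RunScenarios is a constructed demonstration: a DMV and a university issue
// credentials to one card, and a bar asks only for "over21". The returned map
// holds each scenario's outcome ("" means accepted).
func RunScenarios() map[string]string {
	now := time.Date(2017, 11, 1, 12, 0, 0, 0, time.UTC)
	day := 24 * time.Hour
	mustKey := func() (ed25519.PublicKey, ed25519.PrivateKey) {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		return pub, priv
	}
	dmvPub, dmvPriv := mustKey()
	uniPub, uniPriv := mustKey()
	cardPub, cardPriv := mustKey()
	_, thiefPriv := mustKey() // holds a copied credential but not the card key
	mk := func(issuer string, priv ed25519.PrivateKey, claim string, serial uint64, ttl time.Duration) SignedCredential {
		return Issue(priv, Credential{Issuer: issuer, Subject: cardPub, Claim: claim, Serial: serial, NotAfter: now.Add(ttl)})
	}
	over21 := mk("dmv.example", dmvPriv, "over21", 1001, 90*day)
	degree := mk("univ.example", uniPriv, "degree:BS", 42, 365*day)
	stale := mk("dmv.example", dmvPriv, "over21", 1000, -1*day)   // already expired
	pulled := mk("dmv.example", dmvPriv, "over21", 1002, 90*day)  // on the revocation list
	forged := mk("dmv.example", thiefPriv, "over21", 1003, 90*day) // not signed by the DMV

	bar := Verifier{
		Issuers: map[string]ed25519.PublicKey{"dmv.example": dmvPub, "univ.example": uniPub},
		Revoked: map[string]map[uint64]bool{"dmv.example": {1002: true}},
		Now:     func() time.Time { return now },
	}
	challenge := make([]byte, 32)
	rand.Read(challenge)
	errText := func(err error) string {
		if err == nil {
			return ""
		}
		return err.Error()
	}
	check := func(priv ed25519.PrivateKey, sc SignedCredential) string {
		return errText(bar.Verify(Present(priv, sc, challenge), "over21", challenge))
	}
	return map[string]string{
		"valid":       check(cardPriv, over21),
		"wrong_claim": check(cardPriv, degree), // degree cert shown at the bar
		"expired":     check(cardPriv, stale),
		"revoked":     check(cardPriv, pulled),
		"stolen":      check(thiefPriv, over21),
		"forged":      check(cardPriv, forged),
	}
}

func main() {
	for name, outcome := range RunScenarios() {
		if outcome == "" {
			outcome = "accepted"
		}
		fmt.Printf("%-12s %s\n", name, outcome)
	}
}
```

The bar never sees a name or the degree credential, only the one claim the card chose to present; a leaked copy of a credential is useless without the card key because the challenge is fresh per presentation; and the issuer retains two cheap kill switches, short expiry and a per-serial revocation list, which is the property the comments contrast with an un-copyable central database.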
Personal anecdote, but I have a former neighbor who still has PV panels up that he threw in his backyard back in the 1980s, and they are still running at their rated wattage, if not a little bit above it.
The nice thing about solar panels is the fact that once set up, assuming no active tracking system, you don't have to do much upkeep. No moving parts, everything is solid state, and if one has an on-grid system, there are no batteries to have to keep watered or replaced.
I really can't think of anything wrong with solar, other than the obvious... it only works a part of the day.