Slashdot Mirror


User: ctilsie242

ctilsie242's activity in the archive.

Stories: 0
Comments: 968

Comments · 968

  1. Re:Holy shit, Microsoft is more evil than usual on Microsoft Warns Of Two Apps That Installed Root Certificates Then Leaked the Private Keys (zdnet.com) · · Score: 1

    Probably because of the GDPR. A lot of pages state that because of the GDPR, all people connecting have to agree to stuff (usually, no-sue arbitration, all data can be used however the website feels like, user gives up all rights, usual legal garbage) before they can access the page.

  2. Re: $10 once does not seem like "investment" on Bitcoin Loses 32% of Its Value This Week, Falls Below $4,000 (usatoday.com) · · Score: 1

    It can happen. A lot of people still use Bitcoin exchanges, even though history has seen many exchanges fall flat with their coins winding up in anonymous wallets. Other wallet apps can get compromised. One would be hard-pressed to tell if a wallet's private key was generated with a re-creatable source of randomness versus a CSPRNG like /dev/random.

    The Bitcoin protocol in itself is pretty secure. However, the attacks made will always be at the endpoints. One could always make a wallet app that has the source code public, but the compiled version on the app store has a few routines not in the published code. Even something as simple as not using /dev/random, but using the milliseconds since the epoch would be all but untraceable for wallet key generation.

    I would say both sides are "right" in this case. Especially if one stores stuff in an exchange, and the exchange gets "hacked", with all the coins winding up transferred to an anonymous wallet.

  3. Re: $10 once does not seem like "investment" on Bitcoin Loses 32% of Its Value This Week, Falls Below $4,000 (usatoday.com) · · Score: 1

    We are at that spot already. To mine Bitcoin requires a hefty investment in ASICs, as well as a cheap, cheap energy source, either by building a hydroelectric or geothermal plant, or by finding a way to skirt around billing (have a BTC mining apparatus located somewhere with subsidized electricity.) Even at current prices, there isn't really that much financial incentive for people to buy dedicated BTC mining rigs, and if Bitcoin hits a certain threshold, it won't be worth the energy to mine.

    When no new coins hit the market, coupled with the fact that transactions can take an indefinite amount of time because of no new miners, this could be a show stopper.

  4. Re: $10 once does not seem like "investment" on Bitcoin Loses 32% of Its Value This Week, Falls Below $4,000 (usatoday.com) · · Score: 1

    Probably because Bitcoin was the first cryptocurrency to hit the mass market. There were many cryptocurrencies before it (Chaum's eCash, for example.) However, when the local TV station needs filler material, this is the first thing of its ilk mentioned that has mindshare with Joe Sixpack.

    Bitcoin is a great 1.0 currency, but there are many others, ideally ones that use proof of storage or perhaps proof of protein-folding, so the energy used for calculating stuff isn't wasted.

  5. Blockchain based lawbooks? on Washington DC Made GitHub Its Official Digital Source For Laws (arstechnica.com) · · Score: 1

    Blockchain based lawkeeping. Can't argue with that, because it would at least show what laws got passed/modified/repealed. Hell, Git is one small step away from being a blockchain, it just needs some crypto signatures for every commit, modification and push to the repository.

    I can't argue with this.

  6. Re: Make sure make timely car payments on Can The Police Remotely Drive Your Stolen Car Into Custody? (thenextweb.com) · · Score: 1

    Here is the Wired article. Yes, it is relatively old, but it does show that this technology can be misused.

  7. Re:Make sure make timely car payments on Can The Police Remotely Drive Your Stolen Car Into Custody? (thenextweb.com) · · Score: 2

    And this technology has been misused. An Austin used car dealership had remote immobilization tech in their cars to ensure people paid their bill. A disgruntled ex-employee used another person's account, logged in, and disabled every single car in their system, where the engine stalled, and the horn would honk until the battery died.

    With the prevalence of espionage, combined with the lackadaisical attitude of the private sector where "security has no ROI", there is no such thing as a back door. In the real world it is called a show-stopping vulnerability.

  8. How about a real feature or two? on Samsung's Upcoming Galaxy S Phone Will Sport Six Cameras and Support 5G, Report Says (wsj.com) · · Score: 1

    How about Samsung actually adds a significant feature, like an unlockable bootloader? There are still people who use firewalls to guard privacy, and use rooted applications.

    More work on Linux-On-Galaxy would be nice as well. This way, the phone can be used for other stuff, similar to how the Motorola Atrix could get a decent Linux distro on it for use in a pinch.

    Of course, virtualization would be nice, to separate work and home environments completely.

  9. Re:No backups?! on Popular Dark Web Hosting Provider Got Hacked, 6,500 Sites Down (zdnet.com) · · Score: 1

    One of the selling points is that he did not take backups, so the data never left the root account.

    However, what he should have done, assuming he was using AWS, was at least pop snapshots on a daily/weekly/monthly level, with a guarantee that they would be deleted, perhaps with code that deletes the snapshot of a client VM when the client deletes the snapshot, using crypto keys to ensure the data is not readable.

  10. Re:Awful... or maybe not. on Blockchain Gaming Is Coming to the PS4 (sludgefeed.com) · · Score: 1

    I don't see how a blockchain is better than just an item database with a log of what items were created, with what statistics, how they were modified and used, and if/when they were destroyed (sold to a NPC merchant, junked, deleted with a character, etc.) It seems a lot more work as opposed to just having a solid journal mechanism, especially if the only people using it are company internal. However, a blockchain might be useful to guard against internal tampering.

    I can see one place where blockchain tech would be useful in a MMO: Giving players the ability to export (and delete) in-game items or even their characters if they hit the limit. This way, they don't have to worry about permanent deletions, and since things character is tied to the account, having the player possess the archived items/characters doesn't mean they can be traded or sold.

  11. Re:Default Deny should be by design on AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com) · · Score: 1

    It is default deny. In the past, you were presented with the option of making it private or public on bucket creation. Now, it defaults to private. I think people got confused, set it to public, assuming that was what was needed to give other members of their AWS account access.

    I wouldn't say this is Amazon's fault. It would be like a mini storage company selling padlocks with every unit, offering the units with the padlocks in place on them. Then, users unlocking the padlocks, and leaving the garage door thrown open for anyone to walk up and pick through.

  12. Re:Doesn't matter. on Why Some Open-Source Companies Are Considering a More Closed Approach (geekwire.com) · · Score: 4, Interesting

    Having a product F/OSS can be a deal maker or a deal breaker. For example, in a previous life, I worked for a company run by old-school CS guys that considered code as an asset, and that if an application didn't have open source, or a way to get to the source, it would not be used, because they didn't want to deal with it. Worst case, if a product is abandoned, they could fork it and support it.

    It isn't like F/OSS doesn't make money. RedHat wasn't snapped up at insanely high prices by IBM for a losing business model.

  13. Re:That is the "moron" option, apparently on AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com) · · Score: 2

    In my experience, and I had a time where I bounced among a number of companies, the person with AWS access oftentimes has no clue what they are doing, is likely using the root account itself, rather than a sub account with admin privs, and just needs things to work so the dev team can get their code going. Their goal is to get stuff up and running, even if it means ignoring security issues, since the SCRUM master and their boss are going to call them out on missed deliverables on a daily basis, but security guidelines missed and S3 buckets left public won't be something that the developer would be facing direct consequences for their actions.

  14. This is a much needed thing... even I can do it. on AWS Rolls Out New Security Feature To Prevent Accidental S3 Data Leaks (zdnet.com) · · Score: 3, Funny

    This is an absolute no brainer, and IMHO, a must have. Log onto AWS, go to S3, check four checkboxes, type in "confirm", hit OK, and not worry about public buckets again, unless someone explicitly logs in as a root/admin user and unchecks them.

    Hopefully more AWS customers do this.

  15. Would I allow an employer to do this? I think not on More Companies Plan To Implant Microchips Into Their Employees' Hands (engadget.com) · · Score: 5, Insightful

    First, chips are often obsoleted. The bits on HID proxy cards go up to handle attacks and business needs. I would not want something implanted where my next employer would demand version 1.0.0.0.1b of the chip and I have 1.0.0.1a.

    Plus, look at IoT vendor reputation as a whole. I wouldn't trust these people to make a secure Wi-Fi light bulb that wouldn't get pwned. Would I trust them with something that I'm stuck with for life? Nope.

    We already have biometrics. Why do we need some startup's chip, other than to give that startup a windfall profit?

  16. Re:Unsupported devices need to fall back gracefull on Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan (zdnet.com) · · Score: 1

    What would be ideal is a UL-like entity, but for IoT stuff. This entity would have standard security measurements, and would enforce security [1] updates for "x" amount of time, perhaps with some surety presented if a company fails to live up to their promises.

    [1] Security as in protection from remote attacks, not just jailbreak resistance, which often get confounded. In general, IoT makers love jailbreak resistance, but hate having to work on protection from remote attacks, since it means fewer features.

  17. Re:Unsupported devices need to fall back gracefull on Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan (zdnet.com) · · Score: 2

    That is an interesting idea. There are a lot of advantages of this. Especially if the device would know that it would be updated to a certain time/date, then from there, it is on its own.

    I do see a few faults, knowing IoT vendors, and their callous attitude:

    This can be used as a denial of service attack, if a device is isolated from the mother ship somehow, goes into fail-secure mode, and loses functionality. Or, it is used to ensure devices have an always-on Internet connection for slurping telemetry 24/7 for something else to sell.

    This would force customers to have to buy new IoT devices. Instead of being able to run unsecured, the devices would pretty much shut down and be useless. There are a lot of IoT companies who would love guaranteed, timed obsolescence, forcing people to buy new devices every few years, or even every few months.

    IoT makers would use this "functionality" to start to charge for updates, just so people would have to pay them in order to use their own devices.

    I like the idea of going into a "fail secure" mode, but I just fear the abuse, especially by so many companies who just do not care about security whatsoever.

  18. Re:Why not let the actual users decide how long? on Mark Shuttleworth Reveals Ubuntu 18.04 Will Get a 10-Year Support Lifespan (zdnet.com) · · Score: 1

    Sometimes I wonder if Microsoft, or Google would be an ideal suitor for Canonical. Since Ubuntu is one of the defaults in both WSL, and Hyper-V, it would be ideal.

    I do have my reservations about IBM and RedHat. On one side, I know IBM wants some revenue after buying RH, as they didn't buy it for altruism. However, for a big company, it is a good match, since IBM has been selling RedHat on a lot of their POWER and zSeries line for a while.

  19. The GDPR is nowhere near perfect. It has given websites the excuse to demand you click and accept an EULA (which you can't read because their popover covers it) before you visit.

    However, it is a start. Right now, a company getting hacked actually can make the top brass rich, just because the CxOs can short their stock before the announcement, and most people forget about the intrusion, so stock bobs back up in a few months. The GDPR actually makes companies actually be concerned about security to actually consider throwing money at it.

    Of course, it has its flaws, but it could have been far worse.

    One step at a time, as they say. Maybe, someday, we will see such laws enacted in the US.

  20. Re:No uncertainty about BCH on Bitcoin Plummets Under $6,000 To a New Low For the Year (cnbc.com) · · Score: 2

    Chaum's DigiCash was the first "widespread" cryptocurrency. It is primitive by today's standards, but hell... there wasn't even AES out then, and the best out was maybe MD4 for hashes and at best, triple DES for encryption. Keys might be 384 to 512 bit RSA if that.

    The currency is well designed, especially with the anonymity built in.

  21. Regulations and checkboxes... on Why is Antivirus Software Still a Thing? (vice.com) · · Score: 2

    In the enterprise, AV is there because FERPA, HIPAA, and other regulations mandate it. Does it actually stop viruses? At best, maybe an older Trojan horse. However, the best front-line thing is a good ad-blocker, second best is separating your stuff into VMs. QubesOS is definitely the best way of doing things, to ensure stuff cannot touch each other.

  22. Re: No. on Why is Antivirus Software Still a Thing? (vice.com) · · Score: 2

    You want a firewall on Android, ideally something running as root. This is arguably the best way to deal with rogue apps. If they can't phone home, even though their manifest allows them to, they can't do damage... well, until they subvert another utility to go out.

  23. Re:Much more interesting... on US Overtakes China in Top Supercomputer List (bbc.com) · · Score: 1

    One interesting item with the POWER9 is Turbo Core mode. This disables half the CPUs, but lets the remaining ones use the disabled CPUs' caches, and allows the clock speed on the chip to be increased by a significant amount. The main reason this is done is because of certain DB vendors licensing by CPU, and because the computer reports half the cores, it saves a lot of money. Ironically, the performance loss from the halving of the cores is not as bad as one would expect.

  24. Re: Linux on a new Mac - why? on Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com) · · Score: 1

    I also have a Mac of 2008 vintage. Battery has long since expanded and died, the hard drive has been replaced by a SSD, and it is slow as dirt. However, it does run virtualization nicely, and I always use VMs for web browsing, so if something exited the VM and nailed the hypervisor, my main stuff would be untouched.

    Nothing wrong with using older equipment, as they have their place. Worst case, a Git or a Wiki server for storing misc notes, or code.

  25. Re:Linux on a new Mac - why? on Apple Blocks Linux From Booting On New Hardware With T2 Security Chip (phoronix.com) · · Score: 3, Interesting

    This has a double-edged sword though. The bad is when Apple stops supporting this machine, you can't just slap Ubuntu on it and continue using it, but you get to choose between keeping using an obsolete OS with security issues, going with Windows, or chucking the machine entirely.

    I personally have tested this. At first, I set the security level to "none", booted Ubuntu, because I do a blkdiscard on the SSD to ensure that there is absolutely nothing on the drive before I install macOS. Lo and behold, no drives, not via NVMe, not SATA.

    I hope this is just an oversight. I would be surprised and extremely disappointed if Apple actually did not want Linux to run on their product by actively barring the UEFI shim needed to load RedHat, Ubuntu, and others.

    As of now, using virtualization software is a solution, although Parallels is "meh" at best, VirtualBox has gotchas, so your best bet is VMware Fusion Pro, which isn't cheap, but well worth it.