I've had a HTC One (m8) since it came out (about 6 months ago). I keep mine in a case (SUPCASE Unicorn Beetle) and have it in my front pocket all the time.
It still lays perfectly flat, no bending.
Maybe having a hard rubber bumper and the hard plastic back of the case is enough, or this is not a big issue on the HTC units.
Eliminate that chain, work out a public exchange and verification program (something akin to bittorrent for
gpg signed certificates from other people you trust.) and plug that in in place of the current certificate authority
model and you're set.
DNSSEC + DANE
It limits the damage a lot more then the current "trust the CA completely" model. A rogue CA can only damage / MitM certificates that they have issued without raising red flags in the SSL stack.
Is DNSSEC+DANE perfect? No, it has some rough edges and possible corner cases, but it's far better then depending on the current CA model.
I'm amused that it has taken this long for people to start caring about encryption. I remember the mid-late 90s when PGP first came out and those in charge tried very hard to spread the lie that only bad people use encryption.
Regular people *started* to finally care, at least a little bit, once internet commerce became a thing, but even then SSL was only used to protect credit car numbers in transit.
The last few years have been interesting - a lot of people are starting to finally grasp the importance of using encryption everywhere.
Same, I used to have 3-4 servers in the home office, plus multiple desktops.
I now run a single server acting as the firewall, with VMs inside it for dedicated needs, a single laptop and a single desktop. Every few years the server gets a more powerful MB/CPU and double the RAM and larger hard drives. The server has (10) hot-swap 3.5 SAS/SATA bays. Virtualization and cheap RAM is what made the difference.
I also have a 4-bay USB 3.0 external enclosure which holds (4) 3.5 SATA drives which I use for onsite backups.
Anything that I don't need to keep online, gets written out to a pair of USB disk drives, labeled, and stuffed in a drawer.
Do Android phones automatically update to the latest version?
It varies by phone and carrier. The HTC One (m8) that I have was updated this week to a new Android version. I had to approve the install and could have declined, but I did at least get an updated version.
OTOH, my Asus tablet... is probably still running the original Android that it shipped with.
The primary reason to password protect and encrypt the phone is to protect against the mundane threat of someone who steals your phone, then tries to leverage that to gain access to your financial accounts or other accounts.
If you travel on any form of public transit, it's a risk. (Pickpockets, muggers, etc.)
Granted, most thieves are only after the phone for its hardware value. But others will dig into the phone and see what sort of personal information they can glean (emails, bank details, list of contacts, passwords) and then try and sell that to identity thieves.
For modern phones, storage encryption has minimal impact on battery life.
Having to enter a 4-10 digit number every time you unlock the phone is a minor hassle. However, there are tricks where you can tell the phone to only lock (after 15 minutes) if it can't see a certain bluetooth / wifi signal.
When you speak of 4096 bit encryption, you are generally talking about RSA keys. RSA keys do not share the same "strength per bit" as symmetric keys like AES-128.
Most folks say that AES-128 is about equivalent to RSA/3072, and Elliptic Curve would need to be 256 bits to be roughly equivalent to AES-128.
The big upcoming problem with RSA is that the number of bits needed per key goes up rapidly as you need to get to stronger key sizes. To get something equivalent to AES-256, you would need a 15360 bit RSA key. Which makes Elliptic Curve crypto more interesting because you only need about a 512 bit EC key to match AES-256 strength.
Generally speaking, the chance of it going airborne is about as likely as you getting hit by lightning tomorrow. Changing how it spreads is generally really, really, hard for any virus - it would have to morph into a completely different family of viruses, at which point it would no longer be Ebola.
The bigger issues is that this is going to set those countries back a few decades or more in their development. Which means lots of instability in the region, which tends to result in bad things happening (wars, societal breakdown, less education, more poverty). That's going to kill a lot more people then Ebola does.
SSDs under WinXP gradually degrade in performance, because XP doesn't support SSD TRIM. On Win7, this is not an issue, so you don't have to wipe / reset the SSD / restore the operating system once a year.
Graphics performance of video drivers - I gained 20-30% performance switching from XP 32bit to Win7 64bit on the same machine, maybe even doubled performance. This was back when I multi-boxed EVE Online - I went from struggling to run 3 windows (at least one would only get 15-20 FPS), to being able to have 5-6 open (all with 40+ FPS).
The 32bit limit of 3-something GB of RAM is a bit limiting when Firefox is chewing up 500-800MB, Thunderbird is chewing up another few hundred MB, and a handful of other background tasks chewing up 40-50MB each. Moving to Win7 meant I could put in 8GB of RAM on the box, and make use of it.
Multi-tasking performance is just better in Win7 when compared to XP. Less hiccups / pauses / other strange slowdowns.
The window preview as you hover over the tasks in the task bar is addictive. Being able to see thumbnails of each application window makes it easier to pick which window to bring forward (another bonus for multi-taskers).
A bit more resilient then XP to being infected - not perfect, but a definite step forward.
We run Linux on the servers, but I'm quite happy running either OS X or Win7 on the desktops. Both get the job done well enough and stay out of the way.
(Running Win7 on a 2007-era Thinkpad T series, 8GB RAM, pair of SSDs, and only a dual-core Intel CPU.)
I've long stated that the worst thing the US DoJ ever did to Microsoft - was failing to force them to break apart into separate companies.
Operating systems should have gone one way (at which point, I suspect that modern versions of Windows would be posix-based, probably on BSD). The application stack should have gone another way (MSOffice running on just about everything, instead of being limited in order to sell Microsoft Phones). The hardware stuff into a 3rd company.
Instead of being separate companies and competing - now they are all bound together, fighting for their little fiefdoms tooth and nail, and slowly sinking into obscurity.
You can, and I'd guesstimate that about 50% of legit SMTP connections to our server are encrypted with TLS. But that number could also be as low as 10-20% (the 90% of all connections being spam zombies makes it harder to estimate).
I have not tracked the value over time to see if it is going up/down. And our site is not particularly large, so we don't have a good sample to pull from.
From my reading, it's possible to be infected for two or three weeks without visible symptoms. This means that there's plenty of opportunity for somebody in Africa to get on a plane and go somewhere else, and then have ebola hit. I have no confidence in confining it to one continent.
You need to go back and read again.
Until you are symptomatic, you are not infectious.
(And it's highly unlikely, as in lightning-strike odds territory, to become able to infect via airborne methods. It will remain a touch bodily-fluids and be infected virus.)
For DYI, the choice really does boil down to either pfSense or IPFire depending on whether you want BSD or Linux underneath.
Personally, I went with a full blown CentOS with Shorewall / OpenVPN on top, but it was definitely not the easiest thing to setup. Next time around I'm strongly considering a firewall distro.
DANE is mostly to guard against rogue CAs. CA #1 cannot sign a certificate claiming to represent the domain that was actually certified by CA #2. So it limits the amount of damage that a rogue CA can get away with.
It may also eliminate the need for CAs and certificate altogether. You just store the public half of your certs in the DNS system.
Even if you don't do financial transactions on your site - consumers / customers / users are getting more savvy and want *any* personal information to be encrypted in transit. Login details are naturally something that should always be encrypted, but that also extends to things as mundane as URL history or search terms.
The bigger issue with MSAccess and where other tools fall flat is the ease of linking together multiple, disparate, data sources - without having to register dozens/hundreds of ODBC drivers - mashing the data together, then sending it off to yet another destination.
This is especially critical when you work with ad-hoc data sets that are somewhat or completely different from job to job, client to client, so putting that data into a proper database and writing proper SQL queries to massage it or slapping a web front end on it -- is not worth the time investment.
I've looked at OpenOffice/LibreOffice Base over the years. It's still an infant, not even equivalent to the old MSAccess 2.0 functionality yet. Import/Export of CSVs is difficult - it won't create the tables for you and create reasonable field definitions. Linking to another database requires an ODBC driver connection to be configured on the system.
Worse - it uses HSQLDB, where you have to put double quotes around all of your field/table identifiers. That makes it garbage - because you can not prototype a SQL query in Base, then copy/paste it to another SQL compliant database and get it to run without major changes.
I really cannot think of a reasonable workflow where that would make sense but I'm not trying to judge
The workflow is pretty much anyone who has to wear multiple hats during the day. Think of open tabs in background windows as short-term bookmarks.
One browser window with half a dozen tabs to keep an eye on the internal ticket system. Another window open with a dozen tabs to track stats on jobs in-progress across multiple days (so that you can just alt-tab to that window, glance through the tabs, rather then rummage for bookmarks or use the awesome-bar). Then typically one window per task / project with anywhere from 1-20 tabs.
As an example, let's say I need to look into GlusterFS. I can either re-purpose one of the my existing browser windows, or better, open a new one and keep all tabs relating to GlusterFS in a single window. I'll start with Google or the GlusterFS home page, then will start proliferating tabs as I find things that are interesting enough to be read, but I'm not ready to dive into that tab yet, nor is it something that I'll want as a long-term bookmark.
As I work through the various tabs, they either get bookmarked after I've read them or just closed.
Not hard to hit 100 tabs. Today is about average and I have 10 windows open, each has 1-15 tabs in it.
Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
That's what GPG encrypted text files were invented for.
One text file per account, the contents are a GPG ASCII armored encryption block containing things like the site name, password, account name, answers to security questions, or anything else.
I then store those text files in a version control system, which makes it easy to share across multiple machines.
(The weak link in all of this is the GPG key - but there are options to strengthen that like smartcards.)
Encrypt the tablet / phone - use a 6-9 digit PIN (which is a lot better then just a 4-digit PIN). Have the device wipe after 10 bad attempts (the default on Android).
Most thieves, when presented with that obstacle - will just reformat the device for sale rather then try and steal information off of it.
As for apps, keypass / lastpass are frequently mentioned. My personal preference is a strong master password in Firefox, and just let it remember the 100s of secondary website account passwords (i.e. not my bank, webmail, or other financial sites). The best choices are those where you setup your own webdav cloud storage on your own hardware, and use that to keep things synchronized.
Four words, strung together, can be a key space as small as 3000^4 (roughly 46 bits of entropy), especially if they are chosen from the top 3000 words in the dictionary. That's nowhere near 6.2 * 10^36.
Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other then the first letter adds 2 bits per word.
Basically, if you're using English language phrases / words without any munging, you're only getting about 2 bits per character. A bit lower if it's a grammatically correct phrase (~1.5 bits/character), a bit higher if it's random words strung together (~2.3 bits/character). That puts a 26 character phrase like you provided at somewhere between 39-60 bits (and it is always better to assume the lower bound).
Most attackers will assume 2-6 words strung together, from the top N lists. So just tacking words together is not safe. Or they'll use N-grams (sort of like Markov chains, but more general) and go after the most common phrases.
In comparison, an 8-character password, chosen from a field of 64 possibles per character (6 bits) is 48 bits strong. If you managed to use one of 90 possible characters per position, that is 52 bits strong (6.5 bits/char * 8 bits).
48-52 bits is just not a lot these days, if the attacker gains access to the hashed password and can attack it offline. Minimum bits of complexity really needs to be about 64 bits (10-12 characters, fully random) to deal with offline attacks, and 80 bits of entropy is far better.
Slashdot Mirror
Most terms (PuTTY/SecureCRT), it is better to use the traditional Shift+Delete, Shift+Ins and Ctrl+Insert - I've never heard of Ctrl+Shift+C before.
I've had a HTC One (m8) since it came out (about 6 months ago). I keep mine in a case (SUPCASE Unicorn Beetle) and have it in my front pocket all the time.
It still lays perfectly flat, no bending.
Maybe having a hard rubber bumper and the hard plastic back of the case is enough, or this is not a big issue on the HTC units.
Eliminate that chain, work out a public exchange and verification program (something akin to bittorrent for gpg signed certificates from other people you trust.) and plug that in in place of the current certificate authority model and you're set.
DNSSEC + DANE
It limits the damage a lot more then the current "trust the CA completely" model. A rogue CA can only damage / MitM certificates that they have issued without raising red flags in the SSL stack.
Is DNSSEC+DANE perfect? No, it has some rough edges and possible corner cases, but it's far better then depending on the current CA model.
I'm amused that it has taken this long for people to start caring about encryption. I remember the mid-late 90s when PGP first came out and those in charge tried very hard to spread the lie that only bad people use encryption.
Regular people *started* to finally care, at least a little bit, once internet commerce became a thing, but even then SSL was only used to protect credit car numbers in transit.
The last few years have been interesting - a lot of people are starting to finally grasp the importance of using encryption everywhere.
Bleeding from all orifices is actually one of the less common symptoms. It's just a headline grabber.
On the WHO site, it's listed as the last of possible symptoms with language indicating that it only occurs in some patients.
Same, I used to have 3-4 servers in the home office, plus multiple desktops.
I now run a single server acting as the firewall, with VMs inside it for dedicated needs, a single laptop and a single desktop. Every few years the server gets a more powerful MB/CPU and double the RAM and larger hard drives. The server has (10) hot-swap 3.5 SAS/SATA bays. Virtualization and cheap RAM is what made the difference.
I also have a 4-bay USB 3.0 external enclosure which holds (4) 3.5 SATA drives which I use for onsite backups.
Anything that I don't need to keep online, gets written out to a pair of USB disk drives, labeled, and stuffed in a drawer.
Do Android phones automatically update to the latest version?
It varies by phone and carrier. The HTC One (m8) that I have was updated this week to a new Android version. I had to approve the install and could have declined, but I did at least get an updated version.
OTOH, my Asus tablet... is probably still running the original Android that it shipped with.
The primary reason to password protect and encrypt the phone is to protect against the mundane threat of someone who steals your phone, then tries to leverage that to gain access to your financial accounts or other accounts.
If you travel on any form of public transit, it's a risk. (Pickpockets, muggers, etc.)
Granted, most thieves are only after the phone for its hardware value. But others will dig into the phone and see what sort of personal information they can glean (emails, bank details, list of contacts, passwords) and then try and sell that to identity thieves.
For modern phones, storage encryption has minimal impact on battery life.
Having to enter a 4-10 digit number every time you unlock the phone is a minor hassle. However, there are tricks where you can tell the phone to only lock (after 15 minutes) if it can't see a certain bluetooth / wifi signal.
When you speak of 4096 bit encryption, you are generally talking about RSA keys. RSA keys do not share the same "strength per bit" as symmetric keys like AES-128.
Most folks say that AES-128 is about equivalent to RSA/3072, and Elliptic Curve would need to be 256 bits to be roughly equivalent to AES-128.
The big upcoming problem with RSA is that the number of bits needed per key goes up rapidly as you need to get to stronger key sizes. To get something equivalent to AES-256, you would need a 15360 bit RSA key. Which makes Elliptic Curve crypto more interesting because you only need about a 512 bit EC key to match AES-256 strength.
Generally speaking, the chance of it going airborne is about as likely as you getting hit by lightning tomorrow. Changing how it spreads is generally really, really, hard for any virus - it would have to morph into a completely different family of viruses, at which point it would no longer be Ebola.
The bigger issues is that this is going to set those countries back a few decades or more in their development. Which means lots of instability in the region, which tends to result in bad things happening (wars, societal breakdown, less education, more poverty). That's going to kill a lot more people then Ebola does.
I can give you a few...
SSDs under WinXP gradually degrade in performance, because XP doesn't support SSD TRIM. On Win7, this is not an issue, so you don't have to wipe / reset the SSD / restore the operating system once a year.
Graphics performance of video drivers - I gained 20-30% performance switching from XP 32bit to Win7 64bit on the same machine, maybe even doubled performance. This was back when I multi-boxed EVE Online - I went from struggling to run 3 windows (at least one would only get 15-20 FPS), to being able to have 5-6 open (all with 40+ FPS).
The 32bit limit of 3-something GB of RAM is a bit limiting when Firefox is chewing up 500-800MB, Thunderbird is chewing up another few hundred MB, and a handful of other background tasks chewing up 40-50MB each. Moving to Win7 meant I could put in 8GB of RAM on the box, and make use of it.
Multi-tasking performance is just better in Win7 when compared to XP. Less hiccups / pauses / other strange slowdowns.
The window preview as you hover over the tasks in the task bar is addictive. Being able to see thumbnails of each application window makes it easier to pick which window to bring forward (another bonus for multi-taskers).
A bit more resilient then XP to being infected - not perfect, but a definite step forward.
We run Linux on the servers, but I'm quite happy running either OS X or Win7 on the desktops. Both get the job done well enough and stay out of the way.
(Running Win7 on a 2007-era Thinkpad T series, 8GB RAM, pair of SSDs, and only a dual-core Intel CPU.)
I've long stated that the worst thing the US DoJ ever did to Microsoft - was failing to force them to break apart into separate companies.
Operating systems should have gone one way (at which point, I suspect that modern versions of Windows would be posix-based, probably on BSD). The application stack should have gone another way (MSOffice running on just about everything, instead of being limited in order to sell Microsoft Phones). The hardware stuff into a 3rd company.
Instead of being separate companies and competing - now they are all bound together, fighting for their little fiefdoms tooth and nail, and slowly sinking into obscurity.
You can, and I'd guesstimate that about 50% of legit SMTP connections to our server are encrypted with TLS. But that number could also be as low as 10-20% (the 90% of all connections being spam zombies makes it harder to estimate).
I have not tracked the value over time to see if it is going up/down. And our site is not particularly large, so we don't have a good sample to pull from.
From my reading, it's possible to be infected for two or three weeks without visible symptoms. This means that there's plenty of opportunity for somebody in Africa to get on a plane and go somewhere else, and then have ebola hit. I have no confidence in confining it to one continent.
You need to go back and read again.
Until you are symptomatic, you are not infectious.
(And it's highly unlikely, as in lightning-strike odds territory, to become able to infect via airborne methods. It will remain a touch bodily-fluids and be infected virus.)
For DYI, the choice really does boil down to either pfSense or IPFire depending on whether you want BSD or Linux underneath.
Personally, I went with a full blown CentOS with Shorewall / OpenVPN on top, but it was definitely not the easiest thing to setup. Next time around I'm strongly considering a firewall distro.
There have been SD cards demonstrated that transfer 200-250 MB/s. Not sure why the larger card has a slower transfer rate, but there you go.
There's really only three Linux distros... Red Hat, Debian, everyone else.
Which is somewhat similar to the days where you had Windows 95/98 vs Windows NT - and you couldn't always run software from one on the other.
And really, once you get past the package manager, most of the differences between the distros are only skin-deep. It's all GNU/Linux underneath.
DANE is mostly to guard against rogue CAs. CA #1 cannot sign a certificate claiming to represent the domain that was actually certified by CA #2. So it limits the amount of damage that a rogue CA can get away with.
It may also eliminate the need for CAs and certificate altogether. You just store the public half of your certs in the DNS system.
Even if you don't do financial transactions on your site - consumers / customers / users are getting more savvy and want *any* personal information to be encrypted in transit. Login details are naturally something that should always be encrypted, but that also extends to things as mundane as URL history or search terms.
I just wish DANE was farther along (plus DNSSEC).
The bigger issue with MSAccess and where other tools fall flat is the ease of linking together multiple, disparate, data sources - without having to register dozens/hundreds of ODBC drivers - mashing the data together, then sending it off to yet another destination.
This is especially critical when you work with ad-hoc data sets that are somewhat or completely different from job to job, client to client, so putting that data into a proper database and writing proper SQL queries to massage it or slapping a web front end on it -- is not worth the time investment.
I've looked at OpenOffice/LibreOffice Base over the years. It's still an infant, not even equivalent to the old MSAccess 2.0 functionality yet. Import/Export of CSVs is difficult - it won't create the tables for you and create reasonable field definitions. Linking to another database requires an ODBC driver connection to be configured on the system.
Worse - it uses HSQLDB, where you have to put double quotes around all of your field/table identifiers. That makes it garbage - because you can not prototype a SQL query in Base, then copy/paste it to another SQL compliant database and get it to run without major changes.
I really cannot think of a reasonable workflow where that would make sense but I'm not trying to judge
The workflow is pretty much anyone who has to wear multiple hats during the day. Think of open tabs in background windows as short-term bookmarks.
One browser window with half a dozen tabs to keep an eye on the internal ticket system. Another window open with a dozen tabs to track stats on jobs in-progress across multiple days (so that you can just alt-tab to that window, glance through the tabs, rather then rummage for bookmarks or use the awesome-bar). Then typically one window per task / project with anywhere from 1-20 tabs.
As an example, let's say I need to look into GlusterFS. I can either re-purpose one of the my existing browser windows, or better, open a new one and keep all tabs relating to GlusterFS in a single window. I'll start with Google or the GlusterFS home page, then will start proliferating tabs as I find things that are interesting enough to be read, but I'm not ready to dive into that tab yet, nor is it something that I'll want as a long-term bookmark.
As I work through the various tabs, they either get bookmarked after I've read them or just closed.
Not hard to hit 100 tabs. Today is about average and I have 10 windows open, each has 1-15 tabs in it.
Of course, you should keep a record of those questions and answers so you can correctly answer them if the need arises.
That's what GPG encrypted text files were invented for.
One text file per account, the contents are a GPG ASCII armored encryption block containing things like the site name, password, account name, answers to security questions, or anything else.
I then store those text files in a version control system, which makes it easy to share across multiple machines.
(The weak link in all of this is the GPG key - but there are options to strengthen that like smartcards.)
Encrypt the tablet / phone - use a 6-9 digit PIN (which is a lot better then just a 4-digit PIN). Have the device wipe after 10 bad attempts (the default on Android).
Most thieves, when presented with that obstacle - will just reformat the device for sale rather then try and steal information off of it.
As for apps, keypass / lastpass are frequently mentioned. My personal preference is a strong master password in Firefox, and just let it remember the 100s of secondary website account passwords (i.e. not my bank, webmail, or other financial sites). The best choices are those where you setup your own webdav cloud storage on your own hardware, and use that to keep things synchronized.
Four words, strung together, can be a key space as small as 3000^4 (roughly 46 bits of entropy), especially if they are chosen from the top 3000 words in the dictionary. That's nowhere near 6.2 * 10^36.
Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other then the first letter adds 2 bits per word.
Basically, if you're using English language phrases / words without any munging, you're only getting about 2 bits per character. A bit lower if it's a grammatically correct phrase (~1.5 bits/character), a bit higher if it's random words strung together (~2.3 bits/character). That puts a 26 character phrase like you provided at somewhere between 39-60 bits (and it is always better to assume the lower bound).
Most attackers will assume 2-6 words strung together, from the top N lists. So just tacking words together is not safe. Or they'll use N-grams (sort of like Markov chains, but more general) and go after the most common phrases.
In comparison, an 8-character password, chosen from a field of 64 possibles per character (6 bits) is 48 bits strong. If you managed to use one of 90 possible characters per position, that is 52 bits strong (6.5 bits/char * 8 bits).
48-52 bits is just not a lot these days, if the attacker gains access to the hashed password and can attack it offline. Minimum bits of complexity really needs to be about 64 bits (10-12 characters, fully random) to deal with offline attacks, and 80 bits of entropy is far better.
These days the password on your email account is more important then your bank account password...
Because if they can gain access to your email, they can do password resets to gain access to dozens / hundreds of your accounts.
Some of the web email providers have 2FA (two-factor authentication) - those are probably better choices if you don't run your own email server.