Slashdot Mirror


User: doomy

doomy's activity in the archive.

Stories: 0
Comments: 436

Comments · 436

  1. Changelog : "Some Bug Fixing" on Dolphin, a 3rd Party Android Browser, Relayed URL Data · · Score: 1

    Their app for iOS (Dolphin HD) got updated today with the following changelog "some bug fixing.", that is not transparency.

    Regardless of the whole webzine thing, I'm concerned this developer was sending URL data of any site visited (banking, corporate, email etc.) in plain text to a server in China. There is a lot of data mining that can be done with URL data, especially older websites that stuff private data into URL.

  2. Re:This wouldn't be a big deal except on Google+ Account Suspensions Over ToS Drawing Fire · · Score: 5, Insightful

    The problem is that El Goog has almost no existing customer support service. If your account is compromised and/or disabled by Google itself, there is no place to seek help. The only place you could ask for help would be the Google support forum, which is actually run by users, no one hangs around there that can do administrative level work. The next issue is that G+ has an automated real name identification system and an account suspension system based on several automated features, currently there is almost no way to appeal an account suspension due to a non-existing customer support system. To test this system try changing your name (preferably on a throwaway account) multiple times, you'd find out that it would automatically suspend access to your account once that passes a certain threshold. The biggest issue is that once someone creates a G+ account, all their existing Google content comes under that account, thus a suspension of the G+ account means goodbye to gmail, YouTube, blogger, Calendar and so on... all content is disabled and it's almost impossible to get it back (unless you are a celebrity or your story gets published in media).

  3. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    The problem with his article is sensationalism. This isn't an issue that's unique to the Apple iPad or iPhone, this application (and the core derivative) would work on any smart phone/tablet device. And.... best of all it can be adapted to work on even physical keyboards. Instead of taking the iOS tangent, he should have stuck with the movie theory and actually showed how this is possible using a physical keyboard (differential lighting on keypress .. or a keyboard with backlight etc). IMO that would be more impressive.

  4. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    As I said before, if you read the PDF, he claims he started on this project cause the masked password entry was way too robust by default to exploit. I didn't feel that was the case as my own observation is different from what he claimed. The rest of what he did was excellent, not saying anything about that, I'm just saying his initial assertion that password entry masking was safe on iOS is invalid.

    Can you show a screen of the iOS you run and password entry? I'd rather he showed these videos but it doesn't fit his article.

  5. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    I'm sorry you feel that way. Could you show me a screenshot of your iPad with iOS 5 and the same screen (and which beta?). Also, it's already been claimed this is iOS 4.3.x above. No offense, but I did my best to show you how this looked on my screen, I liked the study and the little application they made, but the whole thing has holes in it as said above.

  6. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    I'm sorry, are you the person behind this video? Yes, I do like to pull an article apart to see the validity of the claims. As far as I can see, this person's iPad is not behaving as mine does by default. I'm not sure if that's cause he has iOS5.0 as I do not use that. Yes, I admit the keyboard thing was an error on my part, as I was reading his PDF I realized this was about non-simple passcode entry. As far as the password showing up, it doesn't happen on mine (and as others said doesn't happen on their iPads as well). The letters that show up are huge, it's very very easy to read it off, and they stick around for quite a bit, I could take two screenshots of a given passcode letter before it becomes a mask. I do like what he made, it's cool. But I wonder if he went this far on an assertion that was not completely true (ie. masked passwords cannot be read).

  7. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    I'm not sure if the video is doctored or not or if it's iOS5, why would they do an experiment like this on a non-production OS? background for anon

  8. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    Come over to here. We are having the same conversation in two branches. I'm on 4.3.3, default settings with non-simple password entry as I said before.

  9. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    No, that's not how it works. If you are observing the iPad, you can easily figure out what is typed by looking at the key that is being pressed, let me demonstrate (see the h). For some reason their iPad is not doing this :) Which is the case for the rest of their experiment.

  10. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    Yes, I tested it all out, there was no need for this extensive demonstration, as the assertion that password masking is completely hidden by default is incorrect (which is why they did the 2nd method). Their video's password entry does not work as it does on default on my iPad. On mine when I press a key, the key is momentarily shown on the line above before turning into a masked entry.

  11. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    Ah, let me point out what came out bogus to me when I read the PDF.

    The person claims this on page 3:

    We have long realized the danger of having passwords stolen through shoulder surfing attacks which is why it is truly rare to find an application that fails to mask passwords on screen. Even the iDevices (which we examine below) mask passwords by default. We take the fact that password masking is so ubiquitous as the obvious acknowledgement of the shoulder surfing as a viable attack method.

    Wait... This is where I have a problem, they claim that iOS masks the passwords by default and thus they have to use this other complex method of capturing what keys are pressed. My problem with this video demonstration is that they didn't have to go that far, they just had to capture the password, but they assert it is already masked.

  12. Re:Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    If you meant the non simple passcode entry, then why would anyone even need this App. The black keyboard given on there, actually echo whatever you type up on the empty line above, there is no need to capture keys. What you type is flashed right above in the white row over the keyboard.

  13. Article and Video is misleading on Exploiting the iPad's Glowing Keyboard · · Score: 1

    The iPad keyboard does not look like the one linked in the article, it's Apple grey/white.

  14. Re:Why I am not joining Google+ on Google+ Already At 10 Million Users · · Score: 1

    I'm a strong believer in having people use their real names in social networks, this I find is useful in weeding out a lot of strange interactions online. Having to use your real name and/or easily identifiable account seems to make people post more cautiously than they would anonymously.

    Having said that, I still feel the current enforcement of Google+'s real name policy and data deletion is not up to par with any type of decent policies I would expect Google to come up with. As this is a test phase, I hope this would be ironed out. Even a strike system ( like France's 3 strike or ISP's 6 strike) would be more agreeable instead of the current implementation.

    I would suggest people test Google+ with Google accounts that do not contain a lot of sensitive or valuable data.

  15. Re:Why I am not joining Google+ on Google+ Already At 10 Million Users · · Score: 2

    I'm sorry, in this case they have already implemented such a policy. In the case of the name scenario. A warning appears that if you do follow with the change to your name, all information in your account would be deleted and account access would be blocked. Test it out on a throwaway account. This harsh warning/implementation would probably be changed at a later time, but right now I do not feel linking my content to a service that can quickly delete it.

  16. Re:Why I am not joining Google+ on Google+ Already At 10 Million Users · · Score: 4, Interesting

    I left Google+ due to their data deletion policies, Google+ would blanket delete your entire Google existence without warnings if you even innocently did something that they did not like on Google+. With such a policy, I do not feel comfortable having Google+ linked to the rest of my Google data.

    I am a content creator, and I would not like having things on my various accounts deleted cause of a simple policy violation. I figure they still have to iron out the legal issues to do with this, but till they figure it out, I'm out.

    For example: If you change your name 5 times (or just correct it), Google says it would delete all your information. I kid you not. Saw this dialog and felt Google+ was not for me. As a content creator, I already deal with similar issues on YouTube, at least there you can appeal.

  17. Re:First post. on Sunlight Foundation Announces 'Sarah's Inbox' · · Score: 1

    Looks more like an advertisement for Yahoo! mail.

  18. They should have a school for copyright trolls. on Google Sends Repeat Infringers To Copyright School · · Score: 1

    I make original game video on my YouTube channel, even then I get my videos claimed by people like "IMG Media UK" (google them) weekly, basically they go around throwing DMCA on video they find just to have people subscribe to them. To the point videos that aren't disputed are removed from YT.

    A few months ago another copyright troll (Kanobu Networks) tried doing this on a bunch of my videos that they ripped from my channel (Yes they ripped my video, re-posted it and claimed copyright on the original video). Frustrated with a lack of option to deal with this type of copyright troll, I looked around for other victims of Kanobu and had them protest on Kanobu's YT channel (since google does nothing to stop copyright trolls). Eventually Kanobu got so many negative comments that they stopped claiming copyright on other people's YT videos and apologized. Kanobu too was trying to get subscription to their channel.

  19. Let me google that for you on Comodo Says Two More RAs Compromised · · Score: 1

    Well, apparently Comodo systems are so secure that they are hacker proof.

  20. Re:Illegal in what country?! on Man Accused of Selling US Military Drones On EBay · · Score: 1

    This guy gets 20 years, meanwhile the US soldier proudly defend our freedom in Iraq (according to his parents), by hunting/killing civilians, cutting their body parts and filming it gets out in 8 years.

  21. Re:What about CentOS? on Red Hat Nears $1 Billion In Revenues, Closing Door On Clones · · Score: 4, Informative

    Straight clones should still be possible as long as redhat complies with the GPL, the main things their changes to kernel packaging will do is

    1: make it harder for unrelated distros (e.g. debian) to piggyback off redhat's long term support work for kernel releases
    2: make it harder for anyone else to provide high quality support for redhat's patched kernels by making it much harder for them to answer the question when something goes wrong of "what did redhat change and why".

    Debian does not use Redhat kernels. Two different distributions, packing systems and philosophies.

  22. Re:Security researchers or confidential informants on Hacker Posts His Crime On YouTube, Lands In Jail · · Score: 1

    This seems to be their YT channel - http://www.youtube.com/user/XxxxETAxxxX

  23. Re:Missiles for oil? on UN Intervention Begins In Libya · · Score: 2

    That's about 5-7 years of NPR funding right there.

  24. Re:One-line summary. on A Look Inside the Bustling Cybercrime Marketplace · · Score: 2

    She must have got the whole IRC idea from Numb3rs' description of IRC.

  25. Re:Ok you've got my attention on EFF Says 'Stop Using Haystack' · · Score: 5, Informative

    Here is a better explanation of what happened by Danny O'Brien (http://twitter.com/mala)

    ---- posted in verbatim for /. proof ----

    There's been a lot of alarming but rather brief statements in the past few days about Haystack, the anti-censorship software connected with the Iranian Green Movement. Austin Heap, the co-creator of Haystack and co-founder of parent non-profit, the Censorship Research Center, stated that it had halted ongoing testing of Haystack in Iran; EFF made a short announcement urging people to stop using the client software; the Washington Post wrote about unnamed engineers who said that lax security in the Haystack program could hurt users in Iran.

    A few smart people asked the obvious, unanswered question here: What exactly happened? With all that light and fury, there is little public info about why the world's view of Haystack should switch from it being a step forward for activists working in repressive environments that provides completely uncensored access to the internet from Iran while simultaneously protecting the user's identity to being something that no-one should consider using.

    Obviously, some security flaw in Haystack had become apparent, but why was the flaw not more widely documented? And why now?

    As someone who knows a bit of the back story, I'll give as much information as I can. Firstly, let me say I am frustrated that I cannot provide all the details. After all, I believe the problem with Haystack all along has been due to explanations denied, either because its creators avoided them, or because those who publicized it failed to demand one. I hope I can convey why we still have one more incomplete explanation to attach to Haystack's name.

    (Those who'd like to read the broader context for what follows should look to the discussions on the Liberation Technology mailing list. It's an open and public mailing list, but with moderated subscriptions and with the archives locked for subscribers only. I'm hoping to get permission to publish the core of the Haystack discussion more publicly.)

    First, the question that I get asked most often: why make such a fuss, when the word on the street is that a year on from its original announcement, the Haystack service was almost completely nonexistent, restricted to only a few test users, all of whom were in continuous contact with its creators?

    One of the things that the external investigators of Haystack, led by Jacob Appelbaum and Evgeny Morozov, learned in the past few days is that there were more users of Haystack software than Haystack's creators knew about. Despite the lack of a public executable for examination, versions of the Haystack binary were being passed around, just like unofficial copies of Windows (or videos of Iranian political violence) get passed around. Copying: it's how the Internet works.

    We were also told that Haystack had a centralized, server-based model for providing the final leg of the censorship circumvention. We were assured that Haystack had a high granularity of control over usage. Surely those servers could control rogue copies, and ensure that bootleg Haystacks were exc