Slashdot Mirror


User: DrYak

DrYak's activity in the archive.

Stories: 0
Comments: 5,713

Comments · 5,713

  1. Actually real. on Nintendo Is Repairing Left Joy-Cons With ... a Piece of Foam? (polygon.com) · · Score: 1

    now it's almost as pathetic as "THIS IS THE YEAR OF LINUX!"

    Yeah, go tell that to your smartphone (a huge proportion are running Android, which is running on Linux, though not on a GNU userland), and/or your tablet, and to the wireless router/modem they are connecting to (it's almost impossible to find one which is not running Linux + Busybox nowadays). Not even speaking about your TV set (most SmartTV firmware runs Linux).
    Even the Intel Management Engine (the small always-on microcontroller inside the motherboard of your laptop/workstation that is used for remote administration in enterprises) runs some Linux variant.

    You're literally interacting daily with dozens of devices running the Linux kernel without even noticing it.

    Seriously, it's been the "year of Linux on everything except your desktop" for ages.

    I swear "NINTENDO IS FINISHED! 3RD PARTY WHEN?" yet, here they are still making consoles.

    Even if they are not dropping their still very profitable console business, Nintendo is slowly expanding into other hardware. (See their "Pokemon" IP showing up in smartphone apps - though this one was done through an external studio, Nintendo basically only providing the IP.)

  2. Austin Powers references aside, that's actually a good idea:

    - 75k USD is actually indeed a very small sum. So small that Apple's PR department can easily cough it up (there are probably rounding errors in Apple's marketing budget that are bigger than that) without it even being noticed in Apple's finances.
    i.e.: It's pretty cheap for Apple to hand over the money just to make them shut up and get them out of mind.

    - 75k USD can actually mean a lot in Turkey (if the hacker group are Turks, as they claim) given the local buying power. The sum might seem ridiculously small to the US /. audience, but it might be comfortable enough for the hackers.

    - The hackers have even said that they would accept 75k in iTunes cards. That's money that will eventually get spent on Apple goods and services anyway. Apple's tax evasion special...^H financiers will probably find a way to write it off as a loss and still profit from it.

  3. Control distribution : Nope. on W3C Erects DRM As Web Standard (theregister.co.uk) · · Score: 3, Insightful

    If I create some original digital content should I not have the right to set the terms of use and distribution?

    Nope. You should not.

    In the grand scheme of things, what you should have the right to, is to be paid for the act of creation of the content.
    (You should get remuneration for your work, not be entitled to use it as a rent.)

    But for historical reasons, the point at which money got collected was traditionally at the distribution, because back at the time when copyright laws were emerging, duplicating and distributing content was hard (if not the hardest part of the pipeline). And thus it was a happy chance that it could also help finance upstream creation.

    But nowadays, once we're out of the dark ages and into the information age, with everything going digital, duplication and distribution is boringly trivial and can't be justified any more. Artists still need to get paid to create (they need to eat, after all), but the point at which the money is collected doesn't make any fucking sense anymore in the modern setting.

    (Also note that a few small indie artists are moving out of this business model, and going back to older concepts of patronage. See platforms like Patreon, Tipeee, etc.)

  4. What's wrong with you people ?! on Japanese Company Develops a Solar Cell With Record-Breaking 26%+ Efficiency (arstechnica.com) · · Score: 2

    What's wrong with you ?

    There's a new better photovoltaic cell, that is actually produced by an actual manufacturer (Kaneka) and could soon be matched by other actual manufacturers making real cells in the real world (Panasonic and Tesla mentioned), and not simply one of those "small research team in some university lab makes a small breakthrough that could increase cell efficiency. In theory. Probably within 25 years when the discovery finally reaches actual production at a real-world manufacturer".

    And all you people bicker about how the numbers are presented in the summary ?

    What's next ? Going ape-shit crazy about some shirt that a scientist is wearing, instead of paying attention that he's announcing that they managed to land a probe on...

    oh, wait!

  5. The actual real problem with Mars... on SpaceX Disappointed In Lack of NASA Mars Funding; Starts Looking For Landing Sites For Its Own Mars Missions · · Score: 5, Insightful

    Is that it has no immediate practical military applications.

    Whereas :
    - ...landing a team of humans on the moon (the things brought out of Earth low orbit, capsule+landing module etc = 25 tons)
    - ...landing a very small probe on Mars
    - ...launching a huge communication satellite into Earth orbit.

    All require a big rocket powerful enough to lift 25 tons into orbit.
    A rocket with very practical military applications :
    - ...it is strong enough to put a big spy satellite (the classified cousins of the Hubble telescope) in low orbit.
    - ...it is strong enough to launch the biggest nuclear warhead ever (see Tsar Bomba) and reach any point on the globe.

    So governments are sure to throw a lot of money into it. Both sides of the iron curtain did it during the cold war.
    The race to space / to the moon wasn't as much a race to reach space as a covert way to show off "I can nuke any point of the globe".

    In the meantime, being able to launch a human-carrying capsule all the way to Mars needs a much more powerful rocket (heavier mass to launch than a probe / or further to launch than to the moon), which doesn't make any sense from a military point of view : you're not going to pack several Tsar-bomba-class nukes to the same destination.

    Alternatives are using several normal launchers to slowly build, step by step, an interplanetary vehicle in Earth orbit and use that to shuttle people around to/from Mars.
    That's the thing which makes the most sense from a civilian point of view (re-use existing proven launcher technology, and tons of further scientific discoveries and potential applications of developing an "orbital shipyard / construction site" capability).
    But again no concrete immediate advantage for the military (what's the point of having a huge space-borne platform ? dropping rods from space ? When you can already simply nuke any point on earth ?)

    So you can't easily get government money for that.
    So NASA, SpaceX, and co will need a way to finance these kinds of "for Science !" projects privately.

  6. I would guess that the difference is that a satnav device gives you step-by-step instructions that you can blindly follow.
    ("Turn left, turn right, stay in the left lane, etc.") The information is very low level and simple. Almost giving you direct instructions about what to input on the control interface of the car.
    (i.e.: you're mostly thinking about turning the wheel, pushing the pedals and fiddling with the transmission stick)

    Whereas a passenger with a map will *communicate* with you. You'd be having a discussion about where you're going.
    The passenger might give much higher-level instructions :
    ("See that traffic light at the end of the street? You'll need to turn left there" vs. "Stay in left lane. [pause] Turn left").
    You and your passenger are communicating about your spatial environment.
    And therefore your brain needs to think in terms of spatial location in order to parse and process the information given by your passenger.
    (i.e.: you are still thinking spatially, because you need to process speech about spatial cues).

    Now although IAAD, I'm not a neuropsychiatrist so the above guess might be wrong.

  7. What shape is your hand ? on Apple iPad is a Faster, Cheaper iPad Air 2 (cnet.com) · · Score: 1

    There's a huge difference between "portable" and "I can comfortably hold this with one hand for an extended period of time".

    Again, we're not speaking about something shaped like a brick.

    We're speaking about 6.1mm vs 7.5mm.
    i.e.: differences in the mm range, in an object that's less than 1cm thick.

    What weird shape does a hand have so that a 6.1mm thick object can comfortably fit for an extended period of time, but a 7.5mm thick object suddenly can't anymore ?!
    I just can't get why people are paying so much attention to mm differences in objects that are thin enough for nearly all common use cases...

  8. Thicker: So what ? on Apple iPad is a Faster, Cheaper iPad Air 2 (cnet.com) · · Score: 1

    Do you really need that much to be able to cut cheese with your tablet ?!

    I understand that it's preferable for gadgets not to weigh 1 metric ton, and not to be as fat as a cinderblock, but as long as they are portable does it really make sense to chase after every last millimetre ?

  9. The password isn't the password. on New Technology Combines Lip Motion and Passwords For User Authentication (bleepingcomputer.com) · · Score: 2

    The password here (i.e.: the word that is spoken) isn't what plays the role of password (it's not the actual word itself that unlocks the machine).
    As mentioned, this technology doesn't use any voice recognition.

    The thing which acts as a password (the thing which decides to unlock or not) is the particular way in which your mouth moves when composing the sound of the word.
    The word only plays the role of a mnemonic : a thing that helps you remember the combination of elements - i.e.: the order of mouth movements that you need to do to unlock the session.

    You could try to do the same motion noiselessly if you want (and if you actually manage to do the same lip motions).

    ---

    Now, there's a strong correlation between sounds and lip motions, and somebody overhearing you would have a good starting point at trying to guess what your camera sees.

  10. These kinds of "biometric unlock" (like also a fingerprint scan) are used as a quick way to unlock instead of having to input a strong password.
    They're the equivalent of a PIN code, not the equivalent of a 16-character-long strong password.

    So if you can't lip/mouth your biometric pass, you simply do as you would if your finger was unavailable (= harmed, and covered with a band-aid) for fingerprint scans:
    you type instead the strong unlocking password to log-in.

    Now the problem is that you probably use your PIN-like biometric because it's faster and easier, and thus avoid using the strong password.
    And thus by never using it, there's a risk that you'll forget it.

    Seriously, how many people around here know the PUK to unlock their SIM card, as opposed to the PIN ?

  11. The point is don't try and sell this as a "combined" security model when one half of the system is essentially compromised, simply by using it as intended.
    Unfortunately, the other half of this system will ensure the entire thing is marketed as the best "multi" factor authentication solution in the entire universe.

    From a purely technical point of view, it *is* multi-factor :
    - something you have/are : Your lips (or more precisely : their peculiar shape and your personal way of moving them when making some sounds).
    - something you know : A certain order in which you present the above lip motions (though it's linked to the sound you're making, and if somebody can overhear you, they have a decent starting point at guessing what motions you were doing with your mouth).

    Currently, it's not being marketed *for being multi factor*.
    Currently, it's being marketed for the fact that you *can* change the "something you have/are" part. It's a changeable type of password/biometric, which is unusual among other biometrics where you can't change the "something you are" part (you can't easily grow an extra finger with a new fingerprint whenever a previous one was compromised - using gummy bears or whatever).

  12. There's a company called Everdreamsoft (I have a friend working there) that has a working prototype for in-game assets.

    Buy (on a market place) or receive (in one of the games) an asset (usually cards for a card game), then you can use that asset in any other of the games that you play. A blockchain is used to keep track of which assets are in the possession of which player.
    (No steam-like central authority).

  13. Still missing a way to cram the word "Organic, gluten-free, equal gender representation" into the title.

  14. Privacy : cash is better than bitcoin on Ask Slashdot: How Does One Freely Use Bitcoin In the Land of the Free? · · Score: 5, Informative

    And for the last time,
    bitcoin IS NOT DESIGNED with anonymity in mind.

    It is designed for being a distributed system with no central authority (in theory at least).
    And this system works by replacing any central authority with a consensus among all the nodes of the network.
    Which is achieved by all (full) nodes of the network having, by design, a local copy of the whole ledger (= the blockchain).

    That means each of them can see any single transaction you did at any point in time.
    (Again, by design. That's how the bitcoin protocol can reach consensus and trust without needing any central authority to act as a reference).

    That means that no, you're not anonymous, I can see all the transaction you ever did inside the blockchain on my own locally run node.

    At best, bitcoin protocol provides pseudonymity.
    It's not like Facebook, which requires real names.
    Transactions aren't officially done in the name of your real identity, they are done in the name of some base64-encoded public key.
    And normal clients are constantly shuffling sums around so there might be hundreds of transactions between the time you received some amount of BTC and the time you spent them at an online shop where you ordered something to be mailed to you (and thus where some physical-world coordinates can be linked to your bitcoin identity).

    That mostly prevents casual/accidental snooping.
    But that's not beyond the data-mining capability of any government-level agent.
    If your neighbour wants to spy on you, he can't do it easily.
    If any three-letter agency wants to track you, they just need to spend some of their tremendous computational power.

    You are not anonymous on the bitcoin network (at least not to governments).
    And that's part of the design (it also helps you trust the network without needing there to be a "Bitcoin Global Inc." to be held accountable).

    Also, because of the lack of central authority, nobody can prevent you from spending or receiving any BTC money.
    Governments can see you and track you in the global ledger, but they can't prevent you.
    There's no PayPal, Visa, or any other company that can block transactions.
    Transactions can happen between any end-points as long as they conform to the bitcoin protocol.

    (And that is one of the big motivations behind the rise of bitcoin protocol : people getting fed up of their account getting frozen for any random reason.
    e.g.: see donations to WikiLeaks)

    If you want (relative) lack of control AND total anonymity, as suggested above : USE CASH.

  15. And I just don't give a damn where I left the car.
    That's the problem for the next customer of the station-less car-sharing scheme.
    (And this next customer just uses the map in their app to find the nearest available parked shared car).

    ---

    i.e.: systems where you take a car wherever you find it, and leave it wherever you want within the boundary of the zone where the scheme is in place.
    The car sharing company has an extremely wide-area parking pass that allows the car to be left parked nearly everywhere.

    No specific stations where you need to return the car - like it's the case with classical car-sharing schemes.

  16. No, the drives will have been imaged through a hardware device that blocks all attempts to write, and their work will be on their own computers running their forensic software against the images of his drives, with his original drives safely in the evidence lockup.
    And if criminals start using drives with custom firmware to foil this

    This is not a custom firmware.
    There is a thing in the ATA protocol dating back to when it didn't even have the initial "P" in front to contrast with SATA yet :
    HW access to the hard drive can be password protected.
    No password ? You can't even access the blocks on the device, it refuses to read them.
    I think I remember that the first Xbox did use something similar to try to protect the content of its disk.

    Probably most modern SSD drives should be able to do it.

    And if criminals start using drives with custom firmware to foil this (they've already read the first GB sequentially? return gibberish and erase everything!), the cops will then be removing the control boards and substituting their own before they do the imaging.

    A long long time ago, it used to be possible to swap the control boards of spinning rust media and still get something remotely meaningful if you squint enough at it.
    (The only thing you'd be losing by doing that would be the mapping from the physical sectors on the actual disk platter to the logical block addresses (LBA) as seen by the computer on the SATA bus, as handled by SMART running on the controller to remap old defective sectors.)

    With a modern SSD, you'd be losing the layer of encryption that the controller board does on the fly when writing to the flash media (it's a standard protection feature of most controllers, with the exception of maybe a few dirt-cheap no-names that you wouldn't be using for these kinds of missions anyway), in addition to all the mapping (done by the flash translation layer, which is much more complicated than SMART because it handles all the wear levelling).
    Basically an SSD, without the controller board that was used to write the data, is just plain gibberish.

    And that's *another* layer of gibberish in addition to the whole-drive encryption done by the OS.

  17. DRBD / Mars on Ask Slashdot: How Would You Implement Site-Wide File Encryption? · · Score: 1

    You wanted "a version of raid for use with servers".

    Which is exactly what DRBD and Mars data block devices are doing.
    But they only do RAID1 (replication) across servers.

    RAID5/6 (1/2 parity out of N total) isn't supported yet by any direct approach.

    Doing software RAID5/6 over iSCSI seems the closest doable with current technologies.

  18. Small details. on Tim Berners-Lee Warns About the Web's Three Biggest Threats (webfoundation.org) · · Score: 3, Interesting

    We must push back against misinformation by encouraging gatekeepers such as Google and Facebook to continue their efforts to combat the problem,

    Notice the plural (emphasis mine)

    while avoiding the creation of any central bodies to decide what is "true" or not.

    That is literally what "gatekeeper" means, Tim.

    There's a subtle difference :
    - Tim wants the companies (plural) spreading information/news to do a little bit of work to help assess the reliability of facts in the links that people pass around.
    - Tim does not want a single central entity becoming the official authority on all truth (he doesn't want a central "Ministry of Truth").

    They aren't contradictory.
    But without paying attention, there's a risk that one devolves into the other.

  19. WHERE do you find an area with no signal?

    The whole point is *VIRTUAL*.

    The host's virtual manager (e.g.: Virtual Box running on the Host GNU/Linux distro of your choice) is in charge of what happens.
    Windows 10 is installed on a virtual machine; that machine has no network device simulated at all, only a shared directory (Note: Under VirtualBox, shared directories don't work over the network, but use a dedicated separate API offered by VirtualBox. No need to expose the virtual image to the network in order to exchange data. Windows 10 can't phone home.)

    It happens this laptop has wider radio capabilities than wi fi and there is no interface to see what the laptop radio is saying over what frequency,

    Again, I'm speaking about a virtual machine. A VM will only have as much functionality as you decide to make available to it.
    If that machine has no access to Wifi, nor Bluetooth (well, technically to the USB bus on which a Bluetooth device is available. But in practice the result is the same : if you're not passing it to the VM, then the Windows 10 running on the VM can't do much).

    The point is to be able to be online without danger, not to be completely isolated. Maybe Win 3.1 was fully isolated, but these new windows do not seem to be able to stop being in permanent conference.

    Hence the idea :
    - use a normal decent OS to do the actual online work and which has an access to the internet.
    - for the things where you absolutely need Windows 10, keep a copy inside a VM that is completely isolated.

    Whenever you need *that weird piece of software* that absolutely refuses to work under anything but Windows 10, then you can fire up the Windows 10 VM and run the software.
    For everything else, use a "Real Operating System (tm)"
    (most Unices will do)
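
The setup described in this comment, as an added example (my own script, not the poster's): it generates the VBoxManage commands that set every simulated NIC of the guest to "none" and attach a host directory as a VirtualBox shared folder, and it audits the VM's `VBoxManage showvminfo --machinereadable` output to confirm that no NIC remains enabled and the shared folder is present. The VM name, share name, host path, the two sample outputs and the assumption of 8 NIC slots are constructed; the `nicN` and `SharedFolderNameMachineMappingN` key names are the ones VirtualBox prints in machine-readable mode.

```python
import shlex
import subprocess

# Constructed sample of `VBoxManage showvminfo <vm> --machinereadable` output
# for an isolated guest: every NIC slot is "none", one shared folder attached.
SAMPLE_ISOLATED = """name="Win10-isolated"
nic1="none"
nic2="none"
nic3="none"
nic4="none"
SharedFolderNameMachineMapping1="exchange"
SharedFolderPathMachineMapping1="/home/user/vm-exchange"
"""

# Constructed sample of a guest that can still phone home: nic1 is NAT,
# and no shared folder has been attached yet.
SAMPLE_LEAKY = """name="Win10-default"
nic1="nat"
nic2="none"
nic3="none"
nic4="none"
"""


def isolation_commands(vm_name, share_name, host_dir, nic_slots=8):
    """Commands that disable every NIC slot and add a host directory as a shared folder.

    nic_slots=8 is an assumption about how many adapters the chipset exposes.
    """
    cmds = [["VBoxManage", "modifyvm", vm_name, f"--nic{n}", "none"]
            for n in range(1, nic_slots + 1)]
    cmds.append(["VBoxManage", "sharedfolder", "add", vm_name,
                 "--name", share_name, "--hostpath", host_dir])
    return cmds


def parse_machinereadable(text):
    """Parse key="value" / key=value lines into a dict."""
    info = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        info[key.strip()] = value.strip().strip('"')
    return info


def audit_isolation(info, share_name):
    """Return a list of findings; an empty list means the guest is isolated as intended."""
    findings = []
    for key, value in sorted(info.items()):
        # nic1, nic2, ... hold the adapter type; nictype1 etc. are skipped
        if key.startswith("nic") and key[3:].isdigit() and value != "none":
            findings.append(f"{key} is {value!r}; expected 'none'")
    shares = {v for k, v in info.items() if k.startswith("SharedFolderNameMachineMapping")}
    if share_name not in shares:
        findings.append(f"shared folder {share_name!r} not attached")
    return findings


def apply_isolation(vm_name, share_name, host_dir):
    """Run the commands against a real VirtualBox install and audit the result."""
    for cmd in isolation_commands(vm_name, share_name, host_dir):
        print("+", " ".join(shlex.quote(c) for c in cmd))
        subprocess.run(cmd, check=True)
    out = subprocess.run(["VBoxManage", "showvminfo", vm_name, "--machinereadable"],
                         check=True, capture_output=True, text=True).stdout
    return audit_isolation(parse_machinereadable(out), share_name)


if __name__ == "__main__":
    for label, sample in (("isolated", SAMPLE_ISOLATED), ("leaky", SAMPLE_LEAKY)):
        print(label, audit_isolation(parse_machinereadable(sample), "exchange") or ["OK"])
```

The audit is the part worth keeping around: re-run it after any VirtualBox upgrade or after importing an appliance, since a restored configuration can silently bring a NAT adapter back.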

  20. Comparison with competition on Windows 10 Is Just 'A Vehicle For Advertisements', Argues Tech Columnist (betanews.com) · · Score: 4, Interesting

    And, somehow, Microsoft is responsible for the shit that NVIDIA puts in its drivers, obviously.

    Given that Microsoft is making the only platform where it is possible for Nvidia to show said slideshow of ads, yes, indeed, Microsoft might be sharing a bit of the responsibility.

    (e.g.: under Linux you add the 3rd party repository from Nvidia containing the driver to your package manager, and then let the package manager handle the installation as with any other base or 3rd party package. At most, some package managers can show *textual* release notes or licensing information.)

    (on the other hand:
    - the official market for Nvidia on Linux is professional users who use the cards for art rendering, scientific computations, etc.
    They already pay a premium for the card. And there might not even be a human user to see the ads during the upgrade of some node on the compute cluster.
    - the biggest market for Nvidia on Windows is mostly gamers.
    So shove as many ads as possible down their throats to get them to buy even more extra useless gizmos.
    And don't be afraid, they'll come back to the (overfilled with ads) installer next week, when they need the latest patch with hacks to optimise that week's new game.)

  21. Real world on Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com) · · Score: 1

    The fallacy in your line of reasoning is that there is somehow only a limited set of such rules that anyone could feasibly apply. There is not

    Yes, in theory, there are countless ways to apply the rules, thus giving a combinatorial explosion in the search space for hackers.
    And you are probably one of these precious snowflakes who actually apply these rules as needed.

    But in practice, because most people are lazy, they tend in general to follow only a handful of patterns.
    In the experience of security researchers : when considering a huge treasure trove of passwords, most of them will follow one of the very few ultra popular and ultra simple patterns (like "if asked to use mixed case : simply capitalize the 1st letter. Put the required number at the end [and don't be original, just use the current year]. Put a '!' after the number if required to use punctuation").

    To give an example :
    let's say you ask people for a color and a tool.
    In theory you could get tons of esoteric combinations, like "tangerine" and "tuning fork".
    In practice, when pressed for speed, a huge number of people will pick "red" and "hammer".

    For example, let's say I use a rule where a specific sequence of word {...}

    Yes, your unicorn of a password might be both secure and follow the rules at the same time.

    But in practice the vast majority of people will be lazy and won't produce something original. They'll end up choosing something simple and obvious.
    They are bored by the rules and will choose the easiest solution.

    and the date that I last changed the password, for example

    and that's far from being rare. Guess how many people will pick (parts of) the current date (most of the time the year, in 2 or 4 digits) when required to use digits by the rules ? A lot of them.
    You might use a complex word association pattern to encode it, most of the people will just slap it at the end.

    but unless someone knows exactly what my thought process is on how I go about this,

    Hackers don't target you specifically (usually).
    They don't think at the level of individuals.
    They think on the scale of leaked databases.
    When they have a collection of a million salted hashes, they won't try to get *your password* specifically. They'll try to get as many passwords as cheaply as possible. And because people are lazy and stupid a very huge fraction of these passwords will have more or less followed the same thought process, and generated a very simple pattern.

    So while you're happy that your password was very personal, half a million other passwords got cracked, because they were trivial (and were modified in a trivial way to include the required extra characters) and are currently being tested for password re-use at critical sites (e.g.: banks ?)

  22. Frequency of important update on Microsoft Admits Mistake, Pulls Problematic Windows 10 Driver (betanews.com) · · Score: 1

    Apple has always let the user decide when they want to install updates. {...} Apple will VERY OCCASIONALLY automatically push an extremely critical update to fix glaring security problems, but has done this very rarely.

    The key point is that Apple's Mac OS X, on the simple ground of being a Unix (more or less BSD based), has not so awful security, and thus only needs extremely critical updates very occasionally.

    Microsoft's Windows editions are such a catastrophe (very large attack surface) that Microsoft cannot allow end-users to disable updates : some of that regular avalanche of patches and fixes might plug an exploitable hole. After a couple of weeks an unpatched Windows is pretty much sure to become a zombie in some botnet.

  23. Yes, currently snapchat doesn't have much to monetize (at least not if they respect their promised privacy and ephemeral pictures).

    BUT snapchat has still something valuable: it has *USERS*.
    Facebook might have tons of them, but they are mostly users who stayed around from before.

    First there was Geocities, then there was MySpace, then there was Facebook... Zuckerberg knows the trend, he knows that Facebook isn't going to last forever.
    That's why he's been keeping an eye open on the social network market, in order to see in advance where the next trend is going so his company manages to stay relevant even if the crowd of users on Facebook gets older.

    WhatsApp got popular, it threatened to become "the next Facebook" just like Facebook managed to replace MySpace... so Facebook bought them
    (now new WhatsApp users are in the end new users for the big Goliath, and even if old age and attrition eventually phase Facebook out, the company will still be relevant).

    Same with Instagram : it got popular, Facebook phagocytosed it.

    Now comes Snapchat. It's the latest popular social app among the youngest generation (those who aren't part of some virtual social network yet. And whose parents and grandparents are on Facebook/WhatsApp/Instagram, so they definitely don't want to be on those... So they pick up the latest kid on the block which seems to be Snapchat).
    So even if Snapchat is far from being a dominant platform now, it is still gaining momentum and that's where the new users are going to...
    (And there are signs : it's got its first rising celebrities, its first scandals, etc.)

    but Facebook has no way to buy that new "Facebook replacement wannabe".
    They don't see an immediate way to avoid becoming the "newly replaced MySpace".

    It's not a question of whether Snapchat can be economically stable - and thus if there's enough data to mine right now.
    It's a question of where the new young users are going to - and how Zuckerberg's company can manage to stay relevant and not get eventually replaced one day the way MySpace was.

    So for now Facebook is banking on aping as many features as possible in a bet to remain attractive,
    and hoping that they'll be able to run Snap Inc. into the ground before it becomes sustainable enough and before it has attracted too many of the new "not yet on some social network" teens.

  24. Patterns are the problem on Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com) · · Score: 3, Insightful

    What study?

    I'm kind of lazy to google all the sources by myself.
    The general approach is *pattern-based*.
    I pointed to a presentation on YouTube but there is other independent research all arriving at the same conclusion.
    They are mostly done by applying pattern-based cracking either to leaked hash databases or to hash databases volunteered by organisations.
    So it's not theoretical work, it's mostly noticing what is happening in the wild when you try enforcing password rules.

    doesn't mean they are totally BS. {...} But OBVIOUSLY password rules force the user to avoid the common pitfalls in password selection and will more likely cause your users to have passwords that are not easily cracked.

    The problem, as discovered among others in the presentation in my previous post, is that by trying to avoid common pitfalls in password selection:
    - not enough variation if passwords are all lower-case-only characters (it's only 26 symbols per position)
    you do not actually avoid the pitfalls
    - if applied accurately that would give 26 lower + 26 upper + 10 digits + even more punctuation per position
    but push the people into a different set of pitfalls.
    - people are lazy. Most of the time, it was discovered, they'll just upper-case the first letter and slap the required extra digits at the end. And add '!' after that if they can't get around punctuation. That's still 26 possibilities per position, with a few more things (nearly negligible) at the end.

    So... what's easier to guess "password" or "Denver17!" ? I know what I'm going to bet gets broken first..

    Both are in the "basically worthless" category.
    the first one is straight out of a word list.
    The second follows one of the most common patterns: "Llllll##?".

    In theory, if a user used all possible characters at any position, you'd be getting "26 lower + 26 upper + 10 digits + 10 punctuations" = approximately 74 symbols per position. A 9 character long password would in theory get 74 ^ 9 or approximately 56 bits of security. Not much, but still something.
    In practice, most passwords abiding by the rule will be one of the few common patterns such as above.
    Without taking dictionaries into account, only the symbols at each position of the pattern, the above is 26 ^ 6 * 100 * 10 or only 38 bits of security.
    You lost about 18 bits of theoretical security, just because your users are lazy as shit.
    There are about a dozen such overwhelmingly common patterns (so you're looking at best at 41 bits of security. If you only use salted hashes in your password database and it gets leaked, the vast majority of your user passwords will get cracked appallingly fast).

    And that's without factoring in dictionaries. (Look at all the 6 letter words that you can fill in the first part of the pattern, first use a few common combinations for the numbers (current year, '13', '69', etc.) and you can basically go for '!' and leave the rest of the punctuation for later). At that point, in case of a database leak, tons of passwords will get insta-cracked and the attackers can already start probing for password reuse even before the end users have had enough time to be alerted about the leak.

    You want to stack the deck in your favor where you can, so if that means forcing your users to follow some rules in password selections gets you 50% more secure passwords.... Do it..

    In practice, you only get marginally better security, because the users will resort to simple schemes just to get around the rules.
    People are lazy and will resort to the simplest pattern possible just to get around the rules.

    In this case, I'm not inclined to believe password complexity rules are just bad,

    They are bad in that they push non-security-minded end users to do things which are nearly entirely predictable for the password cracker.
    i.e.: they are actually not adding any significant amount of security.
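
The bit-counting in this comment and in comment 21 above, carried out in code as an added example (my own, not the poster's): it reduces a password to its per-position symbol-class mask in the comment's "Llllll##?" notation, computes the keyspace of a mask, compares it with the theoretical full-charset keyspace, and flags candidates whose mask falls into a list of common patterns, which is the defensive use: a password-policy check can reject such candidates at enrolment instead of relying on composition rules alone. The `COMMON_MASKS` list is constructed for illustration (not taken from any study), and the full charset is counted as 26+26+10+10 = 72 symbols (the comment rounds this to about 74); the function names are mine.

```python
import math
import string

# One character per password position: the symbol class that position belongs to.
CLASS_SIZES = {
    "l": 26,   # lower-case letter
    "L": 26,   # upper-case letter
    "#": 10,   # digit
    "?": 10,   # punctuation; the comment also counts ~10 symbols here
}
# Symbols available per position when any class may appear anywhere (26+26+10+10).
FULL_CHARSET = sum(CLASS_SIZES.values())

# Constructed stand-in for the "dozen overwhelmingly common patterns":
# capitalised word + digits (+ '!'), lower-case word + digits, word + 4-digit year.
COMMON_MASKS = [
    "Llllll##?", "Lllllll##?", "Llllllll##?",
    "Llllll####?", "Lllllll####?",
    "llllll##", "lllllll##", "llllllll##",
    "Llllll##", "Lllllll##",
    "llllll####", "Llllll####",
]


def mask_for(password):
    """Reduce a password to its per-position symbol-class mask."""
    out = []
    for ch in password:
        if ch in string.ascii_lowercase:
            out.append("l")
        elif ch in string.ascii_uppercase:
            out.append("L")
        elif ch in string.digits:
            out.append("#")
        else:
            out.append("?")
    return "".join(out)


def keyspace(mask):
    """Number of candidates needed to exhaust one mask (product of class sizes)."""
    n = 1
    for cls in mask:
        n *= CLASS_SIZES[cls]
    return n


def mask_bits(mask):
    """Security in bits if the attacker knows the password follows this mask."""
    return math.log2(keyspace(mask))


def theoretical_bits(length, charset_size=FULL_CHARSET):
    """Security in bits if every position could hold any of charset_size symbols."""
    return length * math.log2(charset_size)


def patterns_bits(masks):
    """Bits against an attacker who exhausts every mask in the list (union of keyspaces)."""
    return math.log2(sum(keyspace(m) for m in masks))


def common_pattern(password):
    """Return the common mask the password falls into, or None (policy check)."""
    m = mask_for(password)
    return m if m in COMMON_MASKS else None


if __name__ == "__main__":
    for pw in ("password", "Denver17!", "tangerine tuning-fork 4"):
        m = mask_for(pw)
        verdict = "common pattern, reject" if common_pattern(pw) else "not a listed pattern"
        print(f"{pw:24s} mask={m:26s} {mask_bits(m):5.1f} bits  {verdict}")
    print(f"theoretical, 9 chars, full charset: {theoretical_bits(9):.1f} bits")
    print(f"one common 9-char mask:             {mask_bits('Llllll##?'):.1f} bits")
    print(f"a dozen masks of that size:         {patterns_bits(['Llllll##?'] * 12):.1f} bits")
```

`patterns_bits` generalises the comment's "+ log2(12)" step to masks of different sizes: the union is dominated by the largest keyspace, so adding short masks to an attacker's list costs them almost nothing, which is exactly why the short ones get cracked first.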

  25. PGP/GPG webmail plugin : Mailvelope on Google Launches Official Gmail Add-On Program (pcworld.com) · · Score: 4, Interesting

    Have a look at Mailvelope.

    - It's generic (not GMail specific, should work on lots of webmail website, simply by encrypting/decrypting their TextArea)
    - It's multi-platform (Chrome Extension, Firefox plug-in, most OSes)
    - Enables PGP signing and encryption.
    - All the crypto is done locally on your computer inside the plug-in. The webmail site only sees encrypted blocks in the editor's input field.

    It has a few shortcomings :
    - Only works on "textarea" form field, so won't work for encrypting attachments.

    BUT:
    - You can still encrypt/decrypt files on your computer (this can be facilitated by Mailvelope) and upload the *encrypted file* as an attachment.
    (This is a workaround for GMail, Outlook, etc.) You get the security of encryption, at the cost of a few extra steps.
    - Mailvelope provides an API and some providers (GMX.de) do integrate with the API and thus provide full support for attachment encryption (done by Mailvelope) without disturbing the end-user experience

    With the GMail Add-On program, Mailvelope developers could implement the necessary things on the GMail side of things as a Gmail Add-On, so it will correctly cooperate with the Mailvelope extension and provide seamlessly encrypted files *without* needing Google to spend time integrating vanilla Gmail with Mailvelope's API (integration done at the Gmail Add-on level instead).