To be fair, if you are capable of checking plausibility, there is a lot of good information on the web. But it can be tricky to filter it out, some independent general intelligence required. And while supposedly everybody had that, a lot of people seem to choose not to use it.
For example, Amazon reviews are very helpful if you read them right. Always read a few high and a few really low ratings. This usually gives you a pretty good picture. You can have exactly the same overall rating for two products where one is really bad and one is really good. For example with one thing I bought last week, the high ratings said that you really need to read the manual to get good results. The low ratings just said "does not work". Or you can have great unspecific ratings and the low ones describe exactly what is wrong.
You can do backups with RAID though, for example removing a drive from RAID1, and keeping that one as backup. But the RAID is just the tool here, it is not the backup and does not do backups by itself.
In the same way, chroot can be part of a security mechanism, but it does not absolve you from knowing what you are doing. Which is pretty much the real problem with security: Too many people that have no real clue what they are doing with regards to security. Unless that is fixed, software will remain insecure. It is not a problem technology can fix, despite a whole lot of misguided attempts to do so. In the end the next security hype just makes management hire even more clueless and cheaper "coders", because they are now protected by magic technology xyz, right?
There is no replacement for insight, understanding and experience in engineering. The problem with security is that you can still have a working product when security sucks. This means even more insight, understanding and experience is needed to get it right.
Your security always depends on something being "well crafted", namely your application software. Everything else is just fools trying to patch their bad software engineering in ways that do not really work.
Unless said CPU-level features have bugs themselves. Like, I don't know, Spectre? A kernel running containers may well mitigate that, but a VM layer may negate that mitigation again.
Not necessarily and very much not "by definition". You overlook KISS here. VMs are complex and offer a nice, large attack surface all by themselves. A container can very well be more secure, for example if the hypervisor creates attack vectors not present in a container running on a proper, non-virtualized system.
Now, I am not saying this is always the case or even regularly. But the question does not have a simple answer.
Indeed. And on the other hand, write better software. There is a lot of things sandboxes cannot do, for example protecting the data the application works with. So use proper privilege separation and drop, use input validation, etc. and make very sure you understand what you are doing. Especially the last thing is the one thing that really helps and that is missing so often these days.
VLANs are not a security technology. They make managing a network easier, but as soon as you compromise one network device, you have access to everything. Proper isolation means different cables.
Containers and VMs are not really security tech. Nobody in their right mind would call using a dedicated machine a "security technology", VMs and Containers are not either. They serve to partition a machine and, to a limited degree, they can achieve that. But as soon as somebody breaks into a container or a VM, they can usually do what they want anyways, just the same as with a dedicated system: Send spam, hack other machines using the identity of the container or VM, steal local data, etc.
What both containers and VMs give you is _less_ security compared to a dedicated machine, since in addition to all the normal security problems, you also get possible attacks on the isolation layer and on other containers or VMs running on the same hardware. That means overall, you are _less_ secure.
Looks actually like pretty good science to me. The effect is explained nicely and the cooling of the LED (where the additional light-energy comes from) gives a possible application.
Social media is real-time entertainment; not to be taken seriously.
I am a bit younger than you, but there was no Internet until I went to University. I see this clearly. But younger generations seem to be lacking the comparison. When you have read a well-written newspaper for a few years, you will not ever think that social media is in the business of serious news. But what if you lack that? Or what if you are one of those that would not have read said newspaper before the Internet either? I think the problem may not even be made worse by social media, it is made only a lot more visible.
And this is how Democracy dies: If you can manipulate what people see, read and hear, you could stop having elections altogether, because only very few can actually check the stories they are fed for plausibility. The rest will just believe. This is not the first time this has happened either, it is more the process of reestablishing a status that was true to most of human history. I think we can safely assume the Enlightenment has failed, and that humans as a group have no appreciation of facts and truth. For a moment there, I was hopeful with the Internet and easy access to information for everybody, but apparently that was vastly overoptimistic.
I don't think so. Take Trump for example: Clearly a narcissist, clearly a (bad) liar, clearly not very smart, but a psychopath? I don't think so. But look at the ones that voted for him and the many that still cheer him on and think he is doing a good job. These are far too many to be psychopaths. Also clearly too many to be intentionally evil and proud of it. But what are they? I think they are just unable to see reality and unable to see the evil they are supporting. That makes them idiots, but not intentionally evil or destructive.
Are you an idiot? Because it sounds very much like you are. (Of course, you would be unaware of that, so this is a rhetorical question....)
First, do you really think anybody except a very experienced mathematical cryptographer _can_ actually evaluate s-boxes? If so, you are utterly delusional.
Second, if they outlaw, say, AES, they would outlaw home brew ciphers at the same time. They tried this already, and you should know unless you have no knowledge of the history of cryptography. And if they do and you just cannot get implementations anymore, in what way would just re-implementing AES be inferior to cooking your own thing? Of course, you may not actually have the standard lying around. I do.
Seriously, you are making all the clueless-crypto-nerd mistakes and you are giving really bad advice. Stop.
It is completely useless though. No modern carefully and publicly reviewed cipher has been broken in the practical sense in a long, long time. (Note that "publicly reviewed" also means that actual experts did take an interest.) However, a lot of implementation mistakes _have_ been used to do successful attacks. You are barking up the wrong tree.
There is also a risk-management angle here: If, say, AES has a backdoor, it would not be a "nobus" backdoor, as these basically do not work for block-ciphers. Nobody would take the risk of putting something in there that an attacker can also find. If you distrust ciphers, then distrust ECC with curves where you cannot verify how they were generated. ECC very much does allow "nobus" backdoors.
I am going with Hanlon's razor here. Of course, there is a lot of people that gladly would cheer in fascism for all the great benefits to society it brings in their minds and some of them will not even admit being wrong when it ends in utter catastrophe (as fascism sooner or later always does). Are these people stupid or malicious?
When looking at the details, this question gets really difficult to answer. I like to think these people are defective in some way and really cannot see how evil their acts are. They are unable to learn from history or experience and, at the same time, are convinced they have it all figured out.
People that are evil, know it and are fine with it are really rare. Almost all evil people have some rationalization, like "protecting the country" or "fighting the bad guys" or "giving the master-race the place it deserves" and the like and typically lack the mental ability to see that these are just excuses for something else.
BTW, "be restricted"? That is some very uncommon use of language in civilian society. Are you a fed or with some other TLA? Would explain why you are maliciously trying to get people to shoot themselves in the foot. Anyways, you are pretty clearly part of the problem here.
Hehehehe, I know enough to know how difficult it is to actually get right as it comes very much down to the details. Just throwing a few s-boxes that look good into a Feistel-network will _not_ cut it. Puts me far ahead of you, apparently. But I also have enough understanding to see how even absolute experts can fail at it. As examples, the AES competition or the password hashing challenge were quite instructive.
At this time, rolling your own crypto (unless you are one of maybe 100 people on the planet that really know how to do it) is a pretty sure way to failure. Recommending to people to do it is active sabotage and can only be called malicious. The other thing is that it is useless to do so anyways, because what are you going to use it for? For communication it has no worth, because others would need to use it as well. That would automatically make it a target for those that want to break it. For file/disk-encryption, if you are concerned, just layer a few algorithms with independent keys. If you actually knew how this works, you would know that there is no way in hell to break into something like this (done right of course).
Spoken like a true amateur that failed (or never had) Crypto 101. You know why most home-brew crypto is never broken? Because the people that can do it do not want to waste the little time that usually takes. This situation changes when somebody is willing to pay for it, but you do not read about it in the scientific literature, because nobody cares.
Home-brew crypto stopped being an option a few decades back.
They keep talking about "compromise" as if Tim Cook and Larry Page have everyone's encryption keys in a file on their laptops that they refuse to hand over for convicted mobsters. That sort of mindset just does not reflect the nature of the situation.
These people have no understanding of reality. They are fanatics. They live in a fantasy-world where the powerful dictate reality and reality complies. They have no understanding of what a "fact" is and think they can just threaten it long enough and it will change.
The thing is that people like this guy have no clue what a "fact" is. He thinks it all comes down to power and that, given enough power, a certain "reality" can be enforced. It is a typical mental defect found in basically any fanatics. A still very instructive example of that is when the catholic church tried to force the world to be flat. They had absolutely no understanding that the shape of the planet did not care about them one bit and that all their power had zero influence on reality.
Still, people like that in position of power is a sign of a sick society. It is a severe problem.
Indeed. And is not a well-developed capability in most people in the first place. Not that the US is unique in that regard.
Bug density is a somewhat useless metric for software quality. When it comes to security, it is utterly meaningless.
For the purpose at hand, it really does not matter whether they thought the earth was flat or whether it was the center of the universe.
PowerShell is a command line. Not a good one, but its nature is not in dispute.
Google has not been a US company for a very long time. They are a global company.