Gimme a break. Cell phone makers target most of the market, which ranges from 8 year old brats to serious business users. And now that we have decent touch screens, many people seem to prefer those over physical keyboards that take up a lot of space.
You know what takes up a lot more space? On-screen keyboards.
One of the hazards that long duration space travelers will face is radiation. The Earth's magnetic field draws incoming particles to the poles, thus protecting us.
Miles of atmosphere between earthly peeps and space stops most of it. Earth's atmosphere provides equivalent protection of about 33 ft of water.
Restrictions are on commerce not travel.
You can go there as long as you don't spend any money.
He needs to hire people who have the skills and experience addressing specific vulnerabilities. Ideally those people got that outside of TS work. He is the rainmaker that opens doors.
Judging by his cozy reception at last Defcon this shouldn't be a problem at all.
Salts do provide protection against that. Salts are secret if you want them to be.
You are playing word games. A "secret salt" is a "key" not a "salt" while clearly ignoring relevant context of PCI DSS requirements.
Other relevant bullet items in sec 3.4 were:
* Index tokens and pads (pads must be securely stored)
* Strong cryptography with associated key-management processes and procedures.
If that is not enough of a hint to understand what they are talking about when they say one-way hash, the "Note" section spells out exactly what they mean.
Note: It is a relatively trivial effort for a malicious individual to reconstruct original PAN data if they have access to both the truncated and hashed version of a PAN. Where hashed and truncated versions of the same PAN are present in an entity's environment, additional controls should be in place to ensure that the hashed and truncated versions cannot be correlated to reconstruct the original PAN.
If a huge "secret salt" is expected then truncation warnings would be irrelevant.
At some point anyone with a half functioning brain quickly realizes they are total idiots who know nothing.
Those with fully functional brains should avoid bathrooms, strip clubs and always check the back seats before driving off.
All of the so-called "alternatives" listed in TFA basically operate on the same crappy model of your gear connecting to vendor-owned servers over the Internet to facilitate access.
When a vendor decides to change their terms of service, change their service pricing model, go out of business or EOL a product no longer worth their time supporting, you're screwed, to say nothing of the potential risks involved should the vendor's systems become compromised... which... never happens... regularly...
If I can't connect directly to manage my own gear that I paid for without the vendor being involved, then no sale.
As more people leave insanely overpriced and content-deprived cable service behind in total disgust, I invite the entire industry to enjoy its victory and go back to sleep.
Surprise surprise entire API controlled from Google servers.
Due to a fundamentally much better design architecture, Linux and to some degree Android either don't or can't suffer from many of the problems Windows has in the first place. Those that do happen also get fixed much quicker due to a much more active developer base.
You know, back in the day this was sort of true. Throw up a server on Linux and it just worked; do the same on Windows and it worked for a little while until it didn't. It was not that code quality or general architecture was drastically different, it was simply that unix fork()s worker processes in separate memory spaces which disappear when finished... On the flip side, windows, lacking fork() and the associated culture, relied heavily on thread pools and/or async, hence the effects of the same programming flaws tended to accumulate to global effect vs being cleared automatically upon forked process exit... but enough of the past.
Today windows phone architecturally is quite good, with security advantages over Android in the form of choosers to facilitate access to global data and resources.
More specifically, I can't consider Android secure when apps are readily available to root your phone and crack boot loaders by exploiting vulnerabilities that persist for years. Even if patches exist upstream, vendors are too lazy, clueless or otherwise wanting of device replacement revenue to push them out to their customers.
Meanwhile, frustratingly, no root exploits are publicly known to exist for WP8 Nokia.
Microsoft has made plenty of stupid decisions, yet they are hardly alone... if you ask me, all the major smartphone OS vendors are wholly unworthy of any praise. They all universally and intentionally place users under unnecessary risk for the benefit of themselves, app vendors and carriers.
I would most likely own a Microsoft phone today if the platform was more like normal windows (pre 8), windows mobile or unfucked android, where users actually have control over their devices and software environment and which were not constantly engaged in copying everything to vendor servers... for the love of everything holy, it is not even possible to maintain a local contact database in WP8.
As it is now I refuse to support morally bankrupt visions of computing where privacy is continuously and frivolously violated and all execution centrally curated. WP and iPhone both operate under walled gardens. Android is at least for the most part open source, where the many people who give a shit are able to work to provide viable solutions to counter crap from Google (of "App Ops was a mistake" fame) and app vendors.
Um, the standard is fine. The phrase "One-way hashes based on strong cryptography" means (to any professional in the business) that one must salt the hash with sufficient entropy to make brute-forcing the input space impossible. So a 16 digit CC has little entropy, but add a 16-byte hash and you've got somewhere.
This is the second time 'use salts' has been mentioned. Salts are not secret keys and only provide protection against creation of lookup tables to accelerate brute force of multiple items... they in no way address the underlying problem of insufficient entropy.
I don't know the exact figure, but last I looked into this, the space of every possible credit card that can be issued across all currently known issuers is well less than a trillion, most likely in the tens to hundreds of billions range... practically free by today's hardware standards.
Adding a salt is a trivial way of fixing this.
No it ain't.
Always assumed anywhere the term "anonymized data" is used, it is more likely than not to be companies and governments paying lip service to their customers... where the data could easily be reversed into an identifiable form by either taking advantage of insufficient entropy or cross-referencing datasets.
There is after all no cost for violating privacy or unnecessary risk exposure associated with disclosure.
One of my favorite examples of the dangers of insufficient entropy stems from a PCI DSS requirement written by "experts" who should know better.
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
One-way hashes based on strong cryptography, (hash must be of the entire PAN) ...
The search space of typical 16-digit card numbers is no match for a modern CPU once you have taken the check digit, card type, issuer and issuer-specific numbering into account... "strong cryptography" can't fix stupid.
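An added example, not from the thread or from PCI DSS, that puts numbers on the two comments above and on the "Note" quoted in the reply: once the issuer prefix and last four digits are known (a PCI-style truncated PAN), the Luhn check leaves exactly 10**5 candidates, and any hash whose inputs an outsider can reproduce (public salt included) is matched by simply hashing them all. A keyed HMAC with a separately managed key cannot be enumerated without that key. Card numbers, salt and key are constructed test values; the function and constant names are mine.

```python
"""Cost model for 'one-way hashed' PANs, with constructed test data only."""
import hashlib
import hmac
import itertools
from typing import Callable, Iterator, Optional

SALT = b"constructed-public-salt"      # a salt is stored beside the hash: assume it is known
KEY = b"constructed-secret-hmac-key"   # a key lives in a key-management system, not beside the hash


def _luhn_digits(pan: str) -> Iterator[int]:
    """Per-digit Luhn contributions: every second digit from the right is doubled."""
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        yield d


def luhn_valid(pan: str) -> bool:
    return sum(_luhn_digits(pan)) % 10 == 0


# Inverse of the doubling step, used to solve for a doubled digit directly.
UNDOUBLE = {(d * 2 - 9 if d > 4 else d * 2): d for d in range(10)}


def pan_search_space(pan_length: int = 16, known_prefix: int = 6) -> int:
    """Luhn-valid PANs under one issuer prefix: all digits except the prefix and
    the check digit are free, and the check digit is fixed by the rest."""
    return 10 ** (pan_length - known_prefix - 1)


def salted_sha256(pan: str, salt: bytes = SALT) -> str:
    """Public-salt reading of 'one-way hash of the entire PAN' (the weak scheme)."""
    return hashlib.sha256(salt + pan.encode()).hexdigest()


def keyed_hmac(pan: str, key: bytes = KEY) -> str:
    """Keyed alternative: an outsider cannot compute candidate digests without the key."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def candidates_from_truncation(first6: str, last4: str, pan_length: int = 16) -> Iterator[str]:
    """Every Luhn-valid PAN consistent with a truncated view (first six, last four).
    One middle digit is solved from the check rather than enumerated, so the
    generator yields 10**(middle-1) PANs, i.e. 10**5 for a 16-digit card."""
    middle = pan_length - len(first6) - len(last4)
    solved_pos = len(last4)  # index from the right of the middle digit we solve for
    for digits in itertools.product("0123456789", repeat=middle - 1):
        stem = first6 + "".join(digits)
        partial = sum(_luhn_digits(stem + "0" + last4)) % 10  # "0" contributes nothing
        need = (-partial) % 10
        d = need if solved_pos % 2 == 0 else UNDOUBLE[need]
        yield stem + str(d) + last4


def correlate(first6: str, last4: str, digest: str,
              digest_fn: Callable[[str], str] = salted_sha256) -> Optional[str]:
    """The correlation the PCI DSS Note describes: digest each candidate with the
    scheme the attacker can reproduce and compare. Returns the PAN or None."""
    for pan in candidates_from_truncation(first6, last4):
        if hmac.compare_digest(digest_fn(pan), digest):
            return pan
    return None


if __name__ == "__main__":
    test_pan = "4111111111111111"  # constructed, Luhn-valid test number
    print("Luhn-valid PANs per 6-digit prefix:", pan_search_space())
    print("candidates from truncation:", sum(1 for _ in candidates_from_truncation("411111", "1111")))
    print("public salt, recovered:", correlate("411111", "1111", salted_sha256(test_pan)))
    # Without the real key the attacker's candidate digests never match the stored one.
    wrong_key = lambda p: keyed_hmac(p, b"wrong-guess")
    print("keyed HMAC, wrong key:", correlate("411111", "1111", keyed_hmac(test_pan), wrong_key))
```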
Outcomes from surveys where technology, sensor placement and encroachment of cities, even if super careful, have error bars on the same order as the signals from multi-decade surveys... are... mostly... useless.
They always result in the same tired predictable rumblings of fools who see what they want.
All the while very important and relatively uncontested facts such as continued decrease of ocean pH and sea level rise are summarily ignored.
In an alternate reality where every packet is magically stamped with an identifier of person directly responsible for its generation by an infallible "packet fairy" would the world be better or worse off?
Personally I believe that as long as humans continue to prove themselves incapable of handling power, the more access and anonymity, the better off on balance we all are.
Seems insufficient to consider only risks on one side of the ledger when weighing a course of action. At least RTFA's FAQ...
No doubt whoever came up with the name "fire phone" will continue to enjoy a long and prosperous career at Amazon long after typing "fire phone" into Google and clicking image search.
Please please please, pretty please with a bow around it, do not build these plants in states voting for legislators who are hostile to climate science, hostile to green technology, hostile to EPA.
Hard to think of a better way to modulate local political views than the construction of large solar plants employing a sufficient quantity of voting taxpayers.
Damn you just have to feel sorry for Nokia...
I couldn't imagine the pain and suffering that must be associated with selling devices and then losing the ability to control what software can be installed on them.
Well no shit it runs 20 hours a day when you want it 72 degrees.
Note to others, most Arizonans are a little more intelligent about energy usage so they usually keep their thermostats set to 80 or higher.
The most efficient scenario is the AC running all day to provide cooling to a given temperature, whatever that may be. When your AC only goes on for a short percentage of the day when it's really hot out, that means your gear is oversized and costing you money.
Unfortunately oversized ACs cost both owner and Slashdot dearly, yet it is such a common affliction that most people think it is normal and proceed to scold others who actually have properly functioning systems.
A simple requirement to provide the customer properly sized equipment is worth a heck of a lot more in conservation efforts than an STB industry policing itself by setting performance goals so low they would have to actively try not to meet them.
TFA seems to be intentionally designed to mislead the reader.
Electricity demand is growing far more slowly today, thanks to conservation over the last decade. But total use is still projected to grow 29% by 2040, according to the Energy Department
The reality is per-capita energy utilization has been *decreasing* year over year... the reader wouldn't know it from the carefully cherry-picked facts.
I should add making power utilization predictions for the year 2040 is a futile exercise.
Federal standards on refrigerators and televisions have driven down their energy use by 75%, even while the retail prices have dropped
Really? What about availability of technology and desire to reduce bill of materials? Did switched mode supplies catch on because they are more efficient or because they cost a lot less than copper they displace? What about integrated circuits? Was it government regulation that drove process improvements directly responsible for power efficiency gains or the desire to reduce per component cost?
What regulation was responsible for driving the invention of display panels needed to replace CRT?
While I think regulation in the form of consumer awareness is helpful, most often regulatory pressure only brings up the rear of the pack rather than leading with standards necessitating or otherwise driving innovation.
I think the overall point that efficiency is being left on the table in consumer electronics domains is a valid concern worthy of focus, yet even if solved completely it won't have much of an impact in terms of overall consumption.
This is what happens wherever we have allowed too much to be aggregated into the hands of the few.
As a minimum, if you don't encrypt it before tossing it out onto unknown public and private networks you don't control, you've already said you don't care who sees / reads / hears / metabolizes your data.
If you use an RF scanner to publish overheard conversations which are none of your business, you can be held accountable under section 705 of the Communications Act, esp. for "metabolization".
"No person not being authorized by the sender shall intercept any radio communication and divulge or publish the existence, contents, substance, purport, effect, or meaning of such intercepted communication to any person."
I don't accept the idea that just because the technical means to record a conversation exists, this somehow should automatically serve as a blanket grant for people to do whatever the hell they want just because they have the means.
I think parsing the distinction between simply overhearing and using, profiting from or otherwise aggregating (stalking) is critically important.
However, I much prefer technical solutions which deny undesirable capabilities vs reliance on legal regimes to enforce that which is guaranteed to ultimately be wielded by bottom feeders and/or the state for less than noble reasons.
Most notably attempts by LEA to leverage "Wiretapping" statutes to prevent citizens from filming an arrest or other police actions.
Just create an app to aggregate tower data and funnel it thru a comparator to flag changes over time. For added bonus, collect signal metrics with GPS location for flagged IDs to figure out exactly where these suckers are.
From previous disclosures, usage has been sloppy, with the same devices/identifiers reused as they are shipped all over the country. Detecting the same stingray being moved from place to place should be cake with enough participants.
Stingrays would not be necessary if LEAs did their jobs and got a proper warrant. Dumber still, the use of these things cannot be concealed by the very nature of their operation... when you deploy this shit you unnecessarily run the risk of tipping off your adversaries.
In short, LEAs who think stingrays are a good idea are idiots.
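The comparator sketched above, written out as an added example that is not from the thread or any real detection app: crowd-sourced survey snapshots are compared over time to flag a cell identifier that appears in an area for the first time, and an identifier whose sightings lie too far apart to be one fixed tower (the "same device shipped all over the country" pattern). The observations, identifiers and coordinates are constructed; the 5 km footprint threshold is an assumption.

```python
"""Comparator over cell-survey snapshots; all observations are constructed samples."""
import itertools
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class Observation:
    day: int        # survey epoch (day number)
    cell_id: str    # constructed "MCC-MNC-LAC-CID" identifier as reported by the baseband
    lat: float
    lon: float
    rssi_dbm: int   # signal metric kept beside the GPS fix for later localisation


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two GPS fixes (Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def new_cells(obs: Sequence[Observation], day: int) -> Set[str]:
    """Identifiers seen on `day` that no earlier snapshot contained.
    On the very first survey day everything is 'new'; a baseline needs history."""
    seen_before = {o.cell_id for o in obs if o.day < day}
    return {o.cell_id for o in obs if o.day == day} - seen_before


def moved_cells(obs: Sequence[Observation], max_km: float = 5.0) -> List[Tuple[str, float]]:
    """Identifiers whose sightings are farther apart than a fixed tower's footprint.
    Returns (cell_id, widest spread in km), sorted by identifier."""
    by_id: Dict[str, List[Observation]] = defaultdict(list)
    for o in obs:
        by_id[o.cell_id].append(o)
    flagged = []
    for cell_id, sightings in by_id.items():
        spread = max((haversine_km(a.lat, a.lon, b.lat, b.lon)
                      for a, b in itertools.combinations(sightings, 2)), default=0.0)
        if spread > max_km:
            flagged.append((cell_id, round(spread, 1)))
    return sorted(flagged)


# Constructed sample: one fixed tower with GPS jitter, plus an identifier that
# appears on day 3 and is then sighted again roughly 170 km away on day 10.
SAMPLE = [
    Observation(1, "310-260-1234-5678", 33.4500, -112.0700, -71),
    Observation(2, "310-260-1234-5678", 33.4508, -112.0695, -74),
    Observation(3, "310-260-1234-5678", 33.4495, -112.0710, -70),
    Observation(3, "310-260-9999-0001", 33.4510, -112.0690, -52),
    Observation(10, "310-260-9999-0001", 32.2200, -110.9700, -55),
]

if __name__ == "__main__":
    for day in (1, 3, 10):
        print(f"day {day}: new identifiers {sorted(new_cells(SAMPLE, day))}")
    print("identifiers that moved:", moved_cells(SAMPLE))
```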
Amusing to sit on the sidelines and watch the marketeers at work pushing garbage nobody is predisposed to care about in the first place.
Apparently they refuse to understand that home automation offers very little in the way of actual benefits to the user, where the novelty of gimmick-ridden... "look ma I can flush my toilet from my iPhone"... gets old quicker than the 3-D glasses needed to view overpriced Blu-ray movies.
Gimmicks are the turd left behind when you are unwilling or unable to provide actual value to the consumer.
And this requires root, which is throwing out the baby with the bathwater. As soon as you root, the entire sandbox runtime model is out the window.
As soon as you root you have explicit control over what, if anything, gets to run as root.