Without the Play Services, what do you actually use on the phone?
I don't spend a lot of time with apps.. I use it mostly for communication and tethering the laptop on the go.
Do you have a decent map application?
Yes, internal maps for whole country completely offline with automatic rerouting, TTS. 0 data usage. Love it. Also have 3D google earth app.
What email app?
I normally don't do email on my phone. I've used k-mail in the past just screwing around and it worked fine. Don't find on screen keyboards and tiny displays acceptable for any purpose other than writing short text message. I would never write an email on my smartphone unless I absolutely had to. There are enough real computers with usable sized screens and keyboards readily available to me.
Does it have push notifications?
Don't remember.. I'm not sure if it forwarded notifications from IMAP or just polled periodically.
I assume you don't use YouTube or any other streaming services either
Have youtube 2.0 application which predates GPS integration. Quite old but still works fine.
Do you hunt down and manually install all your apps?
Yes either using a Google app store downloader or third party app stores. I don't have a lot of apps yet I do have everything I want. Searching for apps on desktop and sideloading is easier in my view than doing the same from a painfully tiny screen. All commercial apps such as mapping application I have were purchased directly from the publisher not via an app store.
How many work without adsense or other google services?
All of them. Local only apps I have firewalled via iptables so they can't communicate with the outside world if they tried. To the extent any of them have ever tried to call home or download ads or telemetry they fail silently.
CyanogenMod was great, but without installing Gapps it seems a bit pointless to me. How many people honestly run a mobile device with no app store?
I don't care about popularity contests. Everyone has different opinions and requirements. If you need Google apps that's fine. I personally find the concept of pervasive stalking of entire populations by massive advertising agencies offensive/harmful and refuse to participate regardless of any perceived benefit. I will say battery life and data consumption are amazing without GPS.
The name is dead but the software itself isn't going anywhere. Ass kissing is only necessary to distribute Google Play Services (GPS)... a proprietary bundle of Google malware otherwise Android is open source and there isn't shit they can do about how you use it.
The only real competition Google has ever had with respect to GPS was from Amazon who operates their own app store separate from Google.
Personally I will never use an Android phone with Google Play Services installed. For me it isn't a choice between a custom mod and Google it is a choice between no GPS or nothing at all.
Is for people to finally stop making arguments that cannot be falsified:
"That might seem outrageous because it's only 35 years away. But 35 years ago people thought homosexual marriage was outrageous," Cheok said. "Until the 1970s, some states didn't allow white and black people to marry each other. Society does progress and change very rapidly."
I constantly see similar devices invoked to justify virtually anything. In 35 years from now when marriage to a wood chipper is still as "outrageous" as it is today this statement will be no more or less valid than it has ever been.
These arguments are all.. each and every one of them completely worthless no different than Slashdot linking to sites having simply ripped off someone else's story just to help them profit by a few extra hits.
What I described is a smart card.. something that has been widely used for over a decade.
The difference in not reinventing the wheel with U2F is you don't need to modify servers to support experimental channel binding extensions. This can be deployed without modifying existing servers.
"Google is very much a not-invented-here, build it ourselves culture." -Eric Schmidt
The problem with client certificates is that you have to install them on a device before using the device.
The browser can grab them from anywhere it can anytime it wants. It can also pass-thru cert validation to physical trinkets that look like USB sticks or credit cards the same as smart cards have been doing for ages.
So you can only login from a device you completely trust. This is just another form of something you know.
It's not a second factor.
No it is clearly something you have. Using trusted system is an implied baseline requirement. It isn't ever optional. This business of logging on from devices you don't trust = GIGO.
With U2F you can, in a pinch, login from say a computer in the library and
This limitation does not exist with my suggestion to just use client certs. There is no reason to assume browser is the entity that must offer a proof of possession to server. I just don't see the point of reinventing the wheel.
not worry that your certificate just got compromised.
Well there is that... I'm not sure what value this has to normal people who prefer criminals not transfer every penny out of their bank account or send all of their friends ransomware... but hey at least your certificate didn't get compromised.... hurray.
Well I've got to hand it to them at least this isn't just another tired old token passing scheme running over TLS. There appears to be something "ChannelID"? I don't really understand the specifics that seems to bind something from USB card with the underlying TLS session.
Still I have three comments.
1. If you're going to do this why not deploy client certs and have your card store private keys for each site and just push all responsibility for interface (special standard for pkcs12 download, user attention..etc) to the browsers. If you did that you wouldn't need ANY low level server side changes at all to take advantage of it and browsers would have more freedom to manage key storage.
2. Better to enter "what you know" into "what you have" than entering them separately.
3. The problem with all of these schemes is they are a single point of failure. Lose, forget to bring or break your USB stick and you're fucked as a result. I don't expect very many sites that are not banks or something really important to even go here. Nobody is honestly willing to deal with both "I forgot my password" and "I lost my key".. so you'll end up with some sort of bypass like password questions that ruins the security of the system while making people "feel" secure because of all of these other worthless hoops they are going through.
I still think a better (as in practically useful across the board in line with what users and operators are willing to accept) approach to web security after an initial account creation step is use of secure password authentication protocols instead of the crap we have now where passwords are entered into adhoc web forms.
Teaching people to enter passwords only into specific dialogues in their browsers at least would provide some hope of some people not getting owned by all of the lame phishing shit out there. TLS-SRP for example provides secure authentication without requiring certificates or leaking material that can be used for offline attack rendering connecting imposter sites both harmless and easy to recognize and since authentication is used to encrypt the underlying session PKI is optional although recommended to provide privacy protection against disclosing user identity in the clear during handshake. The patches necessary to enable this continue to collect dust in many of the major browser vendors ticketing systems.
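The SRP-6a arithmetic that TLS-SRP (RFC 5054) carries inside the handshake, as an added example that is not part of the original comment. It uses SHA-256 and simplified hashing, so it is not wire-compatible with RFC 5054; the user name, passwords and function names are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets

# 1024-bit group from RFC 5054 Appendix A, generator 2.
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
G = 2
NLEN = (N.bit_length() + 7) // 8


def digest(*parts):
    """SHA-256 over the parts; integers are padded to the length of N."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.to_bytes(NLEN, "big") if isinstance(p, int) else p)
    return h.digest()


def H(*parts):
    return int.from_bytes(digest(*parts), "big")


K = H(N, G)  # SRP-6a multiplier


def make_verifier(user, password):
    """Account creation: the server stores only (salt, v), never the password."""
    salt = secrets.token_bytes(16)
    x = H(salt, f"{user}:{password}".encode())
    return salt, pow(G, x, N)


class Client:
    def __init__(self, user, password):
        self.user, self.password = user, password
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(G, self.a, N)

    def respond(self, salt, B):
        if B % N == 0:
            raise ValueError("illegal server value B")
        u = H(self.A, B)
        x = H(salt, f"{self.user}:{self.password}".encode())
        S = pow((B - K * pow(G, x, N)) % N, self.a + u * x, N)
        self.key = digest(S)
        self.M1 = digest(self.A, B, S)  # proof that the client knows the password
        return self.M1

    def server_is_genuine(self, M2):
        return hmac.compare_digest(M2, digest(self.A, self.M1, self.key))


class Server:
    def __init__(self, salt, v):
        self.salt, self.v = salt, v
        self.b = secrets.randbelow(N - 1) + 1
        self.B = (K * v + pow(G, self.b, N)) % N

    def receive(self, A):
        if A % N == 0:
            raise ValueError("illegal client value A")
        u = H(A, self.B)
        S = pow(A * pow(self.v, u, N) % N, self.b, N)
        self.A, self.key = A, digest(S)
        self.expected_M1 = digest(A, self.B, S)

    def client_is_genuine(self, M1):
        return hmac.compare_digest(M1, self.expected_M1)

    def proof(self, M1):
        return digest(self.A, M1, self.key)  # proof that the server holds v


def honest_login(stored_pw, typed_pw):
    salt, v = make_verifier("alice", stored_pw)
    server, client = Server(salt, v), Client("alice", typed_pw)
    m1 = client.respond(salt, server.B)
    server.receive(client.A)
    if not server.client_is_genuine(m1):
        return "server rejects client"
    ok = client.server_is_genuine(server.proof(m1)) and client.key == server.key
    return "ok" if ok else "client rejects server"


def imposter_login(real_pw, imposter_guess):
    """A look-alike site holds no verifier, so it fabricates one from a guess."""
    salt, v = make_verifier("alice", imposter_guess)
    fake, client = Server(salt, v), Client("alice", real_pw)
    m1 = client.respond(salt, fake.B)
    fake.receive(client.A)
    # The imposter skips the client check and simply tries to look legitimate.
    return "ok" if client.server_is_genuine(fake.proof(m1)) else "client rejects server"


if __name__ == "__main__":
    print(honest_login("correct horse", "correct horse"))
    print(honest_login("correct horse", "wrong"))
    print(imposter_login("correct horse", "123456"))
```

An imposter whose fabricated verifier happens to match the real password would pass, so "harmless" here means one guess per fake handshake rather than none.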
Software vendors should act in their interests and not take illogical stands that smack of collusion.
You abandon a platform when either your customers abandon it or for some technical reason it becomes too cost prohibitive...NOT because a third party says so or pays you to do it.
Mozilla supports Linux with a pathetic 1/3rd of XPs market share.
They lump XP and Vista together rendering any technical justification unlikely.
Who honestly expects XP users who don't care/accept/understand security arguments to be convinced to upgrade to the current version of Microsoft's malware operating system because their browser is no longer updating? Find it impossible to understand how such policy can be spun to be in the users' best interests when it is only guaranteed to make a bad situation much much worse.
If Mozilla wants to take the position they no longer care to support XP users this is a coherent argument. The PR statement on the other hand is pure bullshit.
I love how vendors are using "security" as a bludgeon to beat people into boarding upgrade trains as if it's somehow normal or acceptable for customers to accept software that is inherently dangerous to use without continuous patching. Such irresponsible behavior on the part of any vendor engaged in it should be illegal.
The 2% of people who switched to Mac and 0.5% of people who switched to FLOSS desktops are totally acceptable costs.
They did this just right. If you're Microsoft, of course.
I sometimes ponder what percentage of people Microsoft needs to push to Linux would be sufficient for software and hardware vendors to notice they are leaving money on the table if they continue to ignore Linux paving the way for further lowering barriers of entry enabling even more users to contemplate switching?
Like Android vs Windows phone it isn't the operating system that matters it is everything that supports the operating system that makes a platform and moderates loyalty.
When you actively work to push customers to other platforms by turning your product into malware and resorting to underhanded tricks it isn't just those customers willing and able to leave right away that will eventually catch up to you.
Hopefully there is some small probability of downstream consequences to Microsoft's balance sheet following from more people choosing to spend money on solutions that don't revolve around Microsoft's platform.
If it's multiple bounces then it's a solar sail, not a photon rocket, and the other thing you're bouncing the laser off essentially forms the reaction mass. As you gain speed relative to your other mirror the efficiency will drop.
I guess I'm just stupid. I don't understand why this is relevant with regards to what is possible.
They're "allowed" to work, because they conserve energy and momentum, because there's a reaction mass.
What is the basis for the assumption EM drive is *required* to be any different to explain outcomes?
It's most likely pushing off the air or ambient magnetic field or something. That's neither useful nor interesting though.
There have been tests conducted in vacuum and testing in different positions to rule out similar possibilities specifically. I'm not claiming EM Drive actually works or doesn't work. I just don't get the assertion conservation laws are required to be violated to explain observed EM Drive outcomes assuming they are not just errors.
There isn't just magic stuff in space you can simply push off though. If there was, then it has interesting things to say about geocentrism!
If such magic were possible it could be sufficient to explain results without necessarily affecting conservation laws. There are other options besides assuming EM Drive is a free energy machine.
The big reason the EM Drive is attracting any interest at all is that it seems to be generating thrust per watt ratios at least an order of magnitude greater than theoretically possible with a photon rocket (i.e. shining a laser/flashlight/microwave/radio source out the back end), so there's no accepted theoretical basis for the thrust it's generating, unless maybe it's actually vaporizing itself and leaking pressurized metal gas out the back end
Except 3x that which has been claimed to have been observed with EM Drive has been demonstrated with photon rockets using mirrored surfaces.
Why does nobody bat an eye when photon rockets are shown to outperform EM drives?
Finally, conservation of energy (Ein=Eout + heat) could also be broken by a reactionless thruster as it's heavily dependent on speed. If the EmDrive generates a constant thrust for a constant energy input as it accelerates (completely untested), then its kinetic energy will increase at a steadily increasing rate, since energy increases with the square of velocity. At some point the incremental increase in kinetic energy will be larger than the incremental consumption of electrical energy, at which point you could theoretically attach it to the rim of a wheel turning a generator to produce more energy than you're consuming. (normal rockets don't face this issue since the exhaust is being slowed down while the rocket accelerates, so the total kinetic energy change remains constant.)
All photon rockets do this... efficiency goes to plaid above the relativistic threshold. You're just not accounting for total energy properly.
1. The EM drive works, which means there is a substantial gap in the laws of physics which have already passed very many far, far more stringent tests than the one in this article, implying thousands of other unrelated experiments were flawed in a consistent way.
What is so compelling about EM drive from a perspective of capabilities as measured thus far that requires substantial gaps in the laws of physics to explain?
Photon rockets with 3x that of the best EM drive results per watt have been demonstrated using mirrored surfaces simply by bouncing lasers thousands of times. Why are they allowed to work while EM drive is labeled "impossible".
Nobody really has a handle on what if anything EM drive is "pushing off" of. It is all just conjecturbation at this point.
One consistent performance problem I see across browsers is large tables take forever to render even with static column attributes. You can load an excel spreadsheet with tens of thousands of rows instantaneously.
The same data in a table pegs a core and consumes a GB or more of RAM with minutes or more delay. Often as the number of rows increase there is a huge corresponding drop-off in performance until it becomes practically unusable.
Otherwise I have no real issues with browser performance. Sure browsers like IE do the darndest things you've ever seen sometimes including getting so slow as to be unusable when displaying large ASCII text files. That's right.. not complex HTML but text rendered as TEXT.
Browsers are like everything else. The EE's give us incredible hardware and we go out of our way to waste it with lazy sloppy coding simply because it's cheaper not to care.
Browsers are the same way.. all kinds of hard work on fancy algorithms and optimizing performance... obliterated by "developers" who think HTML/JavaScript/CSS are "too hard" and instead insist on piling on layer upon layer, framework upon framework, widget after widget, piecemeal XMLHttpRequest after XMLHttpRequest, fill site with social media bugs, cross site trackers, ads/malware, use third party bugs to get web stats because you are too lazy to install a stats package to analyze your own access logs. Some sites just enjoy selling out their customers to stalking firms who often cross sell-out customers to other stalking firms leading to hilarious trees of connections when accessing a single page. Yet others are completely oblivious to what is going on behind the scenes.
Web sites written by people who care about wasting their users time load instantaneously. It's amazing. Never really had issues with browsers themselves not being responsive divorced from the bullshit occurring within them. I'm not really sure how what is being described by TFA is even possible given so much runs in separate process/memory space these days.
It's not the first time someone has bragged about their willful ignorance
As mentioned I stand willing to be enlightened. You seem more interested in throwing insults than supporting your position with merit based argument demonstrating value of HA. This is of course nothing new. Most HA proponents I've spoken to have taken this very tack.
Saying that there is no value proposition to HA is like saying there is no point in painting the walls different colors.
You're saying HA is not supposed to be functional but rather decorative?
If the extent of your lighting is limited to a single ceiling fixture in your room then lighting automation, as an example, is not valuable to you. This reflects more on your lack of sophistication than on HA's value proposition. HA is a tool to achieve desirable ends, not an end in itself, and the problem here is your lack of vision.
I'm not sophisticated. I don't live in a mansion and flicking on and off light switches is not something I chose to waste my time developing a "vision" for how to improve. Most people are in the same boat which explains the pathetic market share of these technologies despite having been around for decades.
A couple of sun timers and motion controlled light switches meets all of my "automation" needs.
The point of home automation is to (a) integrate various technologies around the home while (b) providing a convenient, intuitive, easy to use interface for doing so. I'm sure the same objections were made in the past about *every* technological advance... "Use fire to provide light at night? Just go to sleep, like everyone else does." "Cook your meat? Just eat it raw, like everyone else does." "Domesticate and ride a horse? Just walk, like everyone else does."
There are legitimate concerns when it comes to the hows and whys of home automation... but this reflexive nay-saying isn't among them. It's just lazy objection for objection's sake.
Your argument is the flipside of the same coin and cannot be falsified.
If you think this particular technology is valuable you are welcome to provide a merit based justification for your position. Just saying the same objections were made about everything is the same as saying nothing at all because the same argument can be applied without limit to justify ANYTHING.
Nobody in the HA crowd has ever been able to offer a coherent value proposition for how HA could improve *my* life that would in any way be useful to *me*. Until this changes I will continue to blindly assume HA is a pointless waste of time and money with increasingly massive malware/privacy issues.
The people I know of into HA are "gadget whores" who hardly view HA objectively... they just like to screw with shit because it's "cool" or for technology's sake which is a perfectly acceptable justification in and of itself. Everyone gets to decide for themselves what is and is not important to them.
Look, I use Firefox because I'm generally privacy-conscious. I don't want a browser that phones home to Google all the time. I definitely don't want a broken browser made by Microsoft. I use Firefox because it allows me to (provably) disable third-party communications, I can fine tune which features are enabled and turn off the ones I feel may pose a security threat, and it has a solid base of plugins to help create a more secure environment.
Firefox talks the talk about privacy but makes it virtually impossible to achieve. Sheer volume of "call home" excuses in Firefox is breathtaking. Their own expansive about:config privacy documentation tweak guide is as incomplete as it is ridiculously long and convoluted to follow.
If they really gave a shit they would provide usable privacy options as in options that mortal people can actually manage.
Such as:
"Never call home for any reason". "Ask me before calling home" "Automatically call home for x class of reasons"...etc.
The other major issue with Firefox is relatively poor code quality makes using Firefox more dangerous than other browsers.
It's truly astounding but on this one they actually worked closely with security researchers to make the technology not useful for tracking. The identification number is randomized every 5 minutes and it contains no information that can tie it to the vehicle's VIN.
This isn't real. You can't have a secure system without knowing who (basis of trust) you are talking to regardless of technology or algorithms employed.
It is either secure + privacy invasion or insecure. It is physically impossible to do both. You can create a knob and adjust from one extreme to the other yet it is always a tradeoff between the two.
You could for example create group keys that prevent individual vehicles from being discernible yet this also means any group member can emulate any other member and cause havoc that can only be traceable back to the group.
V2V is trying to introduce laser disc in the era of Blu-ray/streaming video.
V2V is teaching people to write in glyphs to make their scribbles readable by their palm pilots.
When V2V push started the technology for computers to monitor and respond to the world as it is in real-time didn't exist at a cost or form that was practical or affordable.
This is no longer the case. The world has moved while V2V is stubbornly stuck in the past. The only remaining benefits of V2V above CV based technologies which react to the world as it actually is was enrichment of those who lobbied and stand to profit massively from a government mandate and TLAs interested in mass surveillance.
V2V cannot be secured. V2V will be abused by criminal enterprise and governments. V2V will be abused by stalkers and kids with nothing better to do. V2V will be used to trigger bombs. It will be used to catalogue everywhere everyone goes en-masse in the same way AIS and ADS-B is currently abused for reasons having nothing to do with public safety.
Government figures on lives saved and benefits are worthless lies that don't consider competing technologies. Our choices are not either a 70's pinto or V2V.
While this has clear utility and in the long run it may save lives
In my view there is no basis upon which to conclude V2V is in any meaningful way helpful or necessary to improve public safety.
Sensor/CV based technologies such as AEB/CTA significantly overlap with stated benefits of V2V. There is no public information available which provides information on safety gains from V2V compared to deployment of sensors.
Government V2V literature and estimates assume V2V is evaluated in a vacuum against a 70's pinto. They don't consider alternatives already deployed commercially which don't require everyone to be equipped with a transceiver to reap benefits.
(U//FOUO) 'Can You See Me Now?' - GPS Enabled Technologies
FROM: Gary Davis Technical Director, Joint Proforma Center (S2J34)
Run Date: 04/27/2004
(U//FOUO) Almost everyone is familiar with the cell phone catch phrase, "Can you hear me now?" The next era, "Can you see me now?", has arrived. Numerous devices using Global Positioning Systems (GPS) for determining their location have proliferated across every part of society. These devices are not only able to transmit their location information, but also receive location information from similar devices. Imagine being able to see where all of your buddies are located when planning a lunch. You could overlay the locations of Chinese restaurants in the area, select the best or closest one, and send that location to your buddies. Well, that time is already here.
(U//FOUO) GPS-based systems, and similar technologies, enable us to know many things such as: where am I; where are my buddies; where is my car; where is my boat; where are other boats in my area.
(U//FOUO) Obviously, these are just a few examples, and the amount of information from these types of devices has exploded recently, resulting in an "Information Tsunami." This huge wave of information is only going to grow larger. As costs of Global Positioning Systems become more affordable, these devices will be integrated into our daily life and become an increasingly invisible service that we come to rely on for even the simplest of tasks.
(S//SI) One of the first examples of the global use of this type of technology is the ITU-R M.1371-1 recommendation jointly developed by the International Telecommunication Union (ITU) and International Maritime Organization (IMO) and known in the public domain as Automatic Identification System (AIS). AIS is a standard that governs the means for transmitting and receiving information on a ship's position, course, speed, name, type of cargo, size, destination, etc. It also provides a framework for extending the basic capability to include TELEX messages, ship way points, and gives vendors the capability to provide proprietary services to ships outfitted with its equipment.
(S//SI) AIS-derived SIGINT is already available to the SIGINT production chain, with dissemination limited under interim OGC (Office of the General Counsel) guidance. Although significant legal and policy hurdles remain, SIGINT exploitation of AIS is already a success in terms of grappling with widespread self-disclosure technologies. Exploitation of AIS exemplifies how NSA, as a Combat Support Agency, can help assure information superiority by providing precise and timely geopositions far beyond the range of most tactical sensors -- allowing not only enhanced Force Protection but also setting the stage for automated correlation of unidentified commercial radar intercepts to specific vessels.
(S//SI) And this is just the beginning. NSA's Joint PROFORMA Center (JPC) is the Executive Agent for developing these new technologies. The JPC is responsible for the technical analysis, oversight of the processor architecture, coordination of data dissemination, and is the Intelligence Community's SIGINT focal point for these systems. JPC will help provide an unprecedented level of detailed information on the location and movements of high value assets including people, ships, cargo, etc. for support in the global war on terrorism and support to military operations worldwide. For more detailed information please contact the Joint PROFORMA Center ("go proforma" in your browser).
"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet without the consent of S0121 (DL sid_comms)."
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS TOP SECRET// SI / TK// REL TO USA AUS CAN GBR NZL DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108
I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen.
Agreed. Lost track of the number of times I've forgotten to type 'where' and all my conditions get tagged to the last join without something warning me about how much of a dumbass I am.
Yes, another obstacle to cross, but HTTP_REFERER also can be spoofed. You would effectively have to implement an authentication scheme with HTTP_REFERER to achieve anything but a temporary effect.
No it can't, not by your *BROWSER*. Any avenue to spoof is a security bug and has been treated as such for at least a decade.
My comments are not about absolute protection of router from local access by a malicious HTTP client it is about preventing CSRF the lowest hanging fruit out there.
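The kind of Referer-based CSRF check this exchange is about, sketched for a router admin interface. This is an added example, not code from the thread; the admin origins, the function names and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the admin UI is served only under these origins.
ADMIN_ORIGINS = {("http", "192.168.1.1", 80), ("http", "router.lan", 80)}
# Assumption: settings are changed only by non-safe methods such as POST.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname, port or default)


def check_request(method, headers):
    """Return 'allow' or a 'deny: ...' reason for one request to the admin UI."""
    h = {k.lower(): v for k, v in headers.items()}

    # The Host header must name the router itself, not some other site.
    if origin_of("http://" + h.get("host", "")) not in ADMIN_ORIGINS:
        return "deny: unexpected Host"

    if method.upper() in SAFE_METHODS:
        return "allow"

    # Prefer Origin, fall back to Referer; fail closed when both are absent.
    source = h.get("origin") or h.get("referer")
    if not source:
        return "deny: no Origin or Referer"

    # Compare parsed origins, never substrings or prefixes of the raw header.
    if origin_of(source) not in ADMIN_ORIGINS:
        return "deny: cross-site"
    return "allow"


# Constructed sample requests: (method, headers).
SAMPLES = [
    ("POST", {"Host": "192.168.1.1", "Referer": "http://192.168.1.1/admin/dns.html"}),
    ("POST", {"Host": "192.168.1.1", "Referer": "http://forum.example/thread/42"}),
    ("POST", {"Host": "192.168.1.1", "Referer": "http://192.168.1.1.forum.example/"}),
    ("POST", {"Host": "192.168.1.1", "Referer": "http://192.168.1.1@forum.example/"}),
    ("POST", {"Host": "192.168.1.1"}),
    ("POST", {"Host": "192.168.1.1", "Origin": "null"}),
    ("POST", {"Host": "forum.example", "Referer": "http://forum.example/"}),
    ("GET", {"Host": "router.lan"}),
]


def run_samples():
    return [check_request(method, headers) for method, headers in SAMPLES]


if __name__ == "__main__":
    for (method, headers), verdict in zip(SAMPLES, run_samples()):
        print(f"{verdict:28} {method} {headers}")
```

Failing closed on a missing header blocks clients and proxies that strip Referer, which is the usual reason this check is paired with a per-session token rather than used alone.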
I can't wait to install the latest malware and try all of the new exciting features!
Congratulations, you've just described U2F!
What I described is a smart card .. something that has been widely used for over a decade.
The difference in not reinventing the wheel with U2F is you don't need to modify servers to support experimental channel binding extensions. This can be deployed without modifying existing servers.
"Google is very much a not-invented-here, build it ourselves culture."
-Eric Schmidt
The problem with client certificates is that you have to install them on a device before using the device.
The browser can grab them from anywhere it can anytime it wants. It can also pass-thru cert validation to physical trinkets that look like USB sticks or credit cards the same as smart cards have been doing for ages.
So you can only login from a device you completely trust. This is just another form of something you know.
It's not a second factor.
No it is clearly something you have. Using trusted system is an implied baseline requirement. It isn't ever optional. This business of logging on from devices you don't trust = GIGO.
With U2F you can, in a pinch, login from say a computer in the library and
This limitation does not exist with my suggestion to just use client certs. There is no reason to assume browser is the entity that must offer a proof of possession to server. I just don't see the point of reinventing the wheel.
not worry that your certificate just got compromised.
Well there is that... I'm not sure what value this has to normal people who prefer criminals not transfer every penny out of their bank account or send all of their friends ransomware... but hey at least your certificate didn't get compromised.... hurray.
Well I've got to hand it to them at least this isn't just another tired old token passing scheme running over TLS. There appears to be something "ChannelID"? I don't really understand the specifics that seems to bind something from USB card with the underlying TLS session.
Still I have three comments.
1. If you're going to do this why not deploy client certs and have your card store private keys for each site and just push all responsibility for interface (special standard for pkcs12 download, user attention..etc) to the browsers. If you did that you wouldn't need ANY low level server side changes at all to take advantage of it and browsers would have more freedom to manage key storage.
2. Better to enter "what you know" into "what you have" than entering them separately.
3. The problem with all of these schemes is they are a single point of failure. Lose, forget to bring or break your USB stick and you're fucked as a result. I don't expect very many sites that are not banks or something really important to even go here. Nobody is honestly willing to deal with both "I forgot my password" and "I lost my key".. so you'll end up with some sort of bypass like password questions that ruins the security of the system while making people "feel" secure because of all of these other worthless hoops they are going through.
I still think a better (as in practically useful across the board in line with what users and operators are willing to accept) approach to web security after an initial account creation step is use of secure password authentication protocols instead of the crap we have now where passwords are entered into ad hoc web forms.
Teaching people to enter passwords only into specific dialogues in their browsers at least would provide some hope of some people not getting owned by all of the lame phishing shit out there. TLS-SRP for example provides secure authentication without requiring certificates or leaking material that can be used for offline attack rendering connecting imposter sites both harmless and easy to recognize and since authentication is used to encrypt the underlying session PKI is optional although recommended to provide privacy protection against disclosing user identity in the clear during handshake. The patches necessary to enable this continue to collect dust in many of the major browser vendors ticketing systems.
Software vendors should act in their interests and not take illogical stands that smack of collusion.
You abandon a platform when either your customers abandon it or for some technical reason it becomes too cost prohibitive...NOT because a third party says so or pays you to do it.
Mozilla supports Linux with a pathetic 1/3rd of XPs market share.
They lump XP and Vista together rendering any technical justification unlikely.
Who honestly expects XP users who don't care/accept/understand security arguments to be convinced to upgrade to the current version of Microsoft's malware operating system because their browser is no longer updating? Find it impossible to understand how such policy can be spun to be in the users' best interests when it is only guaranteed to make a bad situation much much worse.
If Mozilla wants to take the position they no longer care to support XP users this is a coherent argument. The PR statement on the other hand is pure bullshit.
I love how vendors are using "security" as a bludgeon to beat people into boarding upgrade trains as if it's somehow normal or acceptable for customers to accept software that is inherently dangerous to use without continuous patching. Such irresponsible behavior on the part of any vendor engaged in it should be illegal.
The 2% of people who switched to Mac and 0.5% of people who switched to FLOSS desktops are totally acceptable costs.
They did this just right. If you're Microsoft, of course.
I sometimes ponder what percentage of people Microsoft needs to push to Linux would be sufficient for software and hardware vendors to notice they are leaving money on the table if they continue to ignore Linux paving the way for further lowering barriers of entry enabling even more users to contemplate switching?
Like Android vs Windows phone it isn't the operating system that matters it is everything that supports the operating system that makes a platform and moderates loyalty.
When you actively work to push customers to other platforms by turning your product into malware and resorting to underhanded tricks it isn't just those customers willing and able to leave right away that will eventually catch up to you.
Hopefully there is some small probability of downstream consequences to Microsoft's balance sheet following from more people choosing to spend money on solutions that don't revolve around Microsoft's platform.
If it's multiple bounces then it's a solar sail, not a photon rocket, and the other thing you're bouncing the laser off essentially forms the reaction mass. As you gain speed relative to your other mirror the efficiency will drop.
I guess I'm just stupid. I don't understand why this is relevant with regards to what is possible.
They're "allowed" to work, because they conserve energy and momentum, because there's a reaction mass.
What is the basis for the assumption EM drive is *required* to be any different to explain outcomes?
It's most likely pushing off the air or ambient magnetic field or something. That's neither useful nor interesting though.
There have been tests conducted in vacuum and testing in different positions to rule out similar possibilities specifically. I'm not claiming EM Drive actually works or doesn't work. I just don't get the assertion conservation laws are required to be violated to explain observed EM Drive outcomes assuming they are not just errors.
There isn't just magic stuff in space you can simply push off though. If there was, then it has interesting things to say about geocentrism!
If such magic were possible it could be sufficient to explain results without necessarily affecting conservation laws. There are other options besides assuming EM Drive is a free energy machine.
The big reason the EM Drive is attracting any interest at all is that it seems to be generating thrust per watt ratios at least an order of magnitude greater than theoretically possible with a photon rocket (i.e. shining a laser/flashlight/microwave/radio source out the back end), so there's no accepted theoretical basis for the thrust it's generating, unless maybe it's actually vaporizing itself and leaking pressurized metal gas out the back end
Except 3x that which has been claimed to have been observed with EM Drive has been demonstrated with photon rockets using mirrored surfaces.
Why does nobody bat an eye when photon rockets are shown to outperform EM drives?
Finally, conservation of energy (Ein=Eout + heat) could also be broken by a reactionless thruster as it's heavily dependent on speed. If the EmDrive generates a constant thrust for a constant energy input as it accelerates (completely untested), then its kinetic energy will increase at a steadily increasing rate, since energy increases with the square of velocity. At some point the incremental increase in kinetic energy will be larger than the incremental consumption of electrical energy, at which point you could theoretically attach it to the rim of a wheel turning a generator to produce more energy than you're consuming. (normal rockets don't face this issue since the exhaust is being slowed down while the rocket accelerates, so the total kinetic energy change remains constant.)
All photon rockets do this... efficiency goes to plaid above the relativistic threshold. You're just not accounting for total energy properly.
1. The EM drive works, which means there is a substantial gap in the laws of physics which have already passed very many far, far more stringent tests than the one in this article, implying thousands of other unrelated experiments were flawed in a consistent way.
What is so compelling about EM drive from a perspective of capabilities as measured thus far that requires substantial gaps in the laws of physics to explain?
Photon rockets with 3x that of the best EM drive results per watt have been demonstrated using mirrored surfaces simply by bouncing lasers thousands of times. Why are they allowed to work while EM drive is labeled "impossible".
Nobody really has a handle on what if anything EM drive is "pushing off" of. It is all just conjecturbation at this point.
One consistent performance problem I see across browsers is large tables take forever to render even with static column attributes. You can load an excel spreadsheet with tens of thousands of rows instantaneously.
The same data in a table pegs a core and consumes a GB or more of RAM with minutes or more delay. Often as the number of rows increase there is a huge corresponding drop-off in performance until it becomes practically unusable.
Otherwise I have no real issues with browser performance. Sure browsers like IE do the darndest things you've ever seen sometimes including getting so slow as to be unusable when displaying large ASCII text files. That's right.. not complex HTML but text rendered as TEXT.
Browsers are like everything else. The EE's give us incredible hardware and we go out of our way to waste it with lazy sloppy coding simply because it's cheaper not to care.
Browsers are the same way.. all kinds of hard work on fancy algorithms and optimizing performance ... obliterated by "developers" who think HTML/JavaScript/CSS are "too hard" and instead insist on piling on layer upon layer, framework upon framework, widget after widget, piecemeal XMLHttpRequest after XMLHttpRequest, fill site with social media bugs, cross site trackers, ads/malware, use third party bugs to get web stats because you are too lazy to install a stats package to analyze your own access logs. Some sites just enjoy selling out their customers to stalking firms who often cross sell-out customers to other stalking firms leading to hilarious trees of connections when accessing a single page. Yet others are completely oblivious to what is going on behind the scenes.
Web sites written by people who care about wasting their users' time load instantaneously. It's amazing. Never really had issues with browsers themselves not being responsive divorced from the bullshit occurring within them. I'm not really sure how what is being described by TFA is even possible given so much runs in separate process/memory space these days.
It's not the first time someone has bragged about their willful ignorance
As mentioned I stand willing to be enlightened. You seem more interested in throwing insults than supporting your position with merit based argument demonstrating value of HA. This is of course nothing new. Most HA proponents I've spoken to have taken this very tack.
Saying that there is no value proposition to HA is like saying there is no point in painting the walls different colors.
You're saying HA is not supposed to be functional but rather decorative?
If the extent of your lighting is limited to a single ceiling fixture in your room then lighting automation, as an example, is not valuable to you. This reflects more on your lack of sophistication than on HA's value proposition. HA is a tool to achieve desirable ends, not an end in itself, and the problem here is your lack of vision.
I'm not sophisticated. I don't live in a mansion and flicking on and off light switches is not something I chose to waste my time developing a "vision" for how to improve. Most people are in the same boat which explains the pathetic market share of these technologies despite having been around for decades.
A couple of sun timers and motion controlled light switches meets all of my "automation" needs.
The point of home automation is to (a) integrate various technologies around the home while (b) providing a convenient, intuitive, easy to use interface for doing so. I'm sure the same objections were made in the past about *every* technological advance...
"Use fire to provide light at night? Just go to sleep, like everyone else does."
"Cook your meat? Just eat it raw, like everyone else does."
"Domesticate and ride a horse? Just walk, like everyone else does."
There are legitimate concerns when it comes to the hows and whys of home automation... but this reflexive nay-saying isn't among them. It's just lazy objection for objection's sake.
Your argument is the flipside of the same coin and cannot be falsified.
If you think this particular technology is valuable you are welcome to provide a merit based justification for your position. Just saying the same objections were made about everything is the same as saying nothing at all because the same argument can be applied without limit to justify ANYTHING.
Nobody in the HA crowd has ever been able to offer a coherent value proposition for how HA could improve *my* life that would in any way be useful to *me*. Until this changes I will continue to blindly assume HA is a pointless waste of time and money with increasingly massive malware/privacy issues.
The people I know of into HA are "gadget whores" who hardly view HA objectively... they just like to screw with shit because it's "cool" or for technology's sake which is a perfectly acceptable justification in and of itself. Everyone gets to decide for themselves what is and is not important to them.
Win10 is not even on my radar. As long as it is loaded with malware and forced updates feature set is irrelevant.
Look, I use Firefox because I'm generally privacy-conscious. I don't want a browser that phones home to Google all the time. I definitely don't want a broken browser made by Microsoft. I use Firefox because it allows me to (provably) disable third-party communications, I can fine tune which features are enabled and turn off the ones I feel may pose a security threat, and it has a solid base of plugins to help create a more secure environment.
Firefox talks the talk about privacy but makes it virtually impossible to achieve. Sheer volume of "call home" excuses in Firefox is breathtaking. Their own expansive about:config privacy documentation tweak guide is as incomplete as it is ridiculously long and convoluted to follow.
If they really gave a shit they would provide usable privacy options as in options that mortal people can actually manage.
Such as:
"Never call home for any reason". ...etc.
"Ask me before calling home"
"Automatically call home for x class of reasons"
The other major issue with Firefox is relatively poor code quality makes using Firefox more dangerous than other browsers.
It's truly astounding but on this one they actually worked closely with security researchers to make the technology not useful for tracking. The identification number is randomized every 5 minutes and it contains no information that can tie it to the vehicle's VIN.
This isn't real. You can't have a secure system without knowing who (basis of trust) you are talking to regardless of technology or algorithms employed.
It is either secure + privacy invasion or insecure. It is physically impossible to do both. You can create a knob and adjust from one extreme to the other yet it is always a tradeoff between the two.
You could for example create group keys that prevent individual vehicles from being discernible yet this also means any group member can emulate any other member and cause havoc that can only be traceable back to the group.
V2V is trying to introduce laser disc in the era of Blu-ray/streaming video.
V2V is teaching people to write in glyphs to make their scribbles readable by their palm pilots.
When V2V push started the technology for computers to monitor and respond to the world as it is in real-time didn't exist at a cost or form that was practical or affordable.
This is no longer the case. The world has moved while V2V is stubbornly stuck in the past. The only remaining benefits of V2V above CV based technologies which react to the world as it actually is was enrichment of those who lobbied and stand to profit massively from a government mandate and TLAs interested in mass surveillance.
V2V cannot be secured. V2V will be abused by criminal enterprise and governments. V2V will be abused by stalkers and kids with nothing better to do. V2V will be used to trigger bombs. It will be used to catalogue everywhere everyone goes en-masse in the same way AIS and ADS-B is currently abused for reasons having nothing to do with public safety.
Government figures on lives saved and benefits are worthless lies that don't consider competing technologies. Our choices are not either a 70's pinto or V2V.
While this has clear utility and in the long run it may save lives
In my view there is no basis upon which to conclude V2V is in any meaningful way helpful or necessary to improve public safety.
Sensor/CV based technologies such as AEB/CTA significantly overlap with stated benefits of V2V. There is no public information available which provides information on safety gains from V2V compared to deployment of sensors.
Government V2V literature and estimates assume V2V is evaluated in a vacuum against a 70's pinto. They don't consider alternatives already deployed commercially which don't require everyone to be equipped with a transceiver to reap benefits.
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
Ask little Bobby Tables, he'll tell you: https://xkcd.com/327/
There is sadly widespread belief SQLi is caused by failure to perform data validation/sanitization. This belief is both incorrect and dangerous.
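An added illustration of the claim in the comment above (not part of the original thread): a query that "sanitizes" its input but still splices it into the SQL text, next to the same query with the value bound as a parameter. The table, the `sanitize` routine and the sample inputs are constructed for this example and assume SQLite through Python's `sqlite3` module.

```python
import sqlite3


def make_db():
    """Build a small in-memory database (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, balance INTEGER)"
    )
    db.executemany(
        "INSERT INTO accounts (owner, balance) VALUES (?, ?)",
        [("alice", 100), ("bob", 250), ("o'brien", 75)],
    )
    return db


def sanitize(value):
    """A typical hand-rolled 'sanitizer' (hypothetical): double single
    quotes, strip statement separators and comment markers."""
    return value.replace("'", "''").replace(";", "").replace("--", "")


def lookup_sanitized(db, account_id):
    # The cleaned value is still concatenated into the statement, so the
    # database parses it as SQL. In a numeric context no quote is needed
    # to change the meaning of the WHERE clause.
    sql = "SELECT owner, balance FROM accounts WHERE id = " + sanitize(account_id)
    return db.execute(sql).fetchall()


def lookup_bound(db, account_id):
    # The statement text is fixed. The value travels separately and can
    # only ever be compared as a value, whatever characters it contains.
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchall()


def find_owner_bound(db, owner):
    # Legitimate data containing a quote needs no special handling.
    return db.execute(
        "SELECT owner, balance FROM accounts WHERE owner = ?", (owner,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    hostile = "1 OR 1=1"  # constructed input: no quotes, semicolons or comments
    print("sanitizer output:", sanitize(hostile))
    print("spliced query   :", lookup_sanitized(db, hostile))
    print("bound parameter :", lookup_bound(db, hostile))
    print("bound, id 1     :", lookup_bound(db, 1))
    print("bound, o'brien  :", find_owner_bound(db, "o'brien"))
```

The sanitizer passes the hostile input through unchanged because it contains none of the characters it looks for; the flaw is that data and query text share one string, which is what parameter binding removes.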
(U//FOUO) 'Can You See Me Now?' - GPS Enabled Technologies
FROM: Gary Davis
Technical Director, Joint Proforma Center (S2J34)
Run Date: 04/27/2004
(U//FOUO) Almost everyone is familiar with the cell phone catch phrase, "Can you hear me
now?" The next era, "Can you see me now?", has arrived. Numerous devices using Global
Positioning Systems (GPS) for determining their location have proliferated across every part of
society. These devices are not only able to transmit their location information, but also receive
location information from similar devices. Imagine being able to see where all of your buddies
are located when planning a lunch. You could overlay the locations of Chinese restaurants in the
area, select the best or closest one, and send that location to your buddies. Well, that time is
already here.
(U//FOUO) GPS-based systems, and similar technologies, enable us to know many things such
as:
where am I;
where are my buddies;
where is my car;
where is my boat;
where are other boats in my area.
(U//FOUO) Obviously, these are just a few examples, and the amount of information from these
types of devices has exploded recently, resulting in an "Information Tsunami." This huge wave
of information is only going to grow larger. As costs of Global Positioning Systems become more
affordable, these devices will be integrated into our daily life and become an increasingly
invisible service that we come to rely on for even the simplest of tasks.
(S//SI) One of the first examples of the global use of this type of technology is the ITU-R
M.1371-1 recommendation jointly developed by the International Telecommunication Union
(ITU) and International Maritime Organization (IMO) and known in the public domain as
Automatic Identification System (AIS). AIS is a standard that governs the means for
transmitting and receiving information on a ship's position, course, speed, name, type of cargo,
size, destination, etc. It also provides a framework for extending the basic capability to include
TELEX messages, ship way points, and gives vendors the capability to provide proprietary
services to ships outfitted with its equipment.
(S//SI) AIS-derived SIGINT is already available to the SIGINT production chain, with
dissemination limited under interim OGC (Office of the General Counsel) guidance. Although
significant legal and policy hurdles remain, SIGINT exploitation of AIS is already a success in
terms of grappling with widespread self-disclosure technologies. Exploitation of AIS exemplifies
how NSA, as a Combat Support Agency, can help assure information superiority by providing
precise and timely geopositions far beyond the range of most tactical sensors -- allowing not
only enhanced Force Protection but also setting the stage for automated correlation of
unidentified commercial radar intercepts to specific vessels.
(S//SI) And this is just the beginning. NSA's Joint PROFORMA Center (JPC) is the Executive
Agent for developing these new technologies. The JPC is responsible for the technical analysis,
oversight of the processor architecture, coordination of data dissemination, and is the
Intelligence Community's SIGINT focal point for these systems. JPC will help provide an
unprecedented level of detailed information on the location and movements of high value assets
including people, ships, cargo, etc. for support in the global war on terrorism and support to
military operations worldwide. For more detailed information please contact the Joint PROFORMA
Center ("go proforma" in your browser).
"(U//FOUO) SIDtoday articles may not be republished or reposted outside NSANet
without the consent of S0121 (DL sid_comms)."
DYNAMIC PAGE -- HIGHEST POSSIBLE CLASSIFICATION IS // SI / TK // REL TO USA AUS CAN GBR NZL
TOP SECRET
DERIVED FROM: NSA/CSSM 1-52, DATED 08 JAN 2007 DECLASSIFY ON: 20320108
I have nothing against relational databases, but the Structured Query Language itself is an accident waiting to happen.
Agreed. Lost track of the number of times I've forgotten to type 'where' and all my conditions get tagged to the last join without something warning me about how much of a dumbass I am.
"The hack used an SQL injection flaw. . ."
Jesus wept...excuse me while I execute a nuclear-grade facepalm. Have none of these people ever heard of sanitizing data?
What does sanitizing data have to do with preventing "SQL injection flaw" besides absolutely nothing?
Yes, another obstacle to cross, but HTTP_REFERER also can be spoofed. You would effectively have to implement an authentication scheme with HTTP_REFERER to achieve anything but a temporary effect.
No it can't, not by your *BROWSER*. Any avenue to spoof is a security bug and has been treated as such for at least a decade.
My comments are not about absolute protection of router from local access by a malicious HTTP client it is about preventing CSRF the lowest hanging fruit out there.