The definition of personal data is broad and should be carefully reviewed in this case. Them knowing what you clicked and the failure attached to the series of action is hardly personal data that anybody truly cares to protect.
I care deeply about it and will take any action necessary to deny any OS vendor this capability. None of their goddamn business period.
Same goes for hardware specs. If anything, most users would be happy to hand over that data to help their favored platform become more stable.
It is nice they are given a choice... oh wait those ever forgetful levers in the privacy settings don't actually stop anything now do they?
The situation is still the same. What is the collected data? Last time MS responded, the data collected was no more than what your search engine collects.
None of Microsoft's business what I do or where I search.
It was definitively less harmful than the data your GPS or cell phone carrier collects.
Is Microsoft the same company whose Windows 10 mobile platform collects your GPS location without your consent or any ability to stop it whenever you want to use your GPS locally?
Christ, your credit card, your bank and your air miles card have far more important data and they use it in whatever way they see fit (within the confines of the law).
No fuck that. If someone steals my credit card I don't give a shit. The card company will just issue me a new one.
If someone exfiltrated confidential data or trade secrets from my system, which Microsoft grants itself the capability to do by default when Windows 10 is installed, there is nobody I can call to get it back or put the genie back in its bottle.
For reference to where Microsoft openly admits to installing and activating a remote access Trojan with Windows 10 by default, please see the following:
So long as a first grader can be taught to encode and decode messages no intelligence agency can intercept armed with only a pen and pencil.
So long as people are able to meet and develop signals, code words and languages.
There will be end to end private communication. E2E has been with us since the very beginning of civilization. Not just the last few decades or the last few centuries but the last several thousand years.
These laws are designed for one thing and one thing only. To deny the masses secure communications regardless of the fact anyone with a specific need or desire for E2E will have it easily no matter what. The result is everyone continues to suffer from insecure systems because crappy governments have fear/power/legitimacy issues while only the most lazy and disorganized of bad actors are affected.
Oculus 1.3 runtime for the Rift was released with async timewarp. When it was released DK2 users used to earlier runtimes without it were all over the boards with phrases like "holy shit" and "DK3" to explain how ATW changed everything for them. Jitter issues magically disappeared overnight with only a simple software update.
More generally there is one and only one "trick" for improving VR quality going forward and that is foveated rendering. This technology is absolutely critical to any serious vision of future HMDs.
To provide some context, the cones of our eyes cover a massive (cough cough) 15 degrees of arc. That's it. You can't even lean back and read 1/4 of what is on your monitor without moving your eyeballs around to do it. 4K is overkill... 1080 is overkill... The future in VR is entirely locked up in sensing eye orientation and optical and/or electronic steering of relatively low resolution displays in response.
I stopped buying from Amazon as they have grown to the point where playing games to cow people into joining their little club is more important than competing on merit.
Try buying star wars from Amazon without a Prime membership. Oh right you can't. Persistent harassment to join "prime" complete with confusing UX tricks. Deliberate plays to artificially delay shipping and enforce minimum orders to artificially manipulate consumer behavior.
As a customer I refuse to accept or support Amazon's behavior and have taken my business elsewhere.
Perhaps, but the problem is that if those systems are in fact coming in the near to medium future (and there's "no affirmative evidence of any kind" that it *isn't* true) then they'll absolutely *destroy* most forms of encryption currently in use.
If in fact hostile space aliens (or pancake monsters from the 5th dimension) are coming in the near to medium future then they'll absolutely *destroy* most forms of encryption and everything else currently in use.
Why shouldn't Google care equally about this threat too given the consequences are much worse and there is no affirmative evidence it isn't true? Where does hedging against completely baseless nonsense end? Are there any limits? At all? Of any kind? Only when you can prove a negative?
Google decided that the high risk outweighed the low chance. Plus their work goes towards research which will, eventually, be beneficial.
Merely selecting algorithms OTHERS created is hardly what I would consider to be research. There are literally hundreds of cipher suites available in TLS... adding new ones isn't a particularly noteworthy exercise.
The core problem with pushing "post quantum" crypto into production is you are essentially making choices in the blind based exclusively on fear and *baseless* speculation. There is no affirmative evidence of any kind Quantum computers with the capability to crack crypto are even possible let alone expected in the near to medium term.
I can't help but wonder if at least some of those pushing "post quantum" crypto are intentionally making a play to nerf security more than it already is.
There are a million practical things Google could elect to do to improve real world practical security starting with not reading everyone's email to applying TLS-SRP patches to enable secure password authentication to making Android less of a security joke. Time spent on post quantum crap is time not spent addressing actual threats we know for sure exist in the real world.
As someone who works in the entertainment industry, I have to say this is more about keeping the populace paranoid than preventing terrorism.
Most of the audio they are liable to pick up will be garbage. Directional mikes can only pick up so much legible speech before being overrun by ambient noise.
However, I can never understand the concern about video/audio surveillance of public places. When you're in a public place you can have no expectations of privacy to begin with because you're generally surrounded by people.
Public and private are mutually exclusive, so you cannot expect privacy in a public place. I therefore don't understand the outrage.
Can someone explain this one to me?
It isn't about one bus or one street as it is about canvassing everything everywhere and employing computer algorithms to automatically stitch and compile government stalking files on everyone.
If someone sat 24x7 parked in front of your home waiting for you to leave, tailed you everywhere you went, followed you to every "public" place and recorded all of your "public" conversations, and if when you left they got up and followed you to your car parked just in front of their stalker mobile and followed you to your next destination... I think you would begin to understand the limits of the "public" excuse. Very few people would put up with this type of behavior. Just because you can't see the stalker creep tailing you doesn't make it any more OK.
While I generally have a positive opinion historically of Netscape/Mozilla/Firefox I find them to be a little two faced at times.
They claim prominently on their website to care about privacy yet make it extraordinarily difficult to configure the browser not to continuously call home. Even when you follow their expansive instructions it still doesn't stop it and the sheer volume of reasons or excuses implemented in the browser and enabled by default is comically mind boggling.
Then there is the matter of "We follow the Rust Code of Conduct." which essentially codifies coddling, censorship and intolerance.
It is nice to see them doing *something* about the ease of discovering exploits in their current codebase. If it works without downsides it will be awesome for users.
Apple has sold out humanity to lizard like aliens who lack appreciation for wasting power on cloaking fields 24x7 just to avoid being documented by every Dick, Jane, and with a camera phone in their pocket.
AMT allows anyone who can broadcast DHCP and legitimately purchase a certificate from a CA to own your system, even if it isn't turned on.
If there is a defect (as if the above isn't bad enough) they won't bother to fix their bugs once they have decided your hardware is no longer worth their time to support... same as IPMI vendors and all the rest.
Even when you turn off "AMT" in the BIOS, if you are lucky enough to even have that option, which I do not... it is STILL there listening. The only way I've found to limit this unnecessary and unwanted system-within-a-system madness is to disable the hardware virtualization feature, which prevents sharing of hardware between the IME and the operating system.
They keep fucking up and acting like a bunch of pricks. Arbitrary minimum orders, intentionally sitting on orders for days before eventually shipping them so they don't, to quote a CSR, "go out too soon". Insane power trips designed to cow people into submitting to Prime subscriptions... Try ordering Star Wars of all things FFS without a Prime subscription from Amazon.
When you finally do order something they will completely hide your order from the order history, not bother to ship when they say and not provide any explanation as to why.
But hey at least they are cutting labor costs with robots... I get infinitely better service ordering from humans on eBay and will never waste my time with Amazon again.
Current state of the art if you have been following dogma is to include key stretching based on algorithms such as scrypt intentionally designed to be costly to run on massively parallel commodity hardware. You don't even bother with this which puts you at an extreme disadvantage.
It isn't that salting or key stretching is in any way bad or not worth doing. It is the checking of the box and then falling asleep thinking you solved something when in fact you have done no such thing that is the issue at hand.
These things in practice are worthless against any sizable password cache of any worth.
This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years.
Exactly this kind of hubris is what is going to get everyone hacked. You have demonstrated by your "Life Lock" play you don't even understand the problem. It isn't about *YOUR* password, it is about everyone else's. If you think passwords can be meaningfully protected by this crap you are dangerously mistaken.
For the life of me I can't figure out why all of these tunneling/transition protocols are enabled by default in Windows. Who uses automatic IPv6 transition schemes in 2016? They certainly are not now nor have they ever been sufficiently reliable for production use and TTL for IPv6 amateur hour has long since expired. Why is this worth the massive security headaches these things invite?
I have a script that I run on any new Windows boxes. Part of it does the following:
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.
If they are properly salted, they aren't easy to crack.
Compared to what?
Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
So with 45 million accounts it should take a million years to get the first million passwords... is this what I am supposed to believe?
How is enforcing complex passwords sufficient to stave off today's and tomorrow's computers going? Is it working? Do humans accept passwords with sufficient entropy to survive brute force attack by dedicated cracking hardware and botnets with hundreds of thousands to millions of nodes?
Unsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.
So what if the cracking isn't free? People were having quite a lot of success before rainbow tables ever existed on hardware thousands of times less capable than what we have today. What is the actual effect of this in the real world?
On a related note, here's how to get SHA256 salted hashes on a Linux system: crypt(PASSWORD, '$5$' . SALT . '$')
In MySQL it's called ENCRYPT(): ENCRYPT(?, CONCAT('$5$', ?, '$')) execute(password, randomsalt)
Enclosing the salt in $5$...$ causes crypt() to use sha256.
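The exchange above turns on what salting and key stretching actually buy. As an added example (not code from either commenter), the following builds a small constructed credential store and measures the three effects being argued over: an unsalted fast hash lets one precomputed table serve every account, a per-account salt forces one dictionary pass per account yet still recovers the weak passwords, and PBKDF2 multiplies the cost of every guess without changing which passwords fall. The account names, passwords, salts, dictionary and the 1e10 guesses/s rate are all constructed assumptions.

```python
"""Salting, shared precomputation and key stretching, on a constructed store.

Added example, not code from anyone in the thread. It checks three claims the
thread argues about against a tiny constructed credential store:
  1. an unsalted fast hash lets one precomputed table (a stand-in for a
     rainbow table) be reused against every account at once;
  2. a per-account salt removes that reuse, yet a weak password still falls
     to a short dictionary, one account at a time;
  3. key stretching (PBKDF2-HMAC-SHA256 here) multiplies the cost of every
     guess, which helps only in proportion to the password's entropy.
Every account, password, salt and dictionary word is constructed for the demo.
"""
import hashlib
import os
import time

# Constructed stand-in for a leaked list of popular passwords.
DICTIONARY = ["123456", "password", "qwerty", "letmein", "dragon", "monkey"]
# Constructed accounts: two dictionary passwords and one high-entropy one.
ACCOUNTS = {"alice": "letmein", "bob": "dragon", "carol": "Ww8!kz^2pQ#r7Lm"}
PBKDF2_ROUNDS = 50_000  # constructed work factor for the comparison below


def salted_md5(password: str, salt: bytes) -> str:
    """Fast hash plus salt: blocks shared precomputation, not per-guess cost."""
    return hashlib.md5(salt + password.encode()).hexdigest()


def stretched(password: str, salt: bytes) -> str:
    """Key stretching: every guess costs PBKDF2_ROUNDS HMAC invocations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


def make_store(salted: bool, hash_fn=salted_md5) -> dict:
    """Build {user: (salt, digest)}; an unsalted store uses an empty salt."""
    store = {}
    for user, pw in ACCOUNTS.items():
        salt = os.urandom(8) if salted else b""
        store[user] = (salt, hash_fn(pw, salt))
    return store


def attack_unsalted(store: dict, hash_fn=salted_md5) -> tuple:
    """Build the table once, then every account is a free lookup."""
    table = {hash_fn(word, b""): word for word in DICTIONARY}
    recovered = {user: table[digest] for user, (_, digest) in store.items() if digest in table}
    return recovered, len(DICTIONARY)  # hash operations spent, shared by all accounts


def attack_salted(store: dict, hash_fn=salted_md5) -> tuple:
    """No shared table: the dictionary is rehashed under each account's salt."""
    recovered, guesses = {}, 0
    for user, (salt, digest) in store.items():
        for word in DICTIONARY:
            guesses += 1
            if hash_fn(word, salt) == digest:
                recovered[user] = word
                break
    return recovered, guesses


def cost_ratio(trials: int = 3) -> float:
    """Wall-clock cost of one stretched guess relative to one salted-MD5 guess."""
    salt = os.urandom(8)
    t0 = time.perf_counter()
    for _ in range(trials):
        salted_md5("guess", salt)
    fast = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(trials):
        stretched("guess", salt)
    return (time.perf_counter() - t0) / max(fast, 1e-9)


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Exhaustive search of a uniformly random password at a rate the caller assumes."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    found, ops = attack_unsalted(make_store(salted=False))
    print(f"unsalted MD5: {found} after {ops} hashes, shared across all accounts")
    found, ops = attack_salted(make_store(salted=True))
    print(f"salted MD5:   {found} after {ops} hashes, one pass per account")
    found, ops = attack_salted(make_store(True, stretched), stretched)
    print(f"PBKDF2:       {found} after {ops} guesses, each ~{cost_ratio():.0f}x dearer")
    # Constructed rate: 95 printable characters, 10 characters, 1e10 guesses/s.
    print(f"random 10-char search at 1e10/s: {seconds_to_exhaust(95, 10, 1e10) / 3.15e7:.0f} years")
```

In every configuration the two dictionary passwords fall and the random one does not; only the cost column changes. Salt removes the shared table, stretching raises the bill per guess, and neither rescues a password drawn from a short list, which is the point both sides of the exchange are circling.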
All this accomplishes is repeating the same failures again and again and again and again.
First, MD5 is NOT broken for this purpose and offers no meaningful disadvantage to other hash algorithms.
Salts and key stretching only make it n-times more expensive to brute force plaintext. While this sounds good, even if n is measured in the millions and really does require attackers to expend more resources to accomplish the same result, these expenditures amount to an unresolvable speck of dust compared to having a secret with sufficient entropy... a luxury that does not exist in the real world.
There are two major problems with the way industry in general is handling passwords and authentication.
1. Reliance on hashes as a good enough solution rather than protecting password stores with reversible encryption, preferably by a split system where keys are only in the possession of an authenticator whose one and only job is to assert identity to applications. It is tractable to secure a low complexity single purpose system while virtually impossible to protect your typical infinitely complex and often poorly designed web stack. The problem with hashes is people don't use good enough passwords to survive offline attack regardless of the salt + amplification bullshit everyone throws around as a "solution". Just ignoring this basic fact or thinking you're going to force people to use better passwords is a proven delusion with a long long history of total failure.
2. Encrypting the channel and sending plaintext over it is stupidity of the highest order. What we need are authentication protocols that don't suck, and by that I mean allow mutual proof of possession and binding proof to the encrypted session without leaking shit that enables brute force attack in the process. We don't need new CHAP schemes upgraded with the latest and greatest SHA-Infinity or Kerberos or houses of cards the size of the earth a hundred times over (PKI). We don't need the world thinking it is OK to enter credentials into random web forms.
There are numerous so called "zero knowledge" systems that do exactly this. To this day exactly none of them are supported by any major browser despite patches languishing in the project's ticketing system and despite all of the supporting infrastructure in terms of standards and baked in support by major encryption libraries.
We are doing it wrong and much of the popular dogma I'm hearing on how to do it right is also wrong.
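The "zero knowledge" protocols the comment refers to include SRP, the scheme behind the TLS-SRP patches mentioned earlier in the thread. Below is an added worked exchange of SRP-6a written for this page; it is not code from anyone in the thread or from any library. It assumes the 1024-bit group from RFC 5054 Appendix A (transcribed here), SHA-256 in place of RFC 5054's SHA-1, and the common simplified proof messages M1 = H(A|B|K) and M2 = H(A|M1|K) rather than RFC 2945's exact construction. Usernames, passwords and salts are constructed.

```python
"""SRP-6a, both sides played locally: the password never crosses the channel.

Added example, not code from anyone in the thread. Assumed: the 1024-bit group is
transcribed from RFC 5054 Appendix A, SHA-256 stands in for RFC 5054's SHA-1, and the
proofs use the common simplified form M1 = H(A|B|K), M2 = H(A|M1|K) rather than
RFC 2945's exact construction. Usernames, passwords and salts are constructed.
"""
import hashlib
import secrets

N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576D674DF7496EA81D3"
        "383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
        "82559B297BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
        "9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8  # group elements are padded to 128 bytes before hashing

def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

k = int.from_bytes(sha(pad(N), pad(g)), "big")  # SRP-6a multiplier parameter

def private_x(salt: bytes, username: str, password: str) -> int:
    # x = H(salt | H(username ":" password)); computed only on the client.
    return int.from_bytes(sha(salt, sha(f"{username}:{password}".encode())), "big")

def register(username: str, password: str) -> tuple:
    # Enrolment output for the server: (salt, verifier v = g^x). The password is not kept.
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, username, password), N)

class Server:
    def __init__(self):
        self.db = {}

    def enrol(self, username: str, salt: bytes, v: int) -> None:
        self.db[username] = (salt, v)

    def challenge(self, username: str, A: int) -> tuple:
        # Message 2: (salt, B = k*v + g^b). Abort on A = 0 mod N, which would force S = 0.
        if A % N == 0:
            raise ValueError("invalid client public value")
        salt, v = self.db[username]
        b = secrets.randbelow(N - 1) + 1
        B = (k * v + pow(g, b, N)) % N
        u = int.from_bytes(sha(pad(A), pad(B)), "big")
        S = pow(A * pow(v, u, N) % N, b, N)  # = g^(ab + ubx), the same S the client derives
        self.A, self.B, self.K = A, B, sha(pad(S))
        return salt, B

    def verify(self, M1: bytes) -> bytes:
        # Message 4: accept only if the client's proof matches, then prove ourselves.
        if not secrets.compare_digest(M1, sha(pad(self.A), pad(self.B), self.K)):
            raise ValueError("client proof failed")
        return sha(pad(self.A), M1, self.K)

class Client:
    def __init__(self, username: str, password: str):
        self.I, self.P = username, password

    def hello(self) -> tuple:
        # Message 1: (username, A = g^a).
        self.a = secrets.randbelow(N - 1) + 1
        self.A = pow(g, self.a, N)
        return self.I, self.A

    def respond(self, salt: bytes, B: int) -> bytes:
        # Message 3: derive S and K from the password, send proof M1. Abort on B = 0 mod N.
        if B % N == 0:
            raise ValueError("invalid server public value")
        x = private_x(salt, self.I, self.P)
        u = int.from_bytes(sha(pad(self.A), pad(B)), "big")
        S = pow((B - k * pow(g, x, N)) % N, self.a + u * x, N)  # = g^(b(a + ux))
        self.B, self.K = B, sha(pad(S))
        self.M1 = sha(pad(self.A), pad(B), self.K)
        return self.M1

    def finish(self, M2: bytes) -> bytes:
        # Trust K only after the server has proved it holds the verifier.
        if not secrets.compare_digest(M2, sha(pad(self.A), self.M1, self.K)):
            raise ValueError("server proof failed")
        return self.K

def run_exchange(server: Server, username: str, password: str) -> tuple:
    """Drive the four messages; returns (client_key, server_key) or raises ValueError."""
    client = Client(username, password)
    I, A = client.hello()              # on the wire: I, A
    salt, B = server.challenge(I, A)   # on the wire: salt, B
    M1 = client.respond(salt, B)       # on the wire: M1
    M2 = server.verify(M1)             # on the wire: M2
    return client.finish(M2), server.K

def authenticate(server: Server, username: str, password: str) -> bool:
    try:
        ck, sk = run_exchange(server, username, password)
    except ValueError:
        return False
    return ck == sk

if __name__ == "__main__":
    srv = Server()
    srv.enrol("alice", *register("alice", "correct horse battery"))  # constructed account
    print("right password accepted:", authenticate(srv, "alice", "correct horse battery"))
    print("wrong password accepted:", authenticate(srv, "alice", "wrong"))
```

An observer of the channel sees I, A, salt, B, M1 and M2; testing a password guess against any of them requires the ephemeral a or b, which is what separates this from sending a password, or a hash of it, through a TLS tunnel. The server still stores g^x, so a breach of the verifier database remains an offline-guessing problem: SRP addresses point 2 of the comment, not point 1.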
Why would NSA piss away capability on something as trivial and unimportant as this? If I were an NSA goon I would do what I do best... LIE.. encryption...what's that? Way over our heads...
It was already widely believed the odds of finding anything of importance on the iPhone were slim going in, and surprise, nothing was found. The whole exercise was primarily the FBI making a political statement in a case where they believed they would have maximal political advantage. I would have been disappointed in the NSA if they gave the FBI anything.
As you have already called out, what the code does is trigger an ETW event which, when it's turned on, will emit timestamps and module load events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs).
Microsoft by default includes and enables Remote Access Trojan in Windows 10 with capability of exfiltration of anything from your system without your explicit knowledge or consent. https://web.archive.org/web/20...
Microsoft doesn't provide paying customers an option to stop persistent cyber stalking of their systems and activities.
Microsoft constructs intentionally misleading interfaces and systems designed to intentionally leak personal information and trick people into submitting to things they don't want.
Now they are collecting "telemetry" from software compiled with visual studio...until...oops we got caught.
There is a new culture in the industry fueled by disrespecting your customers in every way you can possibly get away with and then some. It is part of a concerted top down conspiracy to put PC as an open platform genie back in the bottle. It is about supporting a post ownership vision of the future where customers are the product and vendors are all powerful kings.
Hopefully the cumulative effect will be enough interest into use and development of alternatives to eventually push Microsoft into bankruptcy. This is what they deserve.
I work for a company that does R&D that CARB uses to make decisions on new regulations for vehicles sold in California. For the past 6 months or so we have been testing a platform for real-time centralized monitoring of emission systems in both passenger and commercial vehicles.
In this platform, connected vehicles send real-time diagnostic information from the OBD system to CARB via a GSM link. CARB can then identify vehicles that have emissions problems and notify owners, prevent the vehicles starting, and if necessary, automatically levy fines for non-compliant commercial vehicles.
Overall this is a wonderful system that will help vehicle owners keep their cars and trucks compliant with CARB regulations, reduce health effects of fossil fuel use, keep our children healthier and safer, and capture lost noncompliance revenue, which is estimated to be millions of dollars every year.
Compliance is big business. From lobbying to get your shit mandated to the massive windfall you and your supply chain make when all of those dollars backed by the state's monopoly on violence start rolling in.
The use cases and cost benefit analysis in California particularly are sometimes laughably absurd because the goal is often not really public safety or helping everyone. The goal is the creation of new markets and self enrichment.
You don't need a real-time data link to enable a check engine light or implement an effective vehicle emissions inspection regime. Single vehicles are irrelevant in terms of air quality and bulk emissions can be accurately predicted and managed with policy and statistical models but don't let that stop you from lobbying for mandates.
The only people's children this is going to help are the ones with parents involved in these schemes. Everyone else's will have less disposable income and reap the "benefits" of mass surveillance and omnipresent real-time policing.
Very common for "Apps" to be nothing more than software firing up a browser control to display a website while running malware at your expense in the background.
The reason UK government is confused is because they look at this and immediately recognize it to be redundant, pointless and dumb... which while technically true is besides the point.
The reason you create an "App" on someone's device is because you then get to do things and exfiltrate all kinds of information no sane browser would dream of enabling access to by default. This was never about saving money or pursuing a logical course of action. It for the most part is simply about p0wning your audience, because fucking people over because you can get away with it is the way this industry rolls these days.
These complaints are coming from the same noisy minority who will ignorantly blame Microsoft or anyone else when their computer is infected by some exploit that would have been prevented had they kept it up to date.
Windows operating system is dying while Microsoft stumbles around drunk on cloud Kool-Aid. You can't make this shit up. batshit insanity. A company that lives or dies on TRUST keeps attacking their customers with one underhanded shady maneuver after another.
The vast majority of ownage comes from social engineering attacks requiring no unintentional software defects to succeed. The vast majority of Windows security patches are irrelevant to users who do not participate in multi-user environments and do not expose any services to the network.
At this point given recent history of last few years using a third party browser and disabling windows update wholesale while sprinting to get yourselves the heck off Windows seems like the only rational course of action remaining.
The big data will revolutionize medicine meme has been going strong for over two decades and counting.
I often hear this rhetoric about high technology and innovative companies like 'Google' and 'Facebook'.. in many cases the same biological breakthrough meme is inevitably invoked in some way.
Just last week CNN's Fareed Zakaria ran a promotional interview with a toll from Linked In of all places with the very same nonsense about technological innovation, medical breakthroughs and all almost verbatim.
Actual worth in terms of "positive" contributions to society of these advertising firms seems to me to be completely overblown and divorced from reality.
AP's failure to understand the difference between the Internet and an internet is far from surprising. These failures have become so commonplace the definition of Journalism (US) effective tomorrow has officially changed to more accurately reflect present day usage.
journalism (ˈjər-na-ˌli-zəm) Noun. "Process of bumbling basic facts, hyperbole and trolling for profit"
If you turn autopilot mode on or off it has no effect on AEB. AEB is always on by default and can only be temporarily disabled.
They are advertised as logically separate features to the end user.
The definition of personal data is broad and should be carefully reviewed in this case. Them knowing what you clicked and the failure attached to the series of action is hardly personal data that anybody truly cares to protect.
I care deeply about it and will take any action necessary to deny any OS vendor this capability. None of their goddamn business period.
Same goes for hardware specs. If anything, most users would be happy to hand over that data to help their favored platform become more stable.
It is nice they are given a choice... oh wait those ever forgetful levers in the privacy settings don't actually stop anything now do they?
The situation is still the same. What is the collected data? last time MS responded, the data collected was no more than what you search engine collects.
None of Microsoft's business what I do or where I search.
It was definitively less harmful than the data your GPS or cell phone carrier collects.
Is Microsoft the same company whose Windows 10 mobile platform collects your GPS location without your consent or any ability to stop it whenever you want to use your GPS locally?
Christ, your credit card, your bank and your air miles card have far more important data and they use it in whatever way they see fit (within the confine of the law).
No fuck that. If someone steals my credit card I don't give a shit. The card company will just issue me a new one.
If someone exfiltrated confidential data or trade secrets from my system which Microsoft grants itself the capability to do by default when Windows 10 is installed there is nobody I can call to get it back or put the genie back in its bottle.
For reference to where Microsoft openly admits to installing and activating a remote access Trojan with Windows 10 by default please see following:
https://web.archive.org/web/20...
https://web.archive.org/web/20...
So long as a first grader can be taught to encode and decode messages no intelligence agency can intercept armed with only a pen and pencil.
So long as people are able to meet and develop signals, code words and languages.
There will be end to end private communication. E2E has been with us since the very beginning of civilization . Not just the last few decades or the last few centuries but the last several thousand years.
These laws are designed for one thing and one thing only. To deny the masses secure communications regardless of the fact anyone with a specific need or desire for E2E will have it easily no matter what. The result is everyone continues to suffer from insecure systems because crappy governments have fear/power/legitimacy issues while only the most lazy and disorganized of bad actors are affected.
Oculus 1.3 runtime for the Rift was released with async timewarp. When it was released DK2 users used to earlier runtimes without it were all over the boards with phrases like "holy shit" and "DK3" to explain how ATW changed everything for them. Jitter issues magically disappeared overnight with only a simple software update.
More generally there is one and only one "trick" for improving VR quality going forward and that is foveated rendering. This technology is absolutely critical to any serious vision of future HMDs.
To provide some context cones of our eyes cover a massive (cough cough) 15 degrees of arc. That's it. You can't even lean back and read 1/4 of what is on your monitor without moving your eyeballs around to do it. 4k is overkill.. 1080 is overkill... The future in VR is entirely locked up in sensing eye orientation and optical and or electronic steering of relatively low resolution displays in response.
I stopped buying from Amazon as they have grown to the point where playing games to cow people into joining their little club is more important to than competing on merit.
Try buying star wars from Amazon without a Prime membership. Oh right you can't. Persistent harassment to join "prime" complete with confusing UX tricks. Deliberate plays to artificially delay shipping and enforce minimum orders to artificially manipulate consumer behavior.
As a customer I refuse to accept or support Amazon's behavior and have taken my business elsewhere.
Perhaps, but the problem is that if those systems are in fact coming in the near to medium future (and there's "no affirmative evidence of any kind" that it *isn't* true) then they'll absolutely *destroy* most forms of encryption currently in use.
If in fact hostile space aliens (or pancake monsters from the 5th dimension) are coming in the near to medium future then they'll absolutely *destroy* most forms of encryption and everything else currently in use.
Why shouldn't Google care equally about this threat too given the consequences are much worse and there is no affirmative evidence it isn't true? Where does hedging against completely baseless nonsense end? Are there any limits? At all? Of any kind? Only when you can prove a negative?
Google decided that the high risk outweighed the low chance. Plus their work goes towards research which will, eventually, be beneficial.
Merely selecting algorithms OTHERS created is hardly what I would consider to be research. There are literally hundreds of cipher suites available in TLS.. adding new ones isn't a particularly noteworthy exercise.
The core problem with pushing "post quantum" crypto into production is you are essentially making choices in the blind based exclusively on fear and *baseless* speculation. There is no affirmative evidence of any kind Quantum computers with the capability to crack crypto are even possible let alone expected in the near to medium term.
I can't help but wonder if at least some of those pushing "post quantum" crypto are intentionally making a play to nerf security more than it already is.
There are a million practical things Google could elect to do to improve real world practical security starting with not reading everyone's email to applying TLS-SRP patches to enable secure password authentication to making Android less of a security joke. Time spent on post quantum crap is time not spent addressing actual threats we know for sure exist in the real world.
as someone who works in the entertainment industry, i have to say this is more about keeping the populace paranoid than preventing terrorism.
most of the audio they are liable to pick up will be garbage. directional mikes can only pick up so much legible speech before being overrun by ambient noise.
https://www.schneier.com/blog/...
However, I can never understand the concern about video/audio surveillance of public places. When you're in a public place you can have no expectations of privacy to begin with because you're generally surrounded by people.
Public and private are mutually exclusive, so you cannot expect privacy in a public place. I therefore don't understand the outrage.
Can someone explain this one to me?
It isn't about one bus or one street as it is about canvassing everything everywhere and employing computer algorithms to automatically stitch and compile government stalking files on everyone.
If someone sat 24x7 parked in front of your home waiting for you to leave, tailed you everywhere you went, followed you to every "public" place and recorded all of your "public" conversations. If when you left they got up and followed you to your car parked just in front of their stalker mobile and followed you to your next destination... I think you would begin to understand the limits of the "public" excuse. Very few people would put up with this type of behavior. Just because you can't see the stalker creep tailing you doesn't make it any more ok.
While I generally have a positive opinion historically of Netscape/Mozilla/Firefox I find them to be a little two faced at times.
They claim prominently on their website to care about privacy yet make it extraordinarily difficult to configure the browser not to continuously call home. Even when you follow their expansive instructions it still doesn't stop it and the sheer volume of reasons or excuses implemented in the browser and enabled by default is comically mind boggling.
Then there is the matter of "We follow the Rust Code of Conduct." which essentially codifies coddling, censorship and intolerance.
It is nice to see them doing *something* about the ease of discovering exploits in their current codebase. If it works without downsides it will be awesome for users.
Apple has sold out humanity to lizard like aliens who lack appreciation for wasting power on cloaking fields 24x7 just to avoid being documented by every Dick, Jane, and with a camera phone in their pocket.
AMT allows anyone who can broadcast DHCP and legitimately purchase a certificate from a CA to own your system while if it isn't even turned on.
If there is a defect (as if the above isn't bad enough) they won't bother to fix their bugs once they have decided your hardware is no longer worth their time to support... same as IPMI vendors and all the rest.
Even when you turn off "AMT" in bios if you are lucky enough to even have that option which I do not... it is STILL there listening. The only way I've found to limit this unnecessary and unwanted system within a system madness is to disable the hardware virtualization feature which prevents sharing of hardware with IME and operating system.
They keep fucking up and acting like a bunch of pricks. Arbitrary minimum orders, intentionally sitting on orders for days before eventually shipping them so they don't to quote a CSR "go out too soon". Insane power trips designed to cow people into submitting to prime subscriptions ... Try ordering Star Wars of all things FFS without a Prime subscription from Amazon.
When you finally do order something they will completely hide your order from the order history, not bother to ship when they say and not provide any explanation as to why.
But hey at least they are cutting labor costs with robots... I get infinitely better service ordering from humans on eBay and will never waste my time with Amazon again.
Yes, modern hashes, salted, work extremely well.
Current state of the art if you have been following dogma is to include key stretching based on algorithms such as scrypt intentionally designed to be costly to run on massively parallel commodity hardware. You don't even bother with this which puts you at an extreme disadvantage.
It isn't that salting or key stretching is in any way bad or not worth doing. It is the checking of the box and then falling asleep thinking you solved something when in fact you have done no such thing that is the issue at hand.
These things in practice are worthless against any sizable password cache of any worth.
This is based on my experience writing software which has handled hundreds of millions of login attempts over the last fifteen years.
Exactly this kind of hubris is what is going to get everyone hacked. You have demonstrated by your "Life Lock" play you don't even understand the problem. It isn't about *YOUR* password, it is about everyone else's. If you think passwords can be meaningfully protected by this crap you are dangerously mistaken.
For the life of me I can't figure out why all of these tunneling/transition protocols are enabled by default in Windows. Who uses automatic IPv6 transition schemes in 2016? They certainly are not now nor have they ever been sufficiently reliable for production use and TTL for IPv6 amateur hour has long since expired. Why is this worth the massive security headaches these things invite?
I have a script that I run on any new Windows boxes. Part of it does the following:
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.
If they are properly salted, they aren't easy to crack.
Compared to what?
Depending on the hardware, the salted MD5 hash of a 10-character password should take roughly a year to crack.
So with 45 million accounts it should take a million years to get the first million passwords... is this what I am supposed to believe?
How is enforcing complex passwords sufficient to stave off today's and tomorrow's computers going? Is it working? Do humans accept passwords with sufficient entropy to survive brute force attack by dedicated cracking hardware and botnets with hundreds of thousands to millions of nodes?
UNsalted, many passwords will crack almost instantly by use of MD5 rainbow tables, and an attacker can attack all of them in parallel. The 8-character salt used by default with MD5 and crypt() means each entry has to be attacked individually, one at a time.
So what if the cracking isn't free? People were having quite a lot of success before rainbow tables ever existed on hardware thousands of times less capable than what we have today. What is the actual effect of this in the real world?
On a related note, here's how to get SHA256 salted hashes on a Linux system:
crypt(PASSWORD, '$5$' . SALT . '$')
In MySQL it's called ENCRYPT():
ENCRYPT(?, CONCAT('$5$', ?, '$'))
execute(password, randomsalt)
Enclosing the salt in $5$...$ causes crypt() to use sha256.
All this accomplishes is repeating the same failures again and again and again and again.
First MD5 is NOT broke for this purpose and offers no meaningful disadvantage to other hash algorithms.
Salts and key stretching only make it n-times more expensive to brute force plaintext. While this sounds good, even if n is measured in the millions and really does require attackers to expend more resources to accomplish the same result, these expenditures amount to an unresolvable speck of dust compared to having a secret with sufficient entropy... a luxury that does not exist in the real world.
There are two major problems with the way industry in general is handling passwords and authentication.
1. Reliance on hashes as a good enough solution rather than protecting password stores with reversible encryption, preferably by a split system where keys are only in the possession of an authenticator whose one and only job is to assert identity to applications. It is tractable to secure a low complexity single purpose system while virtually impossible to protect your typical infinitely complex and often poorly designed web stack. The problem with hashes is people don't use good enough passwords to survive offline attack regardless of the salt + amplification bullshit everyone throws around as a "solution". Just ignoring this basic fact or thinking you're going to force people to use better passwords is a proven delusion with a long, long history of total failure.
2. Encrypting the channel and sending plaintext over it is stupidity of the highest order. What we need are authentication protocols that don't suck, and by that I mean allow mutual proof of possession and binding proof to the encrypted session without leaking shit that enables brute force attack in the process. We don't need new CHAP schemes upgraded with the latest and greatest SHA-Infinity or Kerberos or houses of cards the size of the earth a hundred times over (PKI). We don't need the world thinking it is OK to enter credentials into random web forms.
There are numerous so called "zero knowledge" systems that do exactly this. To this day exactly none of them are supported by any major browser despite patches languishing in the projects' ticketing systems and despite all of the supporting infrastructure in terms of standards and baked-in support by major encryption libraries.
We are doing it wrong and much of the popular dogma I'm hearing on how to do it right is also wrong.
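The cost argument made above (salt and stretching only multiply an offline attacker's work by a constant, while a weak password still falls within a wordlist's worth of guesses, and the same holds for the $5$ crypt() scheme quoted earlier in the thread) carried into code as an added example, not code from anyone in this thread. The wordlist, plaintexts and salts are constructed here, and iterated MD5 stands in for a real cost parameter such as scrypt's purely so the work can be counted.

```python
import hashlib
import secrets

# Constructed sample data (not from the thread): a tiny wordlist and three
# plaintexts, two weak dictionary words plus one random high-entropy secret.
WORDLIST = ["password", "letmein", "qwerty", "dragon", "baseball", "monkey"]
PLAINTEXTS = ["letmein", "dragon", secrets.token_urlsafe(16)]


def stretched_md5(salt: str, password: str, stretch: int = 1) -> str:
    """MD5 of salt||password re-hashed `stretch` times: a toy stand-in for
    a real cost parameter such as scrypt's, enough to count work."""
    digest = hashlib.md5((salt + password).encode()).digest()
    for _ in range(stretch - 1):
        digest = hashlib.md5(digest).digest()
    return digest.hex()


def build_store(plaintexts, salted: bool, stretch: int = 1):
    """Return (salt, hash) rows; unsalted rows all share the empty salt."""
    rows = []
    for pw in plaintexts:
        salt = secrets.token_hex(8) if salted else ""
        rows.append((salt, stretched_md5(salt, pw, stretch)))
    return rows


def dictionary_audit(store, wordlist, stretch: int = 1):
    """Run the wordlist once per distinct salt, as an offline attacker would,
    and return (hash_evaluations, accounts_recovered). A shared salt means each
    word is hashed once for every row; per-account salts multiply the work by
    the number of accounts, yet a weak password still falls within len(wordlist)."""
    by_salt = {}
    for salt, digest in store:
        by_salt.setdefault(salt, []).append(digest)
    evaluations, recovered = 0, 0
    for salt, digests in by_salt.items():
        for word in wordlist:
            evaluations += stretch
            recovered += digests.count(stretched_md5(salt, word, stretch))
    return evaluations, recovered


def exhaustive_budget(entropy_bits: int, stretch: int = 1) -> int:
    """Worst-case evaluations to search a secret of the given entropy: salt
    and stretching only scale the constant, entropy sets the exponent."""
    return (2 ** entropy_bits) * stretch


if __name__ == "__main__":
    for salted in (False, True):
        store = build_store(PLAINTEXTS, salted, stretch=1000)
        print("salted" if salted else "unsalted", dictionary_audit(store, WORDLIST, stretch=1000))
    print("96-bit random secret, stretch 1000:", exhaustive_budget(96, 1000))
```

Running it shows the two dictionary words recovered in both stores; salting triples the evaluations and stretching multiplies them by a thousand, while the random secret's budget stays astronomically larger than either.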
Why would NSA piss away capability on something as trivial and unimportant as this? If I were an NSA goon I would do what I do best... LIE.. encryption...what's that? Way over our heads...
It was already widely believed the odds of finding anything of importance on the iPhone were slim going in, and surprise, nothing was found. The whole exercise was primarily the FBI making a political statement in a case where they believed they would have maximal political advantage. Would have been disappointed in NSA if they gave FBI anything.
As you have already called out, what the code does is trigger an ETW event which, when it's turned on, will emit timestamps and module load events. The event data can only be interpreted if a customer gives us symbol information (i.e. PDBs)
Microsoft by default includes and enables Remote Access Trojan in Windows 10 with capability of exfiltration of anything from your system without your explicit knowledge or consent.
https://web.archive.org/web/20...
Microsoft doesn't provide paying customers an option to stop persistent cyber stalking of their systems and activities.
https://web.archive.org/web/20...
Microsoft constructs intentionally misleading interfaces and systems designed to intentionally leak personal information and trick people into submitting to things they don't want.
Now they are collecting "telemetry" from software compiled with visual studio...until...oops we got caught.
There is a new culture in the industry fueled by disrespecting your customers in every way you can possibly get away with and then some. It is part of a concerted top down conspiracy to put PC as an open platform genie back in the bottle. It is about supporting a post ownership vision of the future where customers are the product and vendors are all powerful kings.
Hopefully the cumulative effect will be enough interest in the use and development of alternatives to eventually push Microsoft into bankruptcy. This is what they deserve.
I work for a company that does R&D that CARB uses to make decisions on new regulations for vehicles sold in California. For the past 6 months or so we have been testing a platform for real-time centralized monitoring of emission systems in both passenger and commercial vehicles.
In this platform, connected vehicles send real-time diagnostic information from the OBD system to CARB via a GSM link. CARB can then identify vehicles that have emissions problems and notify owners, prevent the vehicles starting, and if necessary, automatically levy fines for non-compliant commercial vehicles.
Overall this is a wonderful system that will help vehicle owners keep their cars and trucks compliant with CARB regulations, reduce health effects of fossil fuel use, keep our children healthier and safer, and capture lost noncompliance revenue, which is estimated to be millions of dollars every year.
Compliance is big business. From lobbying to get your shit mandated to the massive windfall you and your supply chain make when all of those dollars backed by the state's monopoly on violence start rolling in.
The use cases and cost benefit analysis in California particularly are sometimes laughably absurd because the goal is often not really public safety or helping everyone. The goal is the creation of new markets and self enrichment.
You don't need a real-time data link to enable a check engine light or implement an effective vehicle emissions inspection regime. Single vehicles are irrelevant in terms of air quality and bulk emissions can be accurately predicted and managed with policy and statistical models but don't let that stop you from lobbying for mandates.
The only people's children this is going to help are the ones with parents involved in these schemes. Everyone else's will have less disposable income and reap the "benefits" of mass surveillance and omnipresent real-time policing.
Very common for "Apps" to be nothing more than software firing up a browser control to display a website while running malware at your expense in the background.
The reason the UK government is confused is because they look at this and immediately recognize it to be redundant, pointless and dumb... which while technically true is beside the point.
The reason you create an "App" on someone's device is because you then get to do things and exfiltrate all kinds of information no sane browser would dream of enabling access to by default. This was never about saving money or pursuing a logical course of action. It for the most part is simply about p0wning your audience, because fucking people over because you can get away with it is the way this industry rolls these days.
These complaints are coming from the same noisy minority who will ignorantly blame Microsoft or anyone else when their computer is infected by some exploit that would have been prevented had they kept it up to date.
The Windows operating system is dying while Microsoft stumbles around drunk on cloud Kool-Aid. You can't make this shit up. Batshit insanity. A company that lives or dies on TRUST keeps attacking their customers with one underhanded shady maneuver after another.
The vast majority of ownage comes from social engineering attacks requiring no unintentional software defects to succeed. The vast majority of Windows security patches are irrelevant to users who do not participate in multi-user environments and do not expose any services to the network.
At this point given recent history of last few years using a third party browser and disabling windows update wholesale while sprinting to get yourselves the heck off Windows seems like the only rational course of action remaining.
The big data will revolutionize medicine meme has been going strong for over two decades and counting.
I often hear this rhetoric about high technology and innovative companies like 'Google' and 'Facebook' .. in many cases the same biological breakthrough meme is inevitably invoked in some way.
Just last week CNN's Fareed Zakaria ran a promotional interview with a toll from LinkedIn of all places with the very same nonsense about technological innovation, medical breakthroughs and all, almost verbatim.
Actual worth in terms of "positive" contributions to society of these advertising firms seems to me to be completely overblown and divorced from reality.
AP's failure to understand the difference between the Internet and an internet is far from surprising. These failures have become so commonplace the definition of Journalism (US) effective tomorrow has officially changed to more accurately reflect present day usage.
journalism (ˈjər-na-ˌli-zam)
Noun.
"Process of bumbling basic facts, hyperbole and trolling for profit"
... err who am I kidding... the Internet is owned by big content and you clowns don't stand a chance.
If ever there was a case for moving away from big content this would be it. Every light on the panel is flashing red.