
Comment Re:An area where Java applets continue to thrive (Score 1) 371

I still continue to see Java applets being widely used in tasks that require trusted signatures - say, filling in the tax declarations in my country, or submitting the grades for my students. For both actions, we must use an X.509 client certificate

You're in Estonia? Just trying to figure out which country actually uses client certificates for tax filing.

Comment Re:Compared to what?!? (Score 1) 224

Equipment A (provided by Comcast) was swapped out for Equipment D (provided by Comcast) and power usage increased. What is wrong in the comparison?

It'd be interesting to see more details on power usage from other devices, if you look at the PF figure it's just over 50% which means they must be using awful power supplies (PFC != efficiency, but it's useful as a rule of thumb, once you get into efficiency classes like IV or V you generally need active PFC - optional for IV, mandatory for V - which these things obviously don't have). Most external power supplies (EPCs) now should be class IV or V, whereas these look more like class I, a.k.a. "fail".

If this is indicative of the rest of the electronics, it's no wonder that these things are power-guzzlers.

Comment Re:Who has the market share? (Score 3, Informative) 336

REMOVE Metro. (not disable, not hide; DIE.)

While I fully support the sentiment, completely removing components like this can cause Windows Updates to fail to install. For example if your Windows desktop PC or server doesn't have a "Tablet PC" folder in the start menu, some updates won't install. So you potentially need to keep gigabytes of Microsoft's crapware sitting on your PC on the off chance that some update checks for it and won't install if it's not present.

Comment Re:It's better to hear people you might disagree w (Score 1) 124

This isn't a matter of disagreement but rather of being lied to perpetually.

Well I'm not sure who Dan Greer is, but I've known Dan Geer for ages, he's a libertarian academic type who publishes somewhat philosophical texts on the economics of information security. If you're looking for some sort of evil CIA spook, you'll need to try again.

Comment Re:Looks good to me (Score 1) 67

By doing this continuously you end up with releases which are free of known errors.

Weeellll... you end up with something that's been run through gcc -Wall, which is a long way from "free of known errors". Now admittedly "free of known errors" is a nice circular definition meaning "free of things gcc warns about", but even then it's not necessarily the case, there's plenty of code that ships with avalanches of warnings when you build it, but no-one's bothered fixing it up.

At best, you get something that doesn't produce warnings in gcc and clang. At worst you get code that hasn't been changed from the default release because the maintainers decided none of the warnings were serious.

Comment Re:Looks good to me (Score 2) 67

The knee jerk reaction, of course, is to look for a catch in anything Homeland Security is doing. However, this seems like a really good idea. Finally, they are contributing in a positive way to public safety.

Barely. If you look at what they're offering it's FindBugs, clang, gcc, and cppcheck. Completely bog-standard tools that anyone should be using anyway, but they're being paid $23M taxpayer dollars for it. Shee-it, I could do the same thing with $10K to cover the cost of renting some EC2 space, and I'll spend the remaining $22.99M on coke and hookers (seriously, how can they have spent $23M on this? One person could set it up in a few hours, the only constraint is how many VMs you need to spin up if lots of people sign up for it).

This looks very much like a DHS solution, vast sums of money spent on something that should be nearly free. Not to mention that while gcc -Wall, clang, and FindBugs aren't bad as far as free software goes, they're nowhere near the level of commercial offerings like Fortify, Coverity, and others.

OK, so in terms of cost/benefit it's more of a TSA solution than strictly a DHS solution.

Comment Re:Cause/Effect? (Score 1) 63

This also relates to the problem of the "cure for cancer" that will never be found because "cancer" isn't a single illness but a generic name for a huge range of different ones, with a wide range of etiologies and manifestations. A single "test for cancer" seems about as likely as a single "test for virus".

As you say, it's a cool study, but like far too many other studies I think it got released to the PR department of the research institute a bit too early (I've experienced this myself on several occasions).

Comment Re: Why? (Score 1) 92

And, as proof of that, starting in November, the official CAs will stop issuing those types of certs.

Not quite. As of November, the official CAs will claim that they've stopped issuing those types of certs. When something like the SSL Observatory points out that they're still issuing them, they'll say that this (and the other 8,192 times they did it) was a one-off mistake and they've updated their policies to make sure it never happens again. Then when they get caught again they'll say that it was test certificates that accidentally escaped. After that, they'll stop responding to reports. And we'll all be much, much safer, and phishing will be eradicated once and for all.

Comment Re:Super-collider (Score 1) 219

Will they have to buy a new one every year?

No, but the first one will turn out to be a cheap knockoff with out of date hardware that only gets a tenth of the advertised resolution and fails to work when it's cloudy outside.

They'll offer to replace it, but only if you pay the shipping costs to send it back to Shenzhen.

Comment Re:Big Brother has your encryption keys by default (Score 1) 91

It's not big brother, it's anyone. All of the IPMI systems used by Intel, Dell, HP, etc, are unaudited cesspits of remote-rootkit capabilities full of buffer overflows, authorisation bugs, parser errors, and so on. It's hard to know where to begin, but here's one starting point. Hack like it's 1999.

Intel SSDs have had AES encryption built in for years, it's no big deal. What they've added with their IPMI support is a capability for remote attackers to get at the encryption, which is kind of a big deal if you're worried about your privacy.
