Comment Re:Metadata (Score 1) 213

IMHO, the perfect is the enemy of the good. Even though metadata is not protected, data is, so if Yahoo gets hacked, people's E-mail is protected.

One doesn't have to use their OpenPGP extension, nor their authentication. I'm glad it is available.

As for metadata, we already have a way for this. NNTP and alt.anonymous.messages. There is a DEFCON report on how good/bad this security is... but if you really want privacy, this is the next step up because the messages go to nobody in particular... just the newsgroup.

Overall, I'm happy someone is working on PGP/gpg stuff. It is boring to developers compared to shiny new (and likely insecure) stuff, and has been neglected for years, but it is one of the few security protocols that actually works and has stood the test of time.

Comment Re:*facepalm* (Score 4, Interesting) 213

Another idea that comes to mind is to use a feature that all web browsers have had for over 10 years (even Lynx) -- client certificates.

This way, on setup, the website asks the user if the current client certificate presented is the one he or she wants to use, then from there on, authentication is completely transparent.

It goes without saying to have SMS as a backup, but the absolute easiest way to authenticate on a "known good" computer is to have a client cert.

Comment Re:*facepalm* (Score 1) 213

The ideal would be to use the standard TOTP method that Amazon, Google, EMC, and other companies use. The Google Authenticator is just one implementation of the standard, and there are others (Amazon has one, for example.)

I really wish Yahoo would have SMS as an -option-, but would allow TOTP as well. This way, if one has the seed keys in an app, they don't need to get an SMS, but if they are on a new machine, SMS still works.

Comment Re:security (Score 3, Interesting) 213

You just hit the nail on the head. As of now, if someone steals my phone in an unlocked state, they will be able to get the second factor... but they won't be able to log into the account due to the password. What having just one factor does is make a phone theft all the more crippling where a bad guy can do a lot of damage.

2FA is 2FA because it covers at least two of these properties: Something you know, somewhere you are located, something you are, and something you have. For example, a secure biometric system uses the fingerprint/retina scan as a username, then a PIN for access, or a remote access system uses a password and a OTP so that if the password gets sniffed, the OTP is still an obstacle.

On the other hand, perfect is the enemy of the good. In general, someone is going to be less likely to have their phone stolen than to have their password sniffed or cracked, so moving to an SMS message can be argued to be a security improvement.

Comment Re:I hope... (Score 4, Interesting) 213

This is a solved problem, although by a commercial solution. Symantec's Encryption Desktop (formerly PGP desktop) allows one to either decrypt/check signature and view what is on the clipboard or decrypt/check signature and view what is in the current window.

We don't need a Web browser plugin. This is like drilling a hole in a boat that has one hole already in it, expecting the water to drain out.

Instead, we need something with functionality similar to SED that is completely standalone from other applications and functions completely independent of the Web browser. This is tougher than it sounds. GPG4Win is a good effort, but it does not come anywhere close to the ease of use that SED has. Macs and Linux have decent utilities like GPGTools (which was pictured.) If PGP decryption is put into something, it should not be part of a Web browser, but should be in the MUA. Web browsers should have as little running as possible, just so they have as small an attack surface since they are the biggest frontline for computer compromise these days.

The beauty about the OpenPGP spec is that it is completely independent of any transport mechanism, be it Slashdot posts, E-mail, MMS, AIM, Facebook's PM, or a file saved to a ZIP drive. Tethering it to a protocol can easily render a quite secure system extremely insecure, if only for the fact that a specific program or browser extension would be needed for the decryption.

Ideally, fetching E-mail via the Web should be more of an item of last resort, where one is using another machine. A high quality MUA (Thunderbird, Mail.app, Outlook, even mutt) is a lot more secure than a Web browser.

Comment Re:Mistake (Score 1) 190

For me, it is not "why put up panels", it is "why not?"

Solar won't drive my A/C here in Austin... But, I can do two things with a roof full of panels:

1: I can have the panels plug into an inverter and have it feed the grid.

2: I can buy a set of storage batteries and have them feed that.

Option #1 is nice, but option #2 is quite useful, especially when Elon Musk's Tesla starts offering battery banks for houses. Done right, this will be a whole-house UPS that gets a good chunk of its power from panels.

Comment How about baked in, not strapped on security? (Score 2) 108

The big problem I see with IoT devices is focusing on the sizzle... and there is little, if any, effort focused on security. With how inexpensive 3G boards are, it is easy to get a device online with its own Internet connection... but why should it be connected in the first place?

What is wrong with having devices in a house communicate to a central server that has a hardened Internet connection, and that communicates out/in? This way, it lowers the attack surface from being able to nail the device from anywhere on the Internet to having to be in radio range of the item.

Even with that, there is really no point for most of the uses of Internet connected items in the first place, and because budgets usually place security dead last, they are just disasters waiting to happen, especially when the only way to fix the security exploits would likely be to replace the entire device.

Comment Re:Just re-download it? (Score 2) 73

It doesn't seem like much of a step, but it is an advance for the bad guys.

As always, even though save game files may not be something people consider as valuable, it is still something that can be lost.

Ransomware seems like it is just starting to ramp up this year. I would not be surprised to see the next generation of it start checking if the user has any AD rights and attack entire AD forests. A company that loses access to AD (especially if they use rights management servers) likely will pay a criminal organization top BTC to get their access back.

The ironic thing is that tape drives are starting to see a resurgence. The market share for tape drives grew 13% in 2013, and 26% in 2014 (as per Extremetech). Add Sony's sputtered deposition technology (similar to how some high-end studio microphone elements are made) that offers 185 terabytes per cartridge, and we have a decent tool to combat ransomware.

Of course, the best solution for a small installation is a dedicated backup server that pulls backups (optionally encrypted), and plops data on a disk array as well as tape. Tape isn't perfect, but its advantage is that it is easily stored offline, where physical presence is needed to put a tape in, and cartridges have a read/write switch that is honored, barring a covert reflash of the tape drive's firmware. For larger installations, it is hard to beat WORM media, SPIN/SPOUT encryption on the drives, and silos.

Comment Re:No warning ? (Score 1) 204

Long term, what really is needed are more sophisticated backup programs than the stuff we have now, since once an SSD fails, it fails for good. Backup programs that not only recover files, but can handle bare metal restores, and are initiated by the backup device (so malware on the backed up client can't trash the backup data.)

For desktops, this isn't too bad, because one can buy a NAS, or an external drive at minimum. For laptops, it becomes harder, especially if one factors in robust security measures while not on the LAN.

Comment Re:Swap drive now? (Score 1) 204

As swap, it is nowhere near as good as RAM, but it has one advantage -- SSD excels at random writes, which is what swap is usually doing, so just because of this, it is better than regular disk. To boot, if one has the bay for it in a desktop, it might just be worth tossing in a 100-200 gig drive and using it for swap, as well as possibly moving the OS's partition to it, although it is good to have a lot of free pages on a SSD to wear-level a swapfile.

Comment Re:Politicians will be stupid but scientists/techn (Score 3, Informative) 356

NiFe batteries (i.e. Iron Edison models) are starting to get a foothold in the solar storage battery market. Their main selling point is the fact that they have a very long usable life and are very stable. They have a relatively poor energy density in volume compared to lithium variants, but for storage battery installations, this isn't as big an issue as in a smartphone.

Comment Re:Politicians will be stupid but scientists/techn (Score 1) 356

If space isn't a problem, why not NiFe batteries? Those don't damage themselves if they drop below 50% SoC, and unlike lithium batteries, don't lose most of their capacity in 2-3 years.

Another energy storage medium would be flywheels.

I do like the idea of a battery bank at residences, because this is an ideal whole-house UPS.

Comment Re:Overblown Hyperbole (Score 1) 107

If someone has physical access, they can also slice a brake line, cut a belt, drain the oil pan, put engine-kill into the crankcase, or many, many other things.

The fallout of this lawsuit is going to be bad for all consumers, and it actually puts car makers in a better spot:

Need an air filter? For security reasons, only Powell Motors filters will work, which have to be installed and activated by equipment only the dealer will have. Need a new battery? It has to be a genuine Powell part [1] because the battery has special authentication circuitry. New tires? Better be Powell authorized with built in TPMs, and they can only be installed at a Powell dealer because only they have the proper equipment.

We have seen enough of this hogwash already, and this lawsuit is only going to make it far, far worse when it comes time to do basic vehicle maintenance.

[1]: One foreign make of cars actually will have vehicles not start if the battery is replaced until it is "registered" at the dealer because they state an "unregistered" battery might fry their precise engine components.

Comment Re:The moan of sour grapes (Score 3, Insightful) 450

To me, if Apple wants to price a watch at $10,000 because it is gold colored while there is an offering with the same exact functionality for a few C-notes, that's just fine. Let people who want to spend that much for a watch help finance Apple's R&D so "the rest of us" can get new and cool things. Same if Apple decided to buy Vertu and make diamond-encrusted iPhone 7s. If people want them, so much the better.

iPhones are not that expensive either relatively. I still remember when one of HTC's phones ran $1200, and that was with a two year contract.
