Comment Re:I disagree with some of these points (Score 1) 119

I'd also disagree with 'Your code doesn't have a changelog' - this is a GNU requirement, but one that dates back to before CVS was widely deployed. The revision control logs now fill the same requirement, though you should have something documenting large user-visible changes.

He's referring to another criterion of success - user adoption. Revision control logs don't fill the same requirement if a user wants to know what's new. That plays some part in determining whether users will upgrade. If they don't, then additional development is rather pointless.

Note that he only gives not having GNU Make a FAIL score of 10. Which seems about right - it has a small effect on the entrance level for developers and widespread adoption of the project. It's a critical factor only if your project has accumulated a bunch of other fails.

Comment Re:I disagree with some of these points (Score 1) 119

Dear coward

What's wrong with open sourcing previously closed source projects?

I'd have thought that obvious. Licensing difficulties. The more difficulties a project has the greater the chances it won't succeed in the long term. (if only I could think of a simple analogy you could comprehend)

I guess linux fails since Linus wrote his own source control for it.

That's the problem with guessing. Git wasn't developed just for the kernel project. Fun fact: "own" has more than one meaning. Words can be tricky like that. e.g. linux, and kernel.
Even if the kernel (Linux) didn't use git - that's only 30 points of FAIL, just enough to make a baby cry.

Logic can be tricky as well. You seem to have conflated your premise with your conclusion. Some deductive logic might have been good (and a schema) - you seem to have leaped to a conclusion. A valid premise would not be "it's all wrong".

tl;dr your deductive argument is unsound. (and not deductive)

Comment Re:self-serving list (Score 1) 119

Dear coward

Sometimes the latter, but sometimes, even if you were to follow all his points, there's just not enough interest in the project to make it sustainable. It all sounds so easy coming from a developer who works at one of the biggest open source companies there is that can devote enough resources to a project to make it successful. Try asking some independent developers of a successful project what they attribute their success to and they may have a different list altogether.

He hasn't always worked for Red Hat. They are a good list of rules to use if you want to see where your project could be improved. I suspect you have some obscure definition of success, and/or missed the implicit definition of FAIL.

Try asking independent developers for a list of general reasons why projects fail to get wider usage, grow, and last - I have (that's an old list), the resulting list is pretty much the same, only the scores seem to change.

Comment Re:self-serving list (Score 1) 119

If it is common sense why do we have to pound it into people time and time again? Or do we just never learn?

Everything is obvious when you understand it?

If common sense was common... would people still say patently stupid things like "you can lead a horse to water but you can't make it drink" (want a bet?), "doesn't have the horse sense to stay out of the rain" (clearly never owned horses, they will seek shelter from rain - in some conditions - it's the broad brush of stupid, though some horses are smarter than others), "you'll catch more flies with honey than with vinegar" (try that with a fly trap).

I could go on... oh wait, I just did.

Comment Re:Yeah, be a man! (Score 1) 608

Why do people think he's not going to get an open trial?

Um, because some people know, what's it called - yeah, history.

Osama Bin Laden. Tell me the plan was to take him alive and put him on public trial. And I'm allowing for the Hollywood factor in the books about his "capture".

Snowden will be "reaching for a weapon" if the USA ever get hold of him.

I hope he lives a long, quality life.

Comment Re: Now I won't feel guilty about using Adblock (Score 5, Informative) 394

Dear coward

Jesus Christ don't use AdBlock Pro. They do some pretty shifty shit to try and get paid to let ads around their filters on default configuration.

What "shifty shit" do "they" do? A current citation would be informative.

Nice that you include default. The first thing I do when I install it is click on the radio button that disables the default "show acceptable ads". (second sentence)

Use uBlock.[...].

Interesting. You say that. A lot. Is that out of altruism?

Which uBlock are you promoting? There are two. uBlock Origin (or uBlock) and uBlock.

I tried both uBlocks, and found they had a number of failings for my use case. I'll reassess my reasons for not using or recommending it if you show me which reasons are incorrect:-

  • It didn't block as many ads, or pop-ups - so it's not as fit for its stated purpose. That's clearly stated in the documentation - they support the majority of ads in the ABP filters.
  • Neither uBlock supports regex filters, which I use a lot.
  • The uBlocks don't support $sitekey
  • ABP removes social buttons
  • ABP stops most tracking
  • ABP has Typo Protection (it has to be added as an extension in Firefox)
  • Caveats: I use ABP in Iceweasel (Firefox) on Linux, all my boxen have >2GB of RAM. I add a lot of extra blocking to the standard filters (and some specifically for /.).

Balance - I have no interest in support for Chrome. I'll happily trade a few extra MB of RAM usage, or a few microseconds of page load time for improvements in blocking. Not seeing ads, seeing relatively more content, customisability, exploit blocking, and decreased data transfer are high priorities for my use case.

For people that need something simple for Chrome to block some ads, and run an OS that chews up most of their RAM, and only want to block ads - uBlock Origin is probably the best choice.

Also use https everywhere.

I use NoScript - which makes HTTPS Everywhere redundant while giving me extra valuable features. I'd add FlashBlock to the minimal recommended extension - if someone has Fffflash installed.

Comment Re:how is this a hack? Could be Skimmers Gen II (Score 1) 80

So for this "hack" to work, you need to have access to the target machine to install malware.

Umm, ok, then I just hacked my company's corporate network by using remote desktop to access a server from home.

About the same level of hack, no?

No. Because you're just using an existing network connection. They're creating one. A covert channel.
And not even close to the same level.

Other posters have constructed scenarios based on the most secure conditions to demonstrate the hack is worthless - while conveniently overlooking the fact that many companies have an air gapped computer with little tight security. In which case the evil maid scenario would work just fine.

Is it a hack, or a crack? It's both. The hack is used to crack the air gap security.

Is it no news because TEMPEST is old news? No. Because TEMPEST has distance, difficulty and space limitations. This attack will work anywhere you can get access to the air gapped computer and put a suitably modified mobile phone within reception range. Mobile phones are easy to hide. It wouldn't be difficult to put one in a wall or roof cavity and power it from a simple puncture clip (a plastic clamp with two pins that penetrate the insulation).

It could also be used to bypass encryption and firewalls that protect non-air gapped computers. Lots of those in places where you can have a mobile phone and get reception. One scenario where this might work is ATMs - which would be easiest if you had the willing assistance of anyone who services them. If it was possible to pull useful information from the system you'd then be able to siphon off useful info without needing to try and break the encryption used for transmission between the ATM and the bank. Generation II Skimmers.

Petrol bowsers (cheap or free petrol), vending machines (free snacks) and similar devices (cheap tickets, credit card information) - if the information can be reconstructed from the data, and if the method could be used in both directions to allow data injection (which is theoretically possible).

Comment Re:Interesting Observation... (Score 2) 147

I have been to defcon in the past. What is amusing is all the people there from a variety of three letter agencies.

Spot the Fed is always fun. I've always wondered how many that look obvious then are just low ranking Postal workers taking the piss.

There's been talk in the past of banning them - but I don't think the organisers are actually serious about it. I think it's one of the main attractions. They have the best swag to swap.

Comment Re:Seriously! (Score 1) 147

Because?

No, you have no reason why XP is wrong for the job, you're just parroting what you've heard others say without understanding why.

In an embedded environment with limited attack vectors, XP is fine.

Note: They aren't even attacking XP here, they are attacking the software Brink's themselves wrote. Might be a good idea to get a clue before blaming the wrong thing fanboy.

Agreed. The likely version for ATMs that run XP is probably the embedded version (on a cheap single board computer with a USB service port). Most of the insecurities in XP vanish when you don't attach a web browser, many of the rest when you strip out what isn't in the embedded version. So XP can be made pretty secure. It's possible that it's firewalled - I'd hope so.

It's also possible the Brinks app is Java - and that the exploit is an MiM. In which case the same weakness would likely remain on whatever OS it was running on.

Granted that's a lot of "possibilities". However they're presumptions (mostly a guess based on something) - most of the posts in this thread are pure assumption (pure guess).

Why does Brinks use software running on an OS? Two reasons I can think of:- they want to see easy customisability as a feature, it's a cheap platform for them to work with. Now they may have to reassess the costs for the latter reason.

And I'm not a fan boi - I run Linux except where I run BSD. I also have more tools than a hammer, and my pepper grinder can be adjusted to grind the size appropriate for the desired result.

Comment Re:recovering plaintext from corrupted ciphertext (Score 1) 114

The context of the original post was discussing recovering plaintext when a bit of the ciphertext was corrupted - assuming you have the key and no backups.

Um, no - you responded to my post. I responded to a post by bdubSOv1iKIJ403M. No mention of plaintext there.

In this case 'plain' dm-crypt results in typically 128-256 bits of plaintext not being recovered. This guy has done some experiments and says in practice it's similar between corrupted encrypted and unencrypted data.

Interesting reference. Thanks. I don't have immediate comments on it other than: nothing looks dodgy about his tests; SS writes and erases are quite different from HDD (I don't understand them). I've bookmarked it as something to ask one of the ASD SMEs about.

I use LUKS (and dm-crypt) for personal and work computers, with critical information also encrypted - because I don't know of a better option, and because it's the highest standard set by main clients (audits aren't a huge concern, penetration is). I have tried to recover data from a damaged drive for which I did have a backup LUKS header and key stripe - and failed. As have others - that's not proof it's impossible. I'm now curious if the ASD rules for privileged environments which ban SSD devices even with LUKS in the highest category sector may be related (though it could well be for other reasons e.g. Shamir's third law?).

With LUKS, if the corruption is in the data, then the result should be the same as for dm-crypt.

Maybe. It'd be worth actually testing - which shouldn't be difficult. Until I saw some empirical data I'd be reluctant to form an opinion either way. If it is possible it's game over. (like AES-256 encrypted images, pointless)

But with LUKS, if the corruption is in the header, then there is a possibility *all* the data will be lost (again, we are talking of with the key, but no backups). LUKS is actually designed to maximise this possibility.

Agreed (with qualifications). As I previously stated, that's something I regard as a strength of LUKS, and, as also previously stated, I suspect you are using encryption to different ends.

I don't trust encryption completely - if Shamir's 2nd Law holds true it's likely that there's simply not enough expense involved to make it impossible for all the "information" to be recovered through reconstruction. You keep conflating data and information. Which gives weight to the possibility that you don't even bother to read what you reply to - or worse, don't know what the fuck you're talking about.

The logic is that an attacker is more likely to have a corrupted file. With a password based encryption scheme, the best proxy you have to an 'authorised' person is one who knows the password - in fact that's the only proxy you have. So making it more difficult for people with the password to read the data, without making it more difficult for people without it to read the data, is a misfeature IMO. An attacker maliciously changing the ciphertext to change the plaintext in a predictable way is another issue, but LUKS and dm-crypt are equally bad in this respect as neither support authenticated encryption modes.

I suspect you mean the conclusion of your unstated logic is that the attacker is more likely to have a corrupted file. Maybe (if they try the less likely approach of encrypting your data to access the information). Again, I suspect you are using encryption to different ends (to hide something you've secured). Why you would hide something you don't wish to access again seems stupid - and I don't think you are. What I do think is that you've overlooked the most likely attack to succeed (Shamir's 3rd Law) which is to bypass encryption. If you are keeping something that contains a secret it's likely you'll look at it again (or you wouldn't be keeping it) - that leaves open the possibility that it may have had something inserted that will break the security the next time you view it. That's purely conjecture on the methodology. Shamir's 3rd Law is not conjecture - every defeat of encryption I can think of has conformed to that law (PS3, Wii, Xbox, Xbox 360, Amazon Kindle 2, HTC Thunderbolt, Motorola, Samsung Galaxy, Nikon and Canon Cameras, Airport Express, Diaspora, Chromecast, Android code signing, iPhone/iPad/iOS, Windows RT UEFI, Windows 8 UEFI, CCC 2011 badge, just about every type of electronic payment card, several of the bank HSMs that I know of). Every one was broken because encryption was bypassed - not broken.

At present I strongly suspect that LUKS, dm-crypt, and several other protocols haven't been broken by bypassing or cracking the encryption. But that's just a suspicion. And is very unlikely to hold true forever.

My point being that you're guessing that an attack will take the form of someone trying to grab the encrypted data and then trying to unencrypt it.

I suspect your original premise is flawed which leads you to the second incorrect conclusion - that it's more difficult for the person with the LUKS password to read the information than it is for an attacker to read the information or the data.

Built-in authentication modes. Can you expand on that? What's the problem with existing four authentication modes dm-crypt supports? Do you mean TFA authentication modes? LUKS already supports several.
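An added example (not code from any poster in this thread, and not dm-crypt's or LUKS's own code) illustrating the error-propagation point argued above: a single flipped ciphertext bit in CBC mode garbles the whole 128-bit block it sits in and flips exactly one bit of the following block, while every other block decrypts intact, so the loss is on the order of a block, not the volume. A constructed SHA-256 Feistel network stands in for AES (the key, IV and plaintext are constructed too); with XTS, which dm-crypt also supports, even the one-bit carry-over into the next block disappears.

```python
import hashlib

BLOCK = 16   # 128-bit blocks, the size AES uses under dm-crypt
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, r: int, half: bytes) -> bytes:
    # Constructed round function: keyed SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([r]) + half).digest()[:HALF]


def _feistel(key: bytes, block: bytes, order) -> bytes:
    # Balanced Feistel network; decryption is the same walk with the
    # round order reversed. Toy stand-in for AES, not AES itself.
    left, right = block[:HALF], block[HALF:]
    for r in order:
        left, right = right, _xor(left, _round(key, r, right))
    return right + left


def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _feistel(key, _xor(pt[i:i + BLOCK], prev), range(ROUNDS))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        # P_i = D(C_i) XOR C_(i-1): C_i feeds this block and the next one.
        out.append(_xor(_feistel(key, blk, reversed(range(ROUNDS))), prev))
        prev = blk
    return b"".join(out)


def damaged_bits_per_block(key: bytes, iv: bytes, pt: bytes, bit: int) -> list:
    # Flip one ciphertext bit, decrypt, and count differing plaintext bits
    # per block so the spread of the damage can be seen directly.
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[bit // 8] ^= 1 << (bit % 8)
    got = cbc_decrypt(key, iv, bytes(ct))
    return [bin(int.from_bytes(_xor(pt[i:i + BLOCK], got[i:i + BLOCK]), "big")).count("1")
            for i in range(0, len(pt), BLOCK)]


# Constructed sample values: four 128-bit blocks of plaintext.
KEY = b"constructed-key-"
IV = b"constructed-iv--"
PT = bytes(range(64))
```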

Comment Re:Interesting (Score 1) 70

I've only worn glasses since I was thirty. Two years ago I had to get a second pair for distanc

I hate to tell you this, but you're well within the normal range of variation. Sorry to break the news to you.

You will die ; maybe not because of this medical issue, but you will die.

No-oooo. Tell me that you're just trolling. Please.

I'm a special snowflake that will last throughout the year. If you don't take that back I'll hold my breath. Oh wait....

I'll pay that. Thanks for the laugh. If there are any moderators left that don't just mod down that should be modded Funny.

Incidentally, I'm following the same progress of eye disease, within about 25%. I'm going to die too.

[shrug] I guess I've read over 20K books, so I'm not complaining - I just felt a little stupid after thinking that the prescription for two pairs of glasses was wrong. And that was after "thunking" it was an issue with displays. You'd think all the wrinkles would've been a clue. Just goes to show that it's not just the eyes that are getting past their peak.

I sort of like all my wrinkles. Which is just, um, weird. My girlfriend freaks out about hers. I catch sight of mine in a mirror and it just makes me laugh, which causes her to lecture me about not making the laugh lines worse (which just makes it harder not to laugh).

We all get our time in the sun. I can't say I've missed out on much of the good, have any real regrets - or look forward to senility and a loss of physical ability. But that's another subject. (one I also find hilarious)
