Comment Re:Not just for government. (Score 1) 155

Static pages for a personal site work fine. Lack of SSL means Heartbleed didn't touch my server.

Heartbleed is a data-disclosure vulnerability. If you're not using SSL and you purport to host only pages that contain no sensitive or private information whatsoever, then what would Heartbleed--if it affected you--even disclose?

Comment Re:Only on some... (Score 3, Insightful) 155

Only if you're okay with a network-privileged attacker (someone on the wire--what HTTPS is designed to defend against):
* Recording what pages you're visiting
* Undetectably modifying the information presented on those pages
* Injecting their own advertising, browser-level tracking mechanism, or malware

There's a solid business case for HTTPS-encrypting static pages with minimal privacy risks, just because of the threat of having unauthorized parties (i.e., ISPs) inject their own advertising.

Comment Re:Enlighten me please (Score 1) 450

I really like the almost-no-ports MacBook Air. I also really see the utility of what you describe, since I'd like exactly such a thing as well. (We have something close.) The portable ton-of-ports-in-a-box laptop as a tech tool is very useful. But really, those are two very different products. It's completely true that Apple just doesn't make the latter product.

Comment Re:Secure is now illegal (Score 1) 199

Oh, no. You do not want your defense to rest on technical details. Rather, a common tactic (admittedly, among people who are guilty) is for the defense to claim that it was an accident or malware and demand that the prosecution show intent. The defense can then hammer on the prosecution's expert witness (forensic investigator) and back them into a corner where they're having to explain technical details. This makes the jury unhappy with the prosecution.

Displaying the images you found in court works pretty well for the prosecution, and is probably a significant contributor to their very high rate of plea bargains.

Comment Re:Secure is now illegal (Score 1) 199

There's more to the Internet than the Web. There is certainly CP that can be accessed accidentally. It's true that it doesn't really happen all that often. (It mostly happens with people on P2P file-sharing systems who execute vague searches for porn and then mass-download everything.) But it doesn't matter -- the defense can and does make a legitimate case that it *could* be accidental unless you demonstrate intent to a reasonable degree.

Comment Re:Secure is now illegal (Score 2) 199

In my limited experience seeing these cases go by, no.

It's usually hard to convict these child porn cases unless you can demonstrate that the perpetrator's actions were knowing and willful. Yes, some of the laws aren't like that and are strict liability, which sucks. Yes, some unwise prosecutors indict on absolutely ridiculous cases, and that sucks. But in general, if you're going to actually get a conviction in court, you really need to be able to demonstrate that the guy did it knowingly and willfully.

Even then, if your evidence of intent is too deeply technical, your conviction is at risk, because a jury absolutely hates any deep technical discussions (they are not, in general, technically-minded people). So Web browser data, for example, sucks. If you find CP images in a browser cache, then you've got to demonstrate that they got there by willful action and not by mistake. (After all, both the forensic investigator and the defense know full well that you can get porn in your browser cache with one accidental misclick.) So you've got to connect Web browser history (which used to be shorter-lived than cache entries) to the CP, which is somewhat technically complicated, and as mentioned, technical explanations are looked down on. It's worse if you find CP in unallocated space on a hard drive -- now you've really got your work cut out for you. But, I digress.

Fortunately for the prosecutor, the gross majority of people they catch make it easy. They take zero of the half-assed paranoid steps that any armchair expert on Slashdot will tell you to follow. No encryption, no "download and secure erase" policy, etc. No, they download, organize, and label hundreds of gigabytes of child porn.

Anyway, in practice, mens rea really is necessary to get a conviction. Which means one of two things here: either the prosecutor in this case is looking to make headlines and is making a bad decision (namely, they'll get their headlines but not a conviction); or, more likely, the host has knowingly harbored CP -- perhaps even specifically sought out this business, has chosen to do nothing about it, and there is substantial evidence to demonstrate this. (I think the latter is more likely not because of my faith in prosecutors, but rather because businesses providing "secure storage" but explicitly and knowingly catering to this kind of business abound.)

Comment Re:I'd suggest to recommend uninstalling windows t (Score 3, Insightful) 134

That may be true.

It's not applicable in this case, because this is OEM-installed adware. Everything it does can be implemented just fine on a Linux system. The solution is really the same for this sort of thing regardless of whether you're talking Windows or Linux -- don't use the OEM-provided pile of crapware that comes with the machine; install a brand-new copy of just the OS.

Comment Re:The headline and the text say different things (Score 1) 115

The headline says that they are "tied to NSA"... but TFA says that "researchers stopped short of saying Equation Group was the handiwork of the NSA."

That's a clever turn of phrase. Kaspersky pointedly calls them out as NSA, but doesn't explicitly say "this is a group at NSA".
