from gameability (in short, SPAM) to politics. Rather than punish above-board or non-predatory websites, it will punish both subversive and innovative thought that runs well ahead of social consensus. Sure, it will also eliminate willful misinformation, but it turns Google into an inherently conservative, rather than socially innovative, force.

Can't say I think it's better. Probably not any worse, but certainly not panacea.

All code has bugs. Xen has bugs. Qubes has bugs. And yes, OSes have bugs, although Linux local privilege escalation bugs are not an everyday occurrence, and OpenBSD bugs are very rare. You can't handwave a 0-day privilege escalation vulnerability into existence and claim that there are no 0-day privilege escalation vulnerabilities in Xen.

tar is pretty solid, actually, but, if you don't like it, make up your own trivial archive format (it's not hard), or don't use it and follow a one-disk-per-message protocol. And don't use a filesystem. dd if=email.eml of=/dev/cdrw (approximately), then dd if=/dev/cdrom of=email.eml

User error could happen with any system. You're really stretching here.

Where did I ever say any of these computers had hard discs? And of course there's an out-of-band way to store info. Just use a magical vulnerability in Xen I made up to write it to another VM's permanent storage.

I have no idea where you're getting that disc encryption has anything to do with anything here, and, no, you could definitely use the same three computers for all your emails. If you find burning discs to be too cumbersome, use floppy disc drivers or Zip drives or something, but it's really not that bad, especially if you don't bother to fixate.

This whole notion you have that "the operating system is insecure so let's put another layer on top of it" is just silly. If you make Xen your operating system, then Xen is your operating system. If you want a secure operating system with no privilege escalation, then that's what you need. Using a hypervisor doesn't magically make security vulnerabilities go away. There have and will be attacks against Xen, against Qubes, and against any other complex pieces of software you create. You want a secure OS, then you need a dead-simple OS written with security in mind. True security comes from simplicity, not complexity.

The one thing I think you're right about is that modern OSes are too complex to provide extreme levels of security. OpenBSD is the best, but even it is a quite complex piece of software. A braindead-simple POSIX-like OS kernel prizing security above all other values may have its uses. It could use generic hardware drivers for the hard disk and display adapter (VESA). Ethernet would be a problem but maybe there's a standard for USB Ethernet adapters? Wayland for the graphics API instead of X, braindead-simple written-from-scratch TCP stack, you get the idea. I'll have to make that when I have time. It shouldn't be too hard.

Burz,

I'm not saying it's impossible to customize a USB device. I'm saying rooting a machine to the point that it can customize an arbitrary USB key plugged in by the legitimate operator of the machine is impractical. You're also invoking speculative, unknown attacks against the USB host driver and firmware, which I will see you with my previously invoked unknown, speculative attacks against Xen. Also, you completely ignored my suggestion of using an optical disk if you are concerned about USB.

Safest way I can think of using airgapped machines right now for encrypted email:

1. Copy received email from networked machine C to write-once optical disk.
2. Decrypt received email on airgapped machine A.
3. Compose reply on different airgapped machine B, encrypt reply.
4. Copy encrypted reply to write-once optical disk.
5. Send encrypted reply from networked machine.

This involves three physical computers, but none has to be recent or expensive. Airgapped machine A has no ability to send information to C or B, and airgapped machine B is never touched by any devices from the outside world, and also never needs to know any secret keys, since all you need to encrypt an email message is the recipient's public key. Theoretically you could type such a key in by hand, but in any case it's a once-per-recipient transfer.

I would argue using USB sticks in this scenario gives only a very slight reduction in security, but write-many optical disks would be a practical approach if you're scared of USB. I will say that compiling out obscure and unused USB kernel drivers is a good move, as is disabling USB kernel module autoloading.

StackExchange says you're wrong about USB having DMA: http://security.stackexchange....

In any case, BadUSB would require reprogramming the actual device, so I still don't think it is a practical attack vector in this scenario. Moreover, if you're really paranoid, you can use write-once CD-Rs instead of USB devices.

QubesOS is an interesting idea, but it's more complicated and therefore more likely to have bugs than airgapping a machine. You're assuming there are no bugs in Xen, for instance.

As for filesystem bugs, this code has been around for 20 years or more. There are bugs everywhere, but I think especially popular Linux filesystem drivers are likely pretty solid. But go ahead and just dd the file to the optical disk directly and don't use a filesystem if it makes you feel better.

Similar is Big Blue Button (a google summer of code project) - whiteboard functionality, upload files and do the "john madden football commentator thing" to them, voice and cam sharing, ability to mute, etc. And can be set up to record meetings/conferences/etc. Tested it a while back stand-along on a linode that would be $10/mo now (it was a $20/mo plan then), and it was enough to support 15 users at once as long as they all weren't connected via the same wireless link to the LAN to get out to the World

Honest question: What proportion of complainers just want porn, and what proportion just don't want censorship? And what proportion of those complaining about censorship really just want porn?

Back in the 80's, IIRC, there was a study where people were put into a cave with nothing but artificial light and allowed to sleep on their own schedule. They ended up with about a 25 hour day.

Dear Microsoft,

Sorry, but according to your tax filings you are headquartered in Nevada so investing in a Washington University for a Nevada corporation makes no sense.

- Washington

It's not a Windows RT port it's a WinRT port. Windows RT is an operating system. WinRT is the runtime which replaces Win32. WinRT runs on Windows 8.x, 10 and Windows Phone 8.x and 10.

Bugs in the filesystem driver, yes, but those are probably pretty rare I'd think. BadUSB, not really. That attack works by emulating a keyboard/mouse HID controller. If you plug your USB drive in and all of a sudden your computer starts typing things and moving the mouse on its own, you would notice immediately. Also it typically requires special hardware; a rooted box couldn't just take a real USB drive and turn it into a HID controller.

In Search Of... consolation...

Part of the problem is the CYA issue.

If you're writing the code, you sound like a laborer ("I have to..."). If it breaks, it's your fault and you're on the hook publicly.

If you present a third-party component in a meeting, you sound like a manager ("I propose that we..."). Once three or four other people in the meeting have concurred, if something breaks it's the third party's fault. A ticket or two are initiated, it's someone else's problem and everybody gets to cast blame somewhere beyond the walls of the company.

Rational behavior, regrettably.

What if you don't like your head? Ugly people could have their brains transplanted into pretty people. Think of the potential for sex changes too! Then just as there's a market for stealing kidneys, there will arise a market for stealing whole bodies. You don't have to steal a rich person's digital identity. You can steal their WHOLE LIFE. Mind you, you'd have to study up really hard on every detail of their life and even learn to imitate their accent and speach patterns exactly, so their friends don't catch on. And then, with everyone knowing about the potential for this kind of identity theft, imagine someone undergoes a personality change due to illness -- everyone will assume their brain was replaced by an imposter, because most people are fucking clueless about mental illness.

Your comment is probably the most insightful here.

Even with extreme optimism about neurplasticity and nerve cells sliced in the middle (not separated at the synapses but chopped like a stalk of celery) deciding to attach to other sliced neurons, the idea of taking one spinal cord and gluing it to another spinal cord and having ANYTHING line up right seems absurd to me. Talk about a registration problem! I suspect the only way to do it would be to be to perform microscopic surgery where tiny machines connect neurons one-by-one. Of course, even if we had that technology, there's a whole other problem of knowing which ones to connect to which, which probably doesn't have a real solution as you pointed out.

I was thinking flash drive or possibly optical disk ... couldn't there theoretically be an exploitable buffer overflow in ZModem?