How so? The mainline DHT used for torrents has been operating without outages for years, with tens of millions of nodes taking part (with a churn of about 10 million a day). The DHT is self-healing in that if there's a small cluster of nodes that are interconnected with each other but disconnected from the main DHT, a single connection to the main DHT will result in that cluster completely rejoining the main DHT.

Indeed. The system appears to provide decentralized, encrypted communications. That's a very important aspect to be sure, but it's not anonymous communication. I don't see any mention in the text or links of the summary saying that the system is intended to be anonymous, only encrypted and decentralized.

Perhaps. It'd be interesting to see a Tor-based DHT that would allow for this type of chat protocol to be extended -- that would make it both encrypted, decentralized, and anonymous.

OTR rides on top of underlying IM protocols (e.g. AIM, ICQ, XMPP, Yahoo Messenger, etc.) and encrypts the contents of communications. IM service providers can still shut down individual accounts, monitor who is accessing them, etc., even if they cannot read the contents of messages.

With BitTorrent Chat, the service takes advantage of the DHT (similar to "trackerless torrents" that don't have any single point of failure) to provide a decentralized, fault-tolerant means of exchanging data. There's no dependence on a single service -- all users would participate in the DHT, making it an extremely robust system.

If I read the description properly, it's similar to "OTR-over-DHT" but there's likely substantial differences in the details.

Users that utilize large amounts of storage are relatively uncommon and are subsidized, in part, by users who utilize less storage. If everyone used terabytes of storage at $4/month, that wouldn't really be sustainable.

Although just a personal anecdote, I've used CrashPlan for ~4 years now (with 11 computers belonging to various family members all backing up to their service with a total of around 500GB being stored with them). Zero complaints. It's done everything I expected, always worked, and never had issues. When I had a laptop stolen and purchased a replacement, I was able to restore all the files from CrashPlan in about a day or two of downloading. I highly recommend it.

It depends on your storage needs. For things that you need to regularly access, Amazon S3 will cost you about $175/month for 2TB storage plus transfer fees, but is readily accessible at any time.

Amazon Glacier would only cost you $20/month for that amount of storage, but has various limitations on retrieval time (~4 hour minimum) and higher costs if you need to retrieve more data in a shorter amount of time. As the name suggests, it's designed for "cold storage".

Both offer extremely high degrees of reliability.

Interesting. My wife has a Nexus 7 (2012 edition). It charges just fine (albeit relatively slowly) from 500mA USB chargers. It charges faster with the 2A charger that comes with it, but I've never had issues with it losing charge while plugged in to a standard charger.

How weak is your "weakly charging" USB port? Is it one on a keyboard or some other low-power accessory, or is it a port on the computer itself?

That's demonstrably false. There's plenty of references to Linux on the Ubuntu site.

That probably won't work: most (all?) grid-tie solar systems will cut off the solar panels if the grid connection is interrupted (so as to avoid feeding power back into the lines in an outage, which would endanger utility workers). Battery-backed solar systems could run independently, but are considerably more expensive and require more maintenance than simple grid-tie systems.

Also, most (again, all?) states have legal requirements that inhabited dwellings have basic utility service (e.g. electricity, water, sewer, etc.). If people were to cut off their power for several months they would likely be in violation of the law.

There's plenty of DNS servers (both root servers, gTLD servers, and ccTLD servers) located outside of US jurisdiction.

While an unexpected shutdown could certainly cause some disruption both inside and outside the US, I'm not sure how effective a global DNS shutdown would be -- there's been significant fractions of the root DNS infrastructure that's been taken offline due to attacks in the past and the system continued to work without interruption. Even if there was a disruption, it's likely that non-US operators of root/gTLD/ccTLD servers would setup workarounds fairly quickly and the rest of the world would go about its business.

Anyway, it's something the government could ever do *once*. The instant they do it, the world changes and would highly unlikely to depend on a system managed by a single country.

Shutting down something like Google, for example, would likely be far more disruptive.

As an example, NameCheap, an American registrar and host, sells Comodo certs for $9/year. GeoTrust are $10.95/year, while Thawte certs are $40/year. Prices drop by a few dollars for multi-year purchases. Gandi, a French registrar and host, offers Comodo certs for $16/year, again with discounts for multi-year purchases.

StartSSL offers domain-validated certs completely free of cost for non-commercial uses. Commercial users are expected to undergo validation (they validate both the person requesting the certificate as well as the organization) which costs about $100/year but entitles them to issue an infinite number of certificates for systems they control (i.e., no issuing certs for your friends, but issuing certs for your work servers is fine). In short, they charge money for what costs them money: signing a cert is essentially free, while validating identity is expensive.

There's plenty of options for cheap certificates, particularly if you buy from a reseller rather than from the CA itself.

Browsers like Chrome can come with cert data for major sites pre-pinned, so as to prevent MITMs even using certs from trusted CAs. Firefox users can use something like Cert Patrol to detect unexpected changes in certificates. The use of HTTPS would prevent malicious packets from being inserted into the data stream (encrypted data is MACed to ensure integrity).

It'd be quite unlikely for nobody to notice an unusual certificate change, particularly if expected cert changes were publicly announced through some other medium (e.g. other forums, Twitter, etc.). It's not perfect, of course, but it raises the bar considerably and would make any such attacks publicly visible.

True, but it would prevent the insertion of malicious packets (the "Quantum Insert" technique they describe in the various articles). Invalid SSL/TLS packets would simply be discarded and it would not be possible to insert malicious packets into the encrypted, MACed datastream.

Yes, MITM would be possible but Slashdot could implement certificate pinning (either through having browsers like Chrome have the cert details baked-in, or having users use something like Cert Patrol for Firefox) to make this harder. It's not foolproof, but it would certainly make this type of attack considerably more difficult and easier to detect.

Twitter's article about their shortener lists 3 reasons for why they do it:

That's reasonable. Still, if that was the only reason why it existed then one should have the ability not to use it or use a different one.

That information is valuable, I get that. Still, not really enough to justify requiring all links go through their shortener.

In my view, this is what makes the mandatory use of t.co worthwhile -- malicious links can spread really quickly on Twitter and having a mechanism to help minimize the damage of malicious links is a good thing. Not all third-party shorteners have such checking, so it makes sense for Twitter to enforce the use of their shortener that does the checks.

The OpenPGP smartcard was developed by the primary developer of GnuPG. Pretty much any smartcard reader will work without issues -- I have an SCR355 reader for my desktop (it was plug-and-play on Windows and Linux) and the built-in reader in my Lenovo laptop and both work fine.

There's also the GPF Crypto Stick, which is the same smartcard in a USB token form factor. I also have one, and it works well (though I prefer the card form factor as cards fit in my wallet better).

StartSSL offers free-of-charge domain-validated certificates that are widely trusted. Other CAs like GoDaddy and Comodo offer (often through resellers) domain-validated certs that cost less than $20/year. Thawte DV certs from resellers cost about $30/year. The cost (or lack thereof) for such certs is probably the least important reason why people aren't using HTTPS more.

EV certs are well within the budget for even small businesses, and usually cost around $150/year. Again, hardly unreasonable.

It'd be nice to see more hosting companies implement Server Name Indication (SNI) so that clients can implement SSL/TLS without needing to waste a dedicated IP address. This really should be the default.

The key servers don't need to be trusted, at least not in the same way that certificate authorities need to be trusted. The keyservers don't do any sort of crypto at all. They simply store keys that users submit to them and retrieve those that users request.

Someone can simply say "Hey, I have a PGP key with $FINGERPRINT. You can get it on the keyserver." and one can retrieve it. It's trivial to validate that a key retrieved from the keyserver matches the fingerprint given by the expected person.

While not immune to manipulation, keyservers can be difficult to trick: they're append-only (there's no way to remove data from keyservers) and they sync with each other. All keys are self-signed and many are signed by other users. If one keyserver were modified such that a key was altered, that is easily detectable and the changes would likely be undone as the server syncs with others.

Could one upload keys that falsely claim to be someone else? Sure, but that's not a problem with the keyserver, but rather a problem with human validation of fingerprints and other details. In the end, one needs to verify the fingerprint on the key.