
Comment Play dumb (Score 1) 479

Playing dumb has been my personal strategy yet I have no reference to judge effectiveness against other strategies.

You are rarely helped by acting like a know-it-all. The goal I have found is not to help, inform or impress but to get the person on the other end of the line to just give a shit about helping you. Sometimes being stupid is better for you than having the clueless parts changer and "rebooter in chief" you talk to, or whoever they send out, be offended when you go talking over their head or attempt to do their job for them. Sometimes, if the tech they send out is not a total zombie, they will see equipment racks and *ask* intelligent questions, at which time it is safe to blab.

I intentionally lie about what I know, avoid argument and work hard to contain laughter, especially during onsite visits. I will follow all instructions, even stupid ones, unless what I'm being told to do is outright destructive or wastes too much time.

I have also experienced the flip side of this first hand. Sometimes people who think they know something turn out in reality to know a lot less. I'm an oracle without cookies in a couple of niche domains where all who challenge me lose, yet the same people keep coming back for more with the same hubris-filled retorts, undaunted and unaffected by previous lapses of understanding and judgment. What is particularly amusing and annoying are the guys who restate the original question, thinking I must not have understood what they were asking in the first place. At all costs, don't be this person.

Comment Re:Industry should outlaw reprogrammable roms (Score 1) 189

You really have no idea how complex the software is that runs on some embedded devices? A simple hard drive has an OS in and of itself just to maintain your high speed caches. Firmware is generally not the problem though, and it isn't here either. Reprogramming the firmware to do anything useful (streaming data out of a network port it doesn't have) is nigh impossible.

It seems there may be confusion on my point. The point is not to ban firmware. The point is that you no longer persist firmware *changes* in field-reprogrammable ROMs. Instead any updates are loaded into volatile memory at boot, just like an Intel CPU microcode update.

Reprogramming the firmware to do anything useful (streaming data out of a network port it doesn't have) is nigh impossible.

The execution environment of the system is based on data obtained from those very same disk drives. It defies belief an adversary with state level money and time on their hands couldn't inject whatever they wanted into the running operating environment.

Comment What was THAT? (Score 3, Insightful) 105

It was painful to watch Microsoft's intermission at the Oculus event today.

Hey, so, ah, we're bundling an ordinary Xbox controller with the Rift... okay, whatever, I don't care, except for having to pay for it in the cost of the Rift, and your main competition offering a much better input tracking solution with their product.

The rest of the MS demo was someone wearing a VR headset and playing Xbox in "VR" by creating a virtual room with a virtual 2D display and playing the game on that 2D display within the virtual world... one of the sorriest tech demos I've ever seen in my life. I kept waiting for a punch line that never came.

Comment Re:OpenSSL has been replaced... (Score 1) 95

About 80% of the known OpenSSL bugs that have been fixed were inadvertently fixed in LibreSSL during the refactoring. Many of OpenSSL's bugs are entirely due to horrible coding practices. Of the remaining 20%, a sizable portion were actually found by LibreSSL during the clean up.

You should immediately contact OpenSSL and have them correct attributions in the change log to reflect this reality.

Comment Re:Good Luck... (Score 2) 231

I don't get the hate on that one. They're offering it as a free upgrade for one year going as far back as Win 7. If they didn't have the notification on those systems, the year would go by and then everyone would whine about not knowing about the free upgrade.

It isn't a notification it is a nag screen. Nags are intentionally engineered to be unnecessarily difficult to remove. Notifications are designed to be easily dismissed once the user has had a chance to see it.

Comment Great idea (Score 1) 395

I encourage all of our competitors to do the same.

I know it is difficult for some to understand that they exist at the pleasure of their customers. They have no F*#$**$# business dictating to customers how we are to be contacted. The majority use email, yet some prefer phone and voice messaging.

Regardless, even VMs end up as emails in everyone's email inboxes. Unless your PBX was invented in a land before time, there is little to be whining about.

Comment Industry should outlaw reprogrammable roms (Score 1) 189

If a component ever needs new firmware, it should be provided by the operating system when the subsystem is initialized, never to be stored anywhere except the system's main persistent store.

This is a no-brainer win-win for everyone. Manufacturers reduce the risk associated with firmware updates and reduce costs from a smaller bill of materials.

Users win by retaining the ability to recover from ownage by wiping persistent storage.

Also, please, enough of the computers-within-computers crap. I'm looking at you, Intel. Vendors never bother properly maintaining them, and most of these systems are defective by design.

Comment Re:Please support TLS-SRP in IE11 as well (Score 1) 56

SRP has a number of problems, the most

The biggest issue I am aware of is the mostly worthless notion of protecting stored passwords by irreversibly hashing them.

While stolen SRP verifiers (the equivalent of a password hash) can't be used to log in to a legitimate system, they can, like password hashes, be used to conduct brute force attacks, and they can also be used to trick individuals into thinking they are connecting to a legitimate service. This is equivalent to theft of a private key or subversion of CA infrastructure.

The other problem is that when PKI is not used with SRP, the authenticating identity is transmitted in the clear, which may give away information (e.g. a username or alias) to an eavesdropper that users may not want disclosed.

notable being that there's no way to securely *distribute* (or create) the password without falling back to some other TLS suite, or doing it out of band. This really limits the usefulness of SRP in a browser.

Saying that bootstrapping trust is SRP's problem is like saying distributing trusted certificates is PKI's problem.

At some point you need to do work to create trust relationships. This is a fundamentally unavoidable reality, the same way people in the real world come to trust or not trust other individuals based on their experiences.

I do NOT believe SRP is a replacement for PKI. They each have their roles and I believe they can and should be used concurrently. PKI is obviously much better suited for initial service discovery on the Internet. Yet the reality is most sites worth protecting with TLS require a login of some kind. Everyone has a login for their email accounts, their banks and their Facebooks... What I find unacceptably dangerous is the world continuing to ignore individual trust relationships to secure sessions... because the alternative is asking hundreds of redundant global trust anchors to be responsible for the security of the world's systems... a laughably insane delusion.

Additionally, I'm not sure how browser support for SRP is supposed to make phishing stop working. If the user still needs to enter their password somewhere, then the phishing attack just has to look like wherever they usually enter their password.

It becomes tractable to educate users to enter their passwords only into a specific browser menu, rather than into random attacker forms which appear to be indistinguishable from legitimate counterparts that are constantly subject to change and redesign and often contain baseless security assertions (such as fake padlock imagery and baselessly reassuring text).

On the other hand, there are definitely places that I'd like to see SRP deployed. A key one, which I consider a lot more important than in browsers, would be as a replacement for NTLM hashes

NTLMv2 and Kerberos authentication both need to be replaced with a modern secure authentication system; however, a lot more people log in to websites using pre-established usernames and passwords than they do to a network file share. Many of them have no training and believe whatever they see on their screens, because even legitimate sites spew lies to cover for a fundamentally indefensible reality where insecure authentication is tolerated.

Comment Re:Surely this is not that hard... (Score 1) 182

Oh good. only the single most complicated and expensive things then. Look it's not "hard". It's more like "fucking impossible". It's hard to shield against something when you need to provide some kind of external connectivity which can act as a conduit, you're effectively talking about tuned faraday cages around powerlines. It's not only impractical, it's almost impossible to do completely from a technical perspective.

This has been studied and it is far from impractical. You just need better protection circuits.

Comment Re:Surely this is not that hard... (Score 1) 182

EMPs are probably a moderately favorable case, since you need to do a reasonably visible launch to high altitude to get the best effect; but if somebody just puts a nuke in a cargo container that was supposed to contain xboxes and it levels one of the world's larger container ports, who exactly are you going to retaliate against?

Whoever made that bomb would be my first guess.

Comment Please support TLS-SRP in IE11 as well (Score 0) 56

Dear Microsoft,

Please let us establish secure connections using TLS-SRP in IE11. This would be most helpful. Imagine a world where even people with weak passwords (most everyone) who are fooled into supplying credentials to a phisher or MITM attacker face no risk for being suckers.

Apache and some of our intranet applications support TLS-SRP already, yet unfortunately usage is currently limited to machine-to-machine, as none of our users have a browser that can negotiate it. This would be a perfect opportunity to get a leg up on your competition and provide an important security feature no other browser vendor has yet deployed.
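As an added, self-contained illustration of the two SRP claims made in this comment and in the "Re:Please support TLS-SRP in IE11" reply above (a stolen verifier can be dictionary-attacked like a password hash, while a phisher or MITM who never had the verifier gets only one guess per session), the Python below walks through SRP-6a end to end. It is not code from the original posts nor from any TLS-SRP implementation. It uses the RFC 5054 1024-bit group and SHA-1 as that RFC does; the username "alice", the passwords, the salt and the wordlist are constructed for the example.

```python
"""SRP-6a with the RFC 5054 1024-bit group: verifier generation, a full
client/server key agreement, and an offline dictionary attack against a
stolen verifier. Added illustration, not a TLS-SRP implementation; the
username, passwords, salt and wordlist below are constructed."""
import hashlib
import os

# RFC 5054 Appendix A, 1024-bit group (N is prime, g = 2 generates it).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def H(*parts):
    """SHA-1 over the concatenation, as an integer (RFC 5054 uses SHA-1)."""
    return int.from_bytes(hashlib.sha1(b"".join(parts)).digest(), "big")


def pad(x):
    """Left-pad an integer to the byte length of N (RFC 5054 PAD())."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt, username, password):
    """x = SHA1(salt | SHA1(username ":" password)); only the client has it."""
    inner = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return H(salt, inner)


def make_verifier(username, password, salt):
    """What the server stores next to the salt: v = g^x mod N."""
    return pow(g, private_x(salt, username, password), N)


def client_start(a=None):
    a = a if a is not None else int.from_bytes(os.urandom(32), "big")
    return a, pow(g, a, N)


def server_start(v, b=None):
    b = b if b is not None else int.from_bytes(os.urandom(32), "big")
    return b, (k * v + pow(g, b, N)) % N


def client_session_key(a, A, B, salt, username, password):
    if B % N == 0:
        raise ValueError("bad server public value")
    u = H(pad(A), pad(B))
    x = private_x(salt, username, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    return hashlib.sha1(pad(S)).digest()


def server_session_key(b, A, B, v):
    if A % N == 0:
        raise ValueError("bad client public value")
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    return hashlib.sha1(pad(S)).digest()


def handshake(username, client_password, salt, v):
    """Run one exchange; True iff client and server derive the same key."""
    a, A = client_start()
    b, B = server_start(v)
    return (client_session_key(a, A, B, salt, username, client_password)
            == server_session_key(b, A, B, v))


def crack_verifier(username, salt, v, wordlist):
    """Offline dictionary attack on a stolen (salt, v): does g^x match v?"""
    for guess in wordlist:
        if pow(g, private_x(salt, username, guess), N) == v:
            return guess
    return None


if __name__ == "__main__":
    salt = os.urandom(16)
    v = make_verifier("alice", "hunter2", salt)
    print("legit login agrees on key:", handshake("alice", "hunter2", salt, v))
    print("wrong password agrees on key:", handshake("alice", "hunter3", salt, v))
    print("cracked from stolen verifier:",
          crack_verifier("alice", salt, v, ["password", "letmein", "hunter2"]))
    # A phisher with no verifier must build B from a password guess; the
    # session only succeeds if that single guess is right.
    print("phisher's guess 'password' fits:",
          handshake("alice", "hunter2", salt, make_verifier("alice", "password", salt)))
```

The offline attack in crack_verifier is exactly the brute force the reply above describes: each candidate costs one SHA-1 chain and one modular exponentiation, so the verifier protects a weak password no better than a salted hash does. The last line shows the other side of the argument: an impersonating server that has no verifier has to commit to a guessed v before it sees anything from the client, and a wrong guess just yields a key mismatch, so it gets one online guess per session and nothing in the transcript to grind on afterwards.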

Comment Enough is enough (Score 1) 181

When I hear 4K or 8K all I think of is a Spishak Mach 20.

https://www.youtube.com/watch?...

Even 4K at the highest possible FOV in full VR is overkill with a working eye tracker and a clever photon source. 15 degrees of arc is all the cones of the human eye can see, with the rest requiring an irrelevant number of pixels.

There will be excuses like VR that will push legitimate uses of high density yet relatively low DPD (dots per degree) displays for a number of years, yet this is only a passing state of affairs.
