Comment Re:What do you expect... (Score 2) 137
You say that, but Google's phone app doesn't have any ads. This one's entirely on Samsung.
You say that, but Google's phone app doesn't have any ads. This one's entirely on Samsung.
Twitch does have content detection that mutes portions of audio when watching a recorded past broadcast (not a live stream). But it's not perfect; it misses things.
I don't know about other LG phones, but the Nexus 5 (specific phone mentioned in the article) already had an unlockable bootloader. No exploits needed; just fastboot oem unlock from a connected PC, then flash whatever custom ROM you want.
Unlocking the bootloader in the supported way would also wipe the user's data. That's a good thing: it's a security measure to ensure that the unlockable bootloader can't be used as a backdoor to access someone's data on a stolen or confiscated phone. This new attack sounds like it sidesteps that, so it's a security risk.
Git is actually in the process of moving away from SHA1: see hash-function-transition.txt
Some people forgot Unix was originally designed as many small tools that do one thing really well, which can be powerfully combined into bigger tools with scripting and logic. Now we get this one size fits all do everything monstrosity.
Some people seem to think systemd is a giant monolithic daemon that does tons of unrelated stuff all in pid 1. It isn't. It's a collection of programs, each for a specific purpose, designed to work together through interfaces. There are some questionable design choices (like the binary logging), but it's not really the "monstrosity" suggested above.
This is just saying that 5G will be fast enough for interactive two-way video with low latency. Sure, but that's already possible with the wired and wifi connections that people use at home. So it's not like this'll be an automatic and direct consequence of 5G; it's just a separate technology that happens to also be in development.
None of those reasons they cite are specific to email. They're valid reasons why one might want to use Edge as the default browser for everything in Windows 10, but if a user has nonetheless chosen to use a different browser, the mail app -- just like other apps -- ought to respect that preference.
...will open in Microsoft Edge, which provides the best, most secure and consistent experience on Windows 10 and across your devices. With built-in features for reading, note-taking, Cortana integration, and easy access to services such as SharePoint and OneDrive, Microsoft Edge enables you to be more productive, organized and creative without sacrificing your battery life or security.
This is marketing-speak. It seems pretty clear that the purpose of this change is basically to advertise Edge: Microsoft is dissatisfied with how many people are choosing different browsers, Microsoft thinks that people would prefer Edge if only they'd give it a try, so Microsoft is basically railroading people into trying Edge whether they want to or not. Same sort of thinking that gave us GWX.
Crypto currencies are factually based upon nothing more than marketing and public relations, with zero real worth backing, zero.
I don't know about other cryptocurrencies, but bitcoin, at least, requires a significant amount of computation to mine a coin, and that computation takes time. Every block added to the chain represents more computing time that has been expended on all the transactions in the chain's history and all the coins that have been "mined". That computing time has both an energy cost (electricity to run the computer) and an opportunity cost (you could've been using the computer for something else besides bitcoin mining), and those are the basis of a coin's value.
Of course, the "worth" of any currency depends on what goods are available to buy with it, and how much confidence people have that it'll still be accepted to buy those goods in the future. But as a basic requirement, every currency has to be based on some sort of scarce resource (like the natural scarcity of gold, or the artificial scarcity of a fiat currency), and bitcoin is based on both time and energy.
I think there's just too many things unnecessarily built into systemd rather than it utilizing external, usually, already existing utilities. Does systemd really need, for example, NFS, DNS, NTP services built-in? Why can't it run as PID 2 and leave PID1 for init to simply reap orphaned processes?
Those things do run as separate daemons. They're not all crammed into PID 1. The actual systemd program (PID 1) just handles starting and stopping services, and is similar to (and inspired by) launchd on macOS. The other services generally aren't required, aside from (I think) the journal and udev daemons.
As far as I can tell, the optional services (like the DNS resolver) generally aim to provide some sort of useful integration with systemd, but may lack other features compared to their conventional, non-systemd counterparts. It's OK to continue using those conventional, non-systemd services, and Debian at least (don't know about other distros) generally does so.
Everyone seems to be reacting as if ISPs are suddenly going to start selling all your personal info in a major blow to Internet privacy, but these FCC rules just went into effect at the beginning of January, and were enacted because ISPs were doing it already. So we're really just back to the status quo.
It's one thing if you've made a conscientious and competent effort to build a secure product, and you provide security updates for a reasonable support period afterward. The point isn't to punish vendors for not being perfect; responsibility for an attack ultimately lies with the attacker, after all, and the vendor is a victim too.
Something like an open telnet port with a hard-coded password, though, is gross negligence. Heartbleed might not be the device vendor's fault, but not providing a firmware update to fix it, for devices that haven't reached a reasonable end-of-life date, is gross negligence. Continuing to ship something like Debian 3, which reached end-of-life and stopped getting security updates more than a decade ago, is gross negligence.
That's the sort of thing that vendors ought to be held liable for. Gross negligence in the security of your product makes you an (unwitting) contributor to the attack, not an innocent victim.
Getting updates actually installed on devices, after they're released by the vendor, is tricky. It may be a good idea to have the device just update itself automatically, though that opens a different can of worms relating to forced updates and people's control over the devices they own. But if the owner chooses not to install a security update within some reasonable time period after it's released, maybe the owner should be liable for some portion of the damage when the device ends up participating in an attack.
Can't see how a national government can fix this
By making manufacturers liable for damage done by their insecure devices.
Insecure software is an externality: the manufacturer creates the vulnerability, but the customer (or the whole public) bears the cost when it's exploited. Free-market competition is good at optimizing for minimum cost, but by default, externalities aren't included in the cost being optimized. That's why you get cheap, insecure devices.
If manufacturers are held liable for damage done by security flaws in their devices, that cost is no longer external. The manufacturer bears the cost of its own insecurity, and has an incentive to reduce that cost. Security becomes cost-effective, and competition will reward the manufacturers who do it the best.
The government doesn't have to mandate that devices be secure. It doesn't have to verify that devices are secure. It just has to make the manufacturer liable when a device is insecure, and the market can do the rest.
(This will, however, generally raise the price of devices. The cost of security gets transferred more directly to the customer, instead of foisted onto the public.)
"i386" is still the name that Debian and its derivatives (like Ubuntu) use for the 32-bit x86 platform, regardless of the specific chip. Debian actually dropped support for pre-686 CPUs a few months ago, and had required at least 586 for several years prior, but the overall architecture is still called "i386", because that's what it's always been called, and there's no real benefit (and lots of inconvenience) in changing it. Same reason why 64-bit x86 is called "amd64" even though Intel implements it too.
This Ubuntu proposal is about dropping 32-bit x86 entirely, not just certain old chips.
There's a certain amount of security to be had using a more obscure operating system.
Linux is hardly "obscure". It's not widely used on desktops, but it's the dominant operating system for Internet servers. That makes it a plenty big target for attackers already.
The best solution on offer is to use SCRIPTING in the initfs to mount the RAID volume before systemd gets to run. Yes, SCRIPTING.
You can use systemd and I'll stick to scripts.
Just not in your initramfs, I guess?
Really, though, distros use sophisticated scripts in initramfs anyway, which should handle this sort of thing. Mounting the root filesystem is initramfs's job, not
Make sure your code does nothing gracefully.