
Comment Re:Signal is great (Score 1) 171

True about the desktop version. They had something that claimed to be a desktop version, but when I ran it the first thing it wanted was a mobile #. Uhh.... my desktop PC doesn't have a phone number!

Signal uses your mobile number as a unique identifier akin to a username. Even if you don't run the app on a phone, you need to give it a mobile number to actually use the service.

That said, Signal is designed to be mainly used on mobile devices. The desktop version is convenient, but isn't really meant to be the primary means of using the service.

Comment Re:Which one should you be using? (Score 1) 171

The one your friends and family use. What's the point of a secure messaging network if nobody you know uses it?

Users can install multiple messaging apps. I, for one, have several: Signal, WhatsApp, Google Hangouts, Skype, etc.

So far it works fine, and most of my friends and family use Signal.

Comment Re:Why not press the switch (Score 2) 170

It's easy to know how a GPS receiver will work if there's no signal: it simply doesn't function.

But how does it function in the presence of strong jamming signals of different types? Does it produce spurious errors? False position or timing data? Does it have other issues? Can very strong signals cause damage to various components like amplifiers and the exquisitely sensitive receiver circuits?

I'm just speculating, but I suspect that they'll be doing tests of that type.

Comment Re:And what's our suggestion to friends and family (Score 1) 79

Have good, versioned backups. I like CrashPlan, as one can use it to backup to various destinations, including local systems/disks, remote systems associated with one's account, remote systems belonging to others (so long as they give permission), and for paid users, to the CrashPlan-run storage service.

All backups are encrypted so that the destinations cannot access one's data, it keeps regular versions so one can easily recover from a ransomware (or other) infection that corrupts or destroys files slowly over time, and compresses/deduplicates data to save space. I've used it for years and it's saved my bacon a few times. Their family plans are quite affordable.

(Disclosure: I am a paid CrashPlan user but otherwise have no connection, financial or otherwise, with the service.)

Comment Re:Why worry about credit cards? (Score 1) 64

I'm under no obligation to pay until the investigation and any related processes are ongoing.

Sorry, it's late. I meant to say I'm under no obligation to pay until the investigation and any related processes are complete (and I'd only need to pay if the investigation shows the charge was legitimate; obviously I'd not need to pay if the charge was fraudulent).

Comment Re:Why worry about credit cards? (Score 2) 64

That's why I essentially never use debit cards and advocate the use of credit cards: if I contest a charge on a debit card, I'm contesting whether or not I should get my own money back and, as you say, the money may be unavailable during the investigation.

With credit cards, I'm contesting if I owe the bank money and I'm under no obligation to pay until the investigation and any related processes are ongoing.

In regards to eBay, the merchants never get your credit card information. Virtually all transactions go through PayPal, which has its own buyer protection options above and beyond what your credit card offers. Things might have been different eight years ago.

Comment Re:Why worry about credit cards? (Score 3, Interesting) 64

You need to convince the bank that any transactions between its being compromised or stolen and your notifying them were not in fact yours. Good luck with that. I would not notice a fraudulent charge until the next monthly statement.

I'm not sure where you live, but in the US it's quite easy: most banks allow you to simply mark one or more particular charges as fraudulent using their online banking website. Otherwise, you can report the card as lost/stolen using the website or by calling them. One time, ten years ago, they sent me a form I had to sign and mail back (at their expense) to attest that the charge was fraudulent. Took me about 30 seconds. The one other time I've reported it since then, it was all online with no paperwork. The one time the bank caught it before I did, no paperwork was necessary: they called me, described the suspicious transaction, I confirmed it was fraudulent, and they handled it from there.

There's never been any adversarial questioning or anything from the bank, it's simply routine.

But you sound as if your cards are often compromised, lost or stolen, so it's all the more surprising if your bank cancels the fraudulent charges at the drop of a hat. You must have such a reputation with them that I wonder why they don't cancel your contract instead.

It's happened to me three times in 15 years, never through any fault of my own. I'd hardly consider that "often" or somehow deserving of a "reputation". Even if it was somehow considered excessive, I find it hard to believe that a bank would drop a long-time client simply because they were frequently the victim of crime.

In each case, it's been quite obvious that the charges were unusual and fraudulent: As an example, when my card was compromised one time I lived in Arizona and I regularly made various routine charges (e.g. groceries, gas, food, etc.). It didn't really make sense that my card was used to buy $300 worth of gasoline at a gas station in Florida 20 minutes after I bought my regular groceries in Arizona, so the bank flagged the transaction and called me. Another time it was used to buy household appliances in some distant state I'd never visited to be delivered to an address I had no connection with whatsoever.

Either way, dealing with the aftermath of the fraudulent credit card usage was only the most minor inconvenience. I don't understand why people get so worked up about such things: I'd be more concerned with my name, address, and other account details getting leaked since those can't be changed as easily (if at all).

Comment Why worry about credit cards? (Score 2) 64

I've never understood why anyone worries about their credit card information when shopping online: it's literally the least-valuable information that I possess, insofar as its compromise will affect me.

I'm not liable for any fraudulent charges made with my card, and reporting mis-use is the work of a few moments (unless the bank notices it first and notifies me, in which case it's even less work for me). A replacement card will be in my mailbox in a few days.

Is it a minor hassle to update the card number on file with various merchants I do business with? Certainly, and I'd rather avoid such a situation if possible, but it's a minor inconvenience in the grand scheme of things.

Other information -- social security numbers, for example -- is much more valuable to criminals (which is dumb: there really should be some better way of identifying someone), and it's a good thing such information is only rarely needed and asked for. In general, SSNs can't be changed and it's a huge pain to recover from identity theft, but a stolen credit card? That's a minor inconvenience, at worst.

Comment Re:Unless... (Score 2) 314

The computer you bought 3-5 years ago, barring mechanical failure still meets or exceeds your needs for the most part, so why waste the money?

Indeed. I have a computer that's about 8 years old (Gigabyte-brand motherboard, Intel Core2Quad Q6600, 8GB DDR2 RAM) that I've made only some minor changes to (lots of storage, SSD boot disk, GeForce 550 Ti graphics card, etc.) that's still ticking away just fine. Turns out Gigabyte's marketing their boards as "ultra-reliable" was accurate.

I intend to upgrade later this year to something a bit more modern (i7, more RAM, new graphics card, bigger monitor, etc.), but the need really hasn't been pressing. Since most games are released for PC and console, developers (annoyingly) target the performance level of the consoles, so the PC has no problems running them even at high graphics settings.

Either way, I won't be using Windows 10 -- I'll image the Windows 7 installation I currently have and move that over to the new system. Worst-case, I re-install Windows 7. When Win7 goes EOL I'll probably switch to Linux.

Comment Re:Can I please have an unencrypted phone? (Score 1) 47

Why not get the best of both worlds and have automated backups and an encrypted phone?

If you're not comfortable with Google's various backup options (e.g. Google Photos' cloud backup), that's fine: there are alternatives. I use BitTorrent Sync to sync the camera folders on my and my wife's smartphones with our various computers and NAS. Not only does this make it easier to share photos and video with family (I find it easier to share from a computer, rather than from a phone), but it runs continuously so there's only a few seconds between when the photo was taken and when it's available on the computers. Works incredibly well.

You can choose whether or not to sync using your cellular data or just on wifi, depending on your needs.

Comment Re:I don't understand (Score 4, Informative) 56

HTTPS provides several benefits:

- Encryption which, as you point out, keeps other parties from knowing the content of data you access. Sure, the bulk of that data may be mundane, everyday stuff that you don't really care if anyone knows about, but there's no harm in keeping it private in transit. It's the same reason you enclose letters in envelopes rather than sending postcards.

- Verifying the authenticity of the server. Domain-validated certificates offer a relatively low level of validation, but they still provide you reasonable assurance that the server you're communicating with is the one operated by the actual owner of that domain name -- your connection isn't being intercepted and spoofed by some shady wifi hotspot, for example. Organization-validated and Extended Validation certificates provide higher degrees of validation, and include details (e.g. company name, location, etc.) of the entity to whom the certificate was issued.

- Tamper-resistance. All HTTPS connections provide tamper-resistance by using either HMAC or AEAD ciphersuites. This prevents third parties from altering the content. A public hotspot or your ISP may inject content, malicious or not, into unencrypted connections. HTTPS prevents this.

Considering that there's essentially no costs for using HTTPS (certificates are free or exceedingly cheap, CPUs have hardware support for AES so there's basically no overhead for encrypting data, ECDHE key exchanges are extremely fast, as are ECDSA signatures, and so present minimal load to servers. RSA signing is a bit slower for servers, but modern CPUs are fast and TLS handshakes are brief and only happen occasionally.) and many benefits, why wouldn't everyone want to secure data in transit?
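
The tamper-resistance point above (HMAC or AEAD ciphersuites, as opposed to bare encryption) is easy to see in working code. The block below is an added example and is not code from the comment or from any TLS implementation: it uses a toy SHA-256 counter-mode keystream as a stand-in for a stream cipher such as RC4 or AES-CTR, shows an attacker rewriting the decrypted message without the key (a bit-flipping attack), and then shows the same attack being rejected once an HMAC-SHA256 tag is added in the encrypt-then-MAC pattern. The keys, nonce and message are constructed for the demo and the "cipher" is not a production construction.

```python
"""
Malleability of unauthenticated encryption vs. encrypt-then-MAC (HMAC).

Added example, not code from the comment above. The keystream is a toy
(SHA-256 of key || nonce || counter) standing in for a real stream cipher;
the point is the integrity check, not the cipher.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: concatenated SHA-256 blocks, truncated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_unauthenticated(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher style encryption: no integrity protection at all."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_unauthenticated(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


def flip_plaintext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker step (no key needed): if `old` is known to sit at `offset` in
    the plaintext, XORing old^new into the ciphertext makes it decrypt to
    `new` instead. This is what an injecting hotspot or ISP could do to a
    connection that encrypts but does not authenticate."""
    delta = xor_bytes(old, new)
    c = bytearray(ciphertext)
    for i, d in enumerate(delta):
        c[offset + i] ^= d
    return bytes(c)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC the nonce and ciphertext; send ciphertext || tag."""
    ct = encrypt_unauthenticated(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time BEFORE decrypting; reject on mismatch."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC verification failed: message was altered in transit")
    return decrypt_unauthenticated(enc_key, nonce, ct)


def demo():
    """Returns (forged_plaintext, tamper_detected, intact_plaintext)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"transfer $0100 to alice"  # constructed sample message
    at = msg.index(b"0100")

    # 1. Encryption only: the attacker turns $0100 into $9900 without the key.
    ct = encrypt_unauthenticated(enc_key, nonce, msg)
    forged = decrypt_unauthenticated(enc_key, nonce, flip_plaintext(ct, at, b"0100", b"9900"))

    # 2. Encrypt-then-MAC: the identical bit-flip is caught by the tag check.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, msg)
    try:
        decrypt_then_verify(enc_key, mac_key, nonce, flip_plaintext(blob, at, b"0100", b"9900"))
        detected = False
    except ValueError:
        detected = True

    intact = decrypt_then_verify(enc_key, mac_key, nonce, blob)
    return forged, detected, intact


if __name__ == "__main__":
    forged, detected, intact = demo()
    print("unauthenticated, after bit-flip:", forged)
    print("encrypt-then-MAC detected tampering:", detected)
    print("encrypt-then-MAC, untouched:", intact)
```

The order matters: the tag is checked before any decryption, and with `hmac.compare_digest` so the comparison does not leak timing. A real TLS stack gets the same property from an AEAD mode such as AES-GCM or ChaCha20-Poly1305, where the integrity tag is part of the cipher mode rather than bolted on afterwards.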

Comment Re:Let's Encrypt (Score 2) 56

Certificate cost is no longer the obstacle it used to be, as a TLS certificate is free unless you need organizational validation. StartSSL and WoSign have been providing domain-validated (DV) certificates without charge to individuals for years, and automated ACME CA Let's Encrypt has been in operation for several months.

Indeed. TLS certs are, as you point out, available for free. Even if one wishes to pay for a cert, DV certs are available for a pittance: Comodo's PositiveSSL certs are available for as low as $14.97 for three years ($4.99/year) from SSLs.com, a reseller owned by NameCheap. I spend more getting take-out lunch one day than it'd cost to get a cert for three years. That's basically a non-issue when it comes to even the most budget-constrained websites.

Other interesting details:
- Comodo's PositiveSSL offering is one of the very few CAs that will not only sign elliptic curve certs, but will do so using a separate, all-ECC certificate chain. Their ECC root is in all major browsers, but it's cross-signed by their UserTrust RSA root for legacy users. Naturally, PositiveSSL also offers an all-RSA chain for those who prefer RSA certificates, but I thought it was cool they offer an all-ECC chain and charge the same price for ECC or RSA certs.
- StartSSL recently started signing ECC certs from their RSA chain (4096-bit root, 2048-bit intermediate). While not quite as secure as an all-ECC chain, it's fast: clients can verify the RSA signatures quickly, and the server can perform ECDSA signatures and ECDHE key exchanges quickly.
- WoSign uses StartPKI, StartSSL's managed-PKI offering that chains up to the StartSSL root. Nifty. I knew StartSSL has offered that for a while but I'd never seen any such intermediates in the wild before.

Full disclosure: I have no relationship with Comodo, StartSSL, SSLs.com, NameCheap, etc. other than being a paying user. I don't get any compensation, direct or otherwise, from mentioning them.

Comment Re:Who signs the certificates and maintains the ke (Score 3, Insightful) 56

This may be overly cynical of me, but could they be doing this to imbue the sense of improved security, while still being able to decrypt and observe the traffic themselves? For themselves as well as for the government, where the particular datacenter is located?

How is encryption of data on-the-wire relevant to the observation of data stored in their datacenters?

Whether or not they use HTTPS, Google has always been able to access the content of Blogspot-hosted blogs because Google runs Blogspot and the data resides on their servers. Adding HTTPS doesn't change that at all.

Comment Re:Smoking Man (Score 1) 117

Seriously. I'm 33 and HL2 came out when I was 21. I've got a nearly two-year-old daughter now, and I'm hoping that I'll be able to play HL3 sometime before she's old enough to play HL2.

Don't get me wrong: I love all the other Valve-produced games like the Portal series, Left 4 Dead, Team Fortress, etc., but there's a special place in my heart for the HL series.

Comment Re:We don't need "backdoors" (Score 1) 259

Put simply, there exist plenty of systems and techniques that don't depend on a third-party who could possibly grant access to secure communications. These systems aren't going to disappear. Why would terrorists or other criminals use a system that could be monitored by authorities when secure alternatives exist? Why would ordinary people?

That's a really easy answer -- terrorists use these simple platforms for the same reason normal people do: because they're easy to use. Obviously a lot of our techniques and capabilities have been laid bare, but people use things like WhatsApp, iMessage, and Telegram because they're easy. It's the same reason that ordinary people -- and terrorists -- don't use Ello instead of Facebook, or ProtonMail instead of Gmail. And when people switch to more complicated, non-turnkey encryption solutions -- no matter how "simple" the more savvy may think them -- they make mistakes that can render their communications security measures vulnerable to defeat.

If the choice was between (easy & insecure) and (hard & secure), you'd have a point, but there's plenty of easy ways to have secure communication: for example, OTR-over-(any IM protocol) is about as simple as it gets (it's literally a one-click thing, and can be set to automatically go secure with no user interaction), doesn't depend on a provider for keys, and can work with any IM network. If someone can install an executable file, they can install and use OTR.

Sure, it doesn't conceal metadata, but most (all?) IM networks leak metadata as well. XMPP-over-Tor-hidden-service can help mask that, and isn't really complicated for the users ("Open Tor, click 'Connect' and wait for the green light, then open your IM client.").

Tox is another option: anonymous, distributed, and with no single point of failure. It's as easy to use as any other IM client.

Even if secure communications weren't as easy as non-secure methods, there's plenty of easy-to-follow guides on how to set up and use secure methods. It's hardly rocket science, and those methods aren't going away, so there's no reason to expect that bad guys that are motivated to keep their communications private will avoid them simply because they may be slightly more difficult.

I'm not saying that the vendors and cloud providers ALWAYS can provide assistance; but sometimes they can, given a particular target (device, email address, etc.), and they can do so in a way that comports with the rule of law in free society, doesn't require creating backdoors in encryption, and doesn't require "weakening" their products. And of course, it would be good if we were able to leverage certain things against legitimate foreign intelligence targets without the entire world knowing exactly what we are doing, so our enemies know exactly how to avoid it. Secrecy is required for the successful conduct of intelligence operations, even in free societies.

Sure, a company could do that (and several do), but there's certainly a lot of interest from users to have secure systems (devices, accounts, etc.) that cannot be remotely unlocked or decrypted by the company or authorities (see Apple). Considering how massively the US Government abused its position of power and authority through massive, warrantless surveillance of people, hacking and snooping corporate networks, doing shady things like parallel construction, and generally violating everyone's trust, it should come as no surprise that there's some pushback from users and industry.

Statistically, the risk posed by terrorists is so low as to not be a concern in my day-to-day life. I'm in far graver danger from occasionally eating hamburgers or riding a bike than I am from terrorists. Considering that "free societies" are hardly permanent things, and that a major event or political upset can dramatically change the nature of government, I'm more worried about granting even the most trustworthy government (which the US Government is not) powers that groups like the Stasi or KGB could only dream of in exchange for the dubious assurance that (a) it's necessary for them to stop bad guys and (b) they won't abuse that power.

Your mileage may vary, of course.
