The New iPad

All non-Go discussions should go here.
RobertJasiek
Judan
Posts: 6273
Joined: Tue Apr 27, 2010 8:54 pm
GD Posts: 0
Been thanked: 797 times

Re: The New iPad

Post by RobertJasiek »

Kirby wrote:A security expert would do enough research on the device to know the answers to the basic questions you asked about the device prior to getting paranoid.


That's what security experts did before concluding: It hardly matters whether one uses Windows, Android or iOS. Whichever OS one uses, one has to do the best effort to learn and understand security aspects and then configure the computer as securely as possible.
hyperpape
Tengen
Posts: 4382
Joined: Thu May 06, 2010 3:24 pm
Rank: AGA 3k
GD Posts: 65
OGS: Hyperpape 4k
Location: Caldas da Rainha, Portugal
Has thanked: 499 times
Been thanked: 727 times

Re: The New iPad

Post by hyperpape »

averell wrote:
The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.


That is hilarious. I especially like the part about it being the industry standard to betray their customers. But effectively it's not much different from CAs being compromised, which has happened before. There is only so much you can do from a technical side, when you cannot place your trust in these authorities either, and being at home or on some random Starbucks Wi-Fi won't make a difference.
I'm not sure, but can't an OS that only runs Tor traffic help? https://tails.boum.org/

Re: The New iPad

Post by hyperpape »

Depending on why you're concerned about security, this article could be either comforting or really scary: http://www.forbes.com/sites/andygreenbe ... gure-fees/.
RBerenguel
Gosei
Posts: 1585
Joined: Fri Nov 18, 2011 11:44 am
Rank: KGS 5k
GD Posts: 0
KGS: RBerenguel
Tygem: rberenguel
Wbaduk: JohnKeats
Kaya handle: RBerenguel
Online playing schedule: KGS on Saturday I use to be online, but I can be if needed from 20-23 GMT+1
Location: Barcelona, Spain (GMT+1)
Has thanked: 576 times
Been thanked: 298 times

Re: The New iPad

Post by RBerenguel »

But in any case, the user has to do something. It's not like my iPad is sitting here in the ground and the bad guys are just stealing my data. They have to trick the user into doing something (opening an email, opening a webpage...). Of course, emails are always risky. If you are over the top with security, just don't ever open an email and always type your URLs. Of course, make sure your router is completely secure, and all traffic is encrypted. And that your ISP is not tinkering with MITM schemes. And then you just forget to close the window and the spies just make photocopies of your papers. Meh.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by RobertJasiek »

RBerenguel wrote:don't ever open an email


It suffices to view emails as plain text and not open-execute any executable attachment.

Re: The New iPad

Post by RBerenguel »

RobertJasiek wrote:
RBerenguel wrote:don't ever open an email


It suffices to view emails as plain text and not open-execute any executable attachment.


Nothing guarantees your mail client does not have an exploit even when viewing only as text.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by RobertJasiek »

Ah, you have meant security protection against email reading by third persons? I see.

Re: The New iPad

Post by RBerenguel »

No. An HTML email can exploit your mail app. But nothing guarantees switching to text mode does prevent it. Just like opening a PDF can exploit Adobe Reader.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by RobertJasiek »

Exploit type I: the contents' source code is interpreted. This is possible for (java)script language in HTML but not for simple markup HTML or for plain text.

Exploit type II: the application is attacked. This is possible if it has some bug that is not fixed yet. The attacker can then read all (non-encrypted) emails and (subject to security measures outside the application) attack the PC.
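
An added example, not part of the original posts: a plain-text-only view of a message as discussed above, which never hands the HTML part to a renderer and flags attachments with executable-looking names. The sample message, addresses and extension list are constructed for illustration.

```python
from email import message_from_string, policy

# Constructed sample message (not from the thread): a plain/HTML alternative
# body plus one attachment with an executable-looking double extension.
RAW = """\
From: sender@example.test
To: reader@example.test
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain; charset="utf-8"

Hello, this is the plain-text part.
--inner
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p><script>/* active content */</script></body></html>
--inner--
--outer
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

AAAA
--outer--
"""

RISKY_EXT = (".exe", ".scr", ".js", ".bat", ".com")  # illustrative, not exhaustive

def plain_text_view(raw):
    """Return (text, skipped_html_parts, flagged_attachments); HTML is never rendered."""
    msg = message_from_string(raw, policy=policy.default)
    # Ask only for text/plain, so there is no fallback to the HTML alternative.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    skipped_html = sum(1 for p in msg.walk() if p.get_content_type() == "text/html")
    # Attachments are listed by name only; their payload is not decoded or opened.
    flagged = [p.get_filename() for p in msg.iter_attachments()
               if (p.get_filename() or "").lower().endswith(RISKY_EXT)]
    return text, skipped_html, flagged

if __name__ == "__main__":
    print(plain_text_view(RAW))
```

This covers only the first exploit type in the post above: the MIME parser itself still runs on untrusted input, so a bug in it falls under the second type.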

Re: The New iPad

Post by RBerenguel »

Robert, I don't want to sound like a know-it-all, but there are more things in heaven and earth, Horatio, than are dreamt of in your philosophy. http://en.wikipedia.org/wiki/Buffer_overrun would be an example. Software is a complex thing.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by hyperpape »

You can also die both from driving while plastered or by having your airplane shot down by terrorists, but the smart money is on getting a designated driver when you need one and just going ahead and flying.

Re: The New iPad

Post by RBerenguel »

hyperpape wrote:You can also die both from driving while plastered or by having your airplane shot down by terrorists, but the smart money is on getting a designated driver when you need one and just going ahead and flying.


:bow: Indeed, this is more or less my point too.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by hyperpape »

I guess my point was that given that there's a concrete difference between what Robert does and what you do, it's not very effective to point out that there are in principle higher levels of security than what Robert wants.

Here are four policies:
1) Do whatever the heck you want with your computer, including downloading things from sketchy "free ringtones" sites and "sociel [sic] plugins" for your browser, while using Windows XP.
2) Run a good secure browser in a moderately secure operating system (Windows 7, Linux, Mac, iOS, etc) and don't download things that look sketchy (or use an app store).
3) Run some complex security setup (Robert's, obscure linux variants, etc)
4) Don't open untrusted text files, don't read text emails.

My point is this: I follow 2, but I can't argue against 3 without doing a comprehensive evaluation of someone's entire set of priorities for their life. Some people want or need that kind of security. Most don't, but I'm not going to argue that those people are crazy unless they start telling me that I have to get on their bandwagon. Pointing out that 4 is even more secure doesn't establish that 3 isn't worth it, just like pointing out 1 doesn't prove that people who follow 2 are being way too lax.

So in this case (and only this case, mind you!) I'm willing to live and let live.

Re: The New iPad

Post by RBerenguel »

I'm not trying to tell Robert that my view is better, but he seems overly concerned with security (with a highly complex system set up), but after all, 3 is not that far from 2, because anyone willing to do it can get into 2 and 3 without "much" trouble. 4 is a totally different beast. Like a security expert I read about recently (it was The NY Times..?) who has a different smartphone for going to China, a smartphone that gets completely wiped before going and after coming back. Never types a password (stores all in an encrypted USB drive), and so on.
Geek of all trades, master of none: the motto for my blog mostlymaths.net

Re: The New iPad

Post by RobertJasiek »

hyperpape wrote:there are in principle higher levels of security than what Robert wants.


As I have argued elsewhere, what I really want is absolute operating system and software security: for stated requirements, proven by mathematical theorems for a well-defined finite space of admitted algorithms...!