Life In 19x19

Kirby wrote:A security expert would do enough research on the device to know the answers to the basic questions you asked about the device prior to getting paranoid.

That's what security experts did before concluding: It hardly matters whether one uses Windows, Android or iOS. Whichever OS one uses, one has to do the best effort to learn and understand security aspects and then configure the computer as securely as possible.

averell wrote:

The people who do this won't be targeting your bank account, but the more I learn about certificates, the less safe I feel: http://www.computerworlduk.com/news/sec ... sl-spying/.

That is hilarious. I especially like the part about it being the industry standard to betray their customers. But effectively it's not much different from CA's being compromised, which has happened before. There is only so much you can do from a technical side, when you cannot place your trust in these authorities either, and being at home or on some random starbucks wifi won't make a difference.

I'm not sure, but can't an OS that only runs Tor traffic help? https://tails.boum.org/

Depending on why you're concerned about security, this article could be either comforting or really scary: http://www.forbes.com/sites/andygreenbe ... gure-fees/.

But in any case, the user has to do something. It's not like my iPad is sitting here in the ground and the bad guys are just stealing my data. They have to trick the user into doing something (opening an email, opening a webpage...). Of course, emails are always risky. If you are over the top with security, just don't ever open an email and always type your URLs. Of course, make sure your router is completely secure, and all traffic is encrypted. And that your ISP is not tinkering with MITM schemes. And then you just forget to close the window and the spies just make photocopies of your papers. Meh.

RBerenguel wrote:don't ever open an email

It suffices to view emails as plain text and not open-execute any executable attachment.

RobertJasiek wrote:

RBerenguel wrote:don't ever open an email

It suffices to view emails as plain text and not open-execute any executable attachment.

Nothing guarantees your mail client does not have an exploit even when viewing only as text.

Ah, you have meant security protection against email reading by third persons? I see.

No. An HTML email can exploit your mail app. But nothing guarantees switching to text mode does prevent it. Just like opening a PDF can exploit Adobe Reader.

Exploit type I: the contents' source code is interpreted. This is possible for (java)script language in HTML but not for simple markup HTML or for plain text.

Exploit type II: the application is attacked. This is possible if it has some bug that is not fixed yet. The attacker can then read all (non-encrypted) emails and (subject to security measures outside the application) attack the PC.

Robert, I don't want to sound like a know-it-all, but there are more things in heaven and earth, Horatio, than are dreamt of in your philosophy. http://en.wikipedia.org/wiki/Buffer_overrun would be an example. Software is a complex thing.

You can also die both from driving while plastered or by having your airplane shot down by terrorists, but the smart money is on getting a designated driver when you need one and just going ahead and flying.

hyperpape wrote:You can also die both from driving while plastered or by having your airplane shot down by terrorists, but the smart money is on getting a designated driver when you need one and just going ahead and flying.

Indeed, this is more or less my point too.

I guess my point was that given that there's a concrete difference between what Robert does and what you do, it's not very effective to point out that there are in principle higher levels of security than what Robert wants.

Here are four policies:
1) Do whatever the heck you want with your computer, including downloading things from sketchy "free ringtones" sites and "sociel [sic] plugins" for your browser, while using Windows XP.
2) Run a good secure browser in a moderately secure operating system (Windows 7, Linux, Mac, iOS, etc) and don't download things that look sketchy (or use an app store).
3) Run some complex security setup (Robert's, obscure linux variants, etc)
4) Don't open untrusted text files, don't read text emails.

My point is this: I follow 2, but I can't argue against 3 without doing a comprehensive evaluation of someone's entire set of priorities for their life. Some people want or need that kind of security. Most don't, but I'm not going to argue that those people are crazy unless they start telling me that I have to get on their bandwagon. Pointing out that 4 is even more secure doesn't establish that 3 isn't worth it, just like pointing out 1 doesn't prove that people who follow 2 are being way too lax.

So in this case (and only this case, mind you!) I'm willing to live and let live.

I'm not trying to tell Robert that my view is better, but he seems overly concerned with security (with a highly complex system set up,) but after all, 3 is not that far from 2, because anyone willing to do it, can get into 2 and 3 without "much" trouble. 4 is a totally different beast. Like a security expert I read about recently (it was The NY Times..?) that has a different smartphone for going to China, a smartphone that gets completely wiped before going and after coming back. Never types a password (stores all in an encrypted USB drive), and so on.

hyperpape wrote:there are in principle higher levels of security than what Robert wants.

As I have argued elsewhere, what I really want is absolute operating system and software security: for stated requirements, proven by mathematical theorems for a well-defined finite space of admitted algorithms...!