* Posts by doublelayer

10485 publicly visible posts • joined 22 Feb 2018

Pushed around and kicked around, always a lonely boy: Run Huawei, Google Play, turns away, from Huawei... turns away

doublelayer Silver badge

Re: apps such as Whatsapp and skype

You're troubled about the privacy implications of social media and your primary suggestion is QQ? The one that transmits a bunch of cleartext messages straight into the servers run by the Chinese government? They of social credit score fame? Viber doesn't have those implications but isn't exactly known for their privacy, either. Try things like Signal or Telegram.

doublelayer Silver badge

Please no on the GSMA-run app store. The last thing we need is extra control over our phones by the mobile providers. They've already made it so it's hard to get a device without being locked into a provider. I don't want them deciding or even knowing what applications I can run.

doublelayer Silver badge

I appreciate the enthusiasm. I really hope it is proven correct. Unfortunately, I don't think we will see a viable third alternative. Huawei will probably have something. Whether that is AOSP-based or something less compatible, I doubt it will be released as open source for everyone else, and I doubt that it will really provide useful things over standard AOSP, let alone something less supported but more powerful like LineageOS. Meanwhile, while other companies may indeed worry about Android access being cut off, they will probably worry even more about a third OS eating into their market share, because they would have to expend resources on building and maintaining it, let alone advertising it. If it dies like every other attempt at a mobile OS (Windows Phone, Ubuntu Touch, Firefox OS, ...) they will be out that development cost, the hardware-that-didn't-sell cost, the loss-of-Android-market-share cost that Apple can try to pick up, and the made-Google-angry cost. Companies have a lot of financial people who do not like that type of mathematics.

doublelayer Silver badge

Google services are blocked in China, including the play store. No Chinese phone accesses this store directly, though there exist side channels to access some of it. For this reason, lack of Google play availability will not dramatically impact the ability to sell the devices inside China. Outside China is a very different story. It is also worth considering that even those phones in China need chips from the various companies who have agreed not to sell them to the company, which may cause problems for them in the short term until they find alternate suppliers for the functionality or arrange for a third party to purchase the chips and send them on.

Want a good Android smartphone without the $1,000+ price tag? Then buy Google's Pixel 3a

doublelayer Silver badge

Re: Google to host videos ...

The problem with rooting the device and installing a custom OS is that very few phones are supported. I'm happy to do so, and I have one phone here already running LineageOS, but the list of devices for that, while the longest I've seen for such a build, is quite short. The phone I was talking about, an older LG one sitting in a drawer, has no known rooting path described online, and certainly no build already for it. I may have enough knowledge to build the LineageOS build for the device, but that would be a lot of work that wouldn't help much because I do not have access to install it. I don't know enough about low-level manufacturer-specific things to find my own rooting path without spending a lot of time learning about it, and since this phone is an old one I haven't thrown away, it's not really worth the trouble to me. The result being that I can't actually do anything with this device to disable Google's data collection.

doublelayer Silver badge

Re: As an iPhone user

I beg to differ. Let's consider the processor in an older iPhone and the one in the Pixel 3a:

iPhone 7: four cores (two 2.3 GHz high-performance plus two more lower-power ones)

Pixel 3a: eight cores, two 2.0 GHz cores and six 1.7 GHz cores

The iPhone's cores have a pretty good single-threaded performance, better than many Snapdragon cores, but not dramatically so depending on what the cores are called on to do. Now, let's look at some phones that cost less than 200 currency units, as defined by GSMArena. I'm not sure exactly what currency unit they're using, but it's either euros, pounds, or U.S. dollars, as they use all three on various pages. Also take note that GSMArena uses old prices, usually a price that was seen shortly after launch, so this includes only devices whose release price was under 200 units. Many other candidates are available whose price has been reduced to that level, but don't show up in the quick search I did.

Xiaomi Redmi Note 7 specs: eight cores: two at 2.2 GHz and six at 1.8 GHz, 4/6 GB memory, clearly outstripping the Pixel

Realme X specs: eight cores: two at 2.2 GHz and six at 1.7 GHz, 8 GB memory, clearly outstripping the Pixel

Samsung Galaxy A20 specs: eight cores: two at 1.6 GHz and six at 1.35 GHz, 3 GB memory: not as good as the Pixel, but not all that much worse

Nokia 4.2 specs: eight cores: two at 2.0 GHz and six at 1.45 GHz, 3 GB memory: a little worse than the Pixel

Oppo A3S specs: eight cores: eight at 1.8 GHz: probably about on par with the Pixel

These aren't all of the models, as I only considered one for each manufacturer. As you can see, several outstrip the Pixel, and if I had included multiple candidates from each manufacturer, it would be even more of them. Even those that do not exceed the Pixel in power have respectable processor performance, having eight cores and not having weirdly underpowered cores either. If you're doing something very processor-intensive on a phone, these might not be enough, but this is not the budget Android device of old. It is perfectly capable of the standard smartphone use case.

doublelayer Silver badge

I don't think anyone thinks Apple's prices are in any way justifiable, but that doesn't suddenly make this phone well-priced. Yes, it's better than Apple, Samsung, and Huawei in the flagship realm. But you can get a phone for much less that has similar specifications. This article has described it as similar to a flagship, but it's really not. It has a slower processor, less memory, and less internal storage than all other flagships and many other low- or mid-cost phones. That doesn't make it insufficient; I've long contended that it is hard to tell whether an Android phone has 4, 6, or 8 GB of memory, but it is important to avoid categorizing it as one of the most advanced, because that misleads potential customers into thinking that the price tag is a bargain, when it is in fact a bit overpriced.

doublelayer Silver badge

Re: As an iPhone user

I would not get a Pixel, instead going with a cheaper Android device. There are a few good reasons to do that:

1. A lot of them have comparable specs and can't really be told apart.

2. Many of these, especially Xiaomi devices, are supported by LineageOS, so you can use that if you prefer it or want to extend the life of the device.

3. Looking in the low-cost field gives you more options, so you can find a phone that has features you are more likely to want (for example, you can have a headphone jack, SD card slot, waterproofing, or a removable battery in various models, though all at once is harder to find).

4. If it turns out you really hate Android, which happens from time to time, you have spent less money on your device and don't feel as bad when you sell it again.

I have to say that point 1 is the most important. While this article is extremely laudatory of the Pixel, calling it low-cost, it really isn't when you compare it with the numerous good phones in the 100-200 price range. It's low-cost only when it is compared with flagships, which are all so high-cost as to be utterly ridiculous. The only thing I've consistently heard about being better in the Pixel is the camera, but you will certainly get a serviceable camera in a cheaper phone, so it depends on your requirement for mobile photography.

doublelayer Silver badge

Re: Google to host videos ...

Oh, can it? I've never heard that before. Nobody's ever told me that. I have this phone over here that I can do that on. Just give me a few minutes... You want to explain why this phone, on which I don't have any Google account configured, is still making DNS requests to Google domains and shows Play Services as using a bunch of CPU and network on some occasions? It's also informed me that it's performing a Play Protect scan of my phone. I have no malware, at least so sayeth Google when they checked my list of installed software against Google's servers. Which is some data. If this is happening, I'm guessing other data is coming out, too. Yes, I can go into settings and disable Play Protect. I can't disable Google Play Services, though.

CIA traitor spy thrown in the clink for selling secrets to China. Stack Overflow, TeamViewer admit: We were hacked...

doublelayer Silver badge

Re: Need for accounts ?

One major reason is to provide an extra obstacle to the mass creation of accounts. Since each account needs a unique email address, a spammer would need to create separate addresses for each account created. Yes, they could set up a mailserver and have a nearly infinite supply of those, but a monitor could notice this and ban all addresses under the domain they're using. So that means they have to use publicly available accounts, most of which have some method of preventing a very large number of accounts from being set up in short order or by one user. This also lets them report things should a user do something like break the law, and provides them a method of communicating with the user if the user needs to, for example resetting the password, informing of data breaches, etc. Most of this would not work anymore given a key-based authentication system, so people don't do it so often.

RIP Hyper-Threading? ChromeOS axes key Intel CPU feature over data-leak flaws – Microsoft, Apple suggest snub

doublelayer Silver badge

Re: HypermarkeTing

It depends very heavily on what the chips are doing. For operating systems under heavy use, the extra threads can produce real benefits because a lot of threads are cycling through those times they need to compute and those times where they don't. Whenever you really need performance on a multithreaded process that doesn't use much disk, network, etc., you would be best advised not to use it because four threads running under max capacity are usually better (exceptions apply) than eight threads that keep handing control over to others. This again varies, including how much memory each thread uses and how it makes use of a cache.

doublelayer Silver badge

Re: Why not give users the choice?

You can do exactly that. Not many people have decided to prevent you from using hyperthreading. Google has, but their OS is so lightweight (just a big browser) that it is unlikely to have a need for it, and BSD has always been a configure-all-you-like OS. Other things leave it on. However, we can't give you an accurate number of ongoing exploits because first, this is new and people haven't really had a chance to try to use it yet, and second, nobody tells us when they're starting to exploit this and it doesn't have a simple definable signature we can search for. You'll have to make your decision on whether to hyperthread or not to hyperthread based on the technical descriptions alone.

Legal bombs fall on TurboTax maker Intuit for 'hiding' free service from search engines

doublelayer Silver badge

Re: Not being an American

Unfortunately, situations can be a lot more complex than they need to be. A "complex investment portfolio" can at times be created merely by having retirement accounts, even if there are no investments after that point. This differs greatly upon which country's tax regime is being considered, but you don't need to be super-rich, have created some complex set of accounts, or done something all that out-of-the-ordinary for the tax forms to become a lot less straightforward.

It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware

doublelayer Silver badge

Re: What about Signal

If that's the paramount problem for you, you can take that source and compile it yourself. But that's not really that concerning, because the risk of someone maliciously compiling a different binary and somehow getting it to you is less than someone finding a bug in existing code. The latter is much easier and more likely to occur. The former requires that Signal themselves do that, or maybe that Google does so (you have things like F-Droid, though), and that could be detected without much difficulty. So my point, that it is easier to audit the code if you can read it, still stands and your objections as stated are largely irrelevant.

doublelayer Silver badge

Re: What about Signal

Signal is not vulnerable to this, but could conceivably have a similar bug. It is open source, so that bug is more likely to be detected if introduced. WhatsApp was not forked from Signal (in fact it existed years earlier), nor was Signal in any way forked. They're just two apps that look kind of similar. All the infrastructure, people involved, and app code is entirely different.

doublelayer Silver badge

Re: Removing the infection

You are correct in both cases. I'm not sure if Android allows it, but you can't modify binaries in place on iOS, so killing the app will close any connections. Updating will help too. Not using WhatsApp is similarly effective.

doublelayer Silver badge

Re: How do I know?

You can't really detect that. However, if you kill the app, which will happen automatically if you install the update, it will kill any compromised sessions and prevent new ones from starting. You would not know whether you have been attacked or, if you were, what if any data was extracted. There is no log of this from the application itself, as any logs could be written by the malware.

doublelayer Silver badge

Re: OS level security?

It doesn't seem that it is escaping the sandbox at all. Unfortunately, from within WhatsApp's sandbox, the malware can access contacts, call history, microphone, and camera* because of video calls. That's enough to compromise the user of the device quite a bit, even if it doesn't let you read email, browser history, or other types of data on the phone.

*If the video call or voice call function has never been used on an iOS device, this exploit shouldn't allow those to be taken because the permission has not been granted. This distinction does not apply to Android, and if a voice or video call was ever used, it wouldn't apply to iOS either.

doublelayer Silver badge

Re: The question is

I don't think they were saying that this hack was created by NSO/anyone external, but that the expertise needed to find and exploit it in the wild, as has been happening, is likely that of NSO/someone external. I thought the exact same thing when I read that line, but the paragraph after that makes it look like the above suggestion. Given that this program is not open source and has an encryption layer on all its network traffic, I would say that it is at least somewhat hard to find and probably signifies some level of sophistication on the part of the attacker abusing it.

San Francisco votes no to facial-recognition tech for cops, govt – while its denizens create it

doublelayer Silver badge

It can be done

This is perhaps the first example of such an ordinance, and I hope it leads to many more. Those who profess to support such legislation but don't do anything about it because they think it's not going to pass may now see that it can be done and get going on spreading such restrictions. Here's hoping they do so across all cities, countries, and continents.

Apple won't be appy: US Supremes give green light to massive lawsuit over App Store prices

doublelayer Silver badge

Re: January 2018

How does that have any relevance to this question? It is possible for a completely honest company to have a bunch of money. It is possible for the worst monopolist on earth to be losing money anyway. Are you trying to say that Apple must be a monopolist because they have a lot of money? It seems a lot more logical to argue that Apple are a monopolist because they engage in monopolistic practices.

doublelayer Silver badge

Re: Possible contributing factor to the 6% drop?

I think there is a lot to argue about that, and I think the margin should be lower or zero, but it is worth keeping in mind that you can have a payment system in an app that bypasses Apple's in-app purchasing system (e.g. please sign into your account, from which you will pay your bill with your credit card information). It is more difficult than letting a user press a button and authenticate with Apple, but it can be done and is in many applications. This option is very much not available when purchasing apps, although you can go the route of having a free application that makes you sign into an account and pay from there, which developers don't choose to do very often.

doublelayer Silver badge

Re: Optional

But the case is not at all about operating systems. They're not saying that there should be some alternative to iOS that runs on iPhones. At most, they're saying that iOS should allow sideloading, and they may simply be saying that there should be more control of app pricing and a lower commission. If a case did happen with the decision saying that Apple needs to provide an alternative OS loading facility, it would be problematic for every manufacturer of Android devices that has ever produced a bootloader that isn't unlocked. Even those that were hacked to provide the functionality didn't actually intend to provide consumer choice. So that probably wouldn't succeed, but is definitely not what's at issue in this case.

What's that? Uber isn't actually worth $82bn? Reverse-gear IPO shows the gig (economy) is up

doublelayer Silver badge

Re: PT Barnum

I'm not sure about that. From a user perspective, there are probably many advantages to the app method of getting a car. You don't have to try to catch one in transit. You don't have to call in and prearrange something. If taxi places started using apps, you'd still have to a) know which taxi locations are available and b) have installed their app when you are going to the place. And this does at least produce a larger supply of available transports. So there do seem to be real benefits to the users of these applications.

Of course, there are many major downsides as well, both to the increased number of people driving about and the companies administrating the application. I'm not saying they're perfect, or even good. I can't say I use their services very frequently, either. But I don't think it's child's play for a taxi company to duplicate their benefits.

Who pwns the watchmen? Maybe Russians selling the source code for three US antivirus vendors

doublelayer Silver badge

Re: Isn't this good news?

This is when security through obscurity actually has a chance, because security for an antivirus is very different than security for an operating system. The difference is this:

OS security: Malware can't get in, malware can't escalate, etc.

AV security: malware can't evade

In other words, malware wants to break into and exploit things in the operating system, but just wants to hide from antivirus. So the operating system components need to be audited by a lot of people to understand how they work and try to identify any holes before the malware people find them, but the antivirus system needs to prevent the malware writers from doing the same kind of thing to its code.

Amazon agrees to stop selling toxic jewelry, school supplies to kids, coughs up some couch change ($700,000)

doublelayer Silver badge

Re: If I were a betting man...

I remember a time where Amazon was nicer. Not perfect, of course, but you could usually find what you were looking for, which would be sold there. You could get a relatively exhaustive list of all the options for that thing and compare them. Then you could read the reviews and clearly figure out which were fakes, then purchase the thing, which would be sent to you easily enough. It was a very useful experience then. I think this was around the time I used to think of Google as an ally because they opposed crazy break-the-internet suggestions and released a bunch of code as open source. All of this has dramatically worsened. Google's worsening is clearly intentional, but I don't even know why Amazon let that happen to them. They have a lot of resources from selling all of this; one would think they would eventually realize that there are a few things, like having the search results at least match a little bit the search query, that couldn't help but enhance their business.

Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

doublelayer Silver badge

Re: A list of approved contacts?

Or we could go old school and have one of those paper clip reset buttons. It's not like reset is a function that really needs to be activated all that often.

Techie with outdated documentation gets his step count in searching for non-existent cabinet

doublelayer Silver badge

Re: Sick companies self identify

Those are bad, but another style gives them a run for their most disorganized title, which is companies in which one person or group is responsible for each specific technical area, and no person or group is responsible for more than two of them. If a real technical problem exists, so much time is wasted by the group who got asked about it with the group that should be doing it and the group who knows necessary information to do it that nothing happens. Meanwhile, when one group tries to do something that may be somewhat connected to the things they should do, they run into situations known by a different team but not properly documented, or otherwise properly documented on one of these sheets of paper in the big filing cabinet, and break something. At least somewhat ironically, this structure is usually created under the idea that the systems people should be more organized into specific groups.

Google puts Chrome on a cookie diet (which just so happens to starve its rivals, cough, cough...)

doublelayer Silver badge

Re: Chromium next

They don't have to do that. They control the core, so they can keep adding things to it that are difficult to rip out of the code, and enforce their control that way. That means that some other browsers will, by using chromium, be forced to choose to stay with an old and insecure version, fork and reimplement all of that, or run Google code without protection.

doublelayer Silver badge

Re: doubleclick lives in my

That is true, but I have never seen a system elect to use 127.0.1.2 for an additional service, whatever that might be in this case, and almost every system only bothers to resolve 127.0.0.1 to the local machine unless specifically instructed otherwise. If the addresses were used for multiple internal interfaces, one would need 257 to reach 127.0.1.2. So I'm still not sure why that was suggested and I think I'll stick to 0.0.0.0 until I hear more.

doublelayer Silver badge

Re: doubleclick lives in my

Because 0.0.0.0 means unroutable, and the system won't try to do anything with it unless it has a bug. If I use 127.0.0.1, it will start trying to make connections to services on my machine. If I have a webserver running, that will add junk to my logs and return random 404s from that. Even if I don't have that, there will be some overhead as the browser/application initiates TCP connections that aren't going to work. Why bother? As for 127.0.1.2, I'm not sure why that was suggested. Yes, it's not localhost so it avoids the TCP overhead and local service problems, but it doesn't have any intrinsic benefits (as far as I know) over any other 127.* address, and is less likely to be checked than a proper unroutable 0.0.0.0.

Put a stop to these damn robocalls! Dozens of US state attorneys general fire rocket up FCC's ass

doublelayer Silver badge

Re: My 3 steps to avoiding robocalls.

No, what they should do is continue to allow a phone number to be sent as an identifier and a callback, but have that be a secondary one. Kind of like how an email can be sent from one account but have a reply to address for a different mailbox. Blocking would be done on the real number, which would always be sent. Caller ID would start with the real number, and if it wasn't found, continue on the stated number. That way:

If a company owns a block of numbers and sends the main one no matter who calls, the company name appears on caller ID, and the company can be blocked.

If I'm using a spoofing service to make a VoIP call from my number, it will show up as me, but clearly indicate that it's not my normal phone.

If someone else is making a call and spoofing my number, it will show up as me, but the number could still be blocked without blocking my real number, and it could also be tracked.

It is dangerous to allow impersonation of numbers without any detection.
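The two-identifier caller ID scheme proposed in the post above, modelled as an added example (not the poster's code, and not any carrier's implementation). Every number, name and call record is constructed for illustration; prefix-based blocking of a company's whole number block is an assumption of this model, not something the post specifies.

```python
"""Model of caller ID with a network-set 'real' number plus a caller-asserted
'stated' number (like an email Reply-To).  Blocking acts on the real number
only; the displayed name is looked up on the real number first and falls back
to the stated number, exactly as the post describes.  Added example; all
numbers, names and contacts below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Call:
    real: str                      # originating number, set by the network; always present
    stated: Optional[str] = None   # number asserted by the caller; may be absent


@dataclass(frozen=True)
class Display:
    name: str             # name shown on the handset
    number: str           # number shown on the handset
    stated_differs: bool  # True when the asserted number is not the originating one
    blocked: bool         # decided on the real number only, never on the stated one


def is_blocked(real: str, block_list: set[str]) -> bool:
    # A block entry is either a full number or a prefix, so one entry such as
    # "+1555010" covers a whole company-owned block (prefix matching is an
    # assumption of this model, not stated in the post).
    return any(real.startswith(entry) for entry in block_list)


def resolve(call: Call, contacts: dict[str, str], block_list: set[str]) -> Display:
    """Decide what the recipient's handset shows for one incoming call."""
    differs = call.stated is not None and call.stated != call.real
    # Real number first; the stated number is consulted only if the real one
    # is unknown to the recipient.
    if call.real in contacts:
        name, number = contacts[call.real], call.real
    elif call.stated is not None and call.stated in contacts:
        name, number = contacts[call.stated], call.stated
    else:
        name, number = "Unknown", call.stated or call.real
    return Display(name, number, differs, is_blocked(call.real, block_list))


# Constructed recipient contacts and block list for the three scenarios in the post.
CONTACTS = {"+15550100": "ACME Corp (main line)", "+15550199": "Me"}
MY_NUMBER = "+15550199"

if __name__ == "__main__":
    block: set[str] = set()
    # 1. A company line sends its main number as the stated number.
    print(resolve(Call(real="+15550105", stated="+15550100"), CONTACTS, block))
    # 2. I place a VoIP call through a spoofing service, stating my own number.
    print(resolve(Call(real="+15550177", stated=MY_NUMBER), CONTACTS, block))
    # 3. Someone else spoofs my number; blocking their real number leaves mine alone.
    block.add("+15550888")
    print(resolve(Call(real="+15550888", stated=MY_NUMBER), CONTACTS, block))
    print(resolve(Call(real=MY_NUMBER), CONTACTS, block))
```
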

doublelayer Silver badge

Re: Of course the FCC is doing nothing

I wonder if there are some numbers that robocallers avoid for some reason. Despite the fact that they've increased nearly everywhere and that a lot of my acquaintances complain that they receive them daily, I really don't. I've only received three types of unwanted calls on my phone, and two have ceased entirely. The first was people looking for the former owner of my phone number, but they all took "That guy doesn't have this number anymore" and left. The second was one specific robocaller with the same message and running a very primitive Eliza bot. One time when this called me, I had a discussion with a friend on how terrible the bot programming was, and forgot to hang up on it. I don't know if anyone listened to that, but they formerly called me about twice a week and they stopped after that occasion. So I probably get one robocall a month, usually the type telling me that I've won a prize. Somehow, the robocallers either decided not to call or don't know my number. I wonder if people making decisions are in that situation too. Having previously had a landline that received many more callers, that situation can be quite persuasive in the do-anything-to-shut-them-up category.

Google jumps the shark from search results to your camera: Nest Hub, Pixels, and more from ad giant's coder confab

doublelayer Silver badge

Re: I bought my Nest thermostat before Google bought them

I have used Windows devices for years and never had malware on them. Because I installed a very small subset of applications and I trusted them all. I have the same track record with Android, macOS, iOS, and Linux. That doesn't make all of these the same level of security. The question is not "Have I had malware that I know of?" but "Is it easy for malware to get onto the devices, whether owned by me or someone else?". On that, Windows and Android have a worse track record. Maybe because of market share. Maybe because of bad design choices. Maybe because of specific malware authors. But the data is there.

Airbnb host thrown in the clink after guest finds hidden camera inside Wi-Fi router

doublelayer Silver badge

Re: Isn't this "news" really an advert for the "security researcher" ?

Really? There are many security researchers, and they have to stay somewhere, especially if they're attending security conferences or going on holidays. If they do that enough, eventually one of them finds a camera. They're also more likely to look for one and have the skills to identify places where one could be. Why is it so unlikely in your mind?

doublelayer Silver badge

Re: Detecting hidden cameras?

One thing to do, and what I think was done in the Ireland case, is to run an Nmap scan on the WiFi network and look at the list of devices. Those that are not obviously there could be dodgy. This is well and good, but it doesn't work against many things and is therefore limited. If the device is recording locally, it cannot be found by any network investigation. If the host is intelligent enough, a network-connected camera would be firewalled from any ability to scan for it, too. But at least the tool is there to catch a subset of available ways to install a camera. My guess is that the first time one finds a camera, one stops using that service for housing.

A real head-scratcher: Tech support called in because emails 'aren't showing timestamps'

doublelayer Silver badge

Re: Top-posting makes sense unless you're reading your emails weirdly

I think you've described it well. Top posting is great when you've read the older emails, because you see the only thing you need to read, and have the old material below if you need to refer to something. Bottom posting is great when you need to read all of the material, because the order makes sense.

I would still prefer that, instead of forwarding me a chain or at least in addition, the sender succinctly describes why I'm getting it and the information that is the most relevant. Often, when I'm forwarded a message chain of more than three messages, at least two of them will be developing a misunderstanding and then clarifying the real situation, which doesn't help me at all.

doublelayer Silver badge

Re: top-posting

I very much agree with you, but there can be problems with some types of contextual quoters as well. My favorite (in the sense of least favorite) are those who drop their comments into the original email train but don't bother to delete the unnecessary portions. In many cases, it would be more helpful for them to quote the relevant portion of the message in their reply, rather than making me search through someone else's email to find the things they wrote. The competition for the most annoying way to do this is currently tied between messages where I've already seen the older ones so I cannot possibly get any benefit from the old text in which their reply is placed, and ones that were not formerly connected to me and contain information I don't need to read, like this example:

---Original message---

From: Not the person whose name is on the message I'm reading

To: The person who forwarded this

CC: A bunch of people I don't care about

Subject: Normal subject

Dear [not me],

[Bunches of meaningless pleasantries that do not matter to me because they're not relevant to the situation.]

[Information about a situation that is not the one I'm supposed to deal with.]

> And, on another topic, the related [my project] project, [summary of my project which I already know], may be able to provide some useful functionality to our project if we can integrate things. Could you link them to us and see if they're interested in teaming up?

[Here's where the sender has placed information I need, like the summary of their project and ways for me to learn about it so I can actually decide this question]

[More information about something not related to me]

[...]

I would much prefer that they just tell me this in one unified message. They could get it across by saying "I'm on a project and we think your project has some useful components that could help us out. [Summary and link to their project]". If they really want, they can forward the original message along with this, but I will read those only if they've asked me to or it is clear that there is information in them I need, not in the hopes of finding more things they wanted to say to me.

A day in the life of London seen through spam and weak Wi-Fi

doublelayer Silver badge

How much of that do they have to do before you don't blame them? For example:

1. Them: I'd like to use WiFi. You: No. Their problem.

2. Them: You can run the software on your local machines, which would be a good test case. You: I'm not running unproven software on my machines. That's as bad as connecting your machine to our network. Still their problem?

3. Them: No problem, I have a cellular data connection. You: The building is a massive cell dead site. Have they got reasonable options left?

Yes, they should confirm this with you before they come, but they know you have a network, and they're there to demo something that needs it. They have some reason to expect that you will be able to see their demo. If they came without a machine and asked to borrow one of yours, that'd be very unreasonable. If they wanted you to give them access to an important network, that would also be unreasonable. If they just want an internet connection because the thing they're demoing needs one, it's kind of expected that you have the capacity to connect them and makes it pretty pointless to come do the demo if you won't agree to let them use a connection.

doublelayer Silver badge

Re: You've never tried a good Chinese hotpot then...

Well, I feel the need to tell you that the spleen can be removed safely if damaged without serious consequences, unlike many other organs. It's not like the appendix where it's removed whenever they've already opened the abdomen, but its purpose is not critical to life and can be served by other parts of the body if need be. So I'd suggest continuing to work at top capacity and never burst.

doublelayer Silver badge

I'm mostly on your side in that they should be better prepared, but offering a guest connection is common sense. Your external people might want to show you something that is online, or the online test of a system that runs over the network but not on their laptop. Would you similarly complain if they asked to plug their laptop in because the battery is dying? Yes, they should have charged it fully before they came but sometimes they forget, they're there long enough for the battery to run down, or their battery is old. It doesn't seem all that unreasonable for them to expect that you have the same general facilities as every other business and ask to use them when it would be useful.

doublelayer Silver badge

Re: Mobile data

That depends heavily on how good your mobile provider is and what details they have set for your bill. Unfortunately, while I can usually get access to signal in most places, my provider charges rather a lot for plans giving access to a lot of data, and another larger a lot for any data I consume over my low cap. I think this applies to providers in many places, unfortunately. The other issue is that, depending on where you are, you may enter an area where coverage is not good enough for standard internet tasks. It may be fine for SMS and voice calls, and it might even let you see your email, but have fun trying to look something up online.

Personality quiz for all you IT bods: Are you a chameleon or an outlaw? A diplomat or a high flier? Vote right here

doublelayer Silver badge

Re: Generations

I also think it depends a lot on the definition of "a new challenge". This sort of applies to me. Once I've reached a certain level of income, having even more, while useful, is not that important to me. If I am offered more for a job I will find deadly boring, I'll likely turn it down. However, that's not because I really want a bunch of new challenges thrown at me. I want to keep doing interesting things, with new challenges as applicable. I don't want this description to mark me as the person to whom all challenges should be brought just because I'll pay for lack of boredom. Maybe if they wrote these descriptions with actual words that have meanings, it might be more helpful*.

*Actually, it would still be junk. Carry on, then.

It's May 2. Know what that means? Yep, it's the PR orgy that is World Password Day... again

doublelayer Silver badge

Re: Use biometric authentication on mobile phone apps ?

There's a lot of discussion of when biometrics can be used, with the "use biometrics everywhere" crowd and the "biometrics is only ever a username" crowd. The truth lies somewhere in the middle. You have to decide where the threat landscape is. If you're afraid that someone will be physically present, such as when police/a criminal have you and your mobile phone, biometrics are risky. If you will be targeted by an advanced group, then biometrics are too easy to forge and should not be used except as an additional security measure. When it's authentication over a network that you're worried about, biometrics offers the ability to ensure that people are present at a scanner you know before they can get in. If you are not worried that someone will break in but you don't want to have the thing open to access from anyone (E.G., a phone that doesn't contain anything sensitive), then biometrics can be a time-saving measure. It all depends on who might break in and how they'd do it.

doublelayer Silver badge

Re: WTF does it matter?

"6. Don't use GMail or Hotmail addresses. They look unprofessional, and Google and Microsoft are allegedly notorious for blocking the wrong domains and snooping on your content. You have an ISP. They often supply more than one email address, so use everything they can let you have for free."

No. A hundred times no. GMail and hotmail aren't great, but they have relatively good intrinsic security, stay up most of the time, and you can avoid at least some of their tracking. An ISP email is run on a system with completely untested security except sometimes when the security has been tested and it failed the test. Also, if you move or decide you don't like that ISP, your mailbox can be deleted or placed in a limbo state. Using an ISP-provided email is a security and usability disaster. Don't do that. If you really want security, set up your own email system, usually by getting a domain. If you don't want to run your own mailserver (and you would have many good reasons not to want to), you can use one of a number of domain registrars who will supply email accounts, usually at least one is included with your domain purchase. You can keep that account no matter where you are as long as your domain is still owned by you. If you must have a free account, use a service kept up by a company that does not have the ability to kill that account for other activity you do. Protonmail is a good one for this, but GMail is not that bad when compared to other options.

doublelayer Silver badge

Re: Honeytrap?

If you want to try this, make sure it can't send any email but instead just logs the message and copies it to the sent mailbox. As for things to populate, you could always create some dummy addresses that send messages from public sources. I don't know if people would run attachments, but you could always try.

doublelayer Silver badge

A few problems

I'm as irritated by bad passwords as the next security person, but let's revisit a few parts of this article:

"An employee is likely using the same password for your internal systems as they are for Instagram."

How am I supposed to know that? Yes, they'd be prevented from using "password", but when they've decided in their life that "F9zna/zv00w" passes all the tests for passwords and they'll just use that for everything, the only way I'd know is if I tried to log in with that and any usernames or addresses I can guess. That's not all that nice. Of course, they can be told not to reuse passwords, but that won't necessarily stop them.

"According to OneLogin, 63 per cent of network administrators don’t require special characters or minimum length passwords. Numbers? 71 per cent don't require it. Upper and lowercase? 72 per cent."

That's a good po... Interesting fig... Well, you just quo...

Sorry, I can't pretend. I have no idea what these numbers mean. You tell me that 63% of admins don't require certain rules, which already sounds kind of weird, but then your next sentence says that 71% don't require it. Is "it" the same thing as covered in the last sentence? Why are the percentages eight percentage points different? Is this from a different source? Who? And the 72% don't require multiple cases? Meaning that either 29% or 37% require special characters but only 28% require multiple cases? And earlier, you told me that 75% of admins "don’t check employee passwords against password complexity algorithms." This implies that they don't check at all, but, in that case, a maximum of 25%, not 28%, 29%, or 37%, could require special characters or multiple cases. So I must be making some really stupid mistake, right? Please tell me what it is.

"And an amazing 63 per cent have not put password rotation policies in place. What are you doing people?"

Holding back my astonishment that, by these and previous numbers, at least 12% of admins rotate passwords but don't check them against any complexity algorithms at all, we don't rotate passwords all that frequently because it means users will respond by decreasing the security of their passwords so frequent rememorization is easier. Yes, we have complexity rules here. But once you've met those limits, you can have a more secure or less secure password. If we make them choose a new one every month, the number of users using a very strong password approaches zero. This isn't new. This has been the recommendation of many security advisors for the past few years. It has been reported here. That's what we're doing.

For the record, my complexity recommendation is designed to maximize entropy. If you go for a short password (minimum length 10 characters or 12 if I'm nervous, the system's important, or the users are willing to be reasonable), you have to use all four types of characters. If you make the password longer, the requirement for different characters is removed as the length increases. And passwords are checked against password lists.
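The length-tiered policy described in that comment, written out as an added example (this is not the commenter's code; the exact tiers below, the minimum length and the breached-password list are constructed assumptions for illustration). Short passwords must use all four character classes, the class requirement relaxes as the length grows, and every candidate is also checked against a list of known-bad passwords. A crude entropy estimate is included to show why the long, single-class password still passes:

```python
"""Length-tiered password policy with a breached-list check (added example).

Assumed tiers (constructed for this illustration, not the commenter's exact rule):
  10-11 characters: all four character classes required
  12-15 characters: at least three classes
  16-19 characters: at least two classes
  20+  characters: no class requirement
"""
import math
import string
from typing import List, Tuple

# Constructed stand-in for a real breached-password list; in production this
# would be loaded from a downloaded file or queried via a k-anonymity API.
BANNED_PASSWORDS = {"password", "password1", "qwerty123456", "letmein2019"}

MIN_LENGTH = 10  # the comment suggests 12 for important systems

# (minimum length for this tier, character classes required), longest tier first
CLASS_TIERS: List[Tuple[int, int]] = [(20, 0), (16, 2), (12, 3), (10, 4)]


def classes_used(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in pw."""
    return sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ))


def required_classes(length: int) -> int:
    """Number of character classes the policy demands at this length."""
    for min_len, needed in CLASS_TIERS:
        if length >= min_len:
            return needed
    return 4  # below MIN_LENGTH; check_password rejects these anyway


def estimate_entropy_bits(pw: str) -> float:
    """Upper-bound estimate: log2(alphabet ** length), with the alphabet taken as
    the union of the character classes actually present. Real passwords are
    far from uniformly random, so treat this as a ceiling, not a measurement."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate password."""
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if pw.lower() in BANNED_PASSWORDS:
        return False, "appears in breached-password list"
    needed = required_classes(len(pw))
    used = classes_used(pw)
    if used < needed:
        return False, f"{len(pw)}-character password needs {needed} character classes, has {used}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "correcthorsebatterystaple", "abcdefghij", "qwerty123456"):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} ({why}), ~{estimate_entropy_bits(candidate):.0f} bits")
```

The banned-list lookup comes before the class check on purpose: a password that is already in a breach corpus is a known-bad value regardless of how many character classes it contains.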

doublelayer Silver badge

That's the right way to do it, and I'm sure el reg has done that. However, if they wanted to know how many users used password, they could find out. They have the hashes and the salts. They could go through the list, put the salt on "password", and see if it matches the hash. This wouldn't tell them what your or my password is, but if anyone used "password", they could see. So the question is answerable though nobody would bother to answer it.
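The audit described in that comment, as an added example (not the commenter's or the site's code): with per-user salts you cannot precompute one table, but you can still answer "did anyone pick `password`?" by hashing that single candidate under each user's salt and comparing. The store layout and the hash construction (SHA-256 over salt plus password) are constructed assumptions for the illustration; a real system would use a slow password hash such as bcrypt, scrypt or Argon2, and the same audit then just calls that library's verify function per user.

```python
"""Audit a salted credential store for one specific banned password (added example).

Constructed assumption: each record is (username, salt, hex_digest) with
hex_digest = SHA-256(salt || password). Only the one candidate is tried per
user, so nothing is learned about anyone whose password is *not* the candidate.
"""
import hashlib
import hmac
import os
from typing import List, Tuple

Record = Tuple[str, bytes, str]


def hash_password(salt: bytes, password: str) -> str:
    """Constructed hash scheme for this example; use a slow KDF in production."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def make_record(username: str, password: str) -> Record:
    """Create a record with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return (username, salt, hash_password(salt, password))


# Constructed sample store: one of the three users chose "password".
SAMPLE_STORE: List[Record] = [
    make_record("alice", "correct horse battery staple"),
    make_record("bob", "password"),
    make_record("carol", "F9zna/zv00w"),
]


def users_with_password(store: List[Record], candidate: str) -> List[str]:
    """Return the usernames whose stored hash matches `candidate` under their own salt.

    Cost is one hash per user per candidate, which is exactly why per-user salts
    defeat a single precomputed (rainbow) table but not a targeted check like this.
    """
    hits = []
    for username, salt, stored in store:
        if hmac.compare_digest(hash_password(salt, candidate), stored):
            hits.append(username)
    return hits


def count_using(store: List[Record], candidate: str) -> int:
    """Headline number for a report: how many accounts use this exact value."""
    return len(users_with_password(store, candidate))


if __name__ == "__main__":
    print("accounts using 'password':", count_using(SAMPLE_STORE, "password"))
    print("matching users:", users_with_password(SAMPLE_STORE, "password"))
```

Note that the comparison is exact: `Password` or `password1` do not match, so an audit of this kind reports only the literal banned value and says nothing about close variants.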

doublelayer Silver badge

Re: Can a grownup, please...?

Good points in theory, but you have to consider the whole set of possible passwords as well as a single user's set. If the length limit is set at 8, then the rainbow table generator can throw together a list of hashes of 8 and 9-character passwords. If the password length is longer but constructed of larger components, a person needs a good list of all of those components. If they're all single words found in a dictionary, that might be doable, but if a user makes any type of adjustment, as simple as switching an o with a 0 or putting an & before the last word, the generation of hashes from all the words in a dictionary won't uncover it. Similarly, if a word is included that isn't in a convenient list, E.G. one the user uses as an inside reference, a term from fiction, a word from another language, etc., it becomes nearly impossible.

I agree with you that the XKCD article isn't entirely correct, but I mainly think that the entropy of a shorter password is underestimated, making the four random words from a set of 2048 options thing look better than it really is. Still, I think that urging length is very helpful, because a password with lots of words and things that the user recognizes but others probably wouldn't makes a password much more secure.

Apple hits back at devs of axed kiddie screen-time apps

doublelayer Silver badge

Re: Do Apple

I'm not a downvoter, but I'll do a bit of education. MDM is an Apple feature. They built it. They almost by definition can't abuse it, because they set the rules for how it's used. Also, they don't use it. They built it for corporates, who do use it for internal devices. Apple doesn't make any apps that use MDM, and their OS doesn't need to because it already has such access. It's like saying "Does Google internally use their search engine to abuse users?", I.E. it's a crazy question that doesn't make any sense.

The other reason that you might be collecting downvotes is the typical charge that Apple is busy collecting user data. They don't collect that much data. They make a point of showing this to everyone, possibly because they like bragging. You can fault them for the bragging, but it is a bit annoying hearing people decry Apple for data harvesting when A) they don't do it all that much as far as large tech companies are concerned, B) you can turn a lot of their data collection stuff off and it stays off and you can prove it, and C) many of the alternatives are a lot worse on all these points. I don't know if that's what you're saying, or what people are thinking you are saying, but your post sounds a little like it might be.

Some guesses there, but this might be what's going on.