
"I don't want to start a flame war" but let me proceed and start a flame war.
20 publicly visible posts • joined 14 Oct 2020
You're entitled to love anything. But let's be rational together: if your phone has a Huawei/Xiaomi modified OS, it is less secure and private than other Android phones. It has the unintentional problems other Android phones have, plus the intentional ones added on top. This is just how it is; it has been documented many times over: the blocklists, the trigger word lists, remote installation capabilities, the persistent ping home of system apps, and others not documented but assumed to exist because they are in the law the companies are subject to. This is just how it is, it's a sad reality, but it is the reality.
And don't tell me your data going to Google and Facebook is the same as going to some CCCP-owned data center. These are two very different levels of bad.
"There was a moral code there somewhere between the 50s and the 80s." - This is just nonsense! Ever heard anything about Edward Bernays and his peers and their influence on modern society? How he redefined the term "public relations" because propaganda was too strong of a word? How, in their view, the average person is an idiot and should be manipulated because they don't know what is best for them?
Next in line, TV series and movies: binge watching something is basically the same as smoking another one because the previous one felt good. Then come books, god forbid people throw away half a day reading childish comic books, holding their pee because they have to turn another page. After that it's music: you learn nothing from it and most current music is garbage anyway.
imperva[.]com is one of those companies offering protection against DoS attacks. Your traffic goes to them to be checked for 'legitimacy' and then goes on to the destination. They have powerful machines receiving the traffic of all their clients, and only the traffic deemed benign passes through. This explains why there are so many domains under one certificate. They probably have many certificates with many more domains in them, so it's not so obvious who their clients are based on one certificate.
The good thing about certificates is that they are not magical and they don't appear and disappear without leaving a trace.
This trace would be visible in some Certificate Transparency logs. Google, Cloudflare, Facebook, and many other certificate issuers monitor the issuing of certificates so it's damn hard to just issue a certificate linked all the way up to a root CA for a domain you don't own without getting noticed.
For example, the 123-flowers[.]co[.]uk domain mentioned in the globalsign/imperva certificate, a bit down on the cert details page you can see in the "Embedded SCTs" section that this cert in particular was included in 3 transparency logs - Google “Xenon2021”, Cloudflare “Nimbus2021” and Sectigo (Comodo) “Sabre” CT.
I searched a few of these logs and no certificate was ever issued by globalsign to the sse[.]com[.]cn domain or any of its subdomains...
It was probably a small mistake in your research that yielded those suspicious results.
Another good thing about certificates and certificate transparency logs is that you get to know a lot of subdomains - even the ones not for the general public - for research and academic purposes ofc.
Regarding traceroute changing routes - that's just dynamic routing and traffic shaping working. Two tracerts from the same place can have different routes, and nothing guarantees you that your web traffic will take the same route as those two, also because you're using different protocols.
It's beautiful isn't it?
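Added example, not from this thread: a parser for the SignedCertificateTimestampList that the "Embedded SCTs" extension carries (RFC 6962), so the three log inclusions mentioned above can be read straight off a certificate's bytes. The log names are placeholders keyed on constructed IDs, not the real Xenon/Nimbus/Sabre log IDs, and the sample SCT list is constructed with dummy signatures that are not verified.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Placeholder LogIDs, constructed for this example (a real LogID is the SHA-256 of the
# log's public key; these are NOT the real Xenon/Nimbus/Sabre identifiers).
KNOWN_LOGS = {hashlib.sha256(b"example-log-" + n).digest(): n.decode() + " (placeholder)"
              for n in (b"xenon2021", b"nimbus2021", b"sabre")}

def _read_opaque16(buf, pos):
    """Read one opaque<0..2^16-1> field (2-byte big-endian length prefix); return (bytes, new_pos)."""
    end = pos + 2 + struct.unpack_from(">H", buf, pos)[0]
    if end > len(buf):
        raise ValueError("truncated opaque field")
    return buf[pos + 2:end], end

def parse_sct(sct):
    """Parse a SerializedSCT: version(1) LogID(32) timestamp(8) extensions sig_alg(2) signature."""
    if len(sct) < 41 or sct[0] != 0:  # only v1 (version byte 0) is defined
        raise ValueError("malformed or non-v1 SCT")
    log_id = sct[1:33]
    timestamp_ms = struct.unpack_from(">Q", sct, 33)[0]
    _extensions, pos = _read_opaque16(sct, 41)
    signature, end = _read_opaque16(sct, pos + 2)  # pos+2 skips hash/signature algorithm bytes
    if end != len(sct):
        raise ValueError("trailing bytes after signature")
    return {"log": KNOWN_LOGS.get(log_id, "unknown log " + log_id.hex()),
            "timestamp": datetime.fromtimestamp(timestamp_ms / 1000, tz=timezone.utc),
            "signature_len": len(signature)}

def parse_sct_list(data):
    """Parse a SignedCertificateTimestampList (the value inside the X.509 SCT extension)."""
    outer, end = _read_opaque16(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after SCT list")
    scts, pos = [], 0
    while pos < len(outer):
        raw, pos = _read_opaque16(outer, pos)
        scts.append(parse_sct(raw))
    return scts

def build_sample_sct_list():
    """Constructed sample: three v1 SCTs with zeroed 8-byte signatures, one per placeholder log."""
    scts = []
    for i, log_id in enumerate(KNOWN_LOGS):
        ts_ms = 1609459200000 + i * 1000  # 2021-01-01T00:00:00Z plus i seconds
        body = b"\x00" + log_id + struct.pack(">Q", ts_ms) + b"\x00\x00"  # v1, id, ts, no extensions
        body += b"\x04\x03" + struct.pack(">H", 8) + b"\x00" * 8  # sha256+ecdsa ids, dummy signature
        scts.append(struct.pack(">H", len(body)) + body)
    inner = b"".join(scts)
    return struct.pack(">H", len(inner)) + inner
```

On a real certificate, feed `parse_sct_list` the raw value of the extension with OID 1.3.6.1.4.1.11129.2.4.2 (after stripping the DER OCTET STRING wrapper) and replace the placeholder map with the published log IDs.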
Has anyone ever studied (as in real science) who is really taking the benefit from advertisement? The buyer or the seller?
Someone would have to come up with a viable idea for supporting content based business besides ads.
People would consume less, and every time you need something you would actually have to search for it and compare solutions. The environment would appreciate it. Companies would have to actually create value and drive innovation instead of slowing innovation for the sake of capitalizing on each insignificant evolution step with the help of marketing. Online markets would flourish and small businesses would play in the same arena as big corporations. The current economic indicators would probably go down and blink yellow, but those are in need of replacement anyway.
Don't be so dismissive.
The same 'they' did it to TrueCrypt, and at least attempted it with VeraCrypt, for example.
Targeted attacks, confusion and disinformation can amount to such a level that at a certain point you just have to trust the software.
Was openssl ever audited?
Can you trust all parties involved in the audit? To what extent?
What was the scope of the audit? Core libs or GUI code?
Which version do you use? Before or after the audit?
Do you get a compiled binary and verify the hash, if there is one?
Or do you build from source because you don't trust the available binaries, or because no hash is available?
Does it use OS libs or is it 100% self-contained? If not, ask the same questions about those libs too...
But wait, there's more! (imagine the guy in the TV commercial)
Encryption software was once subject to export restrictions just like weapons and ammunition.
Which version do you have? The export-ready one or the other one?
What OS are you running those binaries on?
What firmware is below that OS?
On what hardware are you running that firmware?
It gets very tricky very fast. In the end it's just about how high your trust bar is and how much effort you are willing to put into it, but be reminded that most of the planet has a much lower bar.
If only you in your family/friends/work circle accept and know how to use openssl, what is the use of it for you?
All of this trust chain is being attacked constantly; the only thing on our side is that governments don't have infinite resources and they have bigger problems.
In an extremely careless scenario, only a few thousand netizens kind of trust something they built but which is complex to use, while most of the world trusts something else that is easy to use but can very well be 'fit for export' software. Think of how easy it could be for a North Korean to get their hands on hardware and software that would allow him to send you a message that only the two of you can read.
It's fine if you don't make this your life battle, I don't either, but don't be so dismissive about it.
"They used a novel combination of techniques not witnessed by us or our partners in the past."
You're telling me that - in a world where stuxnet is just the tip of the tail of the hidden cat - you have never seen anything like this before?
Did someone implant a satellite sting that uses custom protocols on inaccessible frequencies, burn a bunch of 0-days for access/escalation, use thermal/seismic/wind techniques to bridge air-gapped networks and finally extract everything using a custom Morse code with an invisible laser?
And all of that to steal red team tools and customer contracts and metadata from an infosec vendor that is no different than many others?
I'm sure they did. Might as well convince me it was aliens.
It's just marketing don't overthink it...
"Our camera goes all the way to f/0.000001 just like the pros." - they say - hoping we forget a "pro" camera has more kilos of dedicated image taking/processing hardware than a smartphone will ever have for all its possible purposes.
The legal case is not about 30 or 10 percent. It's about not being able to sell in-app without apple taking a cut.
Your second paragraph is more to the point and is related to the intentions of Apple that gave origin to this case.
While you could subscribe in-app to Spotify without Apple taking a cut, Apple recently pushed new terms and conditions that forbid exactly that: in-app purchases can ONLY be done using Apple's in-app purchase system, with Apple taking a cut.
At almost the same time this case started, Google made movements in the same direction in their Google Play store... "Apple is about to get shot for this, let me put myself in the line of fire too..."
And that's why I quit my cyber security job in a big corp.. even though I loved my team.
It was not about doing things well once and moving on to improve security posture elsewhere, it was about making sure next year our budget was bigger so we could buy more crap we don't use/need.
At some point internal test reports and product comparisons were ignored, and the 3rd best (3rd least bad) was bought and half deployed - it would simply not work or conflict with existing infra.
I wonder if the expensive watch catalogues in the Project Manager office were given by PaloAlto or FireEye or others..
Back to topic;
I wish I had bought S&P 500 indexed stuff on 23 April this year :(
By network as a service they mean you route ALL your endpoints to somewhere on the internet through a fat pipe.
They will do routing/firewalling/segmentation/security for you with the most advanced AI/BigData/MachineLearning.
Zero trust I'm not certain, but I guess it relates to trust and the service they provide...