Seems like a subtle advertisement for StartMail, honestly. Google has been doing this for years. I see the op has a previous submission for StartMail, too.
Any reason for that or is it just an attractive application/service to you? I mean, if it's something we should have a better look at, let us know.
You think MS doesn't scan emails? Then how are the naked pictures my next girlfriend sends me as attachments automatically sorted into the quick view named Pictures?
There was a relevant update to iTunes last night (or earlier this week) for both OS X and Windows. It is usually these types of updates I keep an eye out for, as it is most importantly an update to certificate validation.
CVE-2013-1014 as it impacts iTunes for Mac OS X v10.6.8 or later, Windows 7, Vista, XP SP2 or later (http://support.apple.com/kb/HT5766) -
"Impact: An attacker in a privileged network position may manipulate HTTPS server certificates, leading to the disclosure of sensitive information
Description: A certificate validation issue existed in iTunes. In certain contexts, an active network attacker could present untrusted certificates to iTunes and they would be accepted without warning. This issue was resolved by improved certificate validation."
There were almost forty other CVEs for iTunes on Windows. And just a last bit - the discussion and quality of submissions here at Hacker News has taken a substantial fucking nose dive in the last year. I change my name every so often, but I can tell you that I've been here long enough to say that.
What I found most interesting about this is the slimmed-down nature of what you collect. In the video, when you showed the grid of things you've collected... it was really appealing.
I think the real strength of this would be in its technical implementation: how not-annoying is it in my browser, is it resource heavy, how can I adjust it, etc., and then the community around it.
Which is where I think there would have to be some real differences from Pinterest. If you give the user the option to share (or not!) what he/she has collected with other people (perhaps a dedicated page), and play with the idea of how users could interact with each other ("This is what Julie collected on Tuesday") - then I think this idea could have even more potential than it already does.
Good luck to you folks. As I said, this is really interesting.
The first thing I did when I opened your link, knowing it was a parody, was to check how many responses to the article there were. And there were too many. Way too many.
Comments on Hacker News more often than not go into the meta almost immediately, and constantly, so there's usually one comment with well over half of the OP's responses nested under it. I use a userscript for HN for this exact reason.
You know, it's funny because I got a very clever PayPal phishing e-mail this morning, linking to a PHP script hosted on renault-astrakhan.ru
What's worse is that I sent invitations to Dropbox some time ago to people whom I now have to contact and say, "Please be aware of this phishing e-mail disguised as a PayPal e-mail."
+1 for an alternative service, to be honest. Dropbox is very well done, but this is a good reason to stop using their service if they can't secure their clients' information.
It would greatly benefit them if they found the root of the problem, and reported whether it was indeed an issue with them or with one of the clients for Dropbox.
In the David Sanger article published in the Times attributing Stuxnet to the US/Israel, this bit really struck me -
"One day, toward the end of Mr. Bush’s term, the rubble of a centrifuge was spread out on the conference table in the Situation Room, proof of the potential power of a cyberweapon. The worm was declared ready to test against the real target: Iran’s underground enrichment plant."
And I don't mean to stray off Stuxnet here, but just really quickly: The chosen-prefix collision attack used in signing the Windows Update malware (FLAME), also suspected of being from the US, was a never-before-published variant.
The computing power alone was on the order of $200k, and makes you wonder what else the NSA or the national labs have up their sleeves.
Is anyone aware of a somewhat comprehensive auto-update cryptography survey anywhere?
I am often alarmed by the number of updates pushed through desktop software, often with little explanation (I'm looking at you, Adobe), not just for security, but for bandwidth management too.
Many open source products seem to just query a URL and direct you to go download stuff. With SSL essentially broken, that's gotta be a bit risky vs. MITM.
Gentoo for one combines pre-distributed SHA256, SHA512 and Whirlpool checksums with file size, which feels secure enough against collisions. But the pre-distribution is decentralized through potential MITM (non-trusted parties), the cryptography around that process - if any - is less than transparent, and integrity checking is apparently not performed on the locally extracted package database.
Perhaps we need a standard, cross-platform solution in the software update query space that is cryptographically paranoid and well-reviewed enough by multiple parties to be considered secure, meets the generalised need and has some OS-level integration features more advanced than "secretly do things in the background".
> Many open source products seem to just query a URL and direct you to go download stuff. With SSL essentially broken, that's gotta be a bit risky vs. MITM.
There's nothing stopping one from linking against their own copy of an SSL lib, and supplying their own list of trust anchors/trusted CAs. I've been wondering for a while why lots of apps (e.g. mobile apps) don't do this more often.
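The approach in the reply above (an application carrying its own trust anchors instead of relying on the OS trust store), shown as an added Go example that is not any commenter's code: the client verifies the update server against one pinned CA certificate only, so a certificate from any other CA, however widely trusted elsewhere, fails the handshake before a byte of the response is read. The local test server, the `latest=1.2.3` response, the "Unrelated Test CA" certificate and the function names (`NewPinnedClient`, `FetchUpdateInfo`, `StartFakeUpdateServer`, `OtherCAPEM`) are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// NewPinnedClient builds an HTTP client whose TLS verification consults only
// the CA certificate(s) in caPEM. The operating system's trust store is not
// used at all, so a certificate issued by any other CA is rejected.
func NewPinnedClient(caPEM []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("no usable CA certificate in supplied PEM")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{
		RootCAs:    pool,
		MinVersion: tls.VersionTLS12,
	}}
	return &http.Client{Transport: tr, Timeout: 10 * time.Second}, nil
}

// FetchUpdateInfo performs the "is there a newer version?" query. With a pinned
// client, a server presenting an unexpected certificate fails the handshake,
// so an on-path attacker cannot substitute a bogus "please download this" reply.
func FetchUpdateInfo(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// StartFakeUpdateServer stands in for the vendor's update endpoint: a local TLS
// test server with a self-signed certificate. That certificate, PEM-encoded, is
// the anchor the vendor would compile into its client (constructed for this example).
func StartFakeUpdateServer() (*httptest.Server, []byte) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "latest=1.2.3") // constructed sample response
	}))
	anchor := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	return srv, anchor
}

// OtherCAPEM mints a throwaway self-signed CA certificate, standing in for a CA
// that a general-purpose trust store might accept but the vendor never used.
func OtherCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Unrelated Test CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	srv, vendorAnchor := StartFakeUpdateServer()
	defer srv.Close()

	pinned, _ := NewPinnedClient(vendorAnchor)
	body, err := FetchUpdateInfo(pinned, srv.URL)
	fmt.Println("pinned to vendor anchor:", body, err)

	other, _ := OtherCAPEM()
	wrong, _ := NewPinnedClient(other)
	_, err = FetchUpdateInfo(wrong, srv.URL)
	fmt.Println("pinned to unrelated CA:", err)
}
```

The design choice worth noting is that `RootCAs` replaces the system pool rather than adding to it: the app's exposure is then limited to the one key the vendor controls, and rotating that anchor becomes part of the vendor's release process instead of something hundreds of public CAs can affect.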
I believe the best way to do it is something like ECDSA to verify and sign update packages - but I'm not familiar enough with the crypto field to understand how the entire mechanism works.
Sure, signatures are ideal. The problem for distribution maintainers, I guess, is that really they can't sign off on things; only the actual package developers can. Further, you'd wind up providing a key distribution service which may rapidly become more complex than the software packaging itself.
Given the above, perhaps all distribution maintainers can realistically do is say "it hasn't changed since I first saw it" which is what happens when they provide multiple checksums of a file, which is probably lower CPU and software library overhead than performing a cryptographic signature check.
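Putting the last two comments side by side (a signature over the update versus "size plus several hashes"), here is an added Go example that is not any commenter's code: a publisher signs a small manifest (name, size, SHA-256) with an ECDSA P-256 key, and the client verifies that manifest against the pinned public key before it checks the downloaded bytes. The `UpdateManifest` type, the function names and the sample package bytes are constructed for the example; a checksum-only check is included alongside to show exactly what it does and does not prove.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest is a hypothetical, minimal description of one update
// package: what the client is told before it downloads the bytes.
type UpdateManifest struct {
	Name   string
	Size   int
	SHA256 string // hex-encoded SHA-256 of the package bytes
}

// canonical returns a fixed byte encoding of the manifest so that signer and
// verifier hash exactly the same thing.
func (m UpdateManifest) canonical() []byte {
	return []byte(fmt.Sprintf("name=%s\nsize=%d\nsha256=%s\n", m.Name, m.Size, m.SHA256))
}

// GenerateSigningKey creates the publisher's ECDSA P-256 key pair. Only the
// public half ships with the client; the private half stays with the publisher.
func GenerateSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// NewManifest describes a package by name, size and SHA-256.
func NewManifest(name string, pkg []byte) UpdateManifest {
	sum := sha256.Sum256(pkg)
	return UpdateManifest{Name: name, Size: len(pkg), SHA256: hex.EncodeToString(sum[:])}
}

// SignManifest is the publisher side: sign the digest of the canonical manifest.
func SignManifest(priv *ecdsa.PrivateKey, m UpdateManifest) ([]byte, error) {
	digest := sha256.Sum256(m.canonical())
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// ChecksumOnlyCheck is all a "size + hashes" scheme gives you: it proves the
// bytes match the manifest, but says nothing about who wrote the manifest.
func ChecksumOnlyCheck(m UpdateManifest, pkg []byte) bool {
	sum := sha256.Sum256(pkg)
	return len(pkg) == m.Size && hex.EncodeToString(sum[:]) == m.SHA256
}

// VerifyUpdate is the client side: first confirm the manifest was signed by
// the pinned publisher key, then confirm the downloaded bytes match it.
func VerifyUpdate(pub *ecdsa.PublicKey, m UpdateManifest, sig []byte, pkg []byte) error {
	digest := sha256.Sum256(m.canonical())
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("manifest signature does not verify against pinned publisher key")
	}
	if !ChecksumOnlyCheck(m, pkg) {
		return errors.New("package bytes do not match the signed manifest")
	}
	return nil
}

func main() {
	priv, err := GenerateSigningKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample package; a real one would be the installer bytes.
	pkg := []byte("example-app-1.2.3 installer payload")
	m := NewManifest("example-app-1.2.3.tar.gz", pkg)
	sig, _ := SignManifest(priv, m)
	fmt.Println("genuine update:", VerifyUpdate(&priv.PublicKey, m, sig, pkg))

	// An on-path attacker who can rewrite the download can rewrite the
	// checksum file served beside it just as easily.
	evil := []byte("example-app-1.2.3 installer payload (modified in transit)")
	evilManifest := NewManifest("example-app-1.2.3.tar.gz", evil)
	fmt.Println("checksum-only accepts rewritten pair:", ChecksumOnlyCheck(evilManifest, evil))
	fmt.Println("signed manifest rejects it:", VerifyUpdate(&priv.PublicKey, evilManifest, sig, evil))
}
```

The signature check is cheap (one P-256 verification per update, far less than hashing the package), so the real cost the comment above points at is not CPU but key management: the client has to obtain the publisher's public key through a path the attacker does not control, typically by shipping it inside the installed software, and the publisher has to protect the private half and plan for rotating it.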
"And third, for fuck’s sake, you are the Department of Homeland Security. What happens to me the next time I got through TSA at the airport, or try to cross the border into Canada? Do you think I may perhaps be on a “list” and have some difficulties?"
Nice FUD, bro. With what DHS has to do on a day to day basis, your fucking boat isn't making any impressions outside of one office's circle of employees.
If that office failed to serve for whatever reason, and you called them out, then congrats on being a good citizen. But suggesting something as big as what you just did is more than a little fear-mongering.
Clever, utterly insane and timely.