You need to be well versed in the attribution for camera disposition. I am too old for that so getting understanding who is the better person is challenging :)
Indeed. I have 16e from it's launch and can't be happier. Battery life is incredible while no issues with connections whatsoever (I am heavy traveler so can test it on multitude of telco hardware)
Country dependent of course, but recently i observe steady push from banks to adopt mobile app. Some have webui neglected and glitchy, some openly announce sunsetting, some already killed web access only allowing app.
And this tendency will prevail as bank can collect way more data this way. Just a month ago one of banks that is often praised here sent me a letter saying “your IP activity doesn’t match your residence” (and i am not even installed their app, they pulled data from web ui usage. Imagine what happens when they get access to data mobile app can supply
There's a massive difference between having a country spying on it's own citizen versus having an adversarial country doing it. The three-letter agencies would likely not be trying to sabotage or destroy their own country's economy and global standing for one.
It's concerning that someone from the EU is still asking this question. How is there any doubt left in you? Yes, of course both are adversarial countries, and shouldn't be treated all too differently. In the short-term, the US is the bigger threat, as they've shown they're much more willing to use the power they have to cut off access than China.
As someone from the US I would suggest viewing both as adversarial. I don't really trust my own government, but if I was born abroad I would trust them even less.
You absolutely can. We see a huge uproar in European enterprises against US software/vendors/etc. Many companies are halting their cloud migration because they are now worried that the current US government could decide to just pull the plug or something otherwise inane.
Wouldn't having an adversarial country to be spying on you be the better option for you personally? At least privacy wise, not using your machine as some infiltration point, as the country you reside in has many more opportunities to abuse the data
I hear this theory being claimed so much, but I don't see any real evidence for it; we have routers that you can monitor traffic on, we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools. Correct me if I'm wrong, however.
I'm not denying that a lot of data is likely surreptitiously collected, but I'm talking microphone/camera in particular.
Most traffic is encrypted with HTTPS unless you can root every single device you own
we have microphone use indicators on mobile, and I would imagine it would be pretty clear if an app was uploading audio with even very basic monitoring tools.
Complicated smartphone OS, firmware, drivers might have bugs allow overrides of visual indicators.
That is fair. I do not think anyone could feasibly could detect/extract the exact data sent, because of HTTPS.
However I was more thinking of simple things, such as disabling anything that SHOULD be communicating with the Internet and seeing if any constant traffic persists.
Now of course, some very small (e.g plaintext) traffic might be almost undetectable, however that would suggest that most of the data would not be able to be transmitted due to size.
How confident or certain are you of what CSME or PSP or some code in TrustZone is doing? How certain are you that not a single piece of software on your machine, be it in the kernel, userland, drivers, is performing some type of surreptitious communication with CSME or PSP or program running in TrustZone?
Do you know for sure whether PSP or CSME has ever done DMA, or fingerprinted stack/heap allocation patterns and timing, or inspected the contents of your disk (after FDE was done being decrypted, of course), to evaluate whether common packet capture software is installed, or even whether it's currently running?
Detecting spyware is one thing. Detecting surreptitious nation-state spyware that behaves differently when it's being observed is a different challenge entirely.
In my case, I don't currently have any capture software on my main computer at all.
Our routers are Asus, and so I'm able to install tcpdump and log traffic directly without the source device itself knowing anything. This makes it really easy to monitor the traffic of any device, albeit not knowing exactly what it is being sent.
But it is true that I really can't know much more than what tcpdump shows.
I recall there were quite a few experiments where people use certain keywords heavily just to get closely related ads later on. I can totally relate my experience with it as well. Of course it is inconclusive - but if there is an incentive, management of big companies will venture into it. And chinese management is no different from western ones to that matter.
They don't pick the keywords uniformly randomly from a list of all keywords though. They think they randomly picked something that popped up in their mind, but those keywords are either
- stuff they saw online recently — ads or otherwise, which put the keywords in their mind
- or stuff they were already interested in recently
Not hard to imagine targeting algorithms picking up on either of these
You dont see those "coincidental" ads because your phone is listening to you, you see them because your freind showed interest in the product and theirs enough information to infer they talked to you about it. The good news is, your phone isn't listening to you without your consent. The bad news is, because it doesnt need to.
The difference is that the Chinese intelligence agencies abide by Chinese law and don't really pose any kind of threat to American citizens, while the American intelligence agencies engage in unconstitutional schemes (as ruled by a federal judge) to illegally spy on Americans and lie about it to both congress and the American people, murder American citizens, and can, at any moment they want, fabricate evidence to procure no-knock search warrants where a team of armed gunmen will throw flashbang grenades into the homes of journalists and political dissidents in the middle of the night before barging in with assault rifles.
And yet, for reasons that remain beyond me, many Americans remain more fearful of the former than that latter.
Perhaps because foreign governments with a known antagonistic stance would happily sell or hand over your data in order to cause large-scale economic instability via account attacks, political instability via fostering the prosecution of minority groups (as identified by said data)... get creative. Large-scale data on your enemy's citizenry is a new weapon in the modern arsenal, and we haven't seen anyone really try to use it yet, but I suspect the results when they do will be ugly.
Care to elaborate on "known antagonistic stance"? Is there any evidence that China has ever actually performed any of these types of attacks you're discussing?
"Get creative" might work well for fictional writing exercises, but is it such a sound strategy for assigning guilt? Surely you wouldn't like being prosecuted for crimes that someone "got creative" with in accusing you of, no?
No, because this particular attack is (as far as I know) a new concept, but in general, China being a major state sponsor of all sorts of large cyberattacks is very well-known (in security circles, at least) and has been extensively documented. The current likely scenario is that attacks would be performed against the US in the event that they tried to help defend Taiwan against Chinese invasion.
The consensus is usually "well the government only targets you when you probably deserve it" whereas china is spying on everyone regardless of your opinion of the actions of the current administration.
To address your last paragraph - it’s not unlikely the latter use all powers to divert attention to the former as it conceals shenanigans of the latter
China and Chinese companies flaunt every single law that at all hinders them, IP law being the typical example. The EU has the Privacy Shield agreement with the USA. Such an agreement with China would be effectively impossible, since even if it existed, they'd simply ignore it. People criticise Five Eyes, and for good reason, but it's existence at least means that intelligence agencies are willing to follow domestic law.
Not to mention the use of the word "Western", which is the kind of bullshit I could write a smaller book about.
If you look at almost all "protect the kids" initiatives, they are targeting mostly to deter free speech or cover other shenanigans. Same people who "want to protect kids" have no problem exploiting kids.
General public should be more intelligent and look a bit deeper than a cool title, but I really can't realistically expect that.
I suspect providers are tinkering with antispam systems, likely adding "AI". FastMail had good one for years, if not the best, was the last to make its antispam totally useless in last year or two.
> Sometimes the new guy can make a better version themselves over the weekend, not because they’re a supergenius, but because they’re not hampered by 47 teams all trying to get their stamp on the project.
In 99.9% of cases what seems to be "the better" version is better only for the "new guy" or rather his ego.
Those 47 teams hampering doesn't necessarily mean a bad thing, and more often than not actually well justified "stamps".
You only understand those things when you turn from the "supergenius" into an owner who have to take care not only of numbers on screen, but also security, interfacing, management and so on.
That is often the case, but far from all the time. Other times something is made so needlessly complicated by office politics that it may never get shipped.
Not saying it never happened in history, but most of those "complications" are justified. Being narrowsighted and overfocused does not help to assess it.
Conversely, sometimes when you have 23 people designing something, they can lose track of what they’re trying to accomplish and focus on how they’re trying to accomplish it. It can be an XY problem sort of thing. “How can we get the Redis queue to do an exactly-once insertion into Kafka, if we can’t guarantee exact ordering from the Paxos framework?” “Uh, guys, aren’t we trying to send out the weekly email newsletter to our estimated 500 subscribers?” “Oh, well, I guess we could just use Mailchimp…”
Like I said earlier, it’s ok not to believe me. I don’t particularly mind. But just between us, my solution met every one of the project requirements using COTS parts because they’d made it waaayyyy harder than it needed to me.
Nothing personal, but our conversation reminds me many similar convos I had with developers who thought their product was superiour - but they could see it only from their angle. And it was superiour - but again, only under narrow view.
Not saying you're wrong in all cases, but there are enough examples of hugely expensive megaprojects which totslly tanked, which would have definitely been much more successful with OPs approach if executed correctly. Not saying they would be done and done within a weekend, that's silly. But the alternative, poorly defined integration interfaces, multiple contractors, multiple stakeholders with conflicting requirements and zero (real) regard for the user is unfortunately fairly common, both in public (city/regional/government) and private bureaucracies.
The examples are legion, and they always seem to have NIH and baroque requirements, and be rather over- than underspecified. I would go so far as to say that these projects are almost never successful (and definitely never on time and budget).
Let's Encrypt has nothing to do with this problem (of Certificate Transparency logs leaking domain names).
CA/B Forum policy requires every CA to publish every issued certificate in the CT logs.
So if you want a TLS certificate that's trusted by browsers, the domain name has to be published to the world, and it doesn't matter where you got your certificate, you are going to start getting requests from automated vulnerability scanners looking to exploit poorly configured or un-updated software.
Wildcards are used to work around this, since what gets published is *.example.com instead of nas.example.com, super-secret-docs.example.com, etc — but as this article shows, there are other ways that your domain name can leak.
So yes, you should use Let's Encrypt, since paying for a cert from some other CA does nothing useful.
Another big way you get scooped up, having worked in that industry among other things - is that anybody - internal staff, customers, that one sales guy who insists on using his personal iPhone to demo the product and everybody turns a blind eye because he made $14M in sales last year - calls some public DNS resolver and the public DNS server sells those names --- even though the name didn't "work" because it wasn't public.
They don't sell who asked because that's a regulatory nightmare they don't want, but they sell the list of names because it's valuable.
You might buy this because you're a bad guy (reputable sellers won't sell to you but that's easy to circumvent), because you're a more-or-less legit outfit looking for problems you can sell back to the person who has the problem, or even just for market research. Yes, some customers who own example.com and are using ZQF brand HR software won't name the server zqf.example.com but a lot of them will and so you can measure that.
Statistically amount of parasite scanning on LE "secured" domains is way more compared to purchased certficates. And yes, this is without voluntary publishing on LE side.
I am not entirely aware what LE does differently, but we had very clear observation in the past about it.
reply