The Saudis are being assholes in public again, so some people are starting to wonder if they're willing to be picky about where their money comes from. Hackernews isn't, for the most part, but they seem attracted to the idea that it's probably okay to take money from assholes if you think nobody will notice. Failing that, try to get some other people between you and the assholes. A few Hackernews just declare that there's no such thing as an asshole. I rarely* recommend reading "Hacker" "News" comments, but if you want to see the inner strugglings of people who just aren't sure if they should, through their labor, enrich murderers, this is the place to do it.
- A parasite compiles buzzwords into a Google Docs text file. In response, a Hackernews apostate suggests that perhaps building a lasting business at a sustainable pace is within the realm of possibility. The Hackernews Re-education Squad parachutes into the resulting panic to firmly explain that hockey-stick growth followed by acquisition or IPO is the only acceptable path forward, and that making a low-six-figure income in an affordable community is a dangerous myth. The real question is: during your normal, necessary, not-excessive twelve-hour work day, are you more productive before dawn or after dusk? [...]
- An Internet has a hobby. Hackernews likes to watch. The hobby involves Lisp, whose evangelists are so ancient and terrifying that the Rust Evangelism Strike Force declares the entire comment thread a no-fly zone and produces new maps marking the area as lost territory, impenetrable to the faithful.
What I only just realized is that it's pretty easy to use Let's Encrypt certs as SMTP TLS certs if you have already been using self-signed certs: you just need to add your MX hostname to the list of domains the cert covers and point Postfix at that cert:
smtpd_tls_cert_file = /etc/
smtpd_tls_key_file = /etc/
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
They have a page that tests your server, but it's terrible, don't bother. If it detects a single problem it just says "Nope!" without telling you what the problem is. A better tester is at checktls.com which will actually tell you what it thinks went wrong.
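Here is a small tester of the sort described above, an added example that is not from this post and not checktls.com's code: it connects to an MX, asks for STARTTLS, verifies the chain against the system CA store, and then explains what is wrong (no STARTTLS advertised, chain rejected, name mismatch, expired, or about to expire) instead of a bare "Nope!". The hostnames and the SAMPLE_CERT dict are constructed; the sample is in the shape Python's getpeercert() returns, so the diagnosis logic can be exercised offline.

```python
import smtplib
import ssl
import sys
from datetime import datetime, timezone


def _hostname_matches(pattern, host):
    """Match a certificate DNS name (possibly one leading wildcard) against a host."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), host.split(".")
        # A wildcard covers exactly one label and never the bare domain itself
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return pattern == host


def diagnose_cert(cert, expected_host, now=None):
    """Explain what is wrong with a peer cert (the dict form ssl's getpeercert() returns).

    Returns a list of problem strings; an empty list means the cert names
    expected_host and is inside its validity window.
    """
    if not cert:
        return ["no certificate presented"]
    now = now or datetime.now(timezone.utc)
    problems = []

    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # very old certs only carry a CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(_hostname_matches(name, expected_host) for name in names):
        problems.append(f"name mismatch: {expected_host} is not covered by {names}")

    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if now < not_before:
        problems.append(f"not yet valid until {not_before:%Y-%m-%d}")
    elif now > not_after:
        problems.append(f"expired on {not_after:%Y-%m-%d}")
    elif (not_after - now).days < 14:
        # Let's Encrypt certs live 90 days; little time left usually means renewal is broken
        problems.append(f"expires in {(not_after - now).days} days; check the renewal job")
    return problems


def check_starttls(host, port=25, timeout=10, cafile=None):
    """Connect to an MX, request STARTTLS, and return a list of problems (empty means OK)."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on; hostname checking is done by diagnose_cert so that a
    # mismatch is reported as text rather than as an exception with no explanation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.ehlo()
            if not smtp.has_extn("starttls"):
                return ["server did not advertise STARTTLS in its EHLO response"]
            try:
                smtp.starttls(context=ctx)
            except ssl.SSLCertVerificationError as e:
                return [f"chain does not verify against the CA store: {e.verify_message}"]
            return diagnose_cert(smtp.sock.getpeercert(), host)
    except (OSError, smtplib.SMTPException) as e:
        return [f"SMTP session failed: {e}"]


# Constructed sample in getpeercert() format (not a real certificate), for offline use
SAMPLE_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "example.com")),
    "notBefore": "Apr 13 00:00:00 2018 GMT",
    "notAfter": "Jul 12 00:00:00 2018 GMT",
}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"
    found = check_starttls(target)
    print("OK" if not found else "\n".join(found))
```

Run it as `python3 starttls_check.py mx.yourdomain.example` from a host that can reach port 25. Because it reuses the system CA store, a self-signed cert is reported as a chain failure, while a Let's Encrypt cert that was issued without the MX hostname in its domain list shows up as a name mismatch, which is the case the Postfix configuration above is meant to avoid.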
We have three primary goals for STARTTLS Everywhere:
Improve STARTTLS adoption.
We want to make it easy to deploy STARTTLS with valid certificates on mailservers. We're developing Certbot plugins for popular MTA software, starting with Postfix, to make this a reality. [...]
Prevent STARTTLS downgrade attacks.
In order to detect downgrade attacks, we're hosting a policy list of mailservers that we know support STARTTLS. This list acts essentially as a preload list of MTA-STS security policies. [...]
Lower the barriers to entry for running a secure mailserver.
Email was designed as a federated and decentralized communication protocol. Since then, the ecosystem has centralized dramatically, and it has become exponentially more difficult to run your own mailserver. The complexity of running an email service is compounded by the anti-spam arms race that small mail operators are thrust into. At the very least, we'd like to lower the barriers to entry for running a functional, secure mailserver.
Yeah, see, that last part is the kicker. Only crazy people like me run their own mail server, because Google has managed to almost completely de-federate the world's email infrastructure. "Google has most of my email because it has all of yours".
Why would anyone run their own mail server?
"As an act of defiance against the Google hegemony" is probably not a selling point that resonates with very many people.
Nor is, "I really enjoy reading my logs and seeing Error 421: To protect our users from spam, mail sent from your IP address has been temporarily rate limited."
So, you know, maybe some day everyone who still runs their own email server will have certificates installed, and maybe enough of those certificates will be signed by a CA that validating the cert before exchanging mail might be a practical thing to do. But it's more likely that by then, email will have been killed as a concept. All it would take would be for Google to decide, "Fuck it, we're just not going to federate with anyone any more."
You know, like they did with GChat, single-handedly killing Jabber / XMPP.
They don't quite have the market share on the email side to get away with that right now, but maybe they will someday. But even today, they could probably get away with saying "We're no longer accepting SMTP connections, period": they'd just have to bully Outlook, Yahoo and iCloud into peering in some new way that locks everyone else out. They'd do this under the guise of "solving spam", which it wouldn't.
In summary, everything is terrible.
"I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government," a May 8 letter sent from Wyden to the President and Chief Executive Officer of AT&T reads. [...]
In his letter to AT&T, which has similar text to letters sent to other carriers, Wyden writes that this check amounts to "nothing more than the legal equivalent of a pinky promise."
"The fact that Securus provides this service at all suggests that AT&T does not sufficiently control access to your customers' private information," the letter adds.
In Shocking Drop of Second Shoe:
Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren't explicitly linked to a particular government department. [...]
"Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat. [...]
"Track mobile devices even when GPS is turned off," the Securus website reads. "Call detail records providing call origination and call termination geo-location data," it adds.
The original system had an i386SX running Windows 3.1 in a locked-down kiosk mode that would only allow the radio application to run. [...] The BIOS setup screen can be reached with the "HOME" key during the boot and is a nostalgia trip. "Boot Sector Virus Protection" is such a throwback.
Although Motorola advertised the MDT-9100 as suitable for secure data communication, the standard version was in fact highly insecure. [...]
According to Motorola, a 'special code' was used, but the code appeared to be nothing more than plain ASCII. The data protocol was known as the MDT-4800 protocol and used bit-interleaving as a means to correct transmission errors, and to obscure the data stream. When hackers discovered the properties of the protocol, several PC programs appeared that allowed the general public to monitor police conversations with nothing more than a scanner, a PC and a simple interface.
In the US, the problem was 'solved' by making it illegal to publish and use the PC-based hacking software.
Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.
Facebook has announced it's trialling a tool in Australia to fight revenge porn on its platform, one that requires victims to send the company a copy of the violating images. Amazingly, this is true, and not a Clickhole story. It's the kind of thing that makes you wonder if there are human people at Facebook, and do they even understand what words mean? Because as we unravel the details of this tool -- totally not conceived by actual robots or a company with a zero percent trust rating among users -- we realize it's a very confusing tool indeed. [...]
This apparently sends a copy of the image to the probable-Cybermen behind the scenes at Facebook, who momentarily pause from massaging advertisers with whale tears, laughing at people worried about Holocaust denial, high-fiving over scenes of unbelievable human devastation, and destroying democracy.
Then a person, and totally not a heartless tech bro, who works for Facebook looks at it. They decide if it is revenge porn, or if on that day you are just shit out of luck for getting your nonconsensual nudes removed.
At some point, according to what Facebook told Motherboard, the image has portions of it blurred out. This may happen with magic grey alien technology in transit, somehow preserving the privacy and dignity of the revenge porn victim. Maybe the employee just blurs their eyes over the sensitive parts by squinting really hard or rubbing their eyelids. Perhaps a superhacker Facebook cyber-script blurs the private bits so quickly you can feel a breeze come off the Facebook employee's computer.
But probably not. A Facebook spokesperson told Motherboard that when the image is blurry, a highly specialized and incredibly trained team are the only people who have access to it for a few days. It is my personal hope that their training is in martial arts. [...]
Anyway. As best we know, after employees look at the photo (and it may or may not be altered for the privacy and dignity of its subject), Facebook's machines take over. Facebook makes a hash of the photo and stores it in a repository that's cross-checked against photo uploads on the service. We can rest assured that this part will work perfectly because Facebook has never made a mistake. [...]
Facebook is asking people to trust it. The company that said Russian propaganda advertising only reached 10 million people then was forced to admit the true number was 126 million. The company that reached into people's address books on phones and devices, and altered Facebook users' contact information, re-routing communications to Facebook. The company that enforces a "real names" policy on users despite the fact that the National Network to End Domestic Violence proved that Facebook is the most misused social media platform by abusers. The company that let advertisers target users by race, outs sex workers, said "fake news" was not a real problem, and that experimented on its users' mental health.
Trust is something Facebook literally has none of.
Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.