This time I omitted any posts earlier than 2017, since there were still a few perennial favorites in the list.
The Saudis are being assholes in public again, so some people are starting to wonder if they're willing to be picky about where their money comes from. Hackernews isn't, for the most part, but they seem attracted to the idea that it's probably okay to take money from assholes if you think nobody will notice. Failing that, try to get some other people between you and the assholes. A few Hackernews just declare that there's no such thing as an asshole. I rarely* recommend reading "Hacker" "News" comments, but if you want to see the inner strugglings of people who just aren't sure if they should, through their labor, enrich murderers, this is the place to do it.
- A parasite compiles buzzwords into a Google Docs text file. In response, a Hackernews apostate suggests that perhaps building a lasting business at a sustainable pace is within the realm of possibility. The Hackernews Re-education Squad parachutes into the resulting panic to firmly explain that hockey-stick growth followed by acquisition or IPO is the only acceptable path forward, and that making a low-six-figure income in an affordable community is a dangerous myth. The real question is: during your normal, necessary, not-excessive twelve-hour work day, are you more productive before dawn or after dusk? [...]
- An Internet has a hobby. Hackernews likes to watch. The hobby involves Lisp, whose evangelists are so ancient and terrifying that the Rust Evangelism Strike Force declares the entire comment thread a no-fly zone and produces new maps marking the area as lost territory, impenetrable to the faithful.
What I only just realized is that it's pretty easy to use Let's Encrypt certs as SMTP TLS certs, if you have already been using self-signed certs: you just need to add your MX to the list of domains in the cert and install that cert into Postfix:
smtpd_tls_cert_file = /etc/
smtpd_tls_key_file = /etc/
smtp_tls_cert_file = $smtpd_tls_cert_file
smtp_tls_key_file = $smtpd_tls_key_file
They have a page that tests your server, but it's terrible, don't bother. If it detects a single problem it just says "Nope!" without telling you what the problem is. A better tester is at checktls.com which will actually tell you what it thinks went wrong.
We have three primary goals for STARTTLS Everywhere:
Improve STARTTLS adoption.
We want to make it easy to deploy STARTTLS with valid certificates on mailservers. We're developing Certbot plugins for popular MTA software, starting with Postfix, to make this a reality. [...]
Prevent STARTTLS downgrade attacks.
In order to detect downgrade attacks, we're hosting a policy list of mailservers that we know support STARTTLS. This list acts essentially as a preload list of MTA-STS security policies. [...]
Lower the barriers to entry for running a secure mailserver.
Email was designed as a federated and decentralized communication protocol. Since then, the ecosystem has centralized dramatically, and it has become exponentially more difficult to run your own mailserver. The complexity of running an email service is compounded by the anti-spam arms race that small mail operators are thrust into. At the very least, we'd like to lower the barriers to entry for running a functional, secure mailserver.
Yeah, see, that last part is the kicker. Only crazy people like me run their own mail server, because Google has managed to almost completely de-federate the world's email infrastructure. "Google has most of my email because it has all of yours".
Why would anyone run their own mail server?
"As an act of defiance against the Google hegemony" is probably not a selling point that resonates with very many people.
Nor is, "I really enjoy reading my logs and seeing Error 421: To protect our users from spam, mail sent from your IP address has been temporarily rate limited."
So, you know, maybe some day everyone who still runs their own email server will have certificates installed, and maybe enough of those certificates will be signed by a CA that validating the cert before exchanging mail might be a practical thing to do. But it's more likely that by then, email will have been killed as a concept. All it would take would be for Google to decide, "Fuck it, we're just not going to federate with anyone any more."
You know, like they did with GChat, single-handedly killing Jabber / XMPP.
They don't quite have the market share on the email side to get away with that right now, but maybe they will someday. But even today, they could probably get away with saying "We're no longer accepting SMTP connections, period": they'd just have to bully Outlook, Yahoo and iCloud into peering in some new way that locks everyone else out. They'd do this under the guise of "solving spam", which it wouldn't.
In summary, everything is terrible.
"I am writing to insist that AT&T take proactive steps to prevent the unrestricted disclosure and potential abuse of private customer data, including real-time location information, by at least one other company to the government," a May 8 letter sent from Wyden to the President and Chief Executive Officer of AT&T reads. [...]
In his letter to AT&T, which has similar text to letters sent to other carriers, Wyden writes that this check amounts of "nothing more than the legal equivalent of a pinky promise."
"The fact that Securus provides this service at all suggests that AT&T does not sufficiently control access to your customers' private information," the letter adds.
In Shocking Drop of Second Shoe:
Most of the users in the spreadsheet are from US government bodies, including sheriff departments, local counties, and city law enforcement. Impacted cities include Minneapolis, Phoenix, Indianapolis, and many others. The data also includes Securus staff members, as well as users with personal email addresses that aren't explicitly linked to a particular government department. [...]
"Location aggregators are -- from the point of view of adversarial intelligence agencies -- one of the juiciest hacking targets imaginable," Thomas Rid, a professor of strategic studies at Johns Hopkins University, told Motherboard in an online chat. [...]
"Track mobile devices even when GPS is turned off," the Securus website reads. "Call detail records providing call origination and call termination geo-location data," it adds.
The original system had an i386SX running Windows 3.1 in a locked-down kiosk mode that would only allow the radio application to run. [...] The BIOS setup screen can be reached with the "HOME" key during the boot and is a nostalgia trip. "Boot Sector Virus Protection" is such a throw back.
Although Motorola advertised the MDT-9100 as suitable for secure data communication, the standard version was in fact highly insecure. [...]
According to Motorola, a 'special code' was used, but the code appeared to be nothing more than plain ASCII. The data protcol was known as the MDT-4800 protocol and used bit-interleaving as a means to correct transmission errors, and to obscure the data stream. When hackers discovered the properties of the protocol, several PC programs appeared that allowed the general public to monitor police conversations with nothing more than a scanner, a PC and a simple interface.
In the US, the problem was 'solved' by making it illegal to publish and use the PC-based hacking software.
Previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously, previously.