Not only do they not address the technical aspects of the paper, their response starts with a direct personal attack: "It seems Nadim (the author of this paper) took it really badly when we called him out for…
The analysis by Kobeissi is correct, and the claims by ProtonMail are a stretch, and sometimes they don't mean anything. For example, from their security details page [1]: "This means we don't have the technical ability…
You can actually see what code your browser is running, you have view source and all the developer tools to analyze the JS code. This is their main defense, they will probably post a link to their GitHub page where the…
I think what he means with certifications is that they'll get you the jobs you don't really want. For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you…
Of course, you're welcome. I forgot to address the salary question. Six figure jobs are common in this industry, but experience is required to get those jobs. I don't personally know of anyone that did the change at…
First of all: what in particular do you find interesting of the security field? Are you more interesting in the offensive or defensive side? I guess that given your background, the smoothest transition will be to…
This is really useful for security testing, where unexpected input could have security implications. There is a similar project, which I think is better organized and has more lists to play with:…
Agree, but I also read this as a little condescending towards Chinese workers. We tend to attribute their success to corruption, exploitation, or brute-force (given their population). But, could it be that they have…
From their first blog post [1]: "We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the…
Actually, you're both incorrect. It's "plata o plomo". "Plata" can mean "silver" or "money". In this context they are referring to "money". "Plato" is literally "plate" as in where you put your food on.
It isn't a matter of whether it's "secure" or not. The problem is that their security model is based around JavaScript code being pushed to your browser where all the "cryptography" will happen. Yes, maybe your e-mails…
Holy, I forgot about that one! You're totally right and I'm surprised it's not one of the main arguments for this push for HTTPS.
Of course, you're right. My phrasing was not the best. The rogue CA would need to perform a classical MiTM as all the other mortals do, having access to the signing keys does not give you special MiTM powers, other than…
This is important. Because the discussion around HTTPS tends to train users into think that HTTPS = Web Security. I totally agree that it's important, and I understand the attack vectors. But what about your outdated…
You don't need to have private keys to exploit this scenario. Let's say you own example.com, and you add a certificate by Let's Encrypt. If Let's Encrypt is a malicious actor, they could MiTM a connection to your site,…
If it's an NSA honeypot it will still be a positive thing for 99% of use cases. Also, why would they do this? It's smarter to compromise the existing CAs.
I see what you mean. And this is the problems with this subject and why most of the times these discussions end up nowhere. We end up discussing on what this hypothetical "regular user" does with biased examples from…
Of course, but I think that your portrayal of the regular user is not of a regular user at all. The regular users I know don't even know what syncing is, what the cloud is, what integration is. I know lots of people…
Totally agree with your familiarity argument. I think that's the main reason why Linux can't compete. One can think that the desktop OS for a regular user is a commodity, so why replace it? The benefits for the regular…
I think that your view on the needs of the regular user is pretty agreeable. I don't get why you got these kind of replies. Nothing you said was controversial about the regular user's needs. I too have experience…
A quick line count shows that the file from your link has 14354 entries, while the one on the github repo has 65357.
A good solution I've found for ad blocking is using the following hosts file: https://github.com/StevenBlack/hosts Which sinkholes every known ad/malicious domain. It's been pretty useful, and it hasn't broken nothing…
Really? When was this released? I can't believe I've missed this one lol. Does it support screen sharing? I thought to Java client was the only thing available, and it's terrible to run on Linux.
- Webex. I would go with the classic Office suite, but what I would really want in that area is support for open formats from Microsoft. This way anyone can write their fully compatible editor, and we could actually use…
True! A lot of people use Linux and the ecosystem because it's free. And that's a good thing! It's great to have this open alternative where people without economic resources can rely on solid systems without having to…
Not only do they not address the technical aspects of the paper, their response starts with a direct personal attack: "It seems Nadim (the author of this paper) took it really badly when we called him out for…
The analysis by Kobeissi is correct, and the claims by ProtonMail are a stretch, and sometimes they don't mean anything. For example, from their security details page [1]: "This means we don't have the technical ability…
You can actually see what code your browser is running, you have view source and all the developer tools to analyze the JS code. This is their main defense, they will probably post a link to their GitHub page where the…
I think what he means with certifications is that they'll get you the jobs you don't really want. For example, CEH (Certified Ethical Hacker) is a certification you'll see in a lot of job postings. The thing is, if you…
Of course, you're welcome. I forgot to address the salary question. Six figure jobs are common in this industry, but experience is required to get those jobs. I don't personally know of anyone that did the change at…
First of all: what in particular do you find interesting of the security field? Are you more interesting in the offensive or defensive side? I guess that given your background, the smoothest transition will be to…
This is really useful for security testing, where unexpected input could have security implications. There is a similar project, which I think is better organized and has more lists to play with:…
Agree, but I also read this as a little condescending towards Chinese workers. We tend to attribute their success to corruption, exploitation, or brute-force (given their population). But, could it be that they have…
From their first blog post [1]: "We’re not placing any particular bounds on this project and will work to improve the security of any software depended upon by large numbers of people, paying careful attention to the…
Actually, you're both incorrect. It's "plata o plomo". "Plata" can mean "silver" or "money". In this context they are referring to "money". "Plato" is literally "plate" as in where you put your food on.
It isn't a matter of whether it's "secure" or not. The problem is that their security model is based around JavaScript code being pushed to your browser where all the "cryptography" will happen. Yes, maybe your e-mails…
Holy, I forgot about that one! You're totally right and I'm surprised it's not one of the main arguments for this push for HTTPS.
Of course, you're right. My phrasing was not the best. The rogue CA would need to perform a classical MiTM as all the other mortals do, having access to the signing keys does not give you special MiTM powers, other than…
This is important. Because the discussion around HTTPS tends to train users into think that HTTPS = Web Security. I totally agree that it's important, and I understand the attack vectors. But what about your outdated…
You don't need to have private keys to exploit this scenario. Let's say you own example.com, and you add a certificate by Let's Encrypt. If Let's Encrypt is a malicious actor, they could MiTM a connection to your site,…
If it's an NSA honeypot it will still be a positive thing for 99% of use cases. Also, why would they do this? It's smarter to compromise the existing CAs.
I see what you mean. And this is the problems with this subject and why most of the times these discussions end up nowhere. We end up discussing on what this hypothetical "regular user" does with biased examples from…
Of course, but I think that your portrayal of the regular user is not of a regular user at all. The regular users I know don't even know what syncing is, what the cloud is, what integration is. I know lots of people…
Totally agree with your familiarity argument. I think that's the main reason why Linux can't compete. One can think that the desktop OS for a regular user is a commodity, so why replace it? The benefits for the regular…
I think that your view on the needs of the regular user is pretty agreeable. I don't get why you got these kind of replies. Nothing you said was controversial about the regular user's needs. I too have experience…
A quick line count shows that the file from your link has 14354 entries, while the one on the github repo has 65357.
A good solution I've found for ad blocking is using the following hosts file: https://github.com/StevenBlack/hosts Which sinkholes every known ad/malicious domain. It's been pretty useful, and it hasn't broken nothing…
Really? When was this released? I can't believe I've missed this one lol. Does it support screen sharing? I thought to Java client was the only thing available, and it's terrible to run on Linux.
- Webex. I would go with the classic Office suite, but what I would really want in that area is support for open formats from Microsoft. This way anyone can write their fully compatible editor, and we could actually use…
True! A lot of people use Linux and the ecosystem because it's free. And that's a good thing! It's great to have this open alternative where people without economic resources can rely on solid systems without having to…