Dropbox is literally the worst anmong all. For every little feature, like setting a password it requires upgrading your already paid plan. It’s slow and offers nothing.
I put a Nextcloud snap on a VPS in the same city. Fast and no limitations.
I don’t know why the author likes AES 128 so badly. AES 256 adds little additional cost, and protects against store now decrypt later attacks (and situations like: “my opinion suddenly changed in few months”). The industry standard and general recommendation for quantum resistant symmetric encryption is using 256 bit keys, so just follow that. Every time he comes up with all sorts of arguments that AES 128 is good.
Age should be using 256 bit file keys, and default to PC keys in asymmetric mode.
> The industry standard and general recommendation for quantum resistant symmetric encryption is using 256 bit keys
It simply is not. NIST and BSI specifically recommend all of AES-128, AES-196, and AES-256 in their post-quantum guidance. All of my industry peers I have discussed this with agree that AES-128 is fine for post-quantum security. It's a LinkedIn meme at best, and a harmful one at that.
My opinion changed on the timeline of CRQC. There is no timeline in which CRQC are theorized to become a threat to symmetric encryption.
he pretty explicitly states that AES 128 is not in any imminent danger and mandating a switch to 256 would distract from the actual thing he thinks needs to happen.
So why argue about whether AES-256 is worth it if we can just literally replace those 3 characters and be done with the upgrade? This was the smart move already in 2001 when Shor's algorithm was known and computers fast enough that we don't notice the difference. At least to me, it seems like less bikeshedding will be done if we abandon AES-128 and don't have to deal with all the people left wondering if that's truly ok
Then again, something something md5. 'Just replace those bytes with sha256()' is apparently also hard. But it's a lot easier than digging into different scenarios under which md5 might still be fine and accepting that use-case, even if only for new deployments
There's a whole lot of cases where the tokens are temporary in nature with an easy cut-over, either dropping old entries or re-encrypting while people are not at work. We tend to think of big commerce like amazon or google that need 24/7 uptime, but most individual systems are not of that scale
In most other cases you increment the version number for the new data format and copy-paste the (d)e(n)cryption code for each branch of the if statement, substituting 128 for 256. That's still a trivial change to substitute one algorithm for another
Only if there exists no upgrade path in the first place, you have a big problem upgrading the rest of your cryptography anyway and here it's worth evaluating per-case whether the situation is considered vulnerable before doing a backwards-incompatible change. Just like how people are (still) dealing with md5
I'm working on just that in some IoT context, and a lots of chips I have to deal with only have hardware support for AES-128, so it's a little more complicated...
You can’t just throw “Grover’s algorithm is difficult to parallelize” etc. It’s not same as implementation, especially when it gets to quantum computers. It’s very specialized.
I felt that too, when I first used cursor/claude code, it was awesome and I just wanted keep building, the dopamine hit after shipping is really good. But later, when I needed to inspect the code manually, and I realized there were a lot of trash/dead/unoptimized code. I started drowning in the mess I generated. It is good until you need manual changes.
What is the best way to sandbox LLMs and packages in general, while being able to work on data from outside sandbox (get data in and out easily)?
There is also the need for data sanitation, because the attacker could distribute compromised files through user’s data which will later be run and compromise the host.
I wrote this[1] for myself last year.
It only gives access to the current directory (and a few others - see README).
So, it drastically reduces the attack surface of running third-party Python/Go/Rust/Haskell/JS code on your machine.
Some of these European countries such as France are quite authoritarian. They frequently pass (update: propose/push for) laws to ban VPN and even social media, request access to private messages, etc. It seems to me the situation is equally bad in EU.
You have no idea what you are talking about, really. We don’t "frequently" pass such laws. Nobody is accessing private messages, even if there have been such attempts.
The EU has still the strongest privacy laws world wide, and in contrast to others a strong ethical foundation. It may be slow, it may be torn, it may be overly beaurocratic, but sure enough not authoritarian.
I don't think the french as a whole believe that. A lot of people in France are highly critical of the way the current government (and how it is more and more far right leaning) has been handling things in the last decade. There is a big issue of the police forces syndicates being highly far right biased which doesn't help.
None of the issues highlighted are because of the last decade of any alleged "far right leaning". In fact things have probably improved compared to a few decades ago.
It’s remarkable how incompetent Iranian security system has been. This has been going on for over a decade. They just can’t fix their intelligence failures.
Who on earth uses consumer phones at this level (which was the case among their elites till last year)?
Why do they walk in open streets and reside in residential buildings now, and all gather in single location?
It’s remarkable how incompetent Iranian security system has been. This has been going on for over a decade. They just can’t fix their intelligence failures.
Who on earth uses consumer phones at this level (which was the case among their elites till last year)?
Why do they walk in streets and reside in residential buildings now, and all gather in single locations?
One needs to be qiite naive to believe any of the reports which come from US and Israel on their assassinations.
They are lying to you. About the assassinations. About the causes of war, about "nuclear threat" (there is a threat, but it is a long term threat, which is why what Israel does aims to break the spirit of the neighbouring nations, killing heads of the military, then just politicians, then journalists, then..).
There are indeed many, many lies, but the Iranian government confirmed these deaths. The BBC is a reasonably reliable source, and if they didn't have confirmation, they'd have written the headline as "Israel claims..."
It's not really much in their interest to lie about killing military leaders, precisely because their goal is to break the spirit. If the guy popped up the next day and said "Nuh uh!" it would be counterproductive to their goal.
For the rest, yes, it's rife with lies. The fact that they are actually killing people does not make this more moral. I'd rather they were lying about that, too.
Rule of thumb, its not. Common stuff like address randomization is a recent default, afaik still doesnt have random process ids, and the base permissions arent stellar. However I would prefer jails any day of the week vs the clusterf** that are namespaces and cgroups.
Right, because linux security == init system used by some distros. My experience with FreeBSD may be somewhat dated (I've used it since the 4.x days, provided commercial support for it for more than 15 years), an that is not my experience - at all. Obviously, it depends on the threat model you are considering and how far you want to go. The default install does not have (or had) sane security defaults, at least comparing to your random $ystemd linux distro; try installing both and give local shell to a red team and see how fast they get root access.
I put a Nextcloud snap on a VPS in the same city. Fast and no limitations.
reply