If so, founder of Smoothwall, history in the UK security scene. Not to say that means that what's happening here is as serious as what's being alluded to, but has some background in the area.
I'd guess someone who wants to be seen as a trustworthy expert wouldn't want modern browsers to show a big "This website is insecure" landing page before people see their website.
I guess this would filter non-technical people, but Let's Encrypt existence has made any argument against web certificates moot. There's no sensible reason not to.
How many times must this question be answered? TLS is a requirement because otherwise nodes between your device and the server can easily modify the HTTP requests and responses to inject malicious code. Your traffic is also trivially tracked.
Because it's a security liability not to have it enabled, so if he's going to complain about others' security problems, the least he could do is put his metaphorical pants on first. He could be forgiven for not having it locked down to a few specialist ciphers he personally believes are resilient to attack, but to not even have it enabled is on the level of not putting your pants on before leaving the house.
Yes and no. It's more like flossing than wearing a seatbelt. The HTML tags won't fall out if you use http:// over port 80. It's not nice to end users in that it permits eavesdropping and content modification of website traffic in the clear by anyone in the network path. The assumption of http:// is that "pamphlets for the public" don't require privacy, confidentiality, and nonrepudiation for other users such as downloading software sources &| binaries or exchanging secret PII. The post-Snowden/-PRISM world opted to deploy https:// ubiquitously as both a virtue signal and technical defense to various problems inherent to using port 80.
Why does it not need verification? 3rd parties can a) replace the real content with lies, or more likely, b) inject it with 3rd-party ads. (this is not theoretical! *) c) inject crypto-mining/other malicious javascript into it. Outside of that though, d) Other people can see what you're looking at. Even if you don't take privacy seriously, you can at least understand that some people do, and would like their viewing habits to remain private.
John Gilmore's done more for the Internet than I ever could. I'm sure he's got a deeply philosophical, if not cogent reason for why http://www.toad.com/gnu/ is served over HTTP, but more than that, he's John Gilmore and his work speaks for itself. Dick Morrell, aka CloudGuy has no such chops. He's name dropped three unrelated government agencies and a car maker as a reason that his (dubious) claims should be respected, but, well, he's no John Gilmore.
>I searched him seems on a personal quest to get Musk. Tons of articles all going after Musk. Seems like another partisan hack.
Out of morbid curiosity, where did you find those "[t]ons of articles all going after Musk"?
Perhaps my DDG-fu is inferior, but searches for both "Dick Morrell" and "Cloudguy" showed a bunch of IT/infosec blogs/articles and articles flogging his technology bona fides.
Reading his other tweets the issue seems to be that old devices continue to get notifications even after you change the password since Amazon doesn't automatically remove old devices. I don't know how that's abused beyond being an issue for Amazon. Maybe if you lose your devices and don't force logout. His message seems a bit over the top but maybe there's more to it than I'm seeing.
Seems like the only vulnerability is if you've ever stopped using an Amazon-connected device without a logout everywhere and password change. Seems like the only precaution necessary is to do that after disconnecting but before giving away an Amazon-connected device.
So many people following, apparently blindly, advice on the interwebs... I can't even figure out what this supposedly is about. Are Amazon devices scanning local wifi networks or what is going on?
Now he is telling us to not update Twitter and Fire Tablets, and he is deleting "dubious followers". He doesn't seem to have a problem with Microsoft Defender scanning his network though. Clearly an absolute sane security expert.
<meta> hmm one of the downsides of distributed social media here. Many Mastodon instances are not up to handling a big influx of traffic from a popular post.
Would you say the same if this was a blogpost? If the blog software cannot handle the HN hug of death, the person should use Blogspot / WordPress / whatever instead? Centralized solutions cannot be the answer to every server going to its knees.
lol, I didn't say centralised services were always the answer, I said this was a downside of distributed social media because this was a link to a social media post and, if it had been on $centralised_social_of_choice, it would likely have handled the traffic better.
Yes and no. Behind a CDN is good, but people commonly use Cloudflare which has built-in bot protection, and the federation between fediverse nodes looks a lot like bots, and Mastodon isn't going to fill out a captcha, it'll just de-federate and break the network.
Configuring a CDN correctly of course will work, but I've done some basic analysis of the network and that is not happening, looks like a lot of first-time sysadmins running Mastodon without knowing about these sorts of things.
There is no "can Mastodon...", only "can this specific Mastodon instance...". Not everyone wants to run their traffic through a third party, especially if they usually do not expect such an influx of requests.
To be fair, you could probably run a local cache. There's no point in re-rendering a page that is expected to change at most once every minute at every single request during a hug of death type scenario.
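The "local cache" suggested in the comment above, written out as an added example that is not part of the thread and not Mastodon's own configuration: an nginx micro-cache in front of the web process, holding each anonymous page for one minute so a burst of visitors costs one render per URL rather than one per request. The upstream address, cache path, hostname and certificate paths are placeholders, and the session cookie name used for the bypass rule is an assumption; check it against your instance before relying on it.

```nginx
# Added example: nginx micro-cache in front of a Mastodon web process.
# Upstream address, cache path, hostname and cert paths are placeholders.
proxy_cache_path /var/cache/nginx/mastodon levels=1:2 keys_zone=mastodon:10m
                 max_size=1g inactive=10m use_temp_path=off;

upstream mastodon_web {
    server 127.0.0.1:3000;   # assumed: the instance's web (puma) process
}

server {
    listen 443 ssl;
    server_name example.social;                                             # placeholder
    ssl_certificate     /etc/letsencrypt/live/example.social/fullchain.pem; # placeholder
    ssl_certificate_key /etc/letsencrypt/live/example.social/privkey.pem;   # placeholder

    location / {
        proxy_pass http://mastodon_web;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Cache only anonymous traffic. A request carrying a session cookie
        # (cookie name "_session_id" is an assumption) or an Authorization
        # header must neither be served from nor written into the cache,
        # otherwise one logged-in user's page can be handed to everyone else.
        proxy_cache        mastodon;
        proxy_cache_key    $scheme$host$request_uri;
        proxy_cache_valid  200 1m;     # "changes at most once every minute"
        proxy_cache_lock   on;         # one upstream render per key; others wait
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
        proxy_cache_bypass $cookie__session_id $http_authorization;
        proxy_no_cache     $cookie__session_id $http_authorization;
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

Two caveats a practitioner would check before deploying this: nginx honours the upstream's Cache-Control headers by default, so if the application marks a page `private` or `no-store` it will simply not be cached (which is the safe failure mode; do not blanket-ignore those headers), and the `X-Cache-Status` header lets you confirm from the outside that anonymous hits report `HIT` while logged-in requests always report `BYPASS`.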
Well from what I understand there's some kind of interoperable network that everything works through though? There ought to be some general caching there at least. Right now every time there's something hosted on Mastodon posted anywhere it's not accessible because apparently the architecture is so bad that the average instance can't even handle a few hundred visitors without completely freezing.
If you’re on an instance that got the post (by someone following them, someone following someone who boosted it, through a relay, by someone having visited it before, etc…), then yes, it’s cached and you can see it through your instance, usually by pasting the link in the search bar
The way it's supposed to work is that each user would view this from their own Mastodon instance, and the federation would mean that traffic would be much lower on the source instance.
That doesn't work when people post links like this though. Maybe we need something like activitypub://@username/postid that can be opened in the user's default client if they have one, or could be resolved to the original instance if not via webfinger. Unfortunately never going to happen, but it would be in the spirit of the systems.
It depends on how worried you are about stalkers. If your address leaking is a big deal to you (which, it validly is for some), then yeah, do the thing. Everyone else need not panic though.
Absolutely. If you were in such a position, you would weigh cutting down your online footprint, adjusting your privacy settings, and securing your accounts by rolling passwords.
For Google users, there is the APP that works with smartphone embedded keys and FIDO2 keys like Yubikeys and Titankeys.
Looks like an old tactic to gain popularity: recommend something that could never hurt to do, presenting a minor or no problem as pretty important. Do this enough times to enough people and by chance some will benefit from it, raising your profile.