Hacker News: piracykills's comments

Fun fact - "DivX ;-)" was a cracked version of the Microsoft MPEG4 decoder which was originally restricted to only play in ASF containers and has nothing to do with DivX the company which came later.

For more history on this, see https://en.wikipedia.org/wiki/DivX#History


Are you confusing the DivX codec with the DIVX DVD format? I don't know how accurate it is to say that the cracked MPEG4 decoder had nothing to do with DivX the company. Gej (https://en.wikipedia.org/wiki/J%C3%A9r%C3%B4me_Rota) was the guy that created the DivX ;) crack, and definitely worked at DivX, Inc. from the very beginning.

Source: worked at DivX


> My hosting provider eventually took it down, because URL redirectors can be used for phishing.

What provider was this? I'm going to make sure to never use them. That's not a valid reason at all to take someone's site down; even if it's being actively abused, you notify them first, and notify them many times, before even considering booting them as a customer.


I think about 3 times a week I get emails from a new cryptocurrency upstart that I've never heard of but which is using either the hacked Mt.Gox or BTC-e list.

The practices these people are using are scummy as fuck.


Much of it seems to be designed more to sow discord between the parties than to directly influence the election.

Mission accomplished I guess.


“sow discord” is an overused meme thrown around by people who choose to not form their own opinion but, instead, repeat what they read in the tabloids


I don’t know if you looked at the samples or not, but out of 6 samples only 2 can be considered remotely political. Sure, one uses a photo of Putin with a toast “let’s drink for politics”. At a stretch we could consider every “thanks Obama” meme a political one.

I think this is a distraction maneuver by Facebook to direct away attention from the latest events.


I suppose you're right, not necessarily between the two parties but between US citizens and each other, for which the parties are sometimes used as a proxy - you see lots of promotion of black rights groups with fringe views and far-right groups with thinly or completely unveiled racist views. Just little tricks that will hook a small number of people, but make the overall picture you see on TV look much worse than it is on average.


But there is none of that in these samples provided. It’s just memes and garbage “viral” content à la BuzzFeed.

I know there were other samples posted before that had more of what you are talking about. But I’m strictly speaking about the current batch and the article in question and screenshots from that article.

I’d imagine Facebook would cherry pick the most offending pieces to show off. And whatever evidence is currently presented seems weak at best.


Curious - why is argon2 still second to scrypt on this list?

I'd also question the backup solution; I think Restic is a better option due to its flexibility (I can do cheap backups to B2), and fairly reputable people seem to approve of its cryptography:

https://blog.filippo.io/restic-cryptography/

If anyone sees a reason why Tarsnap would be better (other than Percival's brand), I'd be quite interested.


Yeah. Here’s my situation, which I don’t think is especially uncommon:

- My laptop has a 1TB disk, which is mostly full. I want to back it up.

- Some of the data on it is sensitive. The vast majority is not - for example, a large fraction of the disk is taken up by torrented anime videos - but I don’t want to separate out only the sensitive data to back up securely. Not only would that be inconvenient, it would be wildly insecure, since I’d presumably want some other, potentially less secure backup solution for the rest of the data, and it’d be really easy to miss some sensitive data and have it accidentally included in the insecure backup.

- Storing 1TB of data on Tarsnap for a year costs $3,000 (though after deduplication and compression there should be somewhat less than 1TB).

- Storing 1TB of data on Amazon Glacier for a year costs $48, which can be combined with various open-source encryption tools (of varying quality).

- Backblaze’s consumer backup product, which I currently use, costs $50 per year for unlimited storage; it supposedly does client-side encryption, though I don’t know how much I trust it.

- One of those prices is not like the others.

- I expect to have a larger disk in the future, and fill it up too; storing 2TB would double the Tarsnap and Amazon prices.

- If Tarsnap actually made the difference between my data being compromised or not, that would be worth $3,000 or $6,000 to me, and I do have the means to spend that much if necessary. But in reality, I’d expect it to only slightly reduce the chance of compromise compared to a high-quality alternative, and I don’t have so much money (or arguably, I don’t value security highly enough?) that I can reasonably spend so much on that small of a benefit.

- Why should you, the author of the post, or anyone else care that I’m stingy? Well, you don’t have to. But I’d certainly appreciate advice from experts about which of the alternatives are the best. In other words, what the right-est answer is that fits my budget constraints, even if it’s not actually the right answer. :) I don’t think the alternatives are all so insecure that it would be irresponsible to recommend any of them.

- I have nothing against Colin personally; indeed, I wish him the best of success. I do think his pricing model doesn’t do a great job representing his costs, since the time he spends maintaining the Tarsnap software and servers, and providing support, doesn’t scale linearly with the amount of data stored. But there’s no rule it has to; it’s his choice. It’s just that the result is a service that isn’t for me.


Restic's threat model assumes trusted systems - the ability to make a backup also implies the ability to destroy and tamper with existing ones. Tarsnap has fine-grained access controls which can severely restrict hosts:

https://www.tarsnap.com/man-tarsnap-keymgmt.1.html

e.g. you may give each host their own write-only key so they can automatically create new snapshots, while keeping the keys that permit reading and deleting old snapshots on separate machines with separate passphrases.


This is relevant:

> But, seriously: you can throw a dart at a wall to pick one of these. Technically, argon2 and scrypt are materially better than bcrypt, which is much better than PBKDF2. In practice, it mostly matters that you use a real secure password hash, and not as much which one you use.

It’s not so much a strict order of preference as it is a preference, any preference, so as to still be recommending things. Argon2 and scrypt are too close to call.


I'm under the impression Argon2 is at least marginally better than scrypt as it has heavily analyzed side channel mitigations and such. Is scrypt better in some other way?


Argon2 and the PHC precipitated a lot of analysis that increased our confidence in scrypt, too. My point is that it doesn’t really matter, so optimize for availability. I like Argon2 for the stamp of approval, but dislike all the confusion around parameter selection and i-vs-d confusion. (I know argon2id exists.)


Doesn't scrypt suffer from much of the same parameter selection issues? I know I've had to choose some fairly obtuse values when using scrypt for login in a webapp.

In fact, taking a quick look again I find Argon2's "memorySizeKB" and "iterations" make much more sense to me than scrypt's "CostFactor" and "BlockSizeFactor" parameters, as it's a lot clearer what's being impacted. I agree with the i-vs-d confusion, but in most cases I think using argon2id as you mentioned should resolve the contention, as it is already the suggested default in the IETF draft.
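To make the parameter point above concrete, here is an added example (not from this thread) that turns scrypt's N, r and p into the memory they actually cost, the figure Argon2 exposes directly as memorySizeKB, using Python's stdlib hashlib.scrypt. The 32 MiB ceiling is OpenSSL's default SCRYPT_MAX_MEM; the password and salt are constructed.

```python
import hashlib
import os

# OpenSSL's SCRYPT_MAX_MEM: the ceiling applied when maxmem is left at 0.
DEFAULT_MAXMEM = 32 * 1024 * 1024


def scrypt_memory_bytes(n, r, p):
    """Bytes scrypt allocates: the 128*r*(N+2) scratch table (V, X, T) plus p*128*r for B."""
    return 128 * r * (n + 2) + 128 * r * p


def scrypt_memory_kib(n, r, p):
    """The same footprint in KiB, i.e. the number comparable to Argon2's memorySizeKB."""
    return scrypt_memory_bytes(n, r, p) // 1024


def needs_explicit_maxmem(n, r, p):
    """True when hashlib.scrypt rejects these parameters unless maxmem is raised."""
    return scrypt_memory_bytes(n, r, p) > DEFAULT_MAXMEM


def hash_password(password, salt, n=2 ** 14, r=8, p=1):
    """Derive a 32-byte key; maxmem follows the computed footprint so larger N still works."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=scrypt_memory_bytes(n, r, p), dklen=32)


if __name__ == "__main__":
    salt = os.urandom(16)  # fresh per password; store it next to the hash
    for n, r, p in ((2 ** 14, 8, 1), (2 ** 15, 8, 1), (2 ** 17, 8, 1)):
        print(f"N=2^{n.bit_length() - 1} r={r} p={p}: {scrypt_memory_kib(n, r, p)} KiB"
              f" (over default maxmem: {needs_explicit_maxmem(n, r, p)})")
    print(hash_password(b"correct horse battery staple", salt).hex())
```

Doubling N doubles the memory while r scales both memory and the per-block work, which is why the two knobs are so easy to confuse.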


Re parameter selection, I’m referring to:

https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#sectio...

Specifically:

> We recommend the following procedure to select the type and the parameters for practical use of Argon2.

As opposed to just pick a profile, which, to be fair, the RFC also suggests :) So I guess that’s a fair point, it just feels like as with the i-vs-d thing there’s just more song and dance around it that I wish wasn’t there. The suggestion in the RFC vs published 3rd party recommendations (e.g. jjarmoc’s NNC reco) are also off by a factor of 100 or so? I’m happy to buy that that’s an unfair subjective impression, but when I was reviewing an argon2id python implementation last week I really just wanted to give people a function that just does “encrypt my damn password already”. Maybe that’s the implementation layer’s job, that’s fine - I did that for txscrypt too and I don’t remember where I got the magic numbers from :)

To be clear in case someone else reads this out of context: I am not saying not to use Argon2id!


Thanks for the pointer to restic.

I like and use tarsnap (and have for years) but the lack of choice of backends is a downside. I've been waiting for something I can use to backup my workstation and laptops to a server at home as well as a server I have at $work (ISP). I've tried out all the usual applications but have yet to find something I'm happy with.

restic looks like it may fit the bill perfectly.


"I've been waiting for something I can use to backup my workstation and laptops to a server at home as well as a server I have at $work (ISP)."

borg[1] has been referred to as "the holy grail of backups"[2] and is supported at rsync.net.[3]

The end result is encrypted, zero knowledge remote backups on a ZFS filesystem that you can SSH to.

I think everyone here knows all about rsync.net, but here are some examples:[4]

  ssh user@rsync.net sha256 some/file
  pg_dump -U postgres db | ssh user@rsync.net "dd of=db_dump"
  ssh user@rsync.net du -Ahd2 some/directory

[1] https://borgbackup.readthedocs.io/en/stable/

[2] https://www.stavros.io/posts/holy-grail-backups/

[3] http://rsync.net/products/attic.html

[4] http://www.rsync.net/resources/howto/remote_commands.html


One of the nicer bits of borg is the ability to restrict it to append-only mode, which limits the damage compromised hosts can do. e.g in authorized_keys:

    command="/usr/local/bin/borg serve --append-only --restrict-to-path=/home/backup/bla",restrict ...

I use this with passphrase-free ssh keys to allow automated backups without permitting the destruction of any existing backups.

Do you get enough control to do that on rsync.net?
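The authorized_keys entry above only protects existing backups if every client key on the server is pinned the same way. As an added example (not from this thread or the borg project), this checker parses a constructed authorized_keys file with placeholder key blobs and flags entries whose forced command is not an append-only `borg serve` or which lack OpenSSH's `restrict` option (available since OpenSSH 7.2).

```python
import shlex

# Constructed sample (placeholder key blobs): correct entry, one missing --append-only, one bare key.
SAMPLE_AUTHORIZED_KEYS = """\
command="/usr/local/bin/borg serve --append-only --restrict-to-path=/home/backup/laptop",restrict ssh-ed25519 AAAAC3PLACEHOLDER laptop
command="/usr/local/bin/borg serve --restrict-to-path=/home/backup/desk",restrict ssh-ed25519 AAAAC3PLACEHOLDER desktop
ssh-ed25519 AAAAC3PLACEHOLDER admin
"""
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "sk-ssh-ed25519@openssh.com"}


def parse_line(line):
    """Return (options, comment); the options field ends at the first unquoted space."""
    i, quoted = 0, False
    while i < len(line) and (quoted or not line[i].isspace()):
        quoted ^= line[i] == '"'
        i += 1
    if line[:i] in KEY_TYPES:              # bare key: no options field at all
        return [], " ".join(line.split()[2:])
    opts, cur, quoted = [], "", False     # split options on commas outside quotes
    for ch in line[:i]:
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            opts, cur = opts + [cur], ""
        else:
            cur += ch
    return opts + [cur], " ".join(line[i:].split()[2:])


def audit(text):
    """Map each entry's comment to the reasons it is not locked to append-only borg serve."""
    findings = {}
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        opts, comment = parse_line(line)
        cmd = next((o[len("command="):] for o in opts if o.startswith("command=")), None)
        problems = [] if cmd is not None else ["no forced command: key gets a login shell"]
        if cmd is not None:
            argv = shlex.split(cmd)
            if len(argv) < 2 or not argv[0].endswith("borg") or argv[1] != "serve":
                problems.append("forced command is not 'borg serve'")
            if "--append-only" not in argv:
                problems.append("missing --append-only: client can prune or delete archives")
            if not any(a.startswith("--restrict-to-path=") for a in argv):
                problems.append("missing --restrict-to-path: any repository path is reachable")
        if "restrict" not in opts:         # OpenSSH 7.2+: no pty, forwarding, agent or X11
            problems.append("missing 'restrict' option")
        if problems:
            findings[comment] = problems
    return findings
```

Run `audit(open("/home/backup/.ssh/authorized_keys").read())` on the backup account to get the offending entries keyed by their comment.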


"Do you get enough control to do that on rsync.net?"

Yes. You have your own .ssh folder in your account and can edit (upload) your keys as you see fit.

Also, if you have our ZFS snapshots enabled, those are immutable/readonly - so even if you aren't using a sophisticated tool like borg, you still have snapshots of your data that are immune to attack - even from someone who knows all of your credentials.


Borg's encryption scheme is weak and not suited for multiple nodes using the same repo.


This isn't zero-knowledge. Please use this opportunity to educate the public instead of muddying the term for the sake of marketing buzzwords.



Your point is well taken. Thanks.


+1 for restic. I've been using it for work-related backups for a while and it works quite well. rclone support has recently been added [0], expanding the number of storage backends available by quite a bit.

[0] https://restic.net/blog/2018-04-01/rclone-backend


If you read the details of that decision, they're pretty interesting - they only did it because people were claiming CloudFlare were supporting their ideas.

Matthew Prince basically said "this is dangerous" and a month or two later that exact decision was being used against them in court to take down a copyright infringer.

Not saying one way or another about it being a good or bad decision, but they definitely knew they were setting a scary precedent when they did it.


Sure, you can sync to your own drives or to several commercial storage providers, but it's not as cheap as it should be. We're talking geographically distributed storage on an open marketplace, cryptographically enforced for extremely cheap prices.

Wasabi and B2 are pretty much the only commercial services which could even attempt to compete on price with something like Sia today (Filecoin and others in the future potentially), but they're only in single DCs and if they lose your data you have no one to go after. In the cryptocurrency-based systems, this is all automated.

For as many incredibly stupid and useless applications of blockchains as there are, this isn't one of them in my opinion. It may not be unique, but it's actually something that could have a competitive edge over a centralized service.


>Wasabi and B2 are pretty much the only commercial services which could even attempt to compete on price with something like Sia today (Filecoin and others in the future potentially)

It would be nice to see Sia/Filecoin provide some basic DB metrics like availability, durability, latency, bandwidth... things that any prospective client would absolutely need to know.


> Wasabi and B2 are pretty much the only commercial services

You're missing OVH, which has multiple DCs.

Automating the upload to different endpoints is not exactly something exclusive to the blockchain, I already have that with git-annex.


Yeah, I mean it only makes sense. It's about price discrimination - they don't want to give you a discount if you're willing to pay full price, same reason companies send out coupons or mobile app offers. They want to offer discounts only to bargain hunters and those who otherwise wouldn't be able to afford the service because that's where it's worth spending the money for them.

If you're not already, find yourself a local deals site - it can really help you avoid getting screwed over by stuff like this. You can also wind up staying if you're willing to call your current provider back and say "here's what they're offering, beat it or I'm leaving".


I suspect that for many on this forum, their time would be better spent making more money than figuring out how to save money.


Not so sure, I saved over $1200 this year in about 1 hour of research and 1 hour of phone calls and live chats... my time is definitely not worth $600/hr.


Your savings are also tax-free (for personal bills), so for those of us paying just over 50% in taxes on the last dollar, we would need to make over $200 in income to put the same $100 in our pocket as cutting a bill by $100.


Well, it would be if you did that exact job professionally ;)


What sort of research did you do?


true.

OTOH, consider the value of the satisfaction you feel pushing back against a business that rips you off.


It's just business. If you really feel like pushing back, then focus your efforts on changing legislation or spreading your money around so that we don't only have 2 mobile providers, and 1 internet provider, and 2 taxi options, etc.


There are brushes that don't use bristles. For example: https://www.amazon.ca/gp/aw/d/B073VHLQNW/ref=mp_s_a_1_4?ie=U...


FYI that one is a Chinese knock-off of the Kona brush I mentioned in my comment.


The so-called knockoff looks like a much thicker wire is used. And Kona is selling an even more prone bristle brush: https://amzn.to/2GT3GyE

So I'd go with the generic versus a label that is knowingly producing a dangerous bristle brush.


It's likely quite profitable, they don't buy bandwidth from Amazon, they get a few colo'd machines or dedicated servers in many DCs - you can get dedicated gigabit lines in several DCs for a few hundred a month. Most subscribers only use the service occasionally and won't place that much load on it.

