Bruce Schneier r/IAmA, and Five Eyes Backdoor Bullshit

This "just give us a secure backdoor!" bullshit is just infuriating to anyone who can think.

Any programmer can write a new crypto program without the officially mandated backdoor. Even if the Stasi5 banned all existing interpreters and compilers (and watch the economy burn when we can't write any programs), we could rewrite a crypto program in assembly, type character codes into a text editor, save it and run it with a buffer overflow, and now we could communicate securely, while everyone else was completely exposed. Banning all computers? You'd also have to ban all electronics that could be used to make a new computer. Starting a new Dark Age with a Butlerian Jihad burning all computers is literally the only way to stop people from having strong cryptography.

The only purpose of the "secure backdoor" is to let governments spy on law-abiding citizens. It can serve no other purpose. Time for us to end the "intelligence" agencies and set up something new.

That_one_Pizza: "Your opinion on pineapple on pizza?"
BruceSchneier: "The 1973 Council of Naples authorized fourteen pizza toppings, and pineapple was not one of them."

Hawaiian Pizza: The pizza of rebels. Never let the Man tell you what you can have on your 'za.

The Wolf

These are amazing. The most overwrought, insane, semi-plausible haxxoring through shitty wireless printers. Great production values, reasonably well scripted. I'm always inclined to favor Slater's side in a movie, especially as a prankster/villain. ★★★★½ and I'm excited to watch more of these ads.

Their previous "The Fixer" series with Mike from Breaking Bad was awful; he can't even pronounce half the technology.

Obviously, no sane person would run a wireless printer and expect it to be safe. Also no sane person would run an immune-deficiency Windows box, HP or not, and expect it to be safe. Get a Mac, or install FreeBSD, OpenBSD, or OpenIndiana in lieu of Solaris, or if you really hate yourself, Linux (inevitable comment: "well, actually, it's GNU/Linux ahem may I show you my fedora collection"). At one time HP-UX was good, but that was a long time ago.

ESLint Security Incident

Happily, the version my installed eslint contains is later:

% npm info eslint|grep scope
eslint-scope: ^4.0.0

Interesting attack: Collect one bad password, use that to get someone's npm credentials, push a virus that uploads more people's npm credentials. Soon they could have had every package infected. Only being watchful prevented catastrophe.

Repeating my Password lesson: Use strong passwords. Do not ever reuse passwords.
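Two checks that follow from this incident, as an added example (not from the post or from the ESLint project): compare the versions recorded in a lock file against a known-good floor, and flag any installed package that declares an install-time lifecycle script, since install scripts are where a credential-stealing payload gets to run. The package names are real; every version number and script in the block is a constructed placeholder, not the versions or payload involved in the actual incident.

```python
"""Added example (not from the post or the ESLint project): audit the
dependencies recorded in an npm lock file, flagging any package whose
installed version is below a known-good floor and any package whose
package.json declares an install-time lifecycle script.

Package names are real; every version number below is a constructed
placeholder, not the versions involved in the actual incident.
"""
import json
import re
from typing import Dict, List, Tuple

# Constructed: the subset of a lock file's "dependencies" map that matters
# here. "version" is the resolved version that was actually installed.
LOCKFILE = json.loads("""
{
  "dependencies": {
    "eslint":       {"version": "5.0.1", "requires": {"eslint-scope": "^4.0.0"}},
    "eslint-scope": {"version": "4.0.0"},
    "left-pad":     {"version": "1.3.0"}
  }
}
""")

# Constructed: each package's package.json "scripts" as read from node_modules.
INSTALLED_SCRIPTS = {
    "eslint":       {"test": "mocha"},
    "eslint-scope": {"postinstall": "node ./install.js"},   # constructed: worth a look
    "left-pad":     {},
}

# Constructed placeholder floor: the first version known to be clean.
# In a real audit, take this from the advisory for the incident.
MIN_SAFE = {"eslint-scope": "4.0.0"}

# npm runs these automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn 'MAJOR.MINOR.PATCH' (prerelease/build tags dropped) into a comparable tuple."""
    core = re.match(r"\d+(\.\d+)*", v.strip())
    if not core:
        raise ValueError(f"not a version: {v!r}")
    parts = tuple(int(p) for p in core.group(0).split("."))
    return parts + (0,) * (3 - len(parts))


def below_floor(installed: str, floor: str) -> bool:
    return parse_version(installed) < parse_version(floor)


def audit(lockfile: dict, scripts: Dict[str, dict], floors: Dict[str, str]) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    findings = []
    for name, meta in lockfile["dependencies"].items():
        version = meta["version"]
        if name in floors and below_floor(version, floors[name]):
            findings.append(f"{name}@{version} is below known-good {floors[name]}")
        hooks = [h for h in INSTALL_HOOKS if h in scripts.get(name, {})]
        if hooks:
            findings.append(f"{name}@{version} runs install-time script(s): {', '.join(hooks)}")
    return findings


if __name__ == "__main__":
    for line in audit(LOCKFILE, INSTALLED_SCRIPTS, MIN_SAFE) or ["no findings"]:
        print(line)
```

The version floor only helps once an advisory names the bad release; the install-script check works before that, which is why it is worth running on every fresh install, with `npm install --ignore-scripts` as the conservative default until you have looked at what gets flagged.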

The HTTP Sky Is Falling, Says Chicken Little

Dave's explanation is just absolutely wrong, and he has to know this, he's lying to frighten you away from security; I don't know why. Google's not planning censorship, just a warning being provided that a site taking your personal information is not secure.

Will this break plain HTTP sites?
No. HTTP sites will continue to work; we currently have no plans to block them in Chrome. All that will change is the security indicator(s).
Chromium: Marking HTTP as Non-Secure

Even if Google Don't Be Evil was Evil, you could still use Free-as-in-Drugs Firefox or whatever, and you can just use curl to archive sites, or even do it by hand:

% telnet example.com 80
GET / HTTP/1.1
Host: example.com
(hit return twice, ctrl-D to end)

But you shouldn't be trusting anything you see or entering anything on an HTTP page.

If you connect to a site over HTTP and you do not fully control the wires from your computer to the server, that site can be spoofed and spied on. If you use public wifi to talk to HTTP, your logins and credit cards WILL be stolen. Guaranteed, some jackass in your Starbucks is wiresharking your connection.

Even if you think you have a secure connection, anyone on the routers between you and the server can read your connection. Routers are not secure, they have been routinely compromised.

The only protection you have against these "Man in the Middle" attacks is TLS (successor to SSL), using HTTPS instead of HTTP, SSH instead of telnet, SFTP instead of FTP, emailing with MIME and SMTP over TLS instead of unsecured ports, iMessage or Signal instead of IRC or Twitter & Facebook "direct messages" (which have never been hidden from their staff).
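The by-hand exchange from the telnet transcript above and the TLS protection described here, as one added example (not from the post): `build_get()` produces exactly the request typed into telnet, `fetch()` sends it either over plain TCP on port 80, where every hop on the path can read it, or over TLS on port 443 with chain and hostname verification, which is what defeats a spoofed server. example.com is the host the post uses; the response parser is exercised on a constructed reply so the logic can be checked without a network.

```python
"""Added example (not from the post): a raw HTTP/1.1 GET done from Python,
over plain TCP or over verified TLS. example.com is the host the post uses;
SAMPLE_RESPONSE is a constructed reply for offline checking.
"""
import socket
import ssl
from typing import Dict, Tuple

CRLF = b"\r\n"


def build_get(host: str, path: str = "/") -> bytes:
    """HTTP/1.1 GET: the Host header is mandatory; Connection: close lets us read to EOF."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {host}", "Connection: close", "", ""]
    return CRLF.join(line.encode("ascii") for line in lines)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    version, code, *_ = status_line.decode("ascii", "replace").split(" ", 2)
    if not version.startswith("HTTP/"):
        raise ValueError(f"bad status line: {status_line!r}")
    headers = {}
    for line in header_lines:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def fetch(host: str, path: str = "/", use_tls: bool = True,
          timeout: float = 10.0) -> Tuple[int, Dict[str, str], bytes]:
    """GET over plain TCP (port 80, readable by every hop) or TLS (port 443, verified)."""
    port = 443 if use_tls else 80
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        # The default context verifies the chain against the system trust store
        # and checks the certificate against `host`; an impostor fails right here.
        ctx = ssl.create_default_context()
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_get(host, path))
        chunks = []
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    return parse_response(b"".join(chunks))


# Constructed reply, shaped like what a server sends back.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"Content-Length: 13\r\n"
    b"\r\n"
    b"<p>hello</p>\n"
)

if __name__ == "__main__":
    status, headers, body = fetch("example.com")   # needs network access
    print(status, headers.get("content-type"), len(body), "bytes")
```

With `use_tls=False` the bytes on the wire are exactly what `build_get()` returns plus the server's reply, which is what a packet capture on the coffee-shop wifi sees; with the default, only the TLS handshake metadata is visible.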

In the early days of the ARPAnet and Internet, there was no security and we couldn't do much about it, but to resist warning people about insecure sites now is irresponsible.

Password

So first, and most importantly, never reuse passwords, no matter how trivial. Eventually any company will screw up or be hacked, and your password will be exposed, and then someone can try it on every other site.

Second, use a password manager for every password. I use 1Password, but other options are available. Don't write passwords on paper, unless that paper is stored in a safe (and then where do you store the combination?). Never write your passwords on a whiteboard! Never speak your passwords aloud!

Third, use a strong password, not 12345. 1Password will offer to generate a three-word password for you. I take that and often modify it, then save.

Fourth, keep your password vault safe: Put a good password (not just a number code) on your phone, always lock it and set it to autolock immediately, put a good password on 1Password, memorize that, write it NOWHERE.

Fifth, secure your devices. TouchID is a great convenience and a "tinsel lock" to keep semi-honest people from poking around in your phone, but it can be used against your will. When I go out, I turn off TouchID so pigs or other armed criminals can't force me to unlock my phone, and from there get to my password vault. If it's on, you can restart the iPhone quickly by holding power and home, and then TouchID is turned off.

On your computer, 1Password should always ask for a password, but it's also a good idea to lock the screen whenever you're away from it. On the Mac, open Keychain Access with Spotlight, Preferences, turn on "Show keychain status in menu bar". Now you can just click the lock in the menu bar, Lock Screen, and you're safe.

So you end up with defense in depth here: A strong unique password on each site. A secure password vault. And a secure device holding that vault. That's not paranoia, it's how you secure your data.
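The mechanics behind the first three steps, as an added example (not from the post and not 1Password's code): `generate_passphrase()` builds a multi-word password from a wordlist using the OS CSPRNG, `entropy_bits()` says how much it buys you, and `find_reused()` is the check a vault should pass, reporting every password that guards more than one site. The wordlist and the vault are constructed samples, not real data.

```python
"""Added example (not from the post or from 1Password): a CSPRNG-backed
passphrase generator, its entropy, and a reuse check over a vault.
WORDLIST and SAMPLE_VAULT are constructed samples.
"""
import hashlib
import math
import secrets
from collections import defaultdict
from typing import Dict, List, Sequence

# Constructed: a real passphrase wordlist runs to thousands of entries.
WORDLIST = ["basalt", "copper", "dahlia", "ember", "fjord", "gravel",
            "harbor", "ingot", "juniper", "kestrel", "lantern", "marble"]


def generate_passphrase(words: Sequence[str], count: int = 3, sep: str = "-") -> str:
    """Pick `count` words uniformly with the secrets module (CSPRNG), never random.choice."""
    if count < 1 or not words:
        raise ValueError("need a non-empty wordlist and count >= 1")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(wordlist_size: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `wordlist_size` words."""
    return count * math.log2(wordlist_size)


def find_reused(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each reused password (as a truncated hash, so the report carries no secrets)
    to the sorted list of sites it protects."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]
        by_password[digest].append(site)
    return {d: sorted(sites) for d, sites in by_password.items() if len(sites) > 1}


# Constructed vault: two sites share one password, the failure the post warns
# about, since one breach then exposes both.
SAMPLE_VAULT = {
    "bank.example":  "copper-fjord-lantern",
    "shop.example":  "basalt-marble-ingot",
    "forum.example": "copper-fjord-lantern",
    "mail.example":  "kestrel-dahlia-gravel",
}

if __name__ == "__main__":
    print(generate_passphrase(WORDLIST),
          f"({entropy_bits(len(WORDLIST), 3):.1f} bits from this tiny list)")
    print(f"three words from a 7776-word list: {entropy_bits(7776, 3):.1f} bits")
    for digest, sites in find_reused(SAMPLE_VAULT).items():
        print(f"password {digest}... reused on: {', '.join(sites)}")
```

Modifying a generated passphrase by hand, as the post describes, cannot lower the entropy the generator gave it, but the number only holds if the words were chosen by a CSPRNG from the full list; a phrase you pick yourself is worth far fewer bits than the same count of words suggests.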