
https://vip.kogan.com/pub/cc? _ri_=X0Gzc2X%3DYQpglLjHJlTQGn68ivC5IMm3Pf6zcwcYpPUB0BnwrULsFFU3zezcTzaza6LMivm6kOzeKIzdzd63edhBVXtpKX%3DTDBTURT&_ei_=EkWqwsi91TXlqPTrcWgrEPZQbNGg3v4ClOjMrhfrvp7xr1eXSfMU3ei324HPdOyanzI6o9lgdV0B3QNE_oFn3_x6K80tFL5xjhE3ZZMtStxraFmi5WvVhz0tJosdUUZqLrKvm7yV_RiWfTdsFhOw1pjBuWJsZoKMB2bhnwRQmW6eI2RSUIS_emQokh- B0Nx9YKHLzSZAa8kjZcWOL7ijvCUXiDXyEhXj29YgHGyemzV56nlXR_ylv3UrB0. $16.70 per month per person for 2 accounts that each have a quota of 16G per month. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Hi, On 02/10/18 22:38, Russell Coker via luv-talk wrote:
https://vip.kogan.com/pub/cc? _ri_=X0Gzc2X%3DYQpglLjHJlTQGn68ivC5IMm3Pf6zcwcYpPUB0BnwrULsFFU3zezcTzaza6LMivm6kOzeKIzdzd63edhBVXtpKX%3DTDBTURT&_ei_=EkWqwsi91TXlqPTrcWgrEPZQbNGg3v4ClOjMrhfrvp7xr1eXSfMU3ei324HPdOyanzI6o9lgdV0B3QNE_oFn3_x6K80tFL5xjhE3ZZMtStxraFmi5WvVhz0tJosdUUZqLrKvm7yV_RiWfTdsFhOw1pjBuWJsZoKMB2bhnwRQmW6eI2RSUIS_emQokh-
B0Nx9YKHLzSZAa8kjZcWOL7ijvCUXiDXyEhXj29YgHGyemzV56nlXR_ylv3UrB0.
$16.70 per month per person for 2 accounts that each have a quota of 16G per month.
Okay, that ends up here: https://www.kogan.com/au/buy/kogan-mobile-prepaid-voucher-code-large-365-day... So.. .17GB instead of 16GB .... however, it says that it is "sold out" ??? It is also PERSONAL USE only AND it is using the Vodafone network. Otherwise, it is a pretty awesome deal. btw It is 4G not 3G as per the subject line. Kind Regards AndrewM

well there's cheap, and then there's $1 :-) https://www.tpg.com.au/mobile good for folks like me who do ~everything on wifi. maybe good for IoT stuff too, should you enter into that mine field. cheers, robin

Robin Humble via luv-talk wrote:
well there's cheap, and then there's $1 :-) https://www.tpg.com.au/mobile
good for folks like me who do ~everything on wifi. maybe good for IoT stuff too, should you enter into that mine field.
cheers, robin _______________________________________________ luv-talk mailing list luv-talk@luv.asn.au https://lists.luv.asn.au/cgi-bin/mailman/listinfo/luv-talk
Just realise with TPG the only payment option is direct debit; just in case you are phobic about such arrangements, like me! (confirmed via their contact number 1300242011) regards Rohan McLeod

Hi, On 14/10/18 13:33, Robin Humble via luv-talk wrote:
well there's cheap, and then there's $1 :-) https://www.tpg.com.au/mobile
good for folks like me who do ~everything on wifi. maybe good for IoT stuff too, should you enter into that mine field.
Yes, I've got that too, but at the time when it was using the Optus network. They sent me a SIM and tried to get me to change to Vodafone in the process, but I refused. Still using Optus network on that SIM, still a dollar per month. It is an "incoming" only mobile number generally. I call out using a different phone. Cheers A.

On Wednesday, 3 October 2018 4:13:05 AM AEDT Andrew McGlashan via luv-talk wrote:
On 02/10/18 22:38, Russell Coker via luv-talk wrote:
https://vip.kogan.com/pub/cc? _ri_=X0Gzc2X%3DYQpglLjHJlTQGn68ivC5IMm3Pf6zcwcYpPUB0BnwrULsFFU3zezcTzaza6L Mivm6kOzeKIzdzd63edhBVXtpKX%3DTDBTURT&_ei_=EkWqwsi91TXlqPTrcWgrEPZQbNGg3v4 ClOjMrhfrvp7xr1eXSfMU3ei324HPdOyanzI6o9lgdV0B3QNE_oFn3_x6K80tFL5xjhE3ZZMtS txraFmi5WvVhz0tJosdUUZqLrKvm7yV_RiWfTdsFhOw1pjBuWJsZoKMB2bhnwRQmW6eI2RSUIS _emQokh- B0Nx9YKHLzSZAa8kjZcWOL7ijvCUXiDXyEhXj29YgHGyemzV56nlXR_ylv3UrB0.
$16.70 per month per person for 2 accounts that each have a quota of 16G per month.
https://www.kogan.com/au/buy/kogan-mobile-prepaid-voucher-code-large-365-days-17gb-30-days/
So.. .17GB instead of 16GB .... however, it says that it is "sold out" ???
Kogan keeps having these deals. It's like CopperArt. If you miss one deal you get the next one.
It is also PERSONAL USE only AND it is using the Vodafone network.
It seems to mostly work fine. There are many places where Telstra gives better coverage, but a few corner cases where Vodafone gives better coverage (like the basement of the Arts and Design building at Melbourne University). As for personal use, there's nothing stopping you from using it for work. You just have to sign up under your own name. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Hi, On 14/10/18 15:18, Russell Coker via luv-talk wrote:
On Wednesday, 3 October 2018 4:13:05 AM AEDT Andrew McGlashan via luv-talk wrote:
On 02/10/18 22:38, Russell Coker via luv-talk wrote:
https://vip.kogan.com/pub/cc? _ri_=X0Gzc2X%3DYQpglLjHJlTQGn68ivC5IMm3Pf6zcwcYpPUB0BnwrULsFFU3zezcT zaza6L
Mivm6kOzeKIzdzd63edhBVXtpKX%3DTDBTURT&_ei_=EkWqwsi91TXlqPTrcWgrEPZQbNGg3 v4
ClOjMrhfrvp7xr1eXSfMU3ei324HPdOyanzI6o9lgdV0B3QNE_oFn3_x6K80tFL5xjhE 3ZZMtS
txraFmi5WvVhz0tJosdUUZqLrKvm7yV_RiWfTdsFhOw1pjBuWJsZoKMB2bhnwRQmW6eI2RSU IS
_emQokh- B0Nx9YKHLzSZAa8kjZcWOL7ijvCUXiDXyEhXj29YgHGyemzV56nlXR_ylv3UrB0.
$16.70 per month per person for 2 accounts that each have a quota of 16G per month.
https://www.kogan.com/au/buy/kogan-mobile-prepaid-voucher-code-large-365-days-17gb-30-days/
So.. .17GB instead of 16GB .... however, it says that it is "sold out" ???
Kogan keeps having these deals. It's like CopperArt. If you miss one deal you get the next one.
Yes, the same with many things. Supermarket specials come around again and again -- I never understand how they can sell some junk food at such exorbitant pricing and people still seem happy? Many things are a no buy for me unless they are significantly marked down; a "half price" special is not value when full price is triple or more than what it should be.
It is also PERSONAL USE only AND it is using the Vodafone network.
It seems to mostly work fine. There are many places where Telstra gives better coverage, but a few corner cases where Vodafone gives better coverage (like the basement of the Arts and Design building at Melbourne University).
As for personal use, there's nothing stopping you from using it for work. You just have to sign up under your own name.
Then "personal use" is a dud terms of service; it makes everyone who uses these products in business into "Aaron Swartz" .. not doing anything wrong, really, but the law doesn't see it that way :(

The other thing I don't understand about personal/business is that people without a job and plenty of "free" time are more likely to spend considerable time on the mobile than those busy at "work" on paid or unpaid tasks with the mobile being a significant distraction. Anyone actively working, sans sales people, do better to ignore the mobile on the whole and make use of voicemail and/or email or other forms of communication for a significant number of interactions -- sure there are times when a quick call is far better than back and forth emails that become useless because one or the other sender is ambiguous in the content and no reply email ever gets it solved quickly ... in those situations a quick call can be gold to stop the nonsense. Having said all that, sometimes you cannot ignore the incoming mobile call.

A Signal call can equally put to rest issues raised by ambiguous Signal messages in the same way as a call does for emails.

btw Nobody should put ANY trust in the mobile phone network when it comes to calls and SMS as it is an extremely insecure medium. At the very least you should be using Signal [or some other trustworthy end-to-end encryption tool with encrypted messages and calls, at the very least.... So sad that there is a need for Signal at all, but such is life.

Oh and using Signal, you need data, the unlimited calls and text doesn't come in to it. Then you need to be able to trust your data path, which usually means only using trusted WiFi networks and/or 3G/4G data on the mobile. Definitely don't use any "free" WiFi, especially if you can't trust it 100% ... that's why using your own hotspot is so important these days.

Cheers A.

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
A Signal call can equally put to rest issues raised by ambiguous Signal messages in the same way as a call does for emails.
btw Nobody should put ANY trust in the mobile phone network when it comes to calls and SMS as it is an extremely insecure medium. At the very least you should be using Signal [or some other trustworthy end-to-end encryption tool with encrypted messages and calls, at the very least.... So sad that there is a need for Signal at all, but such is life.
FWIW, here's what a friend who's even more jaundiced on these matters than I am wrote about Signal and similar:

tj> I've heard talk about people attempting to spend less time on
tj> Facebook and more on Signal, Slack or Wire.

These are nasty companies.

signal -- never had any real federation. posting server source is an irrelevant stunt, similar to wire. posting client source is only useful for someone who wants to fork the whole network, not someone who wants freedom within it.

unfriendly to pseudonymity by forcing phone number id, tying keys to phone, not supporting multiple accounts, etc.

doesn't support free software. They refuse to allow publication in F-Droid because of $arrogant_rant. Yes, yes, reasons, but don't go full aspie on me. They don't meet the bar, and that's that. Rants are a distraction not an excuse because the issue is control, not why you want control.

talks a lot of shit but has had multiple pants-down security moments: the group chat membership bug and the poor-choice-of-framework Blink bug.

slack -- offered irc gateways to build network effects then shut them down fucking evil.

a closed system designed specifically to poach lazy entitled "maker"-style can't-be-bothered non-player character users from a perfectly adequate open platform, then lock down the playing characters using network effects. Evil!

wire -- this is some proprietary Swiss garbage, right? four legs good, two legs bad. Why do we have to go through this over and over? "But if you're not paying for the product you are the [SLAP]." Shut up, Robin.

What's worse, unlike Google and Facebook, these "alternative" proprietary companies aren't under government and media scrutiny and don't have valuable reputations-to-lose bonding them. You would be better off protesting by using Bing, Wechat, or Baidu.

tj> If so, where did everybody go? I'm wondering what happened to
tj> all the people who actually did delete Facebook.

still a good question. my nitpicking doesn't answer.

I've been trying to get normies on riot.im. It uses signal-like insecure web frameworks, but prefers to run them in a browser tab instead of a standalone desktop app, which is more secure because you get chrome sandbox and chrome updates. It has a gateway to irc that is a little flakey but about halfway to ok---I use it with irc.hackint.org which runs their own instance of the matrix gateway. The server is a single-threaded Python twistedmatrix app that they are rewriting into multiple Go frontends around Kafka. The client is a single javascript blob for android/ios/web. The endpoint identifiers are Jabber-like, but there is a lookup server for verifying & "discovering" phone numbers (not sure how well it works), so theoretically best of both worlds. It's properly federated: you can set up your own domain-namespaced instance, and if matrix.org ceases to exist you can continue chatting.

--end--

Again, that's _his_ view, quoted. I actually don't personally use any such services. In fact, what I use is a simple flip phone (calls and SMS), and I don't particularly trust it: To the best of my understanding, the baseband processor problem is so pernicious that you really cannot trust any cellular device to not have been hacked from over the air.

Hi, On 14/10/18 18:31, Rick Moen via luv-talk wrote:
Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
A Signal call can equally put to rest issues raised by ambiguous Signal messages in the same way as a call does for emails.
btw Nobody should put ANY trust in the mobile phone network when it comes to calls and SMS as it is an extremely insecure medium. At the very least you should be using Signal [or some other trustworthy end-to-end encryption tool with encrypted messages and calls, at the very least.... So sad that there is a need for Signal at all, but such is life.
FWIW, here's what a friend who's even more jaundiced on these matters than I am wrote about Signal and similar:
tj> I've heard talk about people attempting to spend less time on tj> Facebook and more on Signal, Slack or Wire.
These are nasty companies.
signal -- never had any real federation. posting server source is an irrelevant stunt, similar to wire. posting client source is only useful for someone who wants to fork the whole network, not someone who wants freedom within it.
unfriendly to pseudonymity by forcing phone number id, tying keys to phone, not supporting multiple accounts, etc.
doesn't support free software. They refuse to allow publication in F-Droid because of $arrogant_rant. Yes, yes, reasons, but don't go full aspie on me. They don't meet the bar, and that's that. Rants are a distraction not an excuse because the issue is control, not why you want control.
talks a lot of shit but has had multiple pants-down security moments: the group chat membership bug and the poor-choice-of-framework Blink bug.
slack -- offered irc gateways to build network effects then shut them down fucking evil.
a closed system designed specifically to poach lazy entitled "maker"-style can't-be-bothered non-player character users from a perfectly adequate open platform, then lock down the playing characters using network effects. Evil!
wire -- this is some proprietary Swiss garbage, right? four legs good, two legs bad. Why do we have to go through this over and over? "But if you're not paying for the product you are the [SLAP]." Shut up, Robin.
What's worse, unlike Google and Facebook, these "alternative" proprietary companies aren't under government and media scrutiny and don't have valuable reputations-to-lose bonding them. You would be better off protesting by using Bing, Wechat, or Baidu.
tj> If so, where did everybody go? I'm wondering what happened to tj> all the people who actually did delete Facebook.
still a good question. my nitpicking doesn't answer.
I've been trying to get normies on riot.im. It uses signal-like insecure web frameworks, but prefers to run them in a browser tab instead of a standalone desktop app, which is more secure because you get chrome sandbox and chrome updates. It has a gateway to irc that is a little flakey but about halfway to ok---I use it with irc.hackint.org which runs their own instance of the matrix gateway. The server is a single-threaded Python twistedmatrix app that they are rewriting into multiple Go frontends around Kafka. The client is a single javascript blob for android/ios/web. The endpoint identifiers are Jabber-like, but there is a lookup server for verifying & "discovering" phone numbers (not sure how well it works), so theoretically best of both worlds. It's properly federated: you can set up your own domain-namespaced instance, and if matrix.org ceases to exist you can continue chatting.
--end--
Again, that's _his_ view, quoted. I actually don't personally use any such services. In fact, what I use is a simple flip phone (calls and SMS), and I don't particularly trust it: To the best of my understanding, the baseband processor problem is so pernicious that you really cannot trust any cellular device to not have been hacked from over the air.
All valid points, sure Signal isn't perfect, but it's at least better than "clearnet" even if the devices cannot be fully trusted due to the baseband and other "builtin" vulnerabilities. Still better for the normies of the world though. Heck, baseband ..... IME .... we are so lost these days, when we should be enjoying a far better and infinitely safer computing environment without needing to revert to flip phones and ancient pulse dialer phones (neither of which are as safe as they should be either fwiw); which the powers that be couldn't care less about ... AU legislation for instance (both direction and current situation). btw not interested in using Slack either and riot.im -- I wish, but for the same reasons that Signal is a fair base for the normies, so too is FB, just don't over share and be skeptical of any and all stories that are often fake news and other hype that is totally bogus. I do run my own XMPP server, but rarely both with it. Cheers A.

Quoting Andrew McGlashan (andrew.mcglashan@affinityvision.com.au):
Heck, baseband ..... IME .... we are so lost these days, when we should be enjoying a far better and infinitely safer computing environment without needing to revert to flip phones and ancient pulse dialer phones (neither of which are as safe as they should be either fwiw); which the powers that be couldn't care less about ... AU legislation for instance (both direction and current situation).
Heh. My attitude with my flip phone (Motorola RAZRv3, with a spare in my kitchen drawer ready for the SIM when this one dies) is that, absolutely, it could have been remotely compromised by the GRU, or these days by practically anyone down to Benny the bookmaker, using its crummy baseband blackbox chipset. So, I am careful not to trust it in any way, e.g., there's no data worth stealing on it, I assume all its channels for communication are insecure, and I authenticate anything on it I see or hear through other means. Reminds me: There was a hardened Android project that did a pretty hardheaded examination of all security risks on Android mobile devices, including the baseband threat. One of their conclusions was that, if you really wanted to be serious about device security, you should have hardened Android running on a wifi-only tablet, which you connect via USB cable to a separate mobile gateway ('modem') hardware widget. That being the only way they figured you could (at that time) ensure decent isolation of the phone processor from the baseband processor.
I do run my own XMPP server, but rarely both with it.
I used to do that, too, and it was fun. I should try it again.

Andrew McGlashan via luv-talk wrote:
btw not interested in using Slack either and riot.im -- I wish, but for the same reasons that Signal is a fair base for the normies, so too is FB, just don't over share and be skeptical of any and all stories that are often fake news and other hype that is totally bogus.
So you're not concerned about facebook experimenting on human beings without informed consent? https://en.wikipedia.org/wiki/Human_subject_research#cite_ref-:4_26-0 https://en.wikipedia.org/wiki/Informed_consent#cite_ref-39

Hi, On 15/10/18 11:51, Trent W. Buck via luv-talk wrote:
Andrew McGlashan via luv-talk wrote:
btw not interested in using Slack either and riot.im -- I wish, but for the same reasons that Signal is a fair base for the normies, so too is FB, just don't over share and be skeptical of any and all stories that are often fake news and other hype that is totally bogus.
So you're not concerned about facebook experimenting on human beings without informed consent?
Sure, but unless you do as Trent said and have no friends or other contacts, then you can give up on FB entirely too. In any case, whilst I do use FB, I don't use it like the "normies" as Rick puts it. I also use a bunch of other browser add-in features to at least lessen what FB can learn and exploit about myself to a significant but not zero degree. Cheers A.

Hello Andrew, and others, On 10/15/18, Andrew McGlashan via luv-talk <luv-talk@luv.asn.au> wrote:
Hi,
On 15/10/18 11:51, Trent W. Buck via luv-talk wrote:
Andrew McGlashan via luv-talk wrote:
btw not interested in using Slack either and riot.im -- I wish, but for the same reasons that Signal is a fair base for the normies, so too is FB, just don't over share and be skeptical of any and all stories that are often fake news and other hype that is totally bogus.
So you're not concerned about facebook experimenting on human beings without informed consent?
Sure, but unless you do as Trent said and have no friends or other contacts, then you can give up on FB entirely too.
I do use Gmail, but will not go near Facebook, but I do have friends both in meatspace and online. Their policies as to privacy and data ownership are too focused on their making an obscene profit, they sell too much. Yes a free Gmail account makes me the product, but there are less unethical uses, I am currently using the online version, but the basic HTML view in Firefox ESR on Debian and do not get the adverts, along with an excellent storage and backup that are currently beyond my capabilities.
In any case, whilst I do use FB, I don't use it like the "normies" as Rick puts it. I also use a bunch of other browser add-in features to at least lessen what FB can learn and exploit about myself to a significant but not zero degree.
It is there, that one word, exploit.
Cheers A.
Regards, Mark Trickett

Hi, On 15/10/18 20:37, Mark Trickett via luv-talk wrote:
Hello Andrew, and others,
On 10/15/18, Andrew McGlashan via luv-talk <luv-talk@luv.asn.au> wrote:
In any case, whilst I do use FB, I don't use it like the "normies" as Rick puts it. I also use a bunch of other browser add-in features to at least lessen what FB can learn and exploit about myself to a significant but not zero degree.
It is there, that one word, exploit.
Yes, well, I certainly rally against the idea of "allowing" Google to read every single email if it so chooses for whatever reason. I /give/ FB very little and Google much less overall. And there is no way that I'll willingly use Chrome browser. Of course nothing is perfect and we all need to make choices as to what is right for ourselves. This group here is, at least, far better informed than most ... ;-) I do use DDG via their .onion address over Tor .... fwiw. http://3g2upl4pq6kufc4m.onion/ Cheers A.

Hi, I do run my own XMPP server, but rarely *USE* it /other/ than as a signal (pun not intended or meant) that the server is running as expected if the XMPP client is working. Cheers A.

Rick Moen via luv-talk wrote:
a friend [...] wrote about Signal and similar:
friend> signal -- never had any real federation. posting server source is an [...]
friend> slack -- offered irc gateways to build network effects then shut them down [...]
friend> wire -- this is some proprietary Swiss garbage, right? four legs [...]

Do you have a canned rant for this one? https://en.wikipedia.org/wiki/Matrix_(communication_protocol)

friend> I've been trying to get normies on riot.im. It uses signal-like
friend> insecure web frameworks, but prefers to run them in a browser tab
friend> instead of a standalone desktop app, which is more secure because you
friend> get chrome sandbox and chrome updates.

Although then it can be XSS'd by other tabs, depending on how shitty your main browser is.

There was an IEEE Spectrum article a while ago (can't find it now) called something like "the web will be insecure until we break it", advocating that each website looking like a desktop app (with strong separation between them), but still using the kept-up-to-date browser engine.

The closest thing I've seen to this is this group policy in chromium (introduced in the wake of SPECTRE):

http://dev.chromium.org/administrators/policy-list-3#IsolateOrigins

If I actually logged into web pages and didn't e.g. locally NXDOMAIN facebook &c, I'd be turning this on for a bunch of name-brand domains.

friend> It has a gateway to irc that is a little flakey but about halfway to
friend> ok---I use it with irc.hackint.org which runs their own instance of
friend> the matrix gateway.

Ohhhhh, so riot.im is basically a matrix server you don't host yourself, so you have less hosting costs, but you have to watch for FISA canaries and stuff.

The reason I asked about matrix is I know a couple of people who run their own matrices and then join regular IRC, and they mostly look OK from my end (a dumb IRC client).

friend> The server is a single-threaded Python twistedmatrix app that they are
friend> rewriting into multiple Go frontends around Kafka. The client is a
friend> single javascript blob for android/ios/web.

Yeah, that's when I started to tune out during the last round of advocacy, because AFAICT both go and ES are still in the dark ages WRT long-term maintenance and security.
Again, that's _his_ view, quoted. I actually don't personally use any such services. In fact, what I use is a simple flip phone (calls and SMS), and I don't particularly trust it: To the best of my understanding, the baseband processor problem is so pernicious that you really cannot trust any cellular device to not have been hacked from over the air.
100% agree. IME the best way to solve this is to have no friends, so you don't need a phone to organize when to hang out with them.

Quoting Trent W. Buck (trentbuck@gmail.com):
Do you have a canned rant for this one? https://en.wikipedia.org/wiki/Matrix_(communication_protocol)
I wish I did. I _could_ ask the aforementioned bitter and cynical friend, Miles Nordin. Personally, I'm a little out of touch, what with having (custom, de-junkified) Android only on a wifi-only Nook Tablet, not a smartphone. And I can't be bothered with the trendy stuff in general, e.g., when one volunteer effort I associate with were lobbying for the group to adapt Slack, I said 'I'm sorry, isn't that like IRC or XMPP, except with obligatory proprietary secret-sauce and control by some bunch of businessmen you don't know and have no reason to trust?' They just looked at me, like, hey, the caveman spoke. ;->
There was an IEEE Spectrum article a while ago (can't find it now) called something like "the web will be insecure until we break it", advocating that each website looking like a desktop app (with strong separation between them), but still using the kept-up-to-date browser engine.
The closest thing I've seen to this is this group policy in chromium (introduced in the wake of SPECTRE):
http://dev.chromium.org/administrators/policy-list-3#IsolateOrigins
If I actually logged into web pages and didn't e.g. locally NXDOMAIN facebook &c, I'd be turning this on for a bunch of name-brand domains.
I've heard a great deal about this over the years from $SPOUSE, Deirdre, who for a long time was an engineer at Apple, Inc. working on the Safari Web browser -- which is surprisingly not bad for a proprietary binary-only thing, FWIW. Yes, what the article said. Deirdre regaled me with quite a few tales of where Apple introduced greater isolation between various things within Safari, and tradeoffs always being involved.
100% agree.
IME the best way to solve this is to have no friends, so you don't need a phone to organize when to hang out with them.
I find the potential privacy loss from $CROOKS potentially hax0ring my flip phone via the creaky, antique Freescale Semiconductor MC13777 quad-band RF transceiver and ARM-based DSP56631 GSM/GPRS/EDGE-enabled baseband IC to be of almost no concern -- because I don't have anything very meaningful on it (except the address book) and don't trust its operation with anything sensitive. In other words, one coping mechanism for mobiles not being trustworthy is to avoid trusting them. Similarly, people visiting my house are often surprised to find me advertising an unencrypted wifi ESSID. They ask, 'How can you trust the network?' I reply, 'I don't trust the network.'

On Sunday, 14 October 2018 4:33:45 PM AEDT Andrew McGlashan via luv-talk wrote:
The other thing I don't understand about personal/business is that people without a job and plenty of "free" time are more likely to spend considerable time on the mobile than those busy at "work" on paid or unpaid tasks with the mobile being a significant distraction. Anyone actively working, sans sales people, do better to ignore the mobile on the whole and make use of voicemail and/or email or other forms of communication for a significant number of interactions --
There are more than a few people watching TV on public transport on the way to/from work. If you spend 40 hours a month on public transport (which is not uncommon) then that would be 25G of data per month if you spent that time watching SBS on demand (I presume other TV sources have similar data requirements but don't use them so can't easily verify). Sometimes for work I have to download gigs of data. Doing an rsync of a Linux image isn't that uncommon for me.
btw Nobody should put ANY trust in the mobile phone network when it comes to calls and SMS as it is an extremely insecure medium. At the very least you should be using Signal [or some other trustworthy end-to-end encryption tool with encrypted messages and calls, at the very least.... So sad that there is a need for Signal at all, but such is life.
https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentic... Krebs gave the best write-up of SMS issues. As for Signal, it uses SMS to verify and change encryption settings. So if someone takes over your phone number or SMS I think there's nothing stopping them getting a new Signal key and communicating with people in your contacts list. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/

Hi, On 14/10/18 23:31, Russell Coker via luv-talk wrote:
On Sunday, 14 October 2018 4:33:45 PM AEDT Andrew McGlashan via luv-talk wrote:
The other thing I don't understand about personal/business is that people without a job and plenty of "free" time are more likely to spend considerable time on the mobile than those busy at "work" on paid or unpaid tasks with the mobile being a significant distraction. Anyone actively working, sans sales people, do better to ignore the mobile on the whole and make use of voicemail and/or email or other forms of communication for a significant number of interactions --
There are more than a few people watching TV on public transport on the way to/from work. If you spend 40 hours a month on public transport (which is not uncommon) then that would be 25G of data per month if you spent that time watching SBS on demand (I presume other TV sources have similar data requirements but don't use them so can't easily verify).
Well, I have a mobile broadband product with 100GB of data, for a little more, they have 200GB plans now. Before that I had a 50GB plan for under $60, so the $10 extra for double data back when I started this plan in January was a no brainer. My plan was with a device at $70 per month for 2 years and the device was "worth" about $880 when new. Current plans like this are now $80 per month, also with 2 year contract. That gives far more than enough data for anything I need to do away from the fixed wire service; so much so, that I don't even have to worry about using 4G data when fixed wire is handy. That is, if a mobile is connected via hotspot, then I don't necessarily bother to switch to the local WiFi which is connected to the fixed wire service. This kind of data level is as good as unlimited for me as I use it. https://www.optus.com.au/shop/tablet/devices/apple-ipad-2018?plan=35 128GB iPad with 128GB storage, a SIM ... 200GB data each month and some data excluded from quota, including iView, Discovery Channel and more, but not SBS. I also get iHeart Radio streaming at no cost (no subscription service involved either). My SIM is in a mobile (not the tablet) that I carry with me and it provides a hotspot 100% of the time that I need it. Now, that $1 per month plan on TPG (even if you have Vodafone), well, that mobile can get all its data from the hotspot. Another phone is used for normal calling if required, unlimited calls, SMS / MMS .... and more backup data at not much cost (similar enough to the Kogan deal, but using Optus network). If you are counting, that makes 3 mobiles, but one day I may end up using just two with one of the phones having dual SIM. My only problem or potential problem with the hotspot mobile is that I can run low on battery if I'm not careful.
https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentication/
Sure, as I said, you can't trust SMS and you definitely should not use it as 2FA unless you have no choice, then you can consider it suspect. The best option is to use offline TOTP, which I do with a Python script and some encrypted files that hold the keys as originally presented by the QR code -- no need to use Google Authenticator or any other /like/ app.
Krebs gave the best write-up of SMS issues.
As for Signal, it uses SMS to verify and change encryption settings. So if someone takes over your phone number of SMS I think there's nothing stopping them getting a new Signal key and communicating with people in your contacts list.
Yes, but, in the perfect world, SMS is only used for setup and if you can share the "safety numbers" securely, then you should be golden going forward. I never said Signal had no problems, in fact I agreed with what Rick's friend said about it. However, Signal is currently one of the best options out there that is more commonly used and not part of FB as WhatsApp is with their own encumbrances (even though they use the Signal protocol). Way, way, way back TextSecure used SMS for messages, but they were encrypted. These days, if you send SMS via Signal, then it will always be in plain text -- it's only when both users are using Signal that messages can be sent encrypted as data. I also don't like how Moxie Marlinspike requires everyone using his servers to have to be using his own app. You can run your own servers, but it isn't trivial and perhaps all the required code and steps are not easy to attain even though there is open source involved.... Cheers A.

Andrew McGlashan via luv-talk wrote:
I also don't like how Moxie Marlinspike requires everyone using his servers to have to be using his own app. You can run your own servers, but it isn't trivial and perhaps all the required code and steps are not easy to attain even though there is open source involved...
You can "run your own server", but it can't talk to anyone using the first-party server. https://www.jwz.org/blog/2018/08/signal/ https://www.jwz.org/blog/2017/03/signal-leaks-your-phone-number-to-everyone-...
The best option is to use offline TOTP, which I do with a Python script and some encrypted files that hold the keys as originally presented by the QR code -- no need to use Google Authenticator or any other /like/ app.
Depending on your threat model, the EMV approach might be a further refinement. That uses an applet running on your credit card (i.e. tamper-proof hardware and hardened algorithm), plugged into an airgapped device that looks like a desktop calculator. You manually transcribe data from the untrusted device to the calculator-like device, it generates a magic number, and you manually transcribe that back to the untrusted device. If your bank gives a shit about security, instead of just dismissing bank fraud as "identity theft", this is how you buy stuff online (a.k.a. "card-not-present transaction"). In theory the credit card's secret numbers are initialized by a device that's also airgapped and behind locks and guards. https://en.wikipedia.org/wiki/EMV The US military have something vaguely similar: https://en.wikipedia.org/wiki/Common_Access_Card rja14's mob have also built something similar for a SIM (also tamper-proof), which is DEAD SEXY, but still in proof-of-concept stage: https://www.lightbluetouchpaper.org/2016/10/31/digitally/

Russell Coker via luv-talk wrote:
https://krebsonsecurity.com/2016/09/the-limits-of-sms-for-2-factor-authentic...
See also https://www.jwz.org/blog/2018/07/two-factor-auth-and-sms-hijacking/
…for someone (yes, *that* jwz) trying to drop SMS.
TL;DR version:
1password-only works for: facebook dropbox etsy
1password-only fails for: instagram patreon ebay twitter kickstarter amazon
participants (7)
- Andrew McGlashan
- Mark Trickett
- Rick Moen
- Robin Humble
- Rohan McLeod
- Russell Coker
- Trent W. Buck