Hacker News | davidmitchell2's comments

While these seem to be secure... tampering with default settings always causes a PITA, especially during automated upgrades. In addition, SSH port changes are all security through obscurity.


Just closing well-known ports will mean less drive-by sniffing. Which is an improvement. Doesn't mean you are now completely safe - it's just an improvement. At the very least it will make your logs smaller, as they won't be as full of drive-by sniffing.

Security is an onion; you can add layers. There is no perfect security. You can add hurdles and hope you make yourself too difficult for your adversary. Some hurdles add more than others, and not using well-known ports is on the lesser end of the scale. You might still find it worthwhile, just so you have cleaner logs to sift through.
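The "smaller logs" argument above is easy to check on your own auth log. The script below is an added example, not code from the thread: it parses constructed sshd log lines (the IPs are documentation addresses, the fingerprint is a placeholder) and separates sources that fail repeatedly across several usernames with no successful login from sources that also have an accepted login. The thresholds `min_failures` and `min_users` are assumptions chosen for the sample, not a standard.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not from the thread). The addresses are
# documentation ranges and the key fingerprint is a placeholder.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar  3 10:01:06 host sshd[1205]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar  3 10:01:09 host sshd[1207]: Failed password for invalid user oracle from 198.51.100.7 port 40001 ssh2
Mar  3 10:02:11 host sshd[1210]: Failed password for alice from 192.0.2.10 port 60012 ssh2
Mar  3 10:02:15 host sshd[1212]: Accepted publickey for alice from 192.0.2.10 port 60012 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Mar  3 10:03:00 host sshd[1220]: Invalid user pi from 203.0.113.5 port 51240
"""

# "Failed password for [invalid user] <name> from <ip> port <n>"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
# "Accepted <method> for <name> from <ip> port <n>"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def summarize_auth_log(text):
    """Return (failed attempts per IP, usernames tried per IP, accepted logins per IP)."""
    failed = Counter()
    users = defaultdict(set)
    accepted = Counter()
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted[m["ip"]] += 1
    return failed, users, accepted


def classify_sources(text, min_failures=3, min_users=2):
    """
    Label each source address. Many failures spread over several usernames with no
    successful login is the drive-by scanner noise the comment describes; a source
    that also has an accepted login is more likely a real user who mistyped once.
    The thresholds are assumptions for this sample, not a recommended standard.
    """
    failed, users, accepted = summarize_auth_log(text)
    labels = {}
    for ip in set(failed) | set(accepted):
        if accepted[ip]:
            labels[ip] = "known-user"
        elif failed[ip] >= min_failures and len(users[ip]) >= min_users:
            labels[ip] = "scanner"
        else:
            labels[ip] = "unclassified"
    return labels


if __name__ == "__main__":
    for ip, label in sorted(classify_sources(SAMPLE_AUTH_LOG).items()):
        print(f"{ip:15} {label}")
```

Run it against a real log by reading `/var/log/auth.log` (or `journalctl -u ssh`) into `text` instead of the sample. Counting how many lines fall under "scanner" before and after moving the port gives a concrete number for the log-noise argument, without claiming anything about actual security.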


+1 for Canary!


Pretty sure the EU and US will not diverge as much as Russia did. Russia is also a tiny market (population, GINI, internet penetration). See EU-US Privacy Shield - courts may say something, but nothing practical.

Maybe India/Middle-Eastern countries might, but still there is so much interdependency everywhere - no one dares to annoy the other.

There are lots of executives and politicians across the EU/US living + having family in either place. So unlikely.


Russia won't dare start a war, it was said up to last year. We saw the EU/US relationship deteriorate under Bush and then again under Trump. Extremism is on the rise on both sides of the relationship, with insane leadership popping up everywhere in at least the west. This is the kind of political shift that seems impossible until one day it becomes inevitable.

Besides, having big dependencies makes a country vulnerable to pressure and weak in negotiation. In the long term, not having a plausible alternative is just being dumb on this scale.

Also there is China appearing as a new superpower, and there is climate change that will cause political instability. Things are going to get rough for the Pax Americana in the next decades.


Get an account with iCloud and forward all mails to iCloud as a backup.


Assuming they have cryptography, all data is lost.


Exactly. Seems like poor support. "We're amazing because we'll put a human on the line to tell you that you're fucked and we can't do anything" doesn't seem like the status-quo-busting human support the "mainstream" wants.


That is what it means by encrypted data storage. Only the user has access. If they managed to see/recover your files, then it is not encrypted.

(In the end, people will complain at both ends - some want convenience and do not care if companies see data. Others want total encryption and do not care if it is lost.)


You are correct, but it is one in a year or decade. Right... the rest of the time all is good. People will opt for convenience.


One year (one day actually) in a decade comes close to the very definition of a black swan event. :)

And yes, people will opt for convenience, not rational behavior:

In some cases, that black swan event will cost more than the cost of inconvenience. For example in the US, it is "inconvenient" to retrofit buildings to make them earthquake-resilient, but when the earthquake black-swan hits -and it will hit for sure, the only question is when- damages will be huge, and costs as much as 4 times higher than investments in earthquake-resilience today: https://www.optimumseismic.com/earthquake-preparedness/what-...

I'm sure Kahneman & friends have a name for this cognitive bias that somehow makes it hard for humans to correctly assess the risk and cost for black swan prevention (sometimes, because of the rarity, these computations in principle can't be made). This type of cognitive bias seems also connected with difficulties humans have in thinking on time scales that exceed their own life spans ...


Let's be honest - not having cards working for a day is not the same as an earthquake. Sure, people will miss trains/rent etc. 1 or 2 businesses may go under, but for 90% of people all will be fine. Heck, I am sure many shops/the metro will be free if someone like Erste Bank or Sparkasse does not work.


From: https://ente.io/privacy#account-data

> Data security is very important to ente, whether that is your personal information or any other data. That is why we publish our client-side browser and mobile app software and why we have provided information in this Policy on collection and storage of all data whether or not it is personal information.

How does this prove data security?

And what is this:

> our architecture has been reviewed by cryptographers and engineers from IBM Research, ETH Zurich, IIT Delhi, Google, Facebook, Amazon, Microsoft, ...

Any white paper?


> How does this prove data security?

You're right, that by itself doesn't prove data security. But what we try to do is follow the example of other privacy-first Google alternatives like DDG, Signal, and try to structure our organization/processes/code in a similar way.

> Any white paper?

https://ente.io/architecture/

Not quite a white paper, but I feel https://ente.io/architecture/ covers the practical aspects of what we do in a human readable way (we wanted this page to be understandable by people with a non-cryptographic background, I'm just mentioning the intended audience, a few of our customers have reached out to us and have mentioned they found it useful too).


> Because I've been warned by security conscious people never to use phone number

Sadly you read only one part of the warning from security conscious people. The main part is to get a U2F/FIDO key or use a QR-code/authenticator. The same security conscious people use F-Droid/andOTP, where you can export all your 2FA codes.

There is NO reason to say "if I shatter my phone". Yes, you can also print recovery codes and keep them at home.


We're not talking about 2FA, we're talking about account recovery. I do have my authenticator app set up. Can I use it to prove myself if Google thinks somebody stole my account?


Yes, I just tested it with one of my accounts that has NO recovery email address/phone. ONLY a U2F key.

Select "forgot password"; then it asks to insert the U2F key. Then it is recovered. Yes, it may be that if one loses the U2F key in the Metro it is dangerous, but some risk is always there. (i.e.) how many times have you lost your key in your life? If more than once per year, then keep one U2F at work and one at home.


Cool, I'll look into it, thank you.


> presumed that the security message was because of new IP addresses that must have been assigned. While I was initially able to log in to my accounts after replacing both the routers, o

1. Verify if your router, or router software that you installed on your PC, is doing something fishy.

2. As long as you have a browser window with cookies - even a new IP address should NOT matter. It should allow you in. I am almost always working in cafes with different IPs - it just works.

3. Please, please verify your recovery email ID. Sometimes I have made the mistake of typing first.last@ instead of without dots. Send an email to your recovery ID to test.

Please get a 2FA U2F token.


Installing any software for using a router on your PC already sounds fishy to me. Routers should not require any software to be put on a PC.


I should have been more clear. I flashed Merlin firmware on the new router. Not on my laptop.


Many providers do it... sadly


I have never had one actually require it; often the installers will claim that, but back in the day I would just say "sure, here is my Linux machine, have fun installing your Windows software on it" and magically they did not need to install anything any more....


But as one can imagine people (99% are on Windows) do it in haste...


1. My new Asus RT-AX86U had Merlin installed on it. I disconnected this router after I started getting security alerts and switched to using the router provided by my service provider.

2. I use Firefox with a cookie cleaner add-on that clears cookies the second I close the tab.

3. I have a paper copy of the account details and I am 100% sure of my recovery email. I got a YubiKey recently and plan to use that and authenticators on all my accounts.


2. Instead of that, use separate Firefox profiles - one exclusively for Gmail. Another for casual browsing. If you clear cookies all the time, then it seems like you are logging in so many times per day. This could be a warning sign of a hacked account - for Google. (i.e.) do not do unusual things.

3. In the end U2F is the proper solution, albeit late!


Good point @davidmitchell2. I will do that.


I therefore have one for Facebook, Slack and so on (i.e.) for every major company where I log in. Then one is just for browsing.


Google, Microsoft, and Apple all use previously authenticated IPs as a signal for their account recovery processes.


What is the obsession of tech companies with the word "One"? Everything these days is One.

Google One

One Drive

Apple One

