For only $289.00, you too can have an annoying insurance salesman in your home

Hello! I love your sailing posts and have started trying to work towards my long time goal of working on/with ships. I took a sailing class, started volunteering with historic wooden boats, and am planning to work towards my keelboat certification in the coming year. I would love to eventually work on a schooner but I have a cat and would just need to do day trips or shorter week long trips and not live on board. If you have any tips or advice around finding a space like that I would greatly appreciate it! I've found one schooner on Lake Superior that looks attractive and a few sailing education orgs here in the PNW though they don't have schooners...

Oh congratulations! And good luck with the certification!

Day sailors are probably the way to go, whether commercial or educational - they’ll be back at the docks every night. (Windjammers have to fit as many multi-day trips as they can into the season, so living on board is mandatory and the turn around between trips is about ~24 hours max).

My experience with day sailing is that the hours more forgiving (you often start at 9-10ish), you can go home at night, and you have days of/work a specific schedule/ can potentially get a day covered if you have to. I had crew who worked one day a week and crew who worked five; some were full time career sailors and some had picked it up for a fun summer job or a side gig. It seems like that might be a good fit!

Finding boats that could work: in addition to searching ‘location you’d like+tall ships/sailing tours’ (usually my go to lmao), check out Tall Ships America Billet Bank! Filter by Deck Unlicensed for deckhand/educator jobs that don’t require official certification, which is the majority of deckhand jobs on day sailors. Marlinspike Magazine has job postings too. This is a good time of year for it, since everyone’s working on getting a 2023 crew together! I know in New England especially, just about every coastal town with some tourism draw has a few traditionally rigged boats that do day tours.

Can I ask you about 7 (if it doesn't embarrass you :D I would be embarrassed XD), and 43? (I'm @i-dont-talk-for-days-on-end asking from my main ;))

Thank you :D And I don't mind at all, it is cringe, but it's funny cringe xD✨ I've put read more, cuz the first question gets outta hand xD

7. Can you tell us the plot of your first ever fanfiction?

I've cast my mind as far back as I possibly can and to the best of my knowledge, my first ever fanfiction was [long, resigned sigh] a Tintin x Self Insert OC fanfic. I wrote it in my diary and illustrated it myself, it's iconic- it follows our protaganist, me I mean a girl called Kate Blackline as she gets vanished through a portal and ends up in Marlinspike where she meets and falls in love with Tintin. I honestly want to do a full commentary on it one day, but highlights include: Kate having a cheating ex at age sixteen; channing tatum gets roasted; i write the shittiest original song; aforementioned original illustrations which I honestly believe i should bring back; and the real kicker, Kate gets send back home and that's how the story ends!!! Tragic, original, inspiring, I'll never write anything like it ever again-

43. How did writing change you?

I honestly don't really know how to answer this, my ass has been writing for so long I can't really mark a change in myself- I started reading super early as well, which is not a flex I promise lmao I guess it's made me more observant in people and general life, and that deepens every year as I gain more experiences to incorporate in my narratives :>

some self indulgent concepts for a 20-something year old Chang where he becomes Tintin’s photographer. I wanted him to have a slightly eccentric sense of style to reflect his playful personality.

as my Area 51 post where Chang and Tintin are middle aged did well I was speculating on what would have happened between the “canon” timeline and them being in their mid-40s, just to get a better idea of what their relationship would be like! A Lot of background stuff beneath the cut, cw for mentions of racism and homophobia  - buckle up boyos:

After Alph-Art Chang finishes school and starts studying commercial photography at university. On an exchange programme, he goes to study in Belgium for a year. Haddock has Chang live at Marlinspike during his studies, hoping he would keep Tintin out of trouble (and perhaps convince Tintin to finish school). This backfires significantly.

He’d bring an emotional intelligence to the Marlinspike team, as well as an outsider’s perspective on things. As he’s around Tintin’s age, Tintin feels more comfortable confiding in him. I imagine he’d have a wicked sense of humour too which Haddock appreciates, and, most importantly, he’s the guy in the group who brings a bag

He’s juggling a photography course, dangerous adventures, his job with the newspaper and a social life, but deep down he doesn’t feel like he truly belongs anywhere. He’s very aware of his outsider status, so embraces it. As a working class orphan who was taken in by a family of academics he’s used to not quite fitting in. He’s also trying to work through his trauma from his two near death experiences, wanting to Live Life To the Fullest, frequenting jazz bars and staff parties whenever he can.

Tintin is overjoyed to finally be able to spend time with him and takes him sightseeing in between adventures. A few months in he realises he’s developed feelings for him and has A Crisis - he is gripped with feelings of guilt and self disgust and is terrified he’ll lose Chang’s friendship. At first he attempts to bury his feelings, leading to some Incredibly Unhinged Adventures. Chang catches onto this and confronts him about it, and helps him overcome his self hatred. The two start a relationship in secret (Haddock can totally tell tho, he quickly makes it clear they have his full support). Chang’s photography career takes off and he starts engaging with local immigrant and LGBT communities

things seem to be going well for the two of them until a tabloid outs them publicly (could it be Rastapopolous? I know he took a tumble but maybe he survived? idk). Chang and Tintin lose their jobs and their reputations. WW2 hits and they take it upon themselves to travel around, beating up fascists and foiling nazi plots (I know the canon comics follow a floating timeline with some being set post-war but here I’m rooting things in a specific time period)

after the war they manage to find more work. Tintin finds work with a small local paper and Chang scrapes out some freelance jobs. The war shaped their perceptions of journalism significantly, with Tintin now giving more of his attention to less flashy stories, pledging to do what he can to prevent anything like the war from happening again. Their itch for adventure returns, however, when reports of alien sightings start cropping up in the papers...

Before The Fall

Pairing: Tom/MC (Margot) 

Summary: After the long night is over, Margot and Tom talk about where they're going next. 

Warning(s): Grief, Trauma, Injury, PTSD Symptoms, Cursing, Fluff. 

Word Count: +1,500

Disclaimer: Tomoichi Sato and It Lives Beneath are owned by Pixelberry Studios. This fic was also inspired by @littlecrookedheart fic Glass Houses so you should definitely read that! right here! (It's really good, I really admire their fic ethic and writing though I think mine seems more flowery and idealistic lol) (it’s also 18 so kiddies beware)

It was over.

Josephine was dead. Really dead. Briny water lapped at Margot’s ankles, her clothes soaked to the skin. Her ears were ringing and blood trickled from the graze on her neck, she didn't know how bad it was but she felt lightheaded and dizzy. Beside her was Arthur, slumped against the wall with the marlinspike in his chest. 

Margot dropped to her knees at his side, she said something she couldn't remember. It felt like her head was still swimming.

“I’m not going anywhere kid, you did good.” Her grandpa smiled at her and stroked her hair with his free hand. Her mum use to do that too. “C’mere. You look like shit.” Margot leans into him as he wraps his arm around her. She felt so tired. It was really nice to hug him.

“Rest up, kiddo. Your friends should be along any minute now.” His voice sounded farther away.

Yeah, It would be nice to sleep for the first time in what felt like forever. Maybe she could just sleep it all away for good.

…

“Mara… you’re supposed to be recovering.” Tom frowned when he finally found Margot with her knees tucked to her chest, sitting against a tree near her grandpa's house.

“Tom, I was already discharged from the clinic two days ago. I don't need constant bed rest!” She laughed and tugged Tom down to her when he got close. He sighed and shuffled so he could hug her from behind while she sat on his lap. Together they soaked in the sunlight dancing through the trees in the glade. She looked beautiful as always with the beams dancing across her skin, but he could see the dark circles under her eyes.

“You wouldn't if you slept,” Tom sighed and lay his cheek against her hair, “You collapsed before, can you blame me for being worried?” Margot looked down sullenly, she forgot that it would worry him when she didn't look after herself.

“Sorry… I didn't want to worry you, I just.” Everything she wanted to say got caught in her throat, there was so much on her mind she couldn't think form any cohesive thought to say. She understood that she should be resting, but she felt restless, and useless. He said he wanted to travel the world and save people, but stayed more than two weeks just to take care of her. She felt insecure, but she knew the things she felt were unsaid Tom didn't even know were going wrong. She just didn't really know how to say it.

She didn't feel right for him, right for anything at the moment. How could she when she didn't even feel right in her own skin anymore. She said she was happy to be in love with him and date him, and it was true, but what if she was wrong? What if she was too traumatized to love someone properly? She didn't realize she'd be feeling this scared, this different. She wasn't usually like this. Some small part of her knew her thoughts were rushing, that she was overreacting. It wasn't fair to Tom to doubt things like this but her head was like a maze and she couldn't find the exit.

“Margot, I don't know what you're thinking,” Tom's voice took her out of her mind, a gentle whisper close to her ear, his use of her full name worrying her in its seriousness, “But I know this is all hard on you. It hasn't been that long since we stopped Josephine, and you've never had time to mourn or process your emotions… so, uh.” Tom trailed off in uncertainty, and Margot felt her heart stuck up her throat.

This was it, this is where he tells her she's too damaged to be in a relationship with. That she couldn't love him when she didn't even love herself. She realized none of that was wrong but she didn't want to let him go. She loved him too much for that, god, how could she doubt even for a second.

“I texted Dan and I thought we could take a trip together down to Westchester to visit him and the gang again. Maybe you could talk to him about how you're feeling, you know, if you wanted to- and when you're better obviously!” He tripped over himself as hesitantly gave his offer, and suddenly it was too much for Margot. Her eyes stung and tears began to fall down her cheeks.

“Woah-! Mara? What's wrong? Did I say something dumb? That was dumb, right?” He jumped and turned Margot so they were sitting in front of one another with his hands on her shoulders. She sniffed as Tom peered into her eyes in worry. She didn't know if she wanted to laugh or cry more.

“No, I just… I was sure you were gonna break up with me.” Margot’s lips trembled and Tom stared at her in shock.

“What? Why would I do that? Why do you think I would do that?” Tom looked so stricken that Margot felt herself fill to the brim with love and guilt.

“I thought… you would think I was too messed up to be with. I mean, it's just the truth right? I've been a state since Josephine died. We're supposed to be moved on and happy but I’m just… not.” Margot cussed under her breath and rubbed her fist against her eyes. She realized how melodramatic she sounded, but she couldn't express herself any other way.

“Yeah, you're grieving Mara, of course you're gonna be in bits. Not to mention everything you've seen, you haven't had the chance to process it,” Tom frowned and ran his thumb along her cheek to wipe away her tears, “I know some people say it's not good to stay in a relationship after a traumatic experience, but, I don't want to leave you while you need me most. I love you so much and I hate to see you in pain like this.” He moved closer and wrapped her in a hug, which Margot couldn't help but cling to.

“We don't need to rush right now, we can take our time and recover from everything that's happened together. And I think we're really in need of a break, don't you?” Tom pulled back to look down at her, giving her that goofy grin she loved the most.

“You goob…” Margot sniffled and moves her arms from his waist to his neck, hugging him tight, “I don't know how you can be so sexy caring, you're too good for me.” Her strange comment startles a laugh out of him.

“Wha- sexy? How is this sexy? I've got your snot on my hoodie!” Tom sputtered incredulously and Margot huffed then thumped him harmlessly on the chest.

“Caring is the new sexy! You’d be a panty dropper if you weren't so wonderful and faithful to your girlfriend…” Margot exhaled a shaky breath and chuckled wryly, the torrent of emotions must have made her joke about weird things and ruined the atmosphere. She breathed in the fresh outdoor air and tried to compose herself.

“Do you really want to go on a trip with me…? And then what would we do?” She couldn't hide the worry in her tone, Tom sobered up as well and rubbed her back while she was still in his arms.

“Whatever we want to, Mara. You don't need to worry about the future right now. But one thing I do know is that I’ll be here for you as long as you want me to be.” He moved his hand up her spine and ran his fingers through her hair. Margot let out another long sigh and snuggled into him more.

“I guess there's always gonna be an uncertainty of what will happen next,” Margot murmured with her cheek pressed against his chest, “Just instead of ‘if we’ll survive tomorrow’ it's ‘would this cheese ketchup combo enhance or ruin my fries experience’ ‘who wins our bet on who gets dumped on Wiped Out first’ or…’where will our relationship be a few months- years down the line… and is it worth it to try at all if it doesn't work?’” Margot pulls back to look at him, taking in shock before the fall in his eyes. He didn't say it but he was waiting for the other shoe to drop too. She, however, only wanted this wonderful man to grin and be happy so she didn't hesitate this time when she said;

“We don't know what's going to happen from here on out… that's why I want to keep trying with you, Tomoichi. Especially when we screw up or misunderstand or fight. Because I want to remember everything we've been through and how worth it this was. And seeing your face makes me remember it… so if you're really okay with settling for me… I won't let you go.” Margot looked up at him hopefully in return, seeing his expression morph from shocked to awed and finally… delighted. He really was happy.

“Settle?! I’d be thrilled, Mara!” Tom all but tackled her and they both fell to the leafy forest floor in laughter. He kissed her cheeks, her eyelids, her temples before finally pecking her lips. Then they nuzzled their noses together like two nerds doing their damnedest to navigate this strange, radiant world of love.

Since they met, Margot and Tom had made unimaginable risks to stay alive for themselves and each other. It wouldn’t get any easier, but they knew this risk would be more than worth it.

What We Learned From Apple’s New Privacy Labels We all know that apps collect our data. Yet one of the few ways to find out what an app does with our information involves reading a privacy policy. Let’s be real: Nobody does that. So late last year, Apple introduced a new requirement for all software developers that publish apps through its App Store. Apps must now include so-called privacy labels, which list the types of data being collected in an easily scannable format. The labels resemble a nutrition marker on food packaging. These labels, which began appearing in the App Store in December, are the latest attempt by tech designers to make data security easier for all of us to understand. You might be familiar with earlier iterations, like the padlock symbol in a web browser. A locked padlock tells us that a website is trusted, while an unlocked one suggests that a website can be malicious. The question is whether Apple’s new labels will influence the choices people make. “After they read it or look at it, does it change how they use the app or stop them from downloading the app?” asked Stephanie Nguyen, a research scientist who has studied user experience design and data privacy. To put the labels to the test, I pored over dozens of apps. Then I focused on the privacy labels for the messaging apps WhatsApp and Signal, the streaming music apps Spotify and Apple Music and, for fun, MyQ, the app I use to open my garage door remotely. I learned plenty. The privacy labels showed that apps that appear identical in function can vastly differ in how they handle our information. I also found that lots of data gathering is happening when you least expect it, including inside products you pay for. But while the labels were often illuminating, they sometimes created more confusion. How to Read Apple’s Privacy Labels To find the new labels, iPhone and iPad users with the latest operating system (iOS and iPadOS 14.3) can open the App Store and search for an app. Inside the app’s description, look for “App Privacy.” That’s where a box appears with the label. Apple has divided the privacy label into three categories so we can get a full picture of the kinds of information that an app collects. They are: Data used to track you. This information is used to follow your activities across apps and websites. For example, your email address can help identify that you were also the person using another app where you entered the same email address. Data linked to you: This information is tied to your identity, such as your purchase history or contact information. Using this data, a music app can see that your account bought a certain song. Data not linked to you: This information is not directly tied to you or your account. A mapping app might collect data from motion sensors to provide turn-by-turn directions for everyone, for instance. It doesn’t save that information in your account. Now let’s see what these labels revealed about specific apps. WhatsApp vs. Signal On the surface, WhatsApp, which is owned by Facebook, appears to be nearly identical to Signal. Both offer encrypted messaging, which scramble your messages so only the recipient can decipher them. Both also rely on your phone number to create an account and receive messages. But their privacy labels immediately reveal how different they are under the hood. Below is the privacy label for WhatsApp. The next one is the one for Signal: The labels immediately made it clear that WhatsApp taps far more of our data than Signal does. When I asked the companies about this, Signal said it made an effort to take less information. For group chats, the WhatsApp privacy label showed that the app has access to user content, which includes group chat names and group profile photos. Signal, which does not do this, said it had designed a complex group chat system that encrypts the contents of a conversation, including the people participating in the chat and their avatars. For people’s contacts, the WhatsApp privacy label showed that the app can get access to our contacts list; Signal does not. With WhatsApp, you have the option to upload your address book to the company’s servers so it can help you find your friends and family who are also using the app. But on Signal, the contacts list is stored on your phone, and the company cannot tap it. “In some instances it’s more difficult to not collect data,” Moxie Marlinspike, the founder of Signal, said. “We have gone to greater lengths to design and build technology that doesn’t have access.” Business & Economy Updated  Jan. 27, 2021, 11:46 a.m. ET A WhatsApp spokeswoman referred to the company’s website explaining its privacy label. The website said WhatsApp could gain access to user content to prevent abuse and to bar people who might have violated laws. When You Least Expect It I then took a close look at the privacy label for a seemingly innocuous app: MyQ from Chamberlain, a company that sells garage door openers. The MyQ app works with a $40 hub that connects with a Wi-Fi router so you can open and close your garage door remotely. Here’s what the label says about the data the app collected. Warning: It’s long. Why would a product I paid for to open my garage door track my name, email address, device identifier and usage data? The answer: for advertising. Elizabeth Lindemulder, who oversees connected devices for the Chamberlain Group, said the company collected data to target people with ads across the web. Chamberlain also has partnerships with other companies, such as Amazon, and data is shared with partners when people opt to use their services. In this case, the label successfully caused me to stop and think: Yuck. Maybe I’ll switch back to my old garage remote, which has no internet connection. Spotify vs. Apple Music Finally, I compared the privacy labels for two streaming music apps: Spotify and Apple Music. This experiment unfortunately took me down a rabbit hole of confusion. Just look at the labels. First is the one for Spotify. Next is the one for Apple Music. These look different from the other labels featured in this article because they are just previews — Spotify’s label was so long that we could not display the entirety of it. And when I dug into the labels, both contained such confusing or misleading terminology that I could not immediately connect the dots on what our data was used for. One piece of jargon in Spotify’s label was that it collected people’s “coarse location” for advertising. What does that mean? Spotify said this applied to people with free accounts who received ads. The app pulls device information to get approximate locations so it can play ads relevant to where those users are. But most people are unlikely to comprehend this from reading the label. Apple Music’s privacy label suggested that it linked data to you for advertising purposes — even though the app doesn’t show or play ads. Only on Apple’s website did I find out that Apple Music looks at what you listen to so it can provide information about upcoming releases and new artists who are relevant to your interests. The privacy labels are especially confusing when it comes to Apple’s own apps. That’s because while some Apple apps appeared in the App Store with privacy labels, others did not. Apple said only some of its apps — like FaceTime, Mail and Apple Maps — could be deleted and downloaded again in the App Store, so those can be found there with privacy labels. But its Phone and Messages apps cannot be deleted from devices and so do not have privacy labels in the App Store. Instead, the privacy labels for those apps are in hard-to-find support documents. The result is that the data practices of Apple’s apps are less upfront. If Apple wants to lead the privacy conversation, it can set a better example by making language clearer — and its labeling program less self-serving. When I asked why all apps shouldn’t be held to the same standards, Apple did not address the issue further. Ms. Nguyen, the researcher, said a lot had to happen for the privacy labels to succeed. Other than behavioral change, she said, companies have to be honest about describing their data collection. Most important, people have to be able to understand the information. “I can’t imagine my mother would ever stop to look at a label and say, ‘Let me look at the data linked to me and the data not linked to me,’” she said. “What does that even mean?” Source link Orbem News #Apples #Labels #Learned #Privacy

Good News: Signal is finally bringing its secure messaging to the masses

The encryption app is putting a $50 million infusion from WhatsApp co founder Brian Acton to good use, building out features to help it go mainstream

$50 million from WhatsApp co-founder Brian Acton is helping the Signal Foundation to develop state-of-the-art enhancement features

Signal founder Moxie Marlinspike is all set to roll out his encrypted messaging app to the masses

A few days back, American entrepreneur, cryptographer and founder of Signal private messenger Moxie Marlinspike was travelling when his co-passenger asked for help, the person who asked was in his sixties and he was not able to activate airplane mode on his old-fashioned Android phone. Marlinspike got shocked the moment when he saw the screen and found among a few installed apps there was Signal.

Signal is considered the world’s most secure end-to-end encrypted messaging service, was launched by Marlinspike nearly 5 years ago. Today, the app is maintained by Signal Foundation, a non-profit organization heads by Marlinspike. But the man who asked for help was not aware of these things. Marlinspike politely showed him how to activate airplane mode and returned his phone but the man had Signal app along with handful of other apps installed on his Android phone.

After that flight, Marlinspike told “I try to remember moments like that in building Signal,” in an interview given to WIRED. Marlinspike adds “The choices we’re making, the app we’re trying to create, it needs to be for people who don’t know how to enable airplane mode on their phone.”

From always, Moxie Marlinspike has talked about making encrypted communications easy and simple for everyone. Due to his efforts, today Signal is finally reaching to mass audience and is not only limited to activists, privacy diehards as well as cyber-security nerds.

Thanks to his efforts due to which app becomes more accessible as well as appealing to billions of netizens.

Signal was growing rapidly even when it was just a calling and messaging app. In 2016, Marlinspike had confirmed that over two million users are registered with Signal. However, in a recent interview with WIRED he hasn’t said anything about number of Signal users but according to Google Play Store count, Signal has been downloaded by more than 10 million times. On the other hand, 40% of the app’s users are on iOS. Its adoption has spread from Black Lives Matters and pro-choice activists in Latin America to politicians and political aides—even noted technically incompetent ones like Rudy Giuliani—to NBA and NFL players. In 2017, it appeared in the hacker show Mr. Robot and political thriller House of Cards. Last year, in a sign of its changing audience, it showed up in the teen drama Euphoria.

About 2 years ago, a new chapter in Signal’s evolution was added when WhatsApp co-founder Brian Acton invested $50 million into Signal foundation, a few months after leaving WhatsApp due to rising tension with Facebook top management (WhatsApp was acquired by Facebook in 2014). Acton Not only donated $50 million to Signal foundation, he also joined Signal Foundation as an executive chairman to help improve end-to-end encrypted messaging project.

Signal’s open source protocol was used by WhatsApp to encrypt all communications end-to-end by default but it does not seem effective to Acton when he saw Facebook is playing with privacy of WhatsApp’s users.

Marlinspike effectively plans to use Acton’s millions of dollars and his experience of building encrypted messaging app for billions of users. After working for a few years with just 3 full-time employees, now Signal is a team of 20 employees. From texting and calling app to a fully featured mainstream application, Signal has evolved itself a lot.

Thanks to Signal’s new coding muscle, in just the last 3 months, it has rolled several features such as support for iPad, emoji reactions, downloadable customizable “stickers”, ephemeral images and video designed to disappear after a single viewing. In addition to this, it has announced to introduce a new system for one-to-many (group) messaging and a method for storing encrypted contacts in the cloud.

Marlinspike told WIRED in an interview “The major transition Signal has undergone is from a three-person small effort to something that is now a serious project with the capacity to do what is required to build software in the world today.”

A few features of Signal seems trivial to its earliest core users and Acton calls them “enrichment features.” They are for people who want Signal as multifunctional as iMessage, WhatsApp or FB Messenger but value Signal’s security and the truth that it does not collect users data.

“This is not just for hyperparanoid security researchers, but for the masses” “This is something for everyone in the world” says Brian Acton.

Stickers are the latest Signal updates. Every sticker pack is encrypted with a ‘pack key’ so that Signal server can never see decrypted stickers or get to know about the Signal user who has created or sent them. With Signal’s new group messaging, administrators can add or remove people from groups without hinting a Signal server about that group member.

Signal also collaborated with Microsoft Research in order to invent a novel form of “anonymous credentials” that allow a server guard group users without knowing members’ identities. It is testing ‘Secure Value Recovery’ feature that lets users to create an address book having their contacts then store them on a Signal server. In this way, server-stored contact / address book will be preserved even if user switches to a new phone. Signal servers cannot see those contacts as they would be encrypted using a key stored in the SGX secure enclave. This key is meant to hide data from the rest of the Server’s OS.

For security reasons, a cryptographer at Johns Hopkins University Matthew Green says that a few of Signal’s new features should come with an on-off switch. He says that new features may add more chances for security vulnerabilities to slip into Signal’s engineering. But overall, he is impressed with the Signal code. He said “After reading the code, I literally discovered a line of drool running down my face. It’s really nice.”

Brian Acton’s ambition is to grow Signal like WhatsApp – sized service (even beyond). After all, he not only developed WhatsApp but also helped it achieve over 1.5 billion users. Acton thinks he can do the same again with Signal. He says, “I’d like for Signal to reach billions of users. I know what it takes to do that. I did that.” “I’d love to have it happen in the next five years or less.”

Marlinspike says, “This has always been the goal: to create something that people can use for everything.”

He adds, “I said we wanted to make private communication simple, and end-to-end encryption ubiquitous, and push the envelope of privacy-preserving technology. This is what I meant.”

Get Signal App now!

What Intel’s Foreshadow Flaw Means for the Future of Cryptocurrency

Yet another dire security flaw was unveiled Tuesday with potential ripple effects across the tech world, including for cryptocurrency projects seeking to leverage certain hardware devices.

Following a pair of bugs unveiled earlier this year, the Foreshadow vulnerability impacts all Intel’s Software Guard Extensions (SGX) enclaves, a special, supposedly extra-secure region of chip often used for storing sensitive data.

In short, while the enclave is supposed to be tamper-proof, a group of researchers found a way for an attacker to steal the information it stores.

For many, Meltdown and Spectre were spooky enough. The bugs impacted every single Intel chip, the hardware powering most of the world’s computers. But, since it wasn’t so easy to execute, there weren’t many real-world attacks.

Foreshadow might not sound as bad because it impacts a more specific type of Intel hardware: SGX. However, since many cryptocurrency projects plan to use this technology, Foreshadow could have even worse ramifications for the cryptocurrency world.

Perhaps most notably, Signal creator Moxie Marlinspike is in the process of advising a new, allegedly greener coin called MobileCoin that puts SGX at the center, even raising $30 million to do so.

As a result, these projects will have to do some restructuring before launching for real.

“The findings released today absolutely have a broad impact on cryptocurrency projects,” Cornell University security researcher Phil Daian told CoinDesk.

The good news, though, is that the researchers followed the security world’s “responsible disclosure process” for revealing bugs, alerting Intel before showing it off so the tech giant could come up with a fix (which deployed a few months ago).

But the security world is making a lot of noise because that still might not be enough.

“It is likely that, because many of these systems are slow to upgrade and because many of these fixes require either involved or hardware upgrades, infrastructure will remain vulnerable to this class of attack for a long time,” Daian said, adding:

“It would be surprising if at some point this flavor of attack is not used to steal cryptocurrency.”

The good and the bad

But there’s both good and bad news.

For one, it appears as though none of the high-profile SGX projects in cryptocurrency are yet being used to secure real money. “To my knowledge, there is no SGX system in production or widespread use in the space today,” Daian said.

The bad news is there are a plenty of projects that want to use SGX, and maybe even have plans to do so soon. And the ideas are pretty cool.

MobileCoin is perhaps the most ambitious since the project’s developers want to replace miners, a crucial part of securing any cryptocurrency, with these enclaves to build a more energy-efficient cryptocurrency.

But there are plenty of others that want to use SGX for its security and privacy gains.

Enigma is using it in a unique bid to boost privacy in smart contracts, while wallet hardware company Ledger went as far as to partner with the tech giant Intel to explore using SGX as a new avenue for storing private keys. And the list goes on and on.

“The SGX attack is devastating,” Kings College London assistant professor Patrick McCorry told CoinDesk, adding that research groups have long been discussing how it can be deployed to add extra security to data.

“It can potentially undermine the integrity – and privacy – for any application that is reliant upon trusted hardware. A lot of companies in the cryptocurrency space rely on SGX to support multi-party protocols, but this attack allows any participant to cheat,” he added.

“In my opinion, good SGX research and systems should assume hardware can always be broken at some cost, and should, as always, design defensively and include layered security,” Daian said.

He went on to give some advice to companies that plan to launch soon.

“Projects planning to launch soon that rely on SGX should evaluate the vulnerabilities and any updates from Intel with caution for implications to the security of their systems, and should publish such investigations along with their code,” he said.

The other bad news, though, is it’s possible for hackers to find a new variant of the bug, similarly impacting all SGX chips.

“But as foreshadow demonstrates, attacks only get better,” McCorry remarked.

Sweet vindication

Meanwhile, the bug is leaving some developers feeling vindicated.

Because Intel has a backdoor into all SGX devices, it’s long been a controversial tech avenue for cryptocurrency projects, with enthusiasts often arguing that using the technology puts too much power or trust in one company’s hands.

Simply put, in their minds, the Foreshadow vulnerability is a good example of why not to put SGX at the cornerstone of a cryptocurrency project.

“Good thing we didn’t adopt a certain professor’s SGX-based bitcoin scaling solution!” tweeted pseudonymous bitcoin enthusiast Grubles.

“Though even *if* it had been somehow perfect, it was never a good idea to root the security of bitcoin in a chip vendor’s secret sauce technology,” Bitcoin Core maintainer Wladimir van der Laan responded.

But again, most projects using SGX haven’t actually launched in production.

Some researchers went as far as to argue most cryptocurrency projects exploring SGX haven’t actually used them on real money because Intel has such a bad reputation. The industry has been experimenting with the technology – but is too cautious to actually launch go through with it.

Some security researchers advise to continue on this trend – to not use SGX.

But other researchers are more optimistic that SGX, or something like it, could one day play a big role in cryptocurrency, seeing Foreshadow as a positive sign trusted hardware is being battle-tested.

“SGX will need to be repeatedly tested and broken by adversarial researchers until it can claim a strong degree of security, which will take years,” Daian said, going on to add that he believes trusted hardware along the lines of SGX may one day play a big (and positive) role in cryptocurrency.

In short, it might just take some time, he argued, adding:

“Realizing such a technology certainly holds great promise for trust minimization and scalable privacy protection in cryptocurrency and beyond.”

Laptop via Shutterstock

The leader in blockchain news, CoinDesk is a media outlet that strives for the highest journalistic standards and abides by a strict set of editorial policies. CoinDesk is an independent operating subsidiary of Digital Currency Group, which invests in cryptocurrencies and blockchain startups.

!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','//connect.facebook.net/en_US/fbevents.js');

fbq('init', '472218139648482'); fbq('track', "PageView"); This news post is collected from CoinDesk

Recommended Read

Editors' Picks

BinBot Pro – Safest & Highly Recommended Binary Options Auto Trading Robot

Do you live in a country like USA or Canada where using automated trading systems is a problem? If you do then now we ...

User rating:

9.5

Demo & Pro Version Get It Now Hurry!

Read full review

Most Popular 2

Bit Bubble Tech – Learn How To Profit Big When Bitcoin Bubble Bursts?

If you have not already heard of the Bit Bubble Tech App, you undoubtedly wish to read this Bit Bubble Tech Review. We ...

User rating:

9.3

Free For 90 Days Get It Now

Read full review

The post What Intel’s Foreshadow Flaw Means for the Future of Cryptocurrency appeared first on Review: Legit or Scam?.

Read more from → https://legit-scam.review/what-intels-foreshadow-flaw-means-for-the-future-of-cryptocurrency

Simple Security

As most of us now know, internet and phone security is becoming more and more of a concern for everyday people.  Thanks largely to people like Ed Snowden and Wikileaks, it is now widely known that groups like the NSA and the CIA have developed the ability to penetrate and control almost any communications device in the world.  Major companies that store the credit cards and personal information of millions of people get hacked almost every day.  A whole economy exists around the vast databases that exist to store your browsing habits, shopping history, and the records of virtually anything you do on the internet.  We've moved from the country to the city in terms of security and privacy - it's become time to learn how to start locking your doors.

I'll share some tools and practices that I use on my phone and laptop, but the most important thing is begin to change how you think about security.  Spend a few moments to consider who and what you're trying to protect against.  Most people are not going to go to the lengths of a journalist investigating the military industrial complex or an activist trying to evade state surveillance.  If that describes you, you should already know everything in here.  For those who are interested, the book Beyond Fear, by security researcher Bruce Schneier, is an excellent read on changing the way you think about security and privacy.

Most people are looking for ways to protect against identity theft and viruses, keep their internet activity out of as many databases as possible, and make work a little harder for any surveillance bureaucracies who might be glancing their way.  Some of this might make your online life a little more inconvenient; it's up to you to decide what's worth it.

Habits

Use different passwords for different sites.  It is inevitable that a company with whom you have an account will be hacked, and the attackers will get your username and password.  If you use one username and password for everything, they will now have access to your email, your online banking, and anything else that uses that username/password combination.  Having different passwords will make this significantly more difficult.  At the very least, have several different passwords - a unique password for your email, a different one for your facebook or bank, a general one for things you don't care about.  Write them down if you have to.

Don't allow any site to store your credit card info.  Uncheck the box that says "Remember this card".  They keep all that card information in databases, and those databases are not secure.  Honestly, when you start paying attention to how often major companies have their databases stolen it's a wonder that any of us trust them at all.

Use a lock screen on your device.  For phones, a numeric pin is probably the best, but anything that keeps your phone locked is important in case your phone gets lost or stolen.  For computers, make sure that your screen locks after a short period of inactivity, or when the lid is closed.  While it can be annoying to enter a password so often, this is the first line of defense if your device is ever lost or stolen.  A device without a lock screen is like a house with no locks on the door.  Anytime you're not home, someone can just walk right in.

Pay attention to emails that seem fishy.  No bank or internet company will ever ask you to send your password or other personal info in an email.  Call them if you're not sure about an email, especially your bank.  Avoid clicking suspicious links from email contacts - double check with them if a link is by itself, or is contained in an email that doesn't seem like their usual writing style, as their email may have been hacked.

When downloading anything from an unknown source, check the filename to make sure it's what you're expecting.  Look at the filename extension (.avi, .exe, etc...).  If you’re using bittorrent, make sure the torrent title follows the naming conventions of other similar torrents, and check the filenames before you open anything.

Install updates regularly, just make sure they come through the normal update channel for your software and not through some weird looking popup.  Updates often contain security patches.

Never click anything in a popup you're not expecting to see.  Your windows is not going to run faster, you're not infected with 10 million viruses, you didn't win a million dollars.

Tools

Signal - An app for your phone that can replace your regular texting app, Signal encrypts any messages sent to other Signal users, and can encrypt all the texts stored on your device.  This makes it significantly harder for any attacker to intercept and read your messages.  Easy to use, free and open source, and generally trusted by security experts.  Signal was developed by a badass anarchist named Moxie Marlinspike - read more here (https://moxie.org/).

WhatsApp - Also for your phone, WhatsApp uses the same protocol as Signal, and is generally a good choice for international messaging.

HTTPS Everywhere - developed by the Electronic Frontier Foundation, forces your browser to use encrypted connections whenever possible.  Helps keep your browsing safe from anyone who might be intercepting your internet traffic.

Disconnect.me - Blocks connections to 3rd-party websites (i.e., not the ones you're trying to look at) that collect browsing data through ads and plugins.  Helps keep your info out of marketing databases.  Just the free version is probably fine, though there’s a premium upgrade as well.

Adblock Plus, Adblock for Youtube - does exactly what it says, not only making your internet experience way more pleasant, but also keeping your info out of the hands of ad companies.

Tor - Probably a step beyond useful for most people, Tor makes it very difficult to identify an internet user by send their traffic through a network of volunteer maintained servers around the world.  Slow, but essential for some people in particular situations.  Try the Tor Browser Bundle for the simplest experience, but if you're not already using it, you probably don't need to.

Other general tools and practices

VPN - More and more people are using VPNs to connect to the internet.  A VPN (Virtual Private Network) sends all traffic though an encrypted connection before it goes out into the world.  That protects it from ISPs (like Comcast, Verizon, etc...) who want to harvest your data for marketing and surveillance purposes.  It's probably worth paying for a subscription -  there are many out there but look for one whose privacy policies state that do not retain any logs of internet use.  A useful guide is here (https://torrentfreak.com/vpn-services-anonymous-review-2017-170304/) and AirVPN seems like a good choice to me. [Edit: after a bit more research, AirVPN gets  very mixed reviews.  May or may not be a good choice.]

Full disk encryption - There are different ways to do this, but it basically makes all the data on your device inaccessible without a password or PIN.  Most newer Apple and Android phones have this enabled by default (check your security settings on your phone to be sure).  For computers, it can be a bit more difficult but it's still totally doable - look up a guide for your type of device or ask a tech-savvy friend.

Incognito mode - Most modern browsers have a private browsing mode (Incognito in Chrome, Private Browsing in Firefox, InPrivate in Edge and Internet Explorer).  Websites visited in incognito mode will not be able to save any data on your device - web history, cookies, cache data, etc.  This is one of the major ways that companies like Facebook track your activity beyond their website.  However, it does nothing to keep websites from tracking your activity on their end.

Antivirus/Anti-malware - While built-in antivirus solutions have definitely gotten better, it's still probably a good idea to run antivirus and anti-malware software.  There are many out there, the names that come up well in reviews are BitDefender, Kaspersky, MalwareBytes, and Avira.  Check reviews, decide whether you're willing to subscribe to a paid service, and make sure that whatever application you install runs regularly scheduled scans and updates.  Here's a good place to start: http://www.tomsguide.com/us/best-antivirus,review-2588.html

Other notes

-Everyone probably knows this already, but social media makes all of its money harvesting and selling your personal data.  That data then gets used in ways that you may not be aware of or at all ok with.  For an extreme example concerning the recent US election - check out Cambridge Analytica (https://motherboard.vice.com/en_us/article/how-our-likes-helped-trump-win).  Someday we will all look back and be horrified that we didn't just delete our facebook already.

-Your devices are increasingly likely to be searched at international borders, particular the US border.  Border and Customs agents can and will look through your emails, texts, and social media profiles.  The best way to avoid this is probably to factory reset your device before you cross the border, or keep your data at home or in the cloud with no passwords stored on your device.  It's an emerging area of concern and there doesn't seem to be a consensus on the best way to deal with it.

-If you are an activisty type you probably already know this, but leave your phone at home or at least turned off if you are going to a protest.  Police agencies use tools to identify protest participants by their devices, and any arrestees will likely have their devices seized and searched.  

Further reading

- https://arstechnica.com/security/2016/12/a-beginners-guide-to-beefing-up-your-privacy-and-security-online/ - https://ssd.eff.org/