Danie
Testing out new wallet

Studies show 95% of wearables were contaminated with various forms of bacteria: Metal still better than plastic or rubber

https://void.cat/d/DEFu9FsMhVAx78G93YHb5s.webp

As smartphones became mainstream over the past decade, multiple research papers popped up, documenting how extremely filthy they can get. Fresh research from the University of Arizona said that smartphones can be 10 times dirtier than a toilet seat. Another paper published in Nature claimed that microbial infection is so bad that robust public health and biosecurity protocols are needed to minimize the risks.

But over the years, another class of personal devices has become a part of our daily lives — health wearables such as smartwatches and fitness bands. Researchers at Charles E. Schmidt College of Science of Florida Atlantic University studied various types of wearable straps and discovered that nearly 95% of them were contaminated with various forms of bacteria.

Among the different types of band materials, rubber- and plastic-based materials were found to harbour the highest degree of contamination, while metal-based bands with gold and silver metal showed the lowest bacterial activity. The research paper — published in the Advances in Infectious Diseases journal — notes that depending on the gender and a person’s occupation, the bacterial load can vary.

And I suppose this can make sense as wearables are usually even more exposed on one's wrist vs a phone that is often carried in the pocket. We also saw during the Covid-19 pandemic that brass transferred way less virus than other materials (brass is a copper alloy, and copper has antimicrobial properties).

The team tested three kinds of cleaners — Lysol Disinfectant Spray, 70% Ethanol, and apple cider vinegar. Notably, the Lysol and ethanol solutions took only 30 seconds of exposure to dramatically reduce the bacteria count, while apple cider vinegar needed 2 minutes to get the job done.

The linked article does also give some additional guidelines on cleaning, but it is important not to forget cleaning wearables, and again it seems the same lessons from the Covid-19 epidemic apply, namely that 80%+ concentration of alcohol should work well.

See https://www.digitaltrends.com/mobile/why-scientists-want-you-to-clean-smartwatch-fitness-tracker-bands/

#technology #wearables #hygiene

Replying to Danie

Firefox can now import and use Chrome extensions

https://void.cat/d/RjnE2bHZvZ7kiMpz9EDktU.webp

In a major update towards cross-browser compatibility, Firefox users are set to enjoy the benefits of importing Chrome extensions, thanks to a new feature unveiled by Mozilla. This is a big deal because it brings us one step closer to having more compatibility between browsers.

Mozilla has been working on making extensions easier across multiple browsers, and this new feature is currently being tested.

Best part? It’s already available to all users of the latest stable version of Firefox.

Firefox itself actually has quite a few excellent extensions that you don't find on Chromium-based browsers, so I'm wondering whether Google will be responding with importing Firefox extensions into Chrome. But I'm not holding my breath at all.

See https://debugpointnews.com/firefox-chrome-extensions/

#technology #Firefox #extensions

Note: this is really part of the data import/migration from an existing Chrome browser installed, just for extensions that are already supported, and not installing from the Chrome web store.

Smart Garbage Trucks with AI are perfect for spotting street maintenance issues

https://void.cat/d/SoqsYSvFBAN5TaMScmLYse.webp

If you’ve ever had trouble with a footpath, bus stop, or other piece of urban infrastructure, you probably know the hassles of dealing with a local council. It can be incredibly difficult just to track down the right avenue to report issues, let alone get them sorted in a timely fashion.

In the suburban streets of one Australian city, though, that’s changing somewhat. New smart garbage trucks are becoming instruments of infrastructure surveillance, serving a dual purpose that could reshape urban management. Naturally, though, this new technology raises issues around ethics and privacy.

I know in our own Province of Western Cape, in South Africa, they had been experimenting a few years ago with vehicles to drive around and record potholes for repair. But that was before AI (meaning that it need no longer just be for potholes) and it was all done with a specific vehicle in mind (way better to put it on a vehicle that regularly travels along most streets in a city).

Not only can this timeously record issues, but even more important, it can measure how long it takes to actually be repaired. I get really irritated when our own municipality closes out calls as soon as they've been scheduled for repair, as the actual repair may only be a month later. As I pointed out to them in an escalation, citizens measure performance by when something is actually repaired, not by how quickly it can be scheduled for repair to happen later.

And yes I get it that many may be quite worried about privacy, but I suppose that is also why these streets are called public roads. I would expect such a system to have some assurances (and audits) that facial recognition is not being used (no, I don't suppose the municipality would prevent number plate recognition, because after all, they'll want to recover those outstanding speeding fines while they're at it).

Something I've also long suggested to our municipality is, why can't the garbage trucks beacon out their location, so we know exactly when to put our bins out? Maybe we can get that functionality in exchange for this AI scanning.

See https://hackaday.com/2023/08/24/smart-garbage-trucks-help-with-street-maintenance/

#technology #AI #localgovernment #maintenance

Pine64 Pinecil V2 Open-Source and Portable Soldering Iron

https://void.cat/d/9mjvmXFyuGHx7f3iR5gFCR.webp

This is an IronOS open-source software portable soldering iron with temperature control, auto sleep, and auto shut-off based on movement. It costs around US$36-$45 depending on where you buy it. It can be powered off USB-C (even via a battery) or the 12V barrel DC jack.

The hardware board schematics as well as software are all open-source. Pine64 encourages you to experiment with the software, and seeing its bootloader is safely in the ROM, this is reasonably safe to do.

I hear there are some AliExpress knock-offs, so you should probably consult their Wiki page to ensure you are sourcing an original device.

Watch https://youtu.be/Gbc0koEhKGA

#opensource #technology #DIY #solderingiron #Pinecil

Is that a 2FA tool too?

2FAS is a private, free and open-source two-factor authenticator for Android and iOS, and Desktop Browsers

https://void.cat/d/PkqzRzuDCuCtaypaNvkica.webp

2FAS is an interesting app as it focusses more on privacy than Google and Microsoft's 2FA authenticators do (we all know Google and Microsoft love to know where you log in, from where, and when). To this end, the app operates on its own and, if you choose to, it syncs between devices using your own iCloud or Google Drive. It requires NO account registration to be used.

It has a dark mode, as well as the ability to group your 2FA tokens, and can also show the upcoming 2FA token (useful if there is say 15 seconds to go, and you don't want to wait). It is compatible with any service that supports the TOTP and HOTP standards, including Google, Microsoft, and Dropbox.

There are two potential downsides right now: Firstly, this works with one or more mobile devices, so the desktop browser extension does not run its own tokens (it calls the mobile device for an OK). Secondly, this could be a problem if you use an Android as well as an iOS device, as there is no syncing between the iCloud and Google Drive storages. However, migrating from one OS to the other should not be a problem as the app can export and import the tokens.

If you want to work offline without the cloud sync, just remember to make a copy of the backup codes or save (with a password) the tokens to a file, and move that file off your mobile device.

Their code is open-source, including the server side, which can be installed using a Docker image.

See https://2fas.com/

#technology #2FA #security #privacy #opensource

Australia’s internet providers are ditching email, to the disgust of older customers: But maybe it's a good thing actually

https://void.cat/d/GD2YJBC46FdrZGAu6qHxxz.webp

I'd long ago ditched using my own ISP's e-mail service for exactly the reasons given in the linked article. I know it was a freebie, but it ties you into that provider, and it is a major pain to change 500+ logins elsewhere (another good reason why we should be allowed to use login IDs instead of e-mail addresses). The days of having only 5 or 10 services to log in to are long gone.

Yes one "could" move to Gmail (or similar) but the thing is Google does mine that data (I know it won't worry many people) and Google has also shown it is not always interested in keeping a service going forever. A free Gmail account forces you to use their domain name, as a custom domain name will require the paid Gmail service. So, for a free account you are now tied to Gmail, have your mails mined, and would have to go through lots of pain to move again in the future. If you don't like Google, GMX is another good option for free e-mail without a custom domain name.

E-mail redirectors also pose a similar problem because I used Bigfoot for many years for this, but then they also shut down.

You could also host your own e-mail server, but that takes technical knowledge and some cost of either hardware or hosting costs anyway, and you run the risk of being an untrusted mail domain. Most average users are not going to opt to go this route.

What does not shut down though is one's own domain name. My domain name costs me about US$7.70 per year. I can use that for a website if I wish, but also for e-mail. That e-mail address will never change as long as I keep paying the annual fee for the domain name. The domain name can point to any other e-mail service, no matter how often you change your actual e-mail provider service. The ONLY proviso for this is that you must choose an e-mail provider that allows the use of a "custom domain name". What does frequently come with this, unfortunately, is that it is typically only paid e-mail services that allow you to use your own custom domain names. Still, e-mail as a service is not very expensive, and if you are a business, this is really important for branding and consistency anyway. I was already paying for Proton VPN, and to upgrade to use their free e-mail with a custom domain name and 500 GB of space, cost me around US$3 per month extra (and that now also gives me fully encrypted and digitally signed e-mails).

But something worth otherwise considering is checking with your domain name provider too. Mine actually offers an e-mail service for about US$1.90 per month. You can always move to a different e-mail service later on, as you still have your own domain name, and there is no need to update your e-mail address anywhere else again.

Although paid e-mail does cost a little money per month, one perk you do often get is multiple e-mail addresses, so you could also consider sharing with trusted family members where you could have their first name as the address, and use your family name as the domain name.

In summary, if your mail service is completely free you are probably the product of that service (either through data mining, lock-in without a custom domain name choice, forced to use webmail login, restricted storage space, tied to another service you have to pay for, etc). Similarly, if you go with a custom domain name e-mail service, you will probably have to pay a bit and go through an initial setup, but usually your e-mail is being left alone by the provider, and you can switch at any time with nearly zero interruption or notification changes to anyone. It's worth thinking about.

See https://www.theguardian.com/australia-news/2023/aug/19/australias-internet-providers-are-ditching-email-to-the-disgust-of-older-customers

#technology #email #Australia

India's e-Gov digital public goods diplomacy scores wins around the world

https://void.cat/d/5dYuSKx7KJdM9ukQdzd7JM.webp

The Indian government has decided to share with the world the many e-governance tools it has created to run the country, under the name Indiastack. Other nations can now get their hands on India's identity service Aadhaar, the DigiLocker cloud storage locker, the CoWin Vaccination Platform, the Government e-Marketplace, and the Ayushman Bharat Digital Health Mission.

The project's digital home describes the project as "a set of open APIs and digital public goods that aim to unlock the economic primitives of identity, data, and payments at population scale." An FAQ states "None of the systems which comprise India Stack require any proprietary technology or intellectual property which would preclude their implementation in any other country."

India's government has announced that the island nation of Trinidad and Tobago has signed a Memorandum of Understanding (MoU) to share India Stack, making it the latest territory to adopt the collection of digital public goods the world's most populous nation has created as a means to assist development of government digital services (and its own diplomacy) around the world.

India Stack is based on the payment, identity, and data services India developed to power its own citizen-facing services. India's population recently topped 1.4 billion, meaning India Stack is proven to operate at a scale that can meet the needs of any other nation. India Stack also powers impressive services: the Unified Payments Interface (UPI) has brought electronic payments and banking services to even the country's smallest merchants.

India Stack therefore gives India a chance for deep engagements with other nations, and a different way of doing so compared to the economic and/or military ties promoted by China, the US, or Europe.

It's a great pity that South Africa (also part of BRICS) has not been able to offer their own e-Services stack to the world. It was started in about 2015 (8 years ago called an Open Jig framework), all based on open source software (and used to boast open APIs) as well as an open data policy, but there never seemed to be any unified payment services, and the mention of APIs, and even open source (there is now a copyright notice on the website), has all disappeared from the website. It is clear that South Africa was busy on the same lines as India, but it looks like India has beaten SA to the finish line in terms of implementing the full stack, and making it available to the world. A world-class vision also needs a world-class execution plan!

See https://www.theregister.com/2023/08/18/indiastack_trinidad_tobago/

#technology #India #egovernment

Well we know the Twitter name has gone, it's now X.

Is it a giveaway for the LG TV? It's not even launched yet as far as I know?

LG has a 27-inch battery-powered touchscreen 1080p LCD 'TV' in a suitcase

https://void.cat/d/LmsWChwuAWNvpRmHFE3TP2.webp

The suitcase not only makes it highly portable, but also allows it to be orientated in landscape or portrait mode. From what I see on the Korean site, it says it is really Wi-Fi enabled and not receiving broadcast TV signals.

But apart from basic streaming entertainment, it can also do AirPlay screen mirroring for iOS and Android devices. A nice touch is that it also will work flat as a chess board (it has a touchscreen) as well as a 'turntable' music player!

The idea is that this thing can be a portable entertainment solution whether you’re at a picnic, on a family vacation, or just hanging out on the back patio. Maybe you’ll bring it tailgating with all your pals during football season. The possibilities are limited only by your imagination and the StanbyME Go’s three-hour battery life.

It would also be great for giving business (or family) presentations anywhere, any time.

But before we all get too excited, it seems it will cost around $999 so it won't be found in the bargain bin.

See https://www.theverge.com/2023/8/15/23832712/lg-stanbyme-go-suitcase-tv-announced-pricing-features

#technology #entertainment #portable

OpenFarm is a free and open database for farming and gardening knowledge: Open-Source is not just Software

https://void.cat/d/R7GjZrwzBehLyY5yB8dwq6.webp

They provide a platform for expert and beginner farmers and gardeners to share their knowledge in the form of Growing Guides - structured, community generated, single-author documents that describe how to grow a Crop based on specific environmental conditions and growing practices. Compatibility Scoring between Users and Guides allows high quality and relevant information to be discovered quickly.

The concept of OpenFarm originated in September of 2013 in the FarmBot Whitepaper by Rory Aronson. The idea was to build a centralized, structured, and open dataset that described how to grow plants based on specific environmental conditions and growing practices. This database would be the knowledge for FarmBot to function, and it was necessary to build from the ground up because nothing like it existed.

They are a global service that aims to break down borders through the open sharing of knowledge, increase participation in the food system, and help everyone become a better farmer or gardener.

They believe that the open sharing of knowledge - especially that for growing food and taking care of our environment - can significantly raise our quality of life and reduce our negative impact on the earth. As a project with openness at their core, they’re striving towards organizational and financial transparency; accessibility of their data and source code; and openness to all ideas, people, and perspectives. Their source code is on GitHub under the MIT license.

See https://openfarm.cc/en

#technology #opensource #farming #gardening

After two years of testing, Cape Town's Golden Arrow Bus Service will go operational with 60 new electric buses per year

https://void.cat/d/NSV6Fm6QKT5kJN16JoS5Kw.webp

Cape Town-based Golden Arrow Bus Services (GABS) is planning to introduce 60 electric buses to its fleet every year starting in 2024 until it has replaced its full fleet of 1,100 diesel-powered people haulers.

After two years of testing both a 37- and a 65-seater electric bus along major commuter routes in Cape Town, GABS’s pilot project has proved to be highly successful.

Initially, the buses completed 7,000km of testing without passengers, with the weight of the maximum number of occupants modelled using sandbags to check whether the vehicles would be able to traverse the mountainous terrain on which they are required to work. The real-life trials showed that the electric BYD buses were able to operate on the steepest inclines in Cape Town, most notably Hospital Bend on the M3.

In addition to the satisfactory driving performance, GABS found that it could save upwards of R657,000 per year on fuel for its diesel buses by switching to electric, as well as achieve a 50% savings in spare parts and 80% savings in oils and lubricants.

Therefore, despite the battery-powered buses being two to three times more expensive than their diesel counterparts, the cost savings will see them paying for themselves within two to eight years, according to a Green Cape case study.

Test after test has shown that bus fleets around the world will benefit from going electric. Buses are the perfect type of vehicle for this use case, as they are depot bound, have known routes and distances, and have a period of rest when charging can be done. Bus fleets also have lots of operational and maintenance data to do proper case studies. And, of course, for commuters, both inside the bus and others in rush hour traffic, the air is far cleaner to breathe.

The facts are, times have changed along with available technology, and the economics are telling us the change now makes sense.

See https://topauto.co.za/features/83106/1100-electric-buses-coming-to-cape-town/

#environment #EV #busses #capetown #airpollution

India, the world’s largest smartwatch market, is getting new smart rings by BoAt and Noise, similar to Oura but likely cheaper

https://void.cat/d/Cr5hpEZgC7TxmMW5jBwRN8.webp

Tech giants such as Apple, Samsung and Huawei have long focused on the wrist. It’s not the most comfortable option for everyone, and it can be challenging to maintain precise tracking through the wrist. Ensuring that your smartwatch fits snugly to obtain accurate data is crucial. A smart ring can be a great solution, however, provided you have the right size.

A finger has access to arteries, which a smartwatch could not reach, Mohit Kumar, founder and CEO of Ultrahuman, which counts iSeed, Steadview, Nexus Venture Partners and Blume among its key investors, told TechCrunch.

“If you go to any medical grade pulse oximetry devices, you put it on your finger. You don’t put it on your wrist. That’s primarily because this is a much better source of data,” he said.

Khatri of Noise agreed with Kumar and said the data available through a finger is way higher than a device can get from a smartwatch. Launching smart rings from BoAt and Noise is expected to bring competition to this nascent space.

The products are not yet launched, but the R&D and work commenced over a year back. Another positive sign is that it is unlikely that the data will sit behind a subscription pay wall (as Oura's latest ring has). I've been pretty impressed with my Oura ring, but it was very costly, and they did send me a replacement ring just after the warranty expired as the battery was suddenly giving out. So I may be keen to test one of these new Indian rings out when they are available. So I'll be watching this space closely.

More competition in the market, especially from India, is going to be good for consumers.

See https://techcrunch.com/2023/08/13/smart-rings-india/

#technology #fitnesstrackers #smartring #India

You can build your own NAS home server and save $100s

https://void.cat/d/6BvpP32Zs8eZcKCNz2Ft2o.webp

Self-hosting your data and services with Network Attached Storage (NAS) is a great way to free yourself from the spiralling costs and tangled web of subscription fees. Whether you’re simply looking to back up your photos or stream 4K movies on your travels, there’s a wide range of products to pick from, but not quite so many to suit all budgets.

If you’ve been tempted by one of the best NAS systems but are put off by the expense or lack of gradual upgrade paths, building a cheap DIY NAS could be a better alternative for you.

I have a mini-PC running OpenMediaVault at home, with two external notebook drives (they power off USB power). OpenMediaVault runs a daily backup which copies data from the primary drive over to the second drive. It's not fancy, but it offers a couple of home-hosted services that I run inside the house, as well as an Nginx Proxy Manager service that securely manages any external connections from the Internet.

The only downside is that the combination of LAN network, mini-PC power, and externally connected drives via USB, means that it has been too sluggish for me to do proper desktop backups over the LAN to it. Maybe I must try tuning it again, but this is a potential bottleneck if you wanted to back up hundreds of gigabytes of data. Still, it is highly functional, and I find it very worthwhile running. All my self-hosted services are running in Docker containers under OpenMediaVault.

So, as the article says about some options, you can go extremely budget, or if you pay a bit more, you get more functionality and speed. Off-the-shelf NAS hardware is a great way to get started, especially if you’re limited on time. But hopefully, this guide will convince you that a self-built PC or Mini-PC/DAS setup is a great way to take control of the setup yourself. Plus, it’ll cost you significantly less and net you a lot more hardware than a Synology or QNAP.

See https://www.androidauthority.com/cheap-diy-nas-server-3348392/

#technology #selfhosted #NAS

Omnivore is an excellent open-source read-it-later alternative to Pocket, that can be self-hosted as well

https://void.cat/d/D9Q1HhvMWPhSbUCd8Tmy2v.webp

I use read-it-later services extensively to save any news I want to do blog posts about later, or something I want to look at in more detail when I have time (and three monitors).

I had been self-hosting Wallabag for quite a while, and did a video about it too, but I had some issues re-installing it when I moved to Docker container hosting on my VPS.

Omnivore certainly looks very interesting, with a modern interface and quite a few useful features. I'm starting so long with their free cloud hosted service, and could register with ease, and even initiate an import from Pocket. They do have a docker-compose file for setting up containerised self-hosting, but I'm going to wait a bit just to see if that matures a bit, as it seems it is early days still and no proper guide has been completed yet for it.

Apart from the usual saving links for reading later, with tags, archiving, etc, it also supports a clutter-free reader view for easy reading without adverts. In the reading view you can also change formatting, highlight text, add/view notes (in a Notebook view), and track reading progress across all devices (each note also shows a yellow progress line on its tile view to indicate reading progress).

It also has a feature for subscriptions via e-mail. Omnivore can generate unique e-mail addresses you can use for subscribing to online newsletters, and it is intelligent enough to realise that if a mail contains a welcome message, a note from the author, etc., that will be forwarded by Omnivore to your main e-mail address (without exposing that to the newsletter service).

It also has integration with Logseq, Obsidian notes, webhooks, and more.

You can save links by adding them in the app, using a browser extension, or by using the share option on mobile devices and just selecting to share to the Omnivore app.

There is no price model yet set up for the service, but I'm pretty sure they'll have an ongoing useful free tier with their online service, and probably only charge for some more advanced functionality. There is always the self-hosted option too. But for now, this looks very functional and useful to me, and I've started using it.

See https://omnivore.app/

#technology #opensource #productivity #readitlater #bookmarks

Cult of the Dead Cow releases Veilid: A secure open-source Peer-to-Peer network for apps that flips off the surveillance economy

https://void.cat/d/Dsb3vu7HDsgJpzCss6Do1j.webp

DEF CON Infosec super-band the Cult of the Dead Cow has released Veilid (pronounced vay-lid), an open-source project applications can use to connect up clients and transfer information in a peer-to-peer decentralized manner.

The idea being here that apps – mobile, desktop, web, and headless – can find and talk to each other across the internet privately and securely without having to go through centralized and often corporate-owned systems. Veilid provides code for app developers to drop into their software so that their clients can join and communicate in a peer-to-peer community.

If an app on one device connects to an app on another via Veilid, it shouldn't be possible for either client to know the other's IP address or location from that connectivity, which is good for privacy, for instance. The app makers can't get that info, either.

The framework is conceptually similar to IPFS and Tor, but faster and designed from the ground-up to provide all services over a privately routed network. The framework enables development of fully-distributed applications without a 'blockchain' or a 'transactional layer' at their base.

To demonstrate the concept, they have published the code for a chat app called Veilid. Veilid is designed with a social dimension in mind, so that each user can have their personal content stored on the network, but also can share that content with other people of their choosing, or with the entire world if they want. The primary purpose of the Veilid network is to provide the infrastructure for a specific kind of shared data: social media in various forms. That includes light-weight content such as Twitter's tweets or Mastodon's toots, medium-weight content like images and songs, and heavy-weight content like videos. Meta-content such as personal feeds, replies, private messages, and so forth are also intended to run atop Veilid.

The easiest way to help grow the Veilid network is to run your own node. Every user of Veilid is a node, but some nodes help the network more than others. These network support nodes are heavier than the node a user would establish on their phone in the form of a chat or social media application. A cloud-based virtual private server (VPS), such as Digital Ocean Droplets or AWS EC2, with high bandwidth, processing resources, and uptime availability is crucial for building the fast, secure, and private routing that Veilid is built to provide.

The interesting thing for me here is that usually with peer-to-peer client apps, they need to know, or be able to discover, the IP addresses of other P2P client apps in order to connect over the Internet. This is obviously a major privacy issue, but without it being able to happen, a P2P network cannot be established. So, I'll be interested to read more about how they have solved this in a workable manner.

Peer-to-peer networks have always been the most censorship resistant, full ownership of identity, etc, but the downsides were the IP address advertisement, the difficulty of finding anyone else on the network, and often having a separate identity for every device. The closest I've seen so far in addressing the shortcomings has been the Nostr protocol. So, I'll be following discussions on Nostr about this to get a better idea of how Veilid compares with Nostr.

The questions really for most will be, how easy and practical will Veilid be for average users to use, and how will it fit in with the W3C standard declared for social networking (will it be yet another extra social network).

See https://www.theregister.com/2023/08/12/veilid_privacy_data/

#technology #socialnetworks #privacy #Veilid #P2P

Both the TETRA radio and Microsoft Azure Cloud vulnerabilities are 'Negligent Security Practices' and 'Security Through Obscurity' is not secure

https://void.cat/d/Wk9tejC62rZa8R4JRdaGWt.webp

Listening to Steve Gibson's feedback today on the Security Now podcast #934 made me realise that both companies knew about the vulnerabilities but were extremely lax about doing anything (probably both trusting in their security by obscurity). Both also put government data and communications at risk globally.

It's yet again a lesson on two fronts:

1. Obscurity is no good defence against, especially, state-level actors. The same goes for proprietary encryption algorithms. You actually require transparency and interrogation around what is used, and re-inventing the wheel yourself is risky. The same goes for security backdoors, as they're going to become known at some point.

2. There needs to be some legislative requirement for companies to urgently declare vulnerabilities, and to patch them. In both the cases here, months went by without any action.

Maybe both these companies are just too big, but it also goes to show that bigger, or more secretive, is just not better. I suppose both don't want to risk their global government business, but this could actually have put lives at risk.

Security through obscurity is no reliable strategy, and should again be a warning against those who think it is fine to have a security backdoor just for governments to use. It's a bad idea. You either have security, or you don't. There is no such thing as 80% secure.

The Microsoft case is highly embarrassing, and it is no wonder that the US is going to try to investigate it. All the noise about Huawei, and the real problems were right in the US's own backyard, committed by US companies. All products need the same levels of scrutiny, no matter what country they belong to. Intention and negligence can often amount to the identical consequences.

With both these vendors now, we've also seen their technology being peddled to non-allies of the US, so that the vulnerabilities could be exploited. It's also a lesson to other governments to be very careful about what promises are made, and to remember even your 'allies' are not your friends. It is no wonder that the BRICS countries all wanted to implement their own operating systems for use across their governments (mostly self-compiled and localised Linux distros). Now we know why...

And of course, with some of Microsoft's products, once used, it may not be easy to actually switch to someone else (which is, in itself, possibly part of the problem on both sides). How does the US government actually carry through any threat not to use Microsoft? The cost, and time, to move off Huawei network hardware would pale into insignificance.

This is why security standards, interoperability standards, etc just cannot be compromised on. The standards need to be enforced no matter who the vendor is. I have myself seen standards being bent, where it is better just to say you won't procure the product in the name of 'modernisation'.

See https://www.grc.com/sn/SN-934-Notes.pdf

#technology #security #vulnerabilities #openstandards