The paper is open access, any reason to not link directly? https://www.nature.com/articles/s41586-020-2649-2
I’m a fan of linking to the paper, but the NumPy team have added more tweets with more accessible information and TL;DR to that thread. This helps give even more people an overview, whilst those that desire more detail can still dive into the linked paper.
I personally use zenburn (Screenshot)
I don’t understand the popularity of Zenburn; it is really hard to see for me. Does anyone else experience this?
I have a strong preference for zenburn, but in spite of regularly searching for replacement themes, my eyes seem to find zenburn the most pleasant. I have not been able to determine why.
I would also be interested if anyone were to come up with a plausible hypothesis. (at least solarized has some sort of perceptual story to it :)
zenburn is pretty nice, though somewhat muted. Monokai is a clean and readable theme if you like it a little bit less muted.
That’s the whole point of themes. Everybody can get what they want/need. Zenburn is totally unusable for me - I need a super high contrast theme.
I like the Deeper Blue Theme which I find to have good contrast and high readability for my crappy vision :)
After some years I found myself preferring light themes and at the moment I’m settled with spacemacs-light (which works even if you don’t use spacemacs).
I really like it, but agree that it’s too washed out — so I just shift the background colours down a notch to a darker version with more contrast. Specifically, in Emacs:
;; Override zenburn's background palette before loading the theme.
;; Each entry is (colour-name . hex); the values below are one step
;; darker than the theme's defaults, giving more contrast.
(setq zenburn-override-colors-alist
      '(("zenburn-bg-2" . "#000000")
        ("zenburn-bg-1" . "#101010")
        ("zenburn-bg-05" . "#282828")
        ("zenburn-bg" . "#2F2F2F")
        ("zenburn-bg+05" . "#383838")
        ("zenburn-bg+1" . "#3F3F3F")
        ("zenburn-bg+2" . "#4F4F4F")
        ("zenburn-bg+3" . "#5F5F5F")))
;; Load the theme without the confirmation prompt.
(load-theme 'zenburn t)
Great. Now I have a certain song stuck in my head.
Exactly what happened to me. That was evil, cvoxel. A DOS attack on Lobsters' brains. :P
I’m always happy to have been of service! ;P
The author neglects, as many do, to mention the main reason for this and similar developments: the users don’t care and will not spend money on secure phones. The author also doesn’t mention there are suppliers of secure phones. Here’s a few for Android:
They cost a lot of money but mainly due to low volume. Brings us right back to the original point. They mention in the article that hardly anyone is putting security software on their mobile phones despite all the risks. There’s actually tons of vendors that go way past antivirus. Basically nothing spent. The manufacturers sell people what they will actually purchase instead of what they’re said to need. Almost all vendors of secure cell phones and alternative OS’s without huge app ecosystems went out of business or were acquired. They were punished for it. So, the manufacturers therefore shouldn’t give a shit about anything except what sells. Capitalism 101.
People on the demand side need to demand, with cash ready, for a vendor to differentiate on basic security with steady, fast updates. An initial experiment might go further with suppliers taking the lead in a low-risk way. That would be to offer updates and maybe basic security apps for a monthly fee that’s reasonable. Similar to what people already pay for PC security software. That should cover the cost of developing and deploying infrastructure to patch all their images. They can even make some money off it. If customers don’t go for that, they shouldn’t give them shit because anything else will just be a loss on the manufacturers' end.
I’m for sane regulations or liability on software. Meanwhile, we have a market-driven system where users don’t care about security in practice. They rarely pay for it. They’re getting what they’re paying for.
The cheapest of those phones is $600+ with the second cheapest being $1000+. Getting past the price-volume catch-22 is almost impossible.
For the largest part of Android’s user base, those prices, and even a quarter of the cheapest offering, are out of reach, and this is why I did not mention it. For many users, $50 is already a stretch (think outside of the US) and expecting them to pay even more for security when there are cheaper alternatives is going too far. You can blame the users if you want, but that’s not going to help solve the problem.
As I mentioned in the post, what has a real chance of improving things is Google playing a much larger role in forcing manufacturers (and carriers!!) to keep phones up to date.
“For many users, $50 is already a stretch (think outside of the US) and expecting them to pay even more for security when there are cheaper alternatives is going too far. You can blame the users if you want, but that’s not going to help solve the problem.”
It’s a fair point but kind of a cheat. You’ll actually get more insight looking at other end of market. For many users, they can afford the $600-3000 to have at least one private communications, storage, and/or computing device. This is everyone upper-middle class on up. Plus execs, I.P. makers, marketing, etc for midsized and up businesses that can have business cover it. Plus government sector dealing with secrets under TS/SCI. That the many solutions available for this sell so low that they don’t show up in mainstream publications shows even this group barely cares about securing their devices vs Blackberries or iPhones as status symbols. This group is also smart enough to know better about value of privacy & has people coming after them specifically. Still little uptake although Cryptophone’s sales show a subset of them are wise. :)
Next we look at the other end of the market. They can’t afford cryptophones. The volume catch-22 might be impossible as you said. Is there demand, though? We can look at apps instead of phones as there are private alternatives to a lot of them easily found with Google searches. Market share indicates almost nobody uses them. Even secure messaging that was usable, free (Signal), or cheap (Threema) hardly got uptake vs Facebook or WhatsApp. Same with storage with them defaulting to whatever came on the phone or using a free service without much privacy like DropBox. Same for files on the phone. No demand in mass market = no reason to do anything for them. Whatever demand is there is tiny.
So, what to do? Answer is actually simple. I mean, Mr. Murphy tells us the simple things are always hard but it’s simple. Users buy what they think is cool, has great cost-benefit, necessary, useful, etc. iPhones were cool/beautiful, Androids were like cheaper iPhones, Blackberries had great enterprise integration + management, Windows Phone had some of the support of Microsoft’s ecosystem, SymbianOS had… each of these things had a reason other than security to be successful in the market. Likewise, all the consumer gadgets, virtual/server appliances, SaaS apps, etc. The simple model is to build one of those that just incidentally does security right on the inside and operationally on the supplier side. It becomes an extra differentiator they probably don’t give a shit about but at least you’re doing your part as an ideological supplier. Can also use yourself as a benchmark in media against big players showing how apathetic they are.
What you won’t do is convince people to buy secure phones. Not 90-99% of them. Still narrowing down the exact number. Building products and services that bake security in from the start with a guarantee that will continue (eg in charter, EULA, and/or acquisition terms) is best bet. I mean, it might be as simple as a nice-looking phone with good specs, a promise of no spyware, no bloatware, Advanced Task Killer etc for power-saving, and extra benefit of weekly to monthly updates. Throw some kind of paid, monthly service on top of it like automated backups of contacts and photos (include “you know the ones”). Anything to keep revenue in for a product they want as security cost extra and you’ll need the revenue to survive while trying to change the mobile world.
Note: You’ll learn more about getting secure phone sales on Barnacl.es than here. Just a tip. ;)
BlackBerry’s Android line (PRIV, DTEK50, DTEK60) gets monthly security updates. The DTEK50 is US$229 (it’s a slightly modified and rebadged Alcatel Idol 4). Although I don’t know what the update lifetime for each device is.
Fairphone 2 gets monthly OS updates as well. Even the Google-free OSS version does: http://code.fairphone.com/
Awesome tip, thanks!
Do you have any Blackberry source I can link to concerning their security update policy?
The best I can find where BlackBerry themselves are specifically talking about monthly updates is this post, which is specific to the PRIV but was from before the DTEK ones were released.
Anything else official is just vague marketing things where they say they’ve been fast at getting updates out.
So in practice, the updates are happening, but they don’t have any official policy for them. At least not anywhere that I can find.
I added your tip to the end of the post: https://cpbotha.net/2016/11/27/android-security-in-2016-is-a-mess/ – thanks again!
I’m currently back in the lovely tiled arms of i3wm.
I really appreciate the tiled window layout approach, but i3 also plays nice with dialog windows, and it has an explicit floating mode for when you really need it. At work and at home I use a Dell Ultrasharp IPS with 2560x1440 resolution.
i3 as well. The thing I like about it, over other tiling window managers I’ve tried, is that layout is manual: you can decide on the fly how you want windows laid out, rearrange them, restack, etc instead of having a single hardcoded layout that everything goes in.
I also use this tool by fellow lobster @cmhamill to get wmii-like dynamic workspace tagging. Just using numbered workspaces, I frequently tend to run out.
(I migrated to i3 over wmii, which is similar but a bit more restricted, mostly for a more elegant internal model and support for a small handful of additional window manager hints. There is something (several somethings, really) to be said for the fact that wmii’s event loop is literally a shell script, but I wasn’t making any use of the capabilities. i3 supports massively more sophisticated layouts than wmii, but the interface makes my brain hurt, so in practice I don’t use them much.)
i3 for me too. I am interested to see how things evolve; I’m running Fedora which is shaping up to make a move to Wayland; others will almost certainly follow. As I understand it i3 doesn’t currently support Wayland, so it’ll be interesting to see if the maintainers make the port, or if Sway will become the replacement.
Either way, I love i3.
It’s going to be interesting to see what happens with tiling window managers and Wayland, since from what I understand applications under Wayland are going to be drawing their own window decorations, which conflicts pretty hard with tiling WMs.
It’s a lot more complicated than that. The Wayland-aware applications (some Qt versions and some GTK versions) can be forced to ignore drawing decorations, and a lot of applications run from XWayland which is “all of the Xorg server inside a .so and some conversion” that follow the old model. THEN you have unstable protocols that extend Wayland, like the one used by KWin that says ‘no, decorations should be server-side’. A rant from the WLC developer (that provides most of the compositor implementation for Sway):
i3 for me as well.
It hits the sweet spot between being customisable, yet having sensible defaults and having the ability to completely fade away into the background so that I don’t have to think about it at all on most days.
At work I’m on OSX, but at home I can’t get away from i3wm. So good. It’s so good I’m considering reinstalling Ubuntu over my MBP just to use i3wm as a daily driver.
i3wm too, running it on Arch Linux on my ThinkPad and desktop computer. I’ve seen some videos on customization but I feel like I’m just scratching the surface. I use a model M on my desktop so I’m thinking of reusing an old foot pedal I found to emulate the Windows meta key.
I really want to like i3, but the default keybindings interfere with emacs keybindings. Haven’t decided yet if I want to use evil mode in emacs or overhaul the i3 keybindings. Has anyone else found a nice solution to this?
It lets you choose your own meta key as a part of setup, is that enough to prevent interference?
I am a heavy Emacs user. In my i3 configuration, I configured windows key as the $mod key, so there are no conflicts between it and my emacs. (I know some people bind windows-key in their emacs. I am not one of those people.)
I gave it another try with super/windows-key as $mod, and so far I’m loving it, it really does “fade away into the background” as Todd says below. Spent some parts of the day tweaking, I really love the simplicity, so far no compatibility issues (Debian stretch with Gnome).
i3 as well for a couple of months now. Before that I had been running XFCE for a very long time, but I’ll probably stick with i3 for one reason, that workspaces don’t flip on all monitors when switching.
I’ve been using StumpWM for a while. I can get by with others (i3, xmonad, spectrwm), but Stump works the most like what I want on a dev system.
I finally settled on StumpWM as my window manager of choice as well. It also counts as my “desktop environment”, which means no notifications and such. It really helps to keep me focussed on things.
My only quibble (and a self-inflicted one) is that I got used to C-t as a prefix key and use it in tmux as well, so I have to “double tap” it when using tmux inside StumpWM. I can’t find another prefix key I like. This is such a first-world problem that I really shouldn’t be complaining about it…
I used Alt-Space and that seemed to work well. It’s reminiscent of Mac’s Cmd-Space to bring up Spotlight. Another option is Ctrl-o because it doesn’t interfere with any default emacs keys.
C-o is open-line which I use all the time, but Alt-Space is worth a try. Maybe my first-world problems are solved. ;-)
Fortunately I was able to keep C-t for stump, C-b for tmux (it’s easy to type on the ergodox), and C-x for emacs.
The one thing that gets me when I use !stumpwm is that C-t C-t now opens two tabs.
I was evaluating StumpWM at some point (I’m an emacs addict, so there’s the lisp connection) and stumbled across this old demo: https://youtu.be/tKt_rVO960Q – just listen to the guy’s voice! (it’s super suave)
I’ve had StumpWM running around the clock under FreeBSD/SBCL for the past 3 years. As stable as an old client’s VAX!