, also the firstlook/intercept...

Shelley shelley at
Fri Oct 2 15:01:10 PDT 2015

[Random snipping ahead to reply inline while on my mobile, apologies]

On October 2, 2015 7:35:19 AM Lodewijk andré de la porte <l at> wrote:

[Georgi]> btw, does rowhammer escape VM? (appears to me yes).

I think it does, but I've not done enough testing on my own to be sure.

> You know, a webpage is supposed to be in a VM too.

Yep, agreed.  I meant that I also use VM on my crappy airgapped box, even 
though it doesn't matter as much as my other boxes of importance or 
networked laptops etc. VM should be pretty standard security fare, and yet 
nothing is 100% secure.  We do what we can, adding layers so that it may 
slow down any threats.  There is no way to be absolutely secure, it's a sad 
fact of modern life. But we don't have to make it easy for the bastards, 
you know?


> Which relates as to why I lost a lot of personal photos; I didn't use the
> cloud backup feature. Now nobody has my pictures, except maybe whomever
> stole my phone* =(

Automated TiBU + weekly manual backups of media to external drive?  That's 
what I do; couldn't pay me to use a cloud backup.  Same as with people 
complaining about the first Blackphone not having access to GAPPs/ Google 
Play (...seriously?), do u even sideload bro?  Do it regularly when you're 
managing your other data backups, it's quick and painless after the initial 

> Using one of those file hosting sites provides a greater level of
> convenience. Perhaps so much greater that without that level of convenience
> it would hardly be possible at all.

I'm surprised to hear that come from you.  I've never used a cloud backup 
and the most I've ever lost is a day or two's worth of data/ media.  I have 
redundant backups.  It's not difficult (it truly isn't, I'm not trying to 
be snotty.)

> The consumers don't care to invest in
> security very much, in fact, hardly at all.

Do you mean the same lusers who broadcast the fact that they're on vacation 
all over Failbook, post photos with GPS enabled and are then surprised when 
their home is burglarized?

> * full disk crypto is not a thing in androidland ;(

Sadly, it's not a "thing" anywhere right now.  Not when EC has been 
intentionally weakened, etc.  Hell, even if crApple did have true full disc 
encryption, I wouldn't use their closed source crapware.

> tl;dr: javascript could be fine if we'd have secure software - as it is
> HTML/CSS/images/videos/etc are all also dangerous. Top level security seems
> (and often is) useless - therefore we don't really have it (even when we'd
> like it so very much) unless we keep ourselves from essential features.

"Essential" is very much a subjective term.  I don't mind most of my web 
browsing experience looking like plaintext (in fact, I much prefer it.)  
However, I understand most people do not want to use the web in that way.  
We all make concessions we consider acceptable, sacrificing 
privacy/security for convenience.  I'm guilty of it, too.  Anyone with a 
smartphone and a credit/debit card is as well.

