I think that's because email, fundamentally just isn't very secure.
Lots of email servers support fallback to non-encrypted, plaintext transmission, which can expose entire chains of replies to MITM attacks with a single message being routed questionably. [0,1,2] End-to-end encryption, via user-defined keys is actively discouraged by those who might assuredly know better, and be in a position to change minds. Usually, the cop out comes in the form of "too complicated for non-technical/less-technical users, and thus potentially harmful to profits."
As if to say, we've been espousing the use of an insecure method of communication for decades, so, to suddenly reverse our position, and encourage bring-your-own-encryption might provoke discussions of liability, or something. Nevermind, the premise of ad tech and scanning user messages, to sell data.
But you know, running your own server, and hiring people who can't be bothered to go deeper than using word art in MS PowerPoint slides, well, hey. Bring a horse to water... know what I'm saying?
PGP is easy to use. At this point, I'd like to think people are fatigued enough by the bottomless pit of nightmares we've fallen into, that they'd step up and tell people: yes, people are using SSH keys and SSL keys billions of times a day. It's okay to use PGP on your email. Go ahead, start doing it.
Or, you know, whatever. Lose another election. Right?
PGP addresses literally none of the operational security problems congressional campaigns have. No matter how you protect individual emails, for most users (and probably every single congressional campaign staffer) your email account is still the most important account you have, the key to every other account you control. And PGP doesn't do a thing about incoming emails with malicious attachments.
People think PGP is important for campaigns because they want it to be important, not because there's any empirical evidence that it is important.
Wow, so, you really believe that asking people to lock up their important messages to you, using a public key that you've provided through a verified, alternate non-email channel really won't work?
PGP actually does do something about incoming email attachments. It offers the opportunity to programmatically reject anything that is non-encrypted ASCII text, and renders malicious files as non-executable ASCII text, when such policies are properly enforced. At this point, the promiscuous user is protected from delving deeper into emails. The server can effectively isolate attachments entirely, by proxying mail delivery, and refusing to decrypt attachments automatically. This would further defend against account compromise, through practices that require special handling of attachments. Email then becomes a medium of communication, rather than file transfer, and file transfer is pushed to other protocols and applications.
Sort of like a point-and-call policy. Forcing a user to cognitively jump through hoops to discover the contents of an attachment, when they should really be using email for the exchange of messages with humans, or automated control messages, such as multi-factor auth. Doing something like this limits email to character data only, rather than interpretable instructions. You know, much in the way we don't execute JavaScript from an email context.
We've banned this account and numerous others. It's a violation of the site guidelines to use HN that way, especially when the accounts are used also to break the site guidelines. Could you please not do this?
PGP is so easy to use that the first day I attempted to configure it, I accidentally emailed my friends my private, rather than public, key.
I await the day that a great PGP client for everyone might emerge, but I'm not sure that it is possible, nor am I certain that people will want it. There is substantial utility involved in letting Google read all of my email for spam/malware filtering and more.
Yeah, there's no accounting for glaring cluelessness. Leaving S3 buckets open to the world, and totally unencrypted, for example. Downloading and running *.exe email attachments, destroying systems with ransomware, and so on.
Encryption can be its own foot gun. It can aid attackers, by totally destroying evidence that might exonerate you from being framed for other crimes. It can cost people dearly, in terms of lost data. Consider how many people have lost old bitcoin wallets, containing small fortunes, and similar tails of woe.
But look at how that plays out. A dropped bitcoin wallet, gone forever. The failure mode of something like that is often a better look than things going the other way. Imagine that same bitcoin wallet getting stolen, and seeing the thief profit from it. Sort of like watching elections get stolen, no?
So, think about that, the next time you warn someone against forcing you to exchange PGP keys, in order to communicate more securely.
U2F keys were invented in part because the glaringly clueless employees at Google were routinely shown to be phishable. People who dismiss phishing as a threat vector betray a lack of understanding of how difficult it is to mitigate reliably.
I always turn on 'tap to click' on my trackpad so you can tap anywhere to click, and two finger tap to right click. I haven't missed physical buttons since getting used to this. Is there a particular use case that the physical buttons are better for? I can imagine gaming at least.
On most devices tap-to-click is on by default. It’s always the first thing I turn off. I have always found it completely useless and it turns incidental touches into accidental clicks. “Oops, guess I sent that email.”
This isn’t relevant to the parent’s complaint, though. Without dedicated buttons, you’re relying on the driver to distinguish between a one and two finger click. That detection, even on Apple devices, is noticeably imperfect for reasons I don’t understand. (Click “anywhere” was solved by Apple with their haptic not-actually-clicking trackpads that are pretty awesome.)
I didn’t love the massive size of the new trackpads but it took me all of 5 minutes to adapt to the click. Happy to trade off a real click for click-anywhere behavior (and potentially better durability). Although I found the trackpad didn’t actually click well along the right edge. No idea what that was about.
This is probably a personal preference thing. It's always the first thing I turn off too, even on linux. No amount of tinkering with the settings ever got me to a "sweet spot" where I'm not accidentally clicking things.
This is by far the best setup for the trackpad. Ever since discovering 3-finger drag, I can't live without it. I don't understand why not everyone uses it, and why Apple decided to move it from the main settings screen to the accessibility settings.
Absolutely this. It is hands down the best possible set up for a trackpad. I like this so much that I actually bought a Magic Trackpad so I can do these things when I’m plugged in to my main desk setup.
I never use the Magic Trackpad though. It’s the best solution if you have to use a trackpad. A real mouse is still just plain better.
I did the same, bought a magic trackpad and preferred mouse. But I think the problem is placement. Keeping trackpad to the right of keyboard somehow makea it harder to use for me.
I use my laptop exclusively now and even on a desk I don’t use a mouse. The trackpad is fantastic on the new MBPs.
On MacOs, it's not possible to tun off the tap-to-drag release delay. So you may often end up dragging stuff around even after you think you're done dragging. The physical button helps ensure you get it right when you really need to (so the use case for the physical button is a workaround for the wonky software).
Is there a particular use case that the
physical buttons are better for?
EVERYTHING.
Every time I need to create a new folder. Every time I need to copy and paste. Every time I need to see additional information about a file. Every time I need to inspect an element on a web page. Every time I need to move something off my desktop. Every time I want to open in a new window.
Every time I want to do ANYTHING involving a right-click for a context menu WHICH IS ALLLLLLLLLL THE TIMMMMMMMMME.
Tap-to-click, and two-finger context click, are both unacceptable. They result in accidental clicks, and accidental context menus on scroll. Adding any gestures to most track pads results in accidental gestures, and chained combinations of unintended actions. I turn them off.
Not even Apple? That made me laugh. As best I can recall, Apple is to blame for no one having them. Apple introduced no buttons on their models and other manufacturers followed.
Since this article is about a Lenovo laptop, I'll point out that some Lenovo laptops (typically the big ones) still have physical left and right buttons for the trackpad. (I prefer their TrackPoint pointing sticks to trackpads myself, but that's a whole other discussion).
I have a Yoga P40. It's a great machine. The CPU, RAM, and SSD are very fast: I can compile heavy stuff in a blink. The HDPI display is gorgeous: I can open it 180° or 360° and sketch or paint on it with an active pen. The keyboard is not bad. It's not mechanical, but it doesn't tire my hands as others do.
But the one thing that drives me nuts is the buttonless trackpad. This thing is utterly unusable. I've been trying everything: pushing it down with the finger that's doing the tracking; using another hand to use the trackpoint buttons; using the trackpoint itself... it's no use. Clicking on the odd link is ok, but doing any precision selecting, dragging or drawing is useless.
I used to be able to draw freehand with a good trackpad and a separate button under it. Now I struggle to drag a file over the right folder.
In hindsight, I should have bought an older model with actual buttons. This huge disadvantage trumps all the other benefits.
Are you refering to the trackpad that doesn't have buttons, and the whole trackpad moves down when you click?
If so, I have a Lenovo Yoga laptop that did that too. I bought a regular trackpad from the same line off of eBay and swapped it out myself, it was quick and easy. I recommend doing that.
Yes, I'm referring to the whole trackpad that moves up and down. I have separate buttons for the trackpoint above the trackpad, but I cannot use them with my thumb. The whole layout has been driving me nuts!
I actually really liked the way Apple handled it on their 17 inch macbook pro. It had one physical button at the bottom of the trackpad that stretched the entire width of the trackpad. If you wanted to right click, you put two fingers on the trackpad and clicked with the thumb. It worked great.
Unfortunately, their first attempt at the magic trackpad worked poorly in that regard. I could never get the right click to engage reliably like I could on the macbook pro.
In the atmospheric climate context, possibly. But if we optimize only for that, is there not a potentially serious trade off in the likelihood of irresponsible disposal?
Honor? No, it's based on cold, hard cash; you charge upfront a fee (as if the person had dumped it illegally), then refund that fee if they properly dispose of it.
Lots of email servers support fallback to non-encrypted, plaintext transmission, which can expose entire chains of replies to MITM attacks with a single message being routed questionably. [0,1,2] End-to-end encryption, via user-defined keys is actively discouraged by those who might assuredly know better, and be in a position to change minds. Usually, the cop out comes in the form of "too complicated for non-technical/less-technical users, and thus potentially harmful to profits."
As if to say, we've been espousing the use of an insecure method of communication for decades, so, to suddenly reverse our position, and encourage bring-your-own-encryption might provoke discussions of liability, or something. Nevermind, the premise of ad tech and scanning user messages, to sell data.
But you know, running your own server, and hiring people who can't be bothered to go deeper than using word art in MS PowerPoint slides, well, hey. Bring a horse to water... know what I'm saying?
PGP is easy to use. At this point, I'd like to think people are fatigued enough by the bottomless pit of nightmares we've fallen into, that they'd step up and tell people: yes, people are using SSH keys and SSL keys billions of times a day. It's okay to use PGP on your email. Go ahead, start doing it.
Or, you know, whatever. Lose another election. Right?
[0] https://en.wikipedia.org/wiki/Email_encryption
[1] https://blog.filippo.io/the-sad-state-of-smtp-encryption/
[2] https://security.stackexchange.com/questions/51552/how-insec...