Posts by Ben Tasker

Yeah, but then you wouldn't have been able to award a £260m contract to people you know in order for them to suffer from Not-Invented-Here syndrome and piss about with approaches that everyone else already know don't work.

The aim wasn't just to get a working app - that's easy - it's to get a working app whilst filling their mates pockets. Embarrasingly for them though, turns out their mates are as incompetent as you might expect from people who's work seems to be solely derived from knowing the right people

Re: Um...?

> but there's a restriction in that you have to have lock screen security turned on.

And will get a permanent notification in your notification bar saying something along the lines of "network communications may be being monitored".

A long standing issue that Google, frankly, couldn't give two short fucks about - https://issuetracker.google.com/issues/36984301

If you're going to install additional certs on Android, the only real solution is to root the device

Re: Paper trails...

I had a boss who _really_ had it in for me - to the extent I was put on paid suspension on some made up charges that, unsurprisingly, later fell through (I've written about it previously).

Anyway, one of the things they did was pore over my attendance, hoping to find some form of unauthorised or unexplained absence.

BINGO. They managed to find a date where my sheet said I was on leave, but the HR system had no record of leave on this date. Could I please explain why I'd not correctly recorded my leave for this date?

So, in the meeting - with her boss present too - I produced the email where I'd checked with her about being off that date, and she said *she* would enter it into the HR system. I accompanied that email with a brief comment about how it was my understanding that a subordinate shouldn't need to check his manager had completed their tasks correctly.

Didn't go down very well.... She *really* had it in for me after that

Re: Identified Root Cause

The flip side though is that without automated updates, users don't voluntarily keep things up to date, meaning they miss out on security fixes.

But, I share your frustration, I don't want my UI fucked with *again* just for the sake of it.

Re: What's the difference between Mi Browser and Google Chrome?

For one, I don't think Google have ever said "no they're wrong, we don't collect that". Their response seems to be more "Yeah we do, it's in the terms, piss off" than "fake nooos".

Also, Google actually tell you that Chrome will collect stuff, and they don't send full urls back

Xiaomi's issue here is derived from so much more than what their browser was doing. Their entire response to it has been utter shit - read their blog post (linked to in TFA), it's waffle that completely avoids the thing at issue, when it's not outright contradicting itself. It's that response which has blown it up into a brouha - had they said "yes, shit, we'll fix this" then there wouldn't have been nearly the same shitstorm.

Instead they went with "the people who found this are wrong"

Re: Correction

Because private secrets never get leaked?

If spooks are hitting up a privately held database, it doesn't matter whether that private company considers it a secret, it's still more likely that information will leak than if the database is held by the spooks themselves.

The only way for 3 people to keep a secret is if 2 of them are dead etc

Re: @Whitter

> and a justice system not dealing with criminals.

Ah, another service that is massively underfunded for the demands that are being put on it. And that's before we consider Grayling and his "improvements".

Yeah, I found it too heavy-handed too, so I've moved it into a VM so that I can control the resources available to that and stop it impacting me while I'm working.

Looks like I've got a *lot* of catching up to do though.

> Perhaps the OP found the terminology a bit dumbed down?

Exactly that.

Re: SMS is U/S for 2FA

> but I'd rather use an app as the second factor than a card reader.

Same.

One of my banks (I suspect same as yours) uses a card reader. When they introduced that they stopped being my primary bank because it just became too much of a hassle vs having a little code generator (as I have with another bank). I think they've actually scaled back how often you need the reader now though.

The (growing) issue I now have is banks who've taken their code-generating app and made it a full internet banking app too. I don't want that shit on my phone, I _just_ want the code generator (or better yet, for them to use TOTP so I can use my app of choice, and have just a single app)

> I'd be more open to DNS over HTTPS if there was actually a number of resolvers people could run on their own equipment. Last I checked I haven't seen any (one recent forum thread on the topic here someone pointed me to a product but it ended up being a simple proxy to an already existing DoH provider, not capable of serving DoH from say a local BIND installation).

It's perfectly possible to run your own DoH Server. The post covers a few options for how you handle the back-end, but the base principle is

- Get the DoH terminator up and running

- Configure it to forward onto the resolver of your choice (which may well be a local BIND instance)

Personally I've got it forwarding into Pihole (for ad filtering), which then sends into Unbound (because I have some additional config in Unbound format). You can just as easily _just_ use Pihole, or install BIND etc.

I do fear the number of end user issues encountered as a result of split DNS on vpn systems where resolving some host externally results in a different address than internally and that behavior being intentional.

You _can_ address that to a limited extent where you're running your own DoH server. Basically, you need 2 and need to split-horizon those too. The internal one returns the VPN/local addresses, the external one the external addresses.

I've not done as much with that though.

Re: Internet facing database?

A place I rented a while back had a convenant on it saying you couldn't have a rooftop aerial.

The reason was there was a community aerial, with the cable run and maintained by Virgin Media.

It had broken 5 years before, and Virgin never fixed it despite many complaints/reports over the years.

You might be unsurprised to hear that this led to them getting the princely total of 0 customers when they tried to push their cable/internet services on that particular road.

Virgin Media are, and always have been, completely and utterly crap. They entice you in with sweet offerings, attempt to lock you in, and then leave your services to rot for as long as they think they can get away with.

That they'd have done the same with a database is no real surprise

Re: "Please let it be a joke"

Convenience?

Come back when they're self lighting.

Re: Seems Optimistic

If your code relies on this module and you can't replace it in one full year or so then I think the problem is with your resource management.

You could say exactly the same about Python 2 <-> Python 3. And with that you at least don't have the issue of some module you use also relying on the deprecated module.

The world just doesn't work that way, even if it should.

A lot of businesses won't pay for refactoring of something that's currently working, and devs often won't go out and learn a new library if they've got one that works just fine (now) that they're very familiar with.

None of this is the problem/fault of the requests maintainer of course, I was simply commenting on the fact that I think he's still somewhat underestimated the inertia.

Re: Questions II?

I stopped using Google Search a while ago.

I don't use Bing directly, but use Ecosia which uses Bing as the underlying SE.

I've not had any issues with it really. I tried Bing when they first launched and found it more or less unusable, but it does seem to have come a long way.

I didn't miss your point, it's just that it's a strawman.

No-one is sitting and pulling people's words apart in this story.

Re: WW III

If I remember correctly we also developed the rule that said that non-Member states can't have access to the secure parts - and then insisted on it.

Re: Bankers

As opposed to the mindset that says "everyone should do this, or they're wrong", and has absolutely no contingency in place for the fact that the majority will probably stick 2 fingers up and carry on the way they were and not give a toss if you think they're wrong?

When you're designing a solution to something, you *have* to factor in existing behaviours and use-cases. It doesn't matter whether you think they're valid or not, if they exist you need to work out how you're going to either accommodate them or smooth the transition for users.

To take your example, we know a simple way to reduce our impact on the environment - use less stuff, throw less stuff away. It's a simple message, but simply using that as a message isn't really working is it? Whereas designing solutions that fit into common use-cases - replacing tungsten bulbs with increasingly energy efficient bulbs - is working. The overall benefit is less than if everyone stopped being shits overnight, sure, but the latter simply isn't going to happen.

There's even a common saying in relation to this - "Don't let perfect be the enemy of good"

Re: Ludicrous

> I would like something that take input from Android as well, ideally, or a central music store

Have a look at Subsonic - http://www.subsonic.org/pages/index.jsp

I switched from Play music over to self-hosting ages ago. My only real criticism of it is - did it *have* to be in java :(

So you run subsonic in a VM and then your clients stream from it (and locally cache where possible).

There's Android apps available, the free one's a bit meh IMO, but DSub works *very* well for my needs. If you google Jamstash you'll also find a HTML5 interface you can drop on it to have kiosk stuff (like a Pi with a touchscreen) just go to a simple webpage for playback

I now buy my music from wherever, and download it into the NFS share that Subsonic looks at, and it's available to all our devices as well as a few "built in" appliances I've put into some rooms.

Re: Security layers

> Nesting VPNs would probably be a workaround unless the method used here can be used to drill down through the layers.

Because of the way it works, that wouldn't help you much either.

If you have the following interfaces on your system

tun0 10.10.10.10

eth0 192.168.1.10

Where tun0 is the VPN virtual interface and eth0 is your physical NIC.

The way this works is that the attacker sends SYN-ACKs towards your eth0 with the dest IP in the packet header being for 10.10.10.1 then .2, then .3 to see what responses it gets. Eventually when it reaches 10.10.10.10 it'll get a response - a RST packet.

They now know what the IP of your tun0 is, and can start the rest of their process.

If you nest your VPNs the way most people do, you'll just end up having tun0 and tun1. You may buy some time if they stumble on the IP of tun0 first and try and inject using that, but the process isn't too different if they find tun1 (though the extra padding of having another tunnelled connection might throw them off).

The article didn't mention it, but Amazon Linux followed up with an interesting use of this attack where (with some effort) an attacker could use this to spoof DNS responses from a "trusted" DNS server at the other end of the tunnel

>> Active noise cancellation needs code to execute to work.

>

> No it doesnt. Just in these ones it does.

>

> Active noise cancellation has been a feature way before headphones needed firmware updates.

I'm not saying you're wrong about it being possible to do noise cancellation purely in hardware, but not needing firmware updates isn't the same thing as not running software (having code execution).

It's not been at all uncommon in the past for something to run software but for updates not to be provided, or at the very least not be provided (or referred to) in any kind of a self-serve manner.

Much the same way as _most_ people didn't talk about updating software on their cars 10 years ago. Software updates were available and generally installed by dealers though. The fact you can self-install the updates (on some models) now doesn't change that older cars also had software running

/pedantic

Re: which can unmask CNAME shenanigans

>A records produce an IP, but I assume it's less practical for tracking if the third party server needs to be set up to respond to a bunch of other domains.

It'd need to be setup that way anyway.

A CNAME changes the destination for the DNS lookup *only* so the HTTP host header (and SNI if using HTTPS) will still be for the original name.

Re: My guess, he's lucky to be alive

Rule 1 is verging on victim blaming.

We're all adults, and if someone wants to take nude pics of themselves they should be able to. If someone else steals/leaks them, the blame lies with that person. Not taking the pics means they can't leak, but having it as a "rule" removes individual control over their own body.

We don't consider it acceptable (any more) to tell a rape victim they shouldn't have worn a miniskirt, why is this any different?

Re: Cross platform embedded/streaming video

> Flash owned the early embedded video space

It's still been heavily used for that far too recently too.

A little while ago now (but not nearly as long ago as it should've been), I disassembled a customers flash player SWF concerned with playing back multi-bitrate video, then spent about 4 days (well, at the time, nighshifts) working through the resulting actionscript to find the bug that was causing the behaviour the customer was complaining about (playback would break just after switching bitrate).

The customer in question was a mammoth American media organisation who I can guarantee you've both heard of and seen their logo before movies. i.e. more than big and rich enough to know better.

But there they were, still using a flash based player in order to achieve adaptive playback with RTMP rather than switching over to HLS (which even then was very well supported).

Re: Yes please...

You *do* need to inform US customs (when travelling there) that you don't have any social media accounts.

It's almost like the things you listed are things that the majority of people don't have, whilst the majority of households do have a TV.

Re: Who vets the vets?

I think you're confusing moral and legal here, resulting in a very blinkered view of reality.

It's quite possible for something legal to be immoral and vice-versa. Although morals can be far, far more subjective where the definition of legal is pretty strictly codified.

But, how does something normally become illegal in the first place? Because sufficient people have decided that it's immoral and have complained about it, driving lawmakers to pass a new bill to make it illegal.

Businesses withdrawing support from customers over immorality is a part of that. As a supplier you have the right to tell a customer to get stuffed because you don't like what they're doing with your product.

Would that not be undermining the courts in the world view you've written above?

Sticking with the US, how does that stack up against the 1A right to freedom of association, and freedom from forced speech?

Businesses cancelling supply sometimes to comes about because employees have spoken out internally. Can an employee demand that change (and expect to get it)? No. But they should definitely have the right to speak up.

*That* is what Gitlab is denying here.