Re: Which is worse
Oops, did I just feed a Troll?
2873 posts • joined 15 Mar 2007
"Have you looked at the amount of crud you get with say a default Linux install?"
And yet a typical Linux install takes up far less disk space than typical Windows 10, odd that?
From here, Windows 10 16GB/20GB for 32/64-bit, Ubuntu 7GB:
Also it's easy to fire up Synaptic or whatever package manager and de-install anything you really feel is unneeded for your system. If you are doing it a lot, then just use command line 'apt-get' (or equivalent) program to remove packages, and when done, use 'history' to list what you did, and copy/paste it into a bash script that allows you to do the same on other installations.
It seems I stand corrected on this one:
I have not tried it, and would be interested to know if it plays nicely with the (usually off) AppArmor profile, etc, but it is a step in the right direction.
"The only actual effect of DRM is that it makes it so I cannot use my Linux box to watch Netflix and I'm a paying subscriber."
At one time they used Flash, and for all of the swiss cheese flaws in its implementation, it actually achieved the goal of having something that ran on all major OS (Windows, MacOS, Linux, maybe even Solaris once?) and could do enough DRM-ish stuff that companies were happy with it as a solution to getting people to use a paying service instead of torrenting it.
But then they decided to use Silverlight as apparently Flash was not secure enough (in DRM terms, they care not one hoot about your security) to keep Hollywood happy. Or maybe MS paid someone to try and embrace their new and long-lasting technology, who knows... Add to that Apple's decision to kill Flash on mobile, and Adobe's utter inability to fix it for any sane length of time, and we see Flash is dying as well with only an old version supported on Linux (unless you let Google slurp your privates with Chrome).
So we are back to the situation of not having support on many platforms (older Android, Linux, Windows XP, etc) and it is easier to torrent. And how many tears do I see being cried over this?
"So the government could decrypt part of the key, then brute-force the remainder"
One aspect of all of this that I wondered about is most folk have pretty simple PIN sequences or unlock patterns for their phones, so I suspect they are brute-forcible in the order of 1E8 attempts or less, for a 4 digit PIN probably ~500 attempts. So is recovery from a confiscated phone really beyond the law enforcement capabilities, or is it simply an issue of cost/time that it looks too hard to do without a simple backdoor?
After all the Internet part needs very strong encryption because there are plenty of opportunities for the data to be intercepted and plenty of botnet PCs to do cracking if it looks worth it, but physical access to a phone is much less common and generally I suspect most stolen phones are going to be wiped and re-sold unless it's trivial to get profitable data off it.
"Of course the big difference between being in government and having left government is that you no longer have
the direct responsibility to keep people safe to knee-jerk to tabloid scare stories and moronic voters who believe them"
Is the fixed version for you. Really, what we have seen recently mostly did not use encryption, and decades ago when the likes of the IRA, Red Brigade, ETA, etc, were bombing and shooting people they did not have access to encrypted phones at all but somehow managed to keep killing.
Yes, when I was self-employed that was the downside. Ended up with an arm like Popeye...
"Refusal to comply is not the same as giving a reason for not being able to"
But what is it? The El Reg article reads as if they just point-blank ignored the Brazilian courts (which is always possible I guess). But so far I have not seen any translation of what the court requested nor what the official response of WhatsApp was to this request.
Can someone find out the real point of disagreement?
I use WhatsApp as it offers a group messaging facility that is handy to organise meetings of friends, etc, and once after wiping data to clear space on my SD card it asked if I wanted to download the previous messages, so obviously it keeps at least some history.
That would make sense, as the recipient's phone could be off or out of range for a few days so you would still want a message to get through. However, if anything like SMS I doubt they bother to store more than a week or two's worth of history (as it can also have photos, audio and video clips, so could be large).
As for WhatsApp having flawed encryption, that is a different matter. The fact that it can be broken or intercepted with moderate effort by a skilled hacker (GCHQ/NSA sort of thing) is not the same as being able to offer plain text on demand.
That was my thought - they simply can't provide what was requested and the court can't get their head around that concept. But without an explanation of the original case and court order it's just speculation.
Not if your sole route and connection (i.e. ISP / mobile operator) disconnects that service by blocking it.
You (an El Reg reader) can of course use VPN, etc, to bypass regional blocks, unless they are told to block VPNs for that reason, then you are in to the whack-a-mole game of blocking proxies, protocols, etc. Joe Public will just look at the phone/PC and go "WTF?"
I wonder if there is a good reason that WhatsApp refused to comply with the court order. Were they asked to supply plain-text data that they simply had no access to? Or did they think the original request was unreasonable in any other way?
The article covers none of this, and it seems odd that WhatsApp would simply refuse to consider a valid court order relating to an intentionally-accepted crime in any country unless there was something odd about it.
This appears to be very different to Uber who make a point of not complying with existing rules on licensing and insurance for taxis by arguing they somehow are not offering rides-for-hire, when everyone can see that is the whole point of paying for a ride.
I can't quite tell if you were meaning to be sarcastic or simply trolling (if so, not a quality Troll).
And yet, including all of the terrorist killings in USA and EU in the past decades, it is still only equivalent to a few weeks of road deaths in the same area (and gun accidents in the USA, for added Troll flavour).
Step 1 - unplug networking
Step 2 - wait for several days/weeks to see what falls over and/or who calls you.
Step 3 - shut down rig now you're fairly confident it's not really needed, as once stopped and cooled you have little chance of spinning the disk up ever again!
The main problems with all of this discussion about the legal aspect is it relies on all gov doing the same thing in law as the EU standard and companies honouring that as well. Both are slow and unlikely to happen, and also likely to get screwed over by some gov deciding to change the law on slurping (or just doing it by the back door of secret court orders).
But there is the option of encrypting a customer's data with their own key(s) in such a way that the cloud service never has access to said keys. In that sense it matters not one hoot as to where your data is because it's always under your lock & key.
Yes, I know it might not be fully NSA-proof if they took a fancy to it, but it is enough for companies to be able to honestly say they cannot provide clear-text data, so there is no point in asking. In addition there is little to no risk of accidental disclosure to a corrupt cloud company employee, discarded equipment, sale if cloud company goes into administration or is taken over, etc...
Of course that has its own issues, and is not going to go down well with data slurping companies like FB, Google and (sadly now) MS where scanning your data to whore you to advertisers is how they make a living. They could work around that to have a decent compromise, but without all of the lovely profitable user-identifying data to play with. So bugger-all chance of them volunteering to do this.
You are thinking like an engineer. That is how companies like Sun did so well when they were pushing/practically giving away stuff to universities to get it used and liked by the upcoming generation of computer science students.
Oracle thinks more like a business. As in the business "offer you can't refuse" because your (legal) balls are in the vice and every time Larry asks for more money you just have to squeal to ask "How much?"
Grub updates are usually OK so long as you don't have a "custom" boot arrangement which you don't really understand.
That usually shows up as a prompt about what do you want the update to do, usually in terms of using the default package maintainer's config or your own (own! own!) and/or which drives to install the boot loader (MBR) on (almost a trick question as it often offers logical drives like /dev/sda1 in the list but you should only ever install on physical drives such as /dev/sda).
Also, and this is the bummer for some, most grub updates don't need a reboot. But unless you reboot there and then to test it, some weeks/months later if something is screwed up you will be forced into booting and it borks, and you have forgotten all about this update.
So my advice is install it, if prompted keep current settings (and/or install MBR on the /dev/sda) and then do a proper clean reboot just to be sure.
I find no real problems with MS software licensing these days.
Oh yes, forgot to mention it's mostly Linux here, with the odd XP VM for various occasionally used software that has no viable FOSS alternative.
Exactly! That is no way to make a good perv-cam
Yes there is - make sure the fsckers know they (whoever is in power currently) will be tarred with introducing it come the next election. It might magically make them grow some ethics, like the LD has in this respect.
The ISPs should tell the committee that cost recovery is not an issue - they will all simply put all of the hardware, software and administrative costs down on the customer's bill separately itemised as "Conservative Government Snooping Tax".
"same kind of lock-in as if they'd stuck with a Windows-native client"
Actually if they had used a win32 client and stuck to the most simple and common API calls (and actually read MS' own guidelines about privileged use, etc) they would have far less of a problem.
I have several applications that were written for Windows a long time ago that just keep working, version after version. Often also working on Linux+WINE as well. It's the fancy new and/or undocumented stuff that bites your ass eventually, so just keep clear of the latest fad (how is Silverlight doing?) and use the common stuff and it's not too bad.
Much more so if you force your developers to build & test on two different platforms/compilers always (even if both are "Windows" and "Visual Studio" but different releases) as that way they can't use the ephemeral stuff...
So how does it survive reboots? Can it spread machine-to-machine, or would making your office work PCs shut down every night be a useful mitigation technique (as well as saving money on electric)?
"the incident nevertheless serves as a reminder that
free stuff in the cloud can be taken away as well as given"
There, fixed it for you...
" I was impressed with the power and the fuel economy" ... "my 13 month old car with less than 9,000 miles is worth half of what I paid for it"
Why don't you just keep the car for 5-10 years and get your money's worth out of it? Works for me (as a tight-fisted Aberdonian)
Yes, this is a sore point also on most Linux systems as well. If there is one sane thing that the Firefox management could do for their products and the world at large, it would be to focus on making a browser that was easy to secure and designed to enforce a respect for privacy.
That means having a simple way of using central management tools to set parameters and to force/block plug-ins that are centrally defined, and to have a sane limit on what the browser should ever need to access so things like AppArmor profiles are trivial to use without issues. And this goal should be thought through so it works using WSUS and several of the Linux options (both per-machine via local admin, and centrally for the network).
As far as privacy goes, this means reporting only one of a few configurations so it's not easy to fingerprint for tracking (and/or randomly reporting different bits every time so no two sessions on a given machine look alike, e.g. dithering on canvas draw etc). It also means having a design so things like history and cookies are all isolated from JavaScript and plug-ins by default, and only signed plugins that ask for permission and are granted it can use it. And that denying access just returns a near-blank list, like a fresh browser install, so a plugin can't tell if it has real access blocked or not.
So please Firefox team, quit dicking around with the GUI to look like Chrome, quit removing features because you can't be arsed to support or test them, and focus on having a selling point that system admins want - an easy life of little trouble from users, idiot or otherwise.
Poor quality trolling there.
You could have tried mentioning the lack of portability beyond Windows, or the benefits of ASCII for cross-platform use in bash, maybe even joked about csh/tcsh/sh/bash offering one common way of doing things.
Of course this is not helped by the muppets at Google & Firefox, etc, dropping support for web browsers on the likes of XP even though a significant number of folk still rely on it.
For the technically competent there is always Linux for safely browsing using old machines, but that is hardly a solution for the majority who don't even grasp what an operating system is, let alone that it can be replaced on existing hardware.
Meanwhile in Europe we don't have school massacres practically every year for the last century... I think you will find that even with all of the "terrorist" acts in Europe post WW2 together the death toll is less than a year of US gun-related accidents.
With the billions of dollars in funding and all-seeing surveillance, can't they do something useful to help out the government departments they are supposed to serve?
You know like catching the perpetrators, recovering data, that sort of thing...
I'm glad I am not the only one thinking that.
Thanks, mine is the dirty mac...
The Ars Technica article, essential reading for those who didn't get your reference:
The resulting Hitler parody to enjoy:
Just by making suppliers liable for faults and security holes that are not patched reasonably quickly and for the usable life of the IoT devices, and no weasel EULA to get out of it, would be a major start. Most of the problems fundamentally come down to the "ship it fast even if shit, and don't pay for a decent support team" mentality of modern businesses.
 say 30 days from it being reported
 say 5 years after that model was last offered for sale
"Alternately, do not access password stores on any systems that are not known-secure."
Please tell me just how you know when a machine is compromised without being able to boot it and scan with various rescue CDs to check?
If you can do this where no one else has, there is a fortune in AV to be made!
"How many RFCs...have been written by women?"
I'm guessing within an expected statistical range of the proportion of women taking part in the organisation.
Plenty of women have technical merit, but if you look at the proportion leaving school with an interest or attempt to follow a technical career you will see the problem is far from an issue with the IETF or similar.
Why so few women lecturers? Why so few women in science/technology roles? Duh, look at the number of women graduates 10-20 years previously!
"Doubling the amount of time they have to devote to testing is"
WTF? Don't they have any automated testing then? In which case it's only another build machine and for someone of Google's size I doubt that is such an intolerable expense.
Edited to add: Or is this down to the shitty inclusion of FlashPlayer, and the pain of supporting that?
"At the same time, build, Firefox, and platform engineers continue to pay a tax to support Thunderbird."
Really? It sounds like they really don't have a sane project structure in that case.
FFS just how much HTML or web rendering should be possible in any web client? Or is this really a case of their sponsors wanting people to move to web-mail so they can whore them more effectively to advertisers?
A very good question and the answer is usually one or more of three options:
1) Cost savings
3) Trendy, as everyone else is apparently doing it
Sadly there has been nothing serious to place responsibility on those in charge to do it properly. And by that I mean to consider security from the very beginning: How it is protected, how it is partitioned to control damage, how it is tested, how it is patched [repeat from start]. Dangle serious fines and jail time over managers and things will then be done, otherwise it's business as usual until the shit hits the fan...
"We see from this place every day the malign scope of our
adversaries’ advertisers' goals"
Both, most likely.
I don't know if it was specifically intended for this port-forward risk, or just the more general issue of a VPN being dropped due to other software bugs or MITM attempts, but the UK Gov security advice on system deployment has a section on setting the firewall to only allow the VPN range of access. For example, see section 8.7 of this:
"In the UK the headline figure for investment in this is £175M over the next 10 years"
And the ISPs, etc, who have a clue are saying £2B or so is needed. Now why would the gov not publish its costing approach when the bill is in the debate stage?
"Now, they're guaranteeing a mess in the future"
As if any of the recent bills have been any different in this respect?
The whole thing stinks, but how much of that is incompetence and how much is (political) malice is hard to tell.
You are aware that article 33 of the Fourth Geneva Convention specifically forbids collective punishment?
It's only the best all round solution if you don't have any significant delays in loading ads, and they are not poisoned flash files or similar that then infect your PC.
"competing against your contemporaries you are competing with 60 years of back catalog"
It is worse than that as today people are paying lots of different fees: ISP's, mobile phones, computer games, alcohol, etc. So music has to fight against a whole lot of other things to get a share of the youth's limited money compared to 20+ years ago.
And the problem is it is much easier to get music without paying compared to the more tangible goods, not just file sharing but YouTube and radio, etc. You really need to have something very special to keep enough fans buying. Today it also seems most folk are contented with crappy compressed audio, so the benefits of selling a CD or FLAC track appeal to few.
I don't know what the answer is. Certainly it would help if buying music was easier by micropaying options per track, etc, and such a scheme would potentially help others to make a living without being whored by Google. But will it happen?
"The thing that is important is entropy"
The things that are important are entropy and rate limiting on brute force trials.
High entropy means more attempts on average to guess it, rate limiting stops them from doing it quickly. However the most likely password cracking scenario is when they have already compromised a web site and can brute-force the database.
Or 50 Shades of Grey?
That would be bad, I mean there are much better examples of BDSM literature for the discerning reader...
"For the really clueless it will take personal friends or family dying at the hands of terrorists before they wake up and smell the coffee."
So what? In the week or so since the Paris attacks more folk have been killed and injured on the roads of Europe than in the attacks. Should we all give up our own privacy and security to stamp out
cars the next bogeyman?