Posts by Michael Wojcik

Re: Reset the clock!

Citation needed.

Cryptocurrencies are highly vulnerable to theft. There's no evidence I'm aware of to demonstrate that a majority of high-profile thefts are fraudulent. Care to provide some?

Re: More to come of course...

That's the thing. The actual driver isn't all that large, though it's still a bloated mess. It's all the horrible garbage HP packages with their drivers that's taking up most of the space.

I will never buy another HP printer. The hardware is junk, from what I've seen; the ink is a blatant scam; and the software is just malware you pay for up front.

Re: And so we have churn

So we should ignore updating, because there's no difference between a version with both published and unpublished vulnerabilities, and a version with only unpublished ones?

If refraining from using computers at all fits your needs and threat model, then by all means feel free to do so. Otherwise your objection has no practical value.

Re: the hash?

It's not useless because of user behavior. Some users might go through the effort of transforming images until the output has a PhotoDNA vector sufficiently far from the original. Some might even create software to do that automatically. Hell, the really smart ones would train GANs to generate similar images based on an existing corpus – that's a lot cheaper¹ than producing real images with real children.

But the vast majority will almost certainly continue to share images verbatim through various off-the-app-store-shelf messaging apps, and for them the PhotoDNA vectors will remain stable.

If the match rate ever fell below whatever target Apple have,² they can switch to more-sophisticated algorithms. Run each photo through an CNN stack to extract high-level features, compress those, and measure distance in a high-dimensional space, for example. We have lots of classifier architectures that let you split the process at arbitrary points so you're not transmitting the original data.

¹Is it less immoral and/or exploitative? There's a fun question for your ethics class.

²And that's probably very, very low. I have no evidence to speculate on how much of this is Apple trying to placate governments and NGOs, and how much is virtue-signalling, and how much is just meant to be the thin edge of the wedge, and how much might even be some sort of misguided altruism. But Apple can't reasonably be expecting to have many true positives, and probably is hoping the positive rate – true and false – is very, very low.

Re: domain name system

Public package repositories and the "ecosystems" that have grown around them are toxic. The namespace problem is only one small part of that. Fixing it won't help much.

Some of the older public repositories, such as CPAN, are not quite as much of a mess because they began with better governance and evolved a measure of community oversight, and because they're not so popular with the kids and therefore don't attract quite so many trivial submissions. But on the whole it's a concept which can't be fixed in its current form.

Building applications with a vast and largely hidden array of direct and transitive dependencies of unknown provenance and quality is never going to work well.

Re: Knickers

Well, I see my underwear has already been forked, so it's probably inevitable anyway.

Re: Lets do the maths

I've always been fond of the "generate electric in the Sahara and use it to reform hydrocarbons on the coast" blue-sky proposal myself (as I dare say I've posted before).

I don't think CO₂ capture from the atmosphere scales, though. (I mean, yes, it does for green plants, but not for this purpose.) And seawater doesn't look like a much better solution to me. I'd suggest shipping organic trash to the reforming plant -– it'd just be going to landfills or incinerators anyway – and reducing it to mostly carbon.

And I'd reform it into propane, not methane. Less to worry about a leak because propane is heavier than air so you can build capture-and-evacuate systems for it more easily, and methane is a potent GHG so a leak would have bad publicity.

We already have a good global propane delivery-and-storage network which just needs building up as we scale this process up; and it's easy to convert gasoline (petrol) engines to use propane, so the market for it can expand quickly. Lots of propane-consuming appliances are available at various price points, from household to industrial. Most "natural gas" appliances can be retrofitted to use propane. It's kind of a sweet spot for a hydrocarbon fuel.

Masoch's Law got a boost thanks to Rule 34 but has plateaued since.

Re: Hunters-gatherers

The real trick would be a cryptocurrency based on Proof of Hype. That appears to be an unlimited resource.

It's more secure than encryption

"This apple is more food than baking!"

It's not possible to avoid all of them without significantly reducing your consumer choice

This may be true for you, and for many other people; I haven't seen any methodologically-sound research on the subject. But I have never contacted any company by Facebook, and while I've used it on a couple of occasions to respond to meeting announcements for local organizations, I could easily do without that.

I haven't read Twitter in years and I've never posted anything to it. I've never even had an Instagram or WhatsApp account.

I haven't "reduc[ed my] consumer choice" in any way I can discern. My refusal to use social media has had precisely no effect on how I interact with businesses or my ability to do so, and has had minimal effect on how I interact with organizations and individuals.

Re: TCP is wrong for most network transactions

Not really. The original point of the OSI stack was to be descriptive. Actual implementations were a secondary concern.

But in any case the claim you quoted is wrong, for the obvious reason that a great many programmers will use existing implementations of higher-level protocols which provide framing and messaging. Most programmers working on distributed systems are writing web applications – most commonly in Javascript – which use existing HTTP implementations. Someone writing XHR requests for an RIA / SPA (or, more likely, writing to a Javascript framework which hides XHR under more layers of abstraction) is most certainly not worrying about framing and messaging of those requests and their responses.

So "invariably" is a load of rubbish.

There are those of us who do work with protocols at a lower level and have to worry about implementing things like message reassembly, but that's relatively rare, and should be rarer. I'd say 90% of the questions I see about sockets and other lower-level communications APIs online should be answered with "you're doing it wrong – use a higher level".

Re: Precedent

Frankly, the motion should be thrown out merely for the "most sophisticated cyberattack in history" claim.

Re: Please stop calling computer programmers "engineers".

Engineers drive trains. When was the last time you saw a programmer driving a train?

Language changes. I don't care for the title "Engineer" for software developers myself – and it's in my official title – and I sympathize with the desire to keep "engineer" as a professional designation, though that's certainly not without problems. But this ship appears to have sailed.

Re: They're doing such a fine job thus far

So, be perfect or do nothing? That's a fine plan.

That sounds plausible, but out of curiosity I dug up some analyses on the recent performance of REITs (Real Estate Investment Trusts), as a proxy for the health of the commercial real-estate market, and it appears they've been surprisingly robust. A sample quote:

It is important to take note of the REIT resilience through the crisis and their ongoing recovery. The year-to-date total return of the FTSE Nareit All Equity REITs index at the end of May was 18.1% and the index is 4.3% above its pre-pandemic high. Capital markets are open and we are observing growth oriented M&A transactions that reflect confidence in business models and the sector outlooks. Operationally, REIT earnings are recovering quickly, with aggregate FFO now at 85% of its pre-pandemic level.

That article did go on to note that WFH remains a concern for its long-term effect on the commercial-property market. But for now, at least, commercial real estate in the US (no idea about other countries) seems strong.

I suppose we'll see in a year or two how that unfolds. I certainly don't know enough about the commercial real-estate market to make any predictions that aren't better than wild guesses. (Whether anyone does ... well, I'll let you decide that for yourself.)

My guess is that the US government is at least as heavily engaged in "cyber crime" (and probably better at it) as Russia is, just not for altogether the same ends.

Really, there's no need to guess; it's amply documented. I don't think any reputable IT-security experts disagree that the US is one of the top-tier nation-state IT-weapon developers. Generally speaking, the top-tier and second-tier rankings from various observers are pretty consistent, and they're supported by plenty of evidence. In the case of the US, that includes disclosures like the Snowden and Winner leaks, breaches like the Shadow Brokers dump, journalist and NGO investigations into incidents such as Stuxnet, and information from official sources such as government reports.

On the other hand, it doesn't make much sense to make wild claims about which of the top-tier nations "does the most", as some commentators have here. We have some idea of the scope of US hacking activity, and some of the scope of Russia's, and China's, and Israel's, and so forth. Those give us lower bounds. The evidence to support upper bounds is much scarcer and less reliable.

And, more importantly, it doesn't matter. All the top-tier, second-tier, and even third-tier states are doing as much as they can. As you say, they have different goals as well as different capabilities, and those shape what those efforts look like and how successful they are. That's a far more interesting and useful observation than the sophomoric tu quoques being thrown about by some people.

I do take exception to this statement, though: "The West will never agree to a proposal that will in any way endanger or expose our hacking". History shows quite the opposite. Nations, including Russia and those of "the West", have been perfectly happy to propose, and agree to, all sorts of things in public, while ignoring them in private – and for that matter often abrogating them in public as well.

There will be more proposals like this. There may well be treaties. They won't change much of anything, except perhaps the public posturing and claims of innocence. If anything, they'll be a bit more incentive for signatories to improve their false-flagging efforts.

Re: Application Overreach

the secrecy of a 16 digit (10 of which differ) number that we give out to every waiter / gas station / store clerk

Virtual credit cards, like those issued by privacy.com, avoid this problem. One number per merchant, locked to that merchant, and with other limits set by the user: single use, maximum per transaction, maximum per time period, etc. Push notifications every time the card is used.

But since they're virtual they're online-only (unless you're up for manufacturing your own physical cards), and there are still some payment processors who won't accept them (due to not following the standards properly).

privacy.com makes its money off transaction fees, so there's no additional cost to the consumer over using a bank-issued card.

I have no relationship with privacy.com except as a customer.

Re: wow

Telnet is still widely used, particularly the TN3270 / TN3270E variants¹ with z systems, and in somewhat smaller numbers the Telnet variants for other mainframe-class systems such as i and Unisys ClearPath.

Telnet can be used securely when tunneled over TLS, or even using "opportunistic TLS" (STARTTLS) provided both sides enforce it (so a MITM can't downgrade to plaintext). There's also Thomas Wu's SRP-enabled Telnet, which offers not only message confidentiality and integrity but ZKP authentication; it's less widely available but there are both clients and servers.

¹Technically, TN3270 is "regular" Telnet with various options such as Binary and EOR enabled during negotiation. TN3270E negotiates a single more-complex option with various sub-options, and then adds a header to the Telnet records. Both use EBCDIC once negotiation completes and are significantly different from NVT mode, but TN3270E is more different.

Indeed. It's Sommerfield who's advocating "judicial activism", at least based on what's in the article.

That's not to say that machine-generated inventions should be allowed, just that Australian law apparently does not forbid them. That's a legislative issue, not a judicial one.

Apparently many commentators here also have trouble with that concept. (But then this is a Reg tradition: the comments on any article which mentions "AI" or machine learning must include a standard set of sophomoric claims about statistics, the Turing test, "real AI", etc., all displaying a distressing lack of understanding of the subject.)

Re: The idea that ShotSpotter 'alters' or 'fabricates' evidence in any way is an outrageous lie

In this case, ShotSpotter did nothing to bias or alter the outcome.

And your evidence for this is what? The claim from ShotSpotter? Yes, that's very convincing.

One of the many problems with the US justice system is that it is increasingly being infiltrated with black-box proprietary algorithms. Defendants have claimed this violates their due-process and Sixth Amendment (right to confront witnesses) rights – correctly, in my opinion.

The vendors of these systems need to be compelled to make all of the relevant information, including hardware designs, source code, test results, and actual data, available to the defense and whatever experts it wishes to employ. If not, then it shouldn't be admissible. If that's a problem for the continued commercial success of those vendors, tough. They decided to get into the conviction business.

Re: Optimised in compiler

To be fair, it wasn't just the Alpha team. NexGen showed it was feasible to ship an x86 CPU that decoded the CISC stream into RISC instructions to speed up the ALU, for example – and more importantly, showed Intel that if they didn't do it, someone else would. A lesson they'd have to learn all over again when AMD started shipping x64 CPUs.

(AMD also acquired NexGen, of course. And eventually some of the stuff from Cyrix after its acquisition by National Semi.)

Re: lack of a clue on the basics

Yeah. Code signing certainly isn't a silver bullet, and plenty of attacks have bypassed it in various ways. Organizations are often very poor about key hygiene. But defense in depth, man.

Of course, it hasn't been all that many years since I last saw an organization that didn't even use a change-management system for source code. Even the most basic good practices will go ignored in some places.

Re: if you know the suspect addresses

Which leads to the question why can't you, or won't, just stamp it out?

"Can't" is very difficult. The US most certainly does not have the capability to do that without massive collateral damage (sorry, NSA trufans).

To really understand why you'd need to learn quite a lot about the current state of IT security, but you might start by reading some of the major IT-security blogs and mailing lists such as (just as examples, in no particular order) Full Disclosure, Threatpost, Brian Krebs' blog, Bruce Schneier's blog (or his CRYPTO-GRAM email newsletter), and Graham Cluley's blog. And also some of the more-rigorous research outlets such as Citizen Labs' publications and the research announced in Cambridge's Light Blue Touchpaper blog.

Or you could just read decent popular treatments such as Greenberg's Sandworm, which is a pretty good piece of investigative reporting. (I'm not usually a fan of Wired's output, but Greenberg does his research.)

As for "won't" – well, as it happens, a number of people have asked US Federal officials about why the US response to IT attacks has been so inconsistent and generally muted. The answers (when they aren't just the usual waffling bullshit) are pretty consistent: the US government doesn't want to advocate rules in this area that it doesn't want to abide by. Various agencies in the US believe we have good IT offensive capabilities and can develop better ones, so they aren't willing to take, say, attacks on civilian infrastructure (like the Ukraine blackouts perpetrated by Sandworm / Voodoo Bear¹) off the table. Those are likely to be very useful in future conflicts.

As for why the US government doesn't just happily rattle its sabre over these sorts of attacks and then go on to do the same thing ... well, that's a matter of geopolitics and diplomacy. Sometimes not appearing hypocritical is useful. Sometimes not making promises you don't want to keep is useful.

¹Some reports have grouped Sandworm, aka Voodoo Bear, in APT28 (aka Fancy Bear), but there's evidence to suggest this is incorrect; specifically that Fancy Bear and Sandworm / Voodoo Bear are separate GRU units which sometimes both contribute to specific campaigns.

Re: Eye opener

It used to be the case that some national standards bodies published standards "aligned with", and essentially identical to, various ISO standards, for much less money. Other posters have mentioned that BSI used to do this in the UK. In the US, for another example, you could by the ANSI 1990 C standard for (IIRC) $18, which was much cheaper than ISO 9899:1990 at the time (about an order of magnitude more expensive, I think), but they had the same content.¹

So in many places, many of the more-popular ISO standards were ignored because you'd just refer to the corresponding national standard instead. Even things like section numbers were the same, so you could cite the ISO standard without actually consulting it.

Alas, that is no longer the case, at least as far as ANSI is concerned. I get the impression it's not true of BSI either.

¹Of course, the C90 standard was a special case, because of the existence of Schildt's book The Annotated ANSI C Standard, which reproduced the entire standard and cost less at the time than the actual standard did from ANSI. The predominant opinion on comp.std.c was that the price difference reflected the value of Schildt's annotations, but you were free to ignore those.

Re: Remember Lay by?

Alternatively, some vendors will offer discounts if you buy on credit, as long as you go through one of their partners, who will give them a kickback. Banks are eager to sign up new revolving-credit customers whom they can milk for years afterward.