Posts by Donn Bly

Re: Mind bleach

I'm more concerned about the ones waking up with a smile

Re: @Mage Not so crazy ... Crazy

Amazon sued Moyer, not Google, so Google isn't in a position to have anything tossed.

In the American Court System you should always plead "not guilty" and make the prosecution prove their case. They might get over-confident and screw up, or make claims that you can disprove and weaken their overall case. You might even be able to claim some mitigating circumstance if your lawyer can think of one. But if you plead guilty you have no control and they might even throw in extra stuff that you DIDN'T do just to make the case seem like a bigger win for them, or just open with an overcharged offense.

If they come back with a plea deal you can always change your plea to "guilty" to take advantage of it, but you can't change your plea once you have plead guilty.

Internet Web Version = No.

Intranet Web Version = Maybe.

In the days before .Net and modern web development languages, it was a viable tool in the toolbox of things that could be used to for automating custom business processes.

HTA files were a way to duct-tape different systems together using Internet Explorer. I once wrote a system to integrate an internet-facing online store (it used Zen Cart or OS Commerce, I forget) with UPS Worldship running on a shipping station in a warehouse. It would automatically download new orders (via xml over https), print out the barcoded picking tickets, insert the customer information into the shipping software and read the weights and tracking numbers out of the UPS Software via ODBC, update the shopping cart with shipment status and tracking information, print invoices to include in the box, send shipping notices to customers with their tracking numbers and estimated delivery dates, etc. -- all automated and running in background. The only thing the warehouse picker had to do was pick up a box and picking ticket at one end of the line, fill it with product, stick it on the scale, stick the picking ticket under the barcode scanner, press enter after the last box was weighed, tape up the box and apply the labels (which were automatically printed as well)

There was even a automatically refreshing web-based dashboard that the front office could use to see how many orders were queued, how long the oldest order had been in the queue, any products that were nearing re-ordering points, etc. -- but that part used Javascript and PHP so that it could be pulled up from anywhere,

It was relatively simple to design and implement using HTA and VBScript, but to do the same thing today using "modern" development tools would take 4 times as long and would be harder and more expensive to maintain. If I remember the hardest thing to do was figure out a way to automatically print the invoices on a local printer and the picking slips on a remote network printer.

Of course there were disadvantages too - but just like anything else you had to weigh and pros and the cons and determine the fitness for the application.

(and yes, this was all done more than 10 years ago)

Re: Even to this day...

Agreed - and production machines get a red background embossed with the machine name while development and staging machines have different colors.

Re: No f in button?

I have the same image url on my end, and I checked a couple of different articles and they have the same image url as well so it isn't tagged to the article either.

The button uses jquery to launch the Facebook UI, passing the url of the page on which the button was clicked. There, you would then have to provide your facebook credentials if you are not already logged in from another tab, and at which point you are then tagged and tracked.

So, it looks like the button and image are not trackers in and of themselves, but if you click on it you will be launching a tracker.

Re: "Off by default"

If you are far enough in to turn it back on, then you might as well install your own back door instead of using a SMB1 as a buggy one.

Re: The technology is somewhat hit and miss

I used to have a Tom-Tom, but got tired of it telling me to get out of the cornfields. Even with their most recent (at the time) maps they were not not taking into consideration that the highway US-24 had been relocated years before, having been rebuilt as a 4-lane divided highway instead of a 2-lane road. Apple was no better, because at the time they bought their mapping data from Tom Tom.

Re: Noscript to the rescue

Or use sandboxie if you are testing with Windows platforms.

Re: Designed by SW engineers

I don't know, I might implement something like that if they turned down my vacation request....

Re: Spot On

Yes, but those extra constraints are why the OP took the estimated $10K development costs and multiplied his estimate by 100 before offering it. I think that he would still be within budget.

Re: Subcontractor’s network compromised?

First, What difference does the "class" of computer make? Who cares if their storage network is on a mainframe or not as it was likely a workstation that was compromised -- and thus the criminals would have had access to whatever data the computer's user's credentials would have had.

Second, as the article clearly states, The Register had previously publicly identified Perceptics as the likely contractor.

This isn't Yahoo or MSN, the articles posted here do occasionally contain actual information if you actually read to the end.

re: anarchism in action

Isn't Linux (at least in its earlier days), and many other open-source projects, not essentially an example of anarchism in action?

Not really, in my observance successful open source projects generally don't exhibit a high level of anarchy. When anarchy rises then the projects generally fork or die. Survival of the fittest then determines who survives.

I would say that most successful open source projects grow and thrive under a "benevolent dictator". For instance in your given example of Linux, when you think of Linux and of Linus Torvalds would you use the word "anarchist" or ""dictator" to describe his management style?

Re: So...institutionally insecure?

or

Add no bit to user table, but expand the password field so that it is large enough to store a bcrypt hash.

Then, on logon validation, look at the length of the stored hash. If length != 20 ** then assume bcrypt and proceed accordingly, but if length == 20 then assume SHA1, validate against the stored hash, and if it passes updated the stored hash with the bcrypted version of the same value. After a REASONABLE period of time expire and wipe any account still having an SHA1 hash in the database and if the user does comes back make them go through a password reset procedure to establish a new, secure password.

** or 40 if storing the hexidecimal string instead of the actual hash.

Re: what does a plane autopilot do?

"No. If you are flying VFR and using autopilot to maintain a constant speed and altitude, you are still scanning the sky and the instruments. Visual Flight Rules require that the pilot is always looking for traffic."

In other words, just like autopilot in a Telsa where the rules say you are supposed to keep your hands on the wheel and eyes on the road.

The point is that when those rules aren't followed then the two aircraft can and will fly into each other and the autopilot won't take evasive action on its own (unless equipped with TCAS, which most small general aviation craft are not). Mid-Air collisions are rare, but they do happen when people don't follow the rules. As such, your answer should have been "yes" instead of "no".

Re: @DougS Crocodile tears

if you are an advertiser and there is no competition in ad flinging. Do you look towards another medium?

If I am an advertiser (and as a small business owner, I suppose I would qualify) then I am ALWAYS looking at other mediums. Nobody smart puts all of their eggs in one basket.

A few years ago there weren't any targeted ads and advertisers still advertised. A few years before that there weren't any web ads at all and advertisers still advertised. The shape of the market changes and evolves all of the time.

However the Internet is not like past mediums. It changes quickly and radically, and whomever is on top can be on the bottom or completely gone in a matter of years. A kid in a dorm room can come up with an idea, put together a prototype in a few caffeine-fueled weeks or months, and for better or worse turn the entire market upside down.

It doesn't do you any good to try to predict the market because any prediction you make will be so wrong it isn't worth the effort -- so you just diversify and go with whatever is the "in" thing this week.

The only thing you can assume is going to be steady is the cost. Cost is driven by demand and not by technology or supply, because in internet advertising the supply is so elastic that it might as well be infinite. You and your competitors are going to have a budget, and if the budgets don't change then the spend remains the same, and thus the costs remain the same.

As the "ad flinger" market consolidates as an advertiser I don't really care. I know that if the price per ad goes up then I will place less ads, and so will my competition, thus the ratio of my ads to theirs will remain the same. If the costs exceed return, then another avenue will always present itself.

So, when google makes "privacy" changes like this it affects other ad-flingers, but it doesn't really affect the advertisers. If the ad-flinger market was a level playing field then it wouldn't matter but we all know that it isn't, but while the other ad-flingers cry foul remember that it was Google that pretty much INVENTED the category of targeted advertising and that as such they have been playing in Google's sandbox since the beginning and had to expect that things would change to their determent at some time or another.

Re: Avoidance vs Evasion

And who's "fault" is it that Starbucks didn't show a profit on paper -- Starbucks or the politicians that wrote the laws that they followed to arrive at situation?

I submit to you that the problem is the tax code, not the businesses that FOLLOW the tax code. They are just law abiding corporate citizens that are doing what the law says they should be doing.

The solution is to change the law, not go after the guy who is following the existing one. The problem AND the solution start and stop with the government. Nobody else has any responsibility to fix it - not the individual taxpayers, and not the businesses that are following the existing tax code.

Also -

If you tax on turnover instead of profit on a high volume / low margin business your taxes would exceed the margins. Many companies run on razor-thin margins of 1% or less, but can do it because of high volume. If you put ANY turnover tax on such products, the increase will be added directly price of whatever the consumer pays. Any politician that thinks that you can increase taxes on a business and that the tax won't be passed on is incompetent. Anyone who believes that politician is gullible.

Re: Three year olds can't read

My youngest wasn't reading Heinlein at 3, but she was reading her older sisters' books and well into chapter books before she went to preschool. I didn't realize how much of a problem that would cause when she got a bit older, as she was always in trouble in school because she was so bored.

Re: Ceilings don't have Internet

I take it you didn't read far enough into the comment to see the part about "Ethernet over mains" - or perhaps you are an American that doesn't understand what "mains" means in this context? This link should help:

http://lmgtfy.com/?q=powerline+ethernet

Additionally, in this particular situation the smoke detector was installed in a room where a smoke detector would not normally be installed. If you are going to run wire to make such an installation, then running CAT5 was well as romex isn't going to be a problem.

And by the way FING won't find the device unless it is in the same subnet, either hardwired or wireless. It can't even find devices on the same subnet if the isolation is enabled on the guest network to which you are attached.

Re: I guess this is going to be tossed out

First, he is going to have to prove that the meeting was even recorded, and he will have to state who did the recording. In his filing, he didn't even provide a date of the alleged meeting.

He will have to provide sworn affidavits from either the person who did the recording (self-incriminating) or someone who has first hand knowledge (anything other than first-hand knowledge is inadmissible hearsay.)

Once that has been established as fact, THEN he will have to prove that the Apple product was used to record the meeting. Then he is going to have have to establish that he didn't have any other applications on his phone that could be used to remotely record the meeting.

Now, this is civil court and not criminal court, so he doesn't have to establish proof beyond a shadow of doubt. He only has to establish a preponderance of evidence -- meaning that it is more likely than not.

However, he is going to have a very tough time doing that. The only way that he is going to prove that the meeting was recorded is to provide a copy of the recording. He could also find someone willing to testify under penalty of perjury that they have personally listened to the recording and that they have first-hand knowledge that the recording was of the meeting in question -- meaning that they themselves would have to have been at the meeting -- but if they can do that then they could have made the recording themselves using any number of means unrelated to this bug, and it IS more likely that someone used a standard digital recorder than used an undisclosed bug, especially as the bug doesn't have the ability to create a recording in an of itself. He will also have to provide affidavits for all in attendance that they didn't record the meeting, and explain what due diligence he undertook to insure privacy at this meeting.

Additionally, he is not just suing Apple -- He is also suing the developers, distributors, and advertising agents. He is claiming that each of them not only knew of the bug, but recklessly proceeded in bringing the product to market knowing ahead of time that the bug existed. The discovery is to get the names of the people who acted in that capacity so that he can add them to the suit by name.

No, he is trying for an out-of-court settlement because he knows that the cost of discovery is going to be high and is hoping that SOMEONE (he knows it won't be Apple) would rather pay off a nuisance lawsuit than undergo the expense of fighting it. He is leveraging the "vast experience" that he has gained in his less than 4 years of practicing personal injury law on the claim that within the less than 90 days that it has been since the bug was introduced that an event has occurred that has resulted in irreparable harm and PHYSICAL pain and suffering, but can't even give the date of the alleged event. He is smart enough not to have himself for a client and is using another attorney to file the suit -- however if he was serious about taking this to court you would think that he would pick someone who is well versed and has lots of experience in this area of law -- but instead he hires a personal injury lawyer who specializes in car accidents with just of a year of experience as an attorney.

If it goes to court he is going to have to affirm, under oath, under penalty of perjury subject to incarceration and disbarment, to the events alleged in his filing. He certainly doesn't want to do that, otherwise he risks irreparable harm to his future as an attorney and it will have been at his own hand.

I kind of hope that Apple doesn't settle. Lawyers like this shouldn't be practicing law.

Re: All else being equal...

An as employee in a free market YOU get to decide how much you make. A prospective employer makes an offer, and you are free to accept or decline the offer.

If you accept it, it is YOUR OWN FAULT if you accepted an offer lower than average. Furthermore, you are only WORTH as much as the person behind you on the list is willing to take for the same job, no matter how much you think you are worth. Your labor is essentially a commodity, treat it as such.**

The solution? Know your worth, and don't accept less. Don't wait for them to tell you what they think you are worth, step up and make your worth known. If you remain unemployed then you overestimated your worth. If you want to increase your worth, learn some marketable skills.

It is up to you and you alone. Quit blaming others. It is not the job of society to train or educate you, and it is not the job of society to employ you.

** Think of your labor as a gallon of milk. As a consumer you can go into any number of grocery stores to buy your milk. The price is going to vary from store to store. Some decide go to the cheapest store, some decide to go to a more convenient store and pay more. The fact that someone else paid more for the milk at a convenient store doesn't make the lower price of the grocery store "unfair" to the milk or to the farmer who produced it. It also doesn't mean that the person going to the convenient store was price gouged. There are many more factors than just price that go into a purchasing decision.

Re: Always blaming Russia

The thing about spear-fishing email, I'm confident it doesn't take the CERN experts to figure out where it came from and who it benefits. I'm sure there's a whole industry around tracing down the who, what, and why.

The thing about spear-phishing is that it NEVER comes from where they say it comes from. That is, after all, the point of the phish. I can send a message and make it look like it came from any number of countries, doing so is trivial to anybody who knows what they are doing. The harder part is getting around SPF, domain keys, and message signing so that the phishing messages don't end up in a spam folder.

As to who it benefits -- You can try to guess who it benefits but all you would really be doing is bias confirmation. This week the DNC wants the bad guys to be Russian, so they will ignore any evidence that says otherwise or interpret any evidence to justify their conclusion. Next week it they could want it to be a Trump staffer or North Korea and make the same case. Do you really think that ONLY the Russians would be interested in a tap on DNC internal communications?

In order to really track it and find origin you have to set some bait for them to take, and then follow it back. You have to gain access to the mail server where the replies to their messages go to see if the server has been compromised, and then trace whomever accesses the mailbox to trace it back. You have to see if the machines used to access the server have been compromised, and go back further. They would have to establish a dialog with the phisher to keep them on the line so that all of this could happen without them finding out. All of that is very time consuming, expensive, and requires cooperation from friendly judges issuing warrants and lots of IT people sworn to secrecy.

None of that has occurred, therefore they are guessing and don't REALLY want the facts because the facts may not support their accusations. They are more interested in controlling perception for the purposes for political persuasion than they are establishing fact. Of course they are a political organization, and that is what political organizations do (no matter what side of the isle). Nothing unusual, just the normal day-to-day operations of a political organization.

Re: I'm sure the FCC will get right on it

As though Obama and Wheeler, or Clinton and Hunt, were any better. Unfortunately incompetence in federal bureaucracies is a problem that transcends political party.

Re: WinSCP 5.14...

I thought that this was fixed in the WinSCP 5.13.5 hotfix last November, though it would be nice to get a confirmation on that from someone connected with the project.

Re: It definitely happens

Never ever use personal email addresses for things like that. Use an administrative name that is really a distribution list.

I have come across more and more vendors and services, such as SSL Certificates, that no longer allow that. You have to resort to using a email address that LOOKS like a personal address even though it is a distribution list.

@Amplex

You might be confusing the quote (the part in italics) with my post, because I don't make such assumptions.

In addition, I don't have to imagine investing my own money. I used to own a wireless ISP back in the time-frame with WISPA was starting, and some of my friends/friendly local competitors were even among their officers. I am quite aware of the market and its challenges. Some 12-15 years ago when the municipality where I live looked at doing their own fiber rollout I saw the writing on the wall and sold off the ISP, even though we were the ones supplying the municipality with their bandwidth, and signed up my home to be on the waiting list for the municipal network. It took a few years before it got connected (and I suffered with DSL in the meantime) but it was worth the wait.

I wasn't happy at the time with public money being used to compete with private enterprise, but today I would be among the first to admit that in my local situation it was the right thing to do -- even though I was one of the private enterprises with which they were competing.

Re: Ooooh...

It may be easy to steal domains from them, but it is a real pain in the @ss to try to transfer any away from them. Sometimes it is easier just to pay their extortion fees for another year than spend the amount of time it takes.

Re: Ooooh...

In my college days I can remember one of my roommates going out on a cold and snowy morning to warm up their car, which also involved cleaning off about a foot a snow and digging it out from where it had been plowed in by the plow truck. However, when he went to leave for classes he noticed a problem in that the car he warmed up was a stick, while his was an automatic.