Oh, for fuck's sake roll it back.
It's fucking awful.
64 posts • joined 2 Jul 2010
> I didn't ask ...
Yes you did. You used sites that make your downloads and actions public, you have a public blog, twatter account, and Register account using the same handle. You give away your identity on the first two, and then complain that you're easy to find?
If you cared, you wouldn't do that.
No more youtube video downloaders, which are verboten on google's extension list.
Potentially no more adblockers, ghostery, etc.
Your browser is currently a general purpose computing environment. That's about to get restricted.
Oh, and this : http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/
My guess (based on how most half-sane people would do it) would be that they're salting each user's password with a unique-per-user salt, so when you enter your new password it's merged with "your" salt, hashed, and the hash then compared against your previous password hashes to detect "naughty" password reuse.
This approach would keep 99% of the usefulness of the salt (i.e. you can't generate a rainbow table and mass-reverse everybody's hashes), and any additional weakness this introduces is rather overshadowed by their insane password policy anyway.
Ebay's password policy, in which password space is bounded to 6 <= length <= 20 characters, passwords must contain 2 of [lower-case, upper-case, punctuation-symbols], with no single dictionary words allowed (amongst other things), whilst removing the possibility of passwords like "apple", reduces the search space for brute-forcing algorithms significantly (with the main culprits being the low minimum length requirement and the bounding of password length to 20 characters).
>> It would have been more useful if they had said whether the passwords were salted or
>> not. If my salted hashed password has been released, I'm totally "meh" about it,
>> whereas if my unsalted encrypted password has been released then I'm much more angry.
You're wrong, then. Let's assume (and it may be a rather large assumption) that ebay are not complete fucking maroons, and are not only salting your password, but salting your password with a unique-to-you, or better, unique-every-time-you-change-your-password salt. Now, as the bad guys have your salted password hash, they can't do anything with it, right? Wrong. Of course they can. If they've managed to extract your salted, hashed password from ebay's database, we can also assume they bothered to extract the salts at the same time, and they know the salting & hashing algorithm that ebay use. Because they aren't fucking mongs either; indeed, we should assume they are somewhat smarter than you or I. So, if your account particularly takes their interest, they are perfectly capable of building a rainbow table for reversing your password hash to its original plaintext version of "ebay.com". If it's salted uniquely per password, they can't then use the rainbow table to reduce the time taken to do an *en masse* reverse; they effectively need to brute force every password. And even that is less of an issue should they happen to have a botnet at their disposal; all they need to do is distribute hash/salt pairs out, and have their bots do the crunching via brute force rather than rainbow tables. That's how I'd do it, anyway.
We can probably assume that ebay have fallen into the common trap of using lower-complexity hashing algorithms, on the grounds that 500ms is too long to wait to log in, and the combined compute load of their users logging in would be too expensive should they use something "heavyweight". Which is fair enough, but it makes brute-forcing feasible, time-wise. And even if they are using something "hard", all the brute forcer needs to do is give up after a certain amount of time, or put harder hashes "back onto the queue" for later attention, focussing on getting the lower hanging fruit first.
Whichever way you look at it, if they want into your account, you're proper fucked whatever happens.
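The two posts above sketch how a per-user salt plus a history of old hashes lets a site detect password reuse, and why a unique-per-change salt with a deliberately slow hash is the stronger variant. The following is an added example (mine, not ebay's code, whose scheme is unknown) showing that stronger variant: every password change gets a fresh random salt, the candidate password is re-hashed under each historical salt for the reuse check, and PBKDF2-HMAC-SHA256 with a constructed iteration count stands in for the "heavyweight" hash. The `PasswordStore` class and its method names are assumptions for the example.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. A deliberately slow hash is the point;
# 100k iterations is an illustrative number chosen for this example.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-length hash from password + salt using a slow KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class PasswordStore:
    """Per-user password records with a bounded history of previous hashes.

    Each history entry carries its own random salt, so a rainbow table built for
    one entry is useless for any other, and a reuse check still works because
    the candidate is simply re-hashed under each old salt.
    """

    def __init__(self, history_depth: int = 5, iterations: int = ITERATIONS):
        self.history_depth = history_depth
        self.iterations = iterations
        # username -> list of (salt, hash), newest first
        self.users = {}

    def is_reused(self, username: str, password: str) -> bool:
        """True if the candidate matches the current or any retained old password."""
        for salt, old_hash in self.users.get(username, []):
            candidate = hash_password(password, salt, self.iterations)
            # constant-time comparison, so timing does not leak match position
            if hmac.compare_digest(candidate, old_hash):
                return True
        return False

    def set_password(self, username: str, password: str) -> None:
        """Set a new password, refusing anything still in the user's history."""
        if self.is_reused(username, password):
            raise ValueError("password was used recently")
        salt = os.urandom(16)  # fresh salt for every change
        history = self.users.setdefault(username, [])
        history.insert(0, (salt, hash_password(password, salt, self.iterations)))
        del history[self.history_depth:]  # keep only the newest N entries

    def verify(self, username: str, password: str) -> bool:
        """Check a login attempt against the current (newest) hash only."""
        history = self.users.get(username)
        if not history:
            return False
        salt, current = history[0]
        return hmac.compare_digest(hash_password(password, salt, self.iterations), current)
```

Two users with the same password end up with different hashes because their salts differ, which is the property that defeats the mass-reversal rainbow table; what it does not defeat is a targeted brute force of one account, which is why the iteration count matters.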
As for "pissing about with remote computers whilst I'm in the marshes", I can do that just as well, and probably better, with my thinkpad. What the surface brings (and the *only* thing it brings) is the "tablet" side of things, which is utterly useless for the aforementioned remote login stuff (and, of course, is available far more cheaply on a non-surface laptoplet hybrid).
It's a shame really. The ARM version is far too locked down (at the current $199 for a "refurb" - read "written off as part of the $900M loss MS took on them - it would be attractive if you could do anything useful with it), the Intel version far too expensive, and neither of them fill a particular niche.
So far, MS have pissed away nearly a billion and a half on Surface. I don't see this version turning that around.
Up to a certain point, there are gains to be had. If you have a decent amp, source, and speakers, then you /may/ be able to hear the difference between super-cheapo "wet string" bellwire speaker cable as shipped with Dixons-style hifi and a "fatter" speaker cable. You will not, however, be able to tell the difference between £10/m speaker cable, £1000/m monster cable, or 10p/m 1.5mm solid core mains cable - there is none.
Of course it's directional. One pair of wires goes in the direction of the left speaker, and the other goes in the direction of the right speaker.
I don't do 16mm^2, though. 1.5mm solid core is fine. Well, overkill, really.
...and be sure that, instead of doing its designated task, the damned thing will spend its time arguing about Japanese comic trivia or star wars on the internet.
>> I don't know with Open Source either. What I do know is that it's much easier to go find
>> new holes in Open Source given the motivation as you can look at the source code...
Cobblers. Holes are mainly found by fuzzing, not by poring through source code. Exploits rely on code mishandling user-supplied data - fuzzing involves sending enormous quantities of deliberately broken data at something until it does something it's not supposed to. This is far easier than having to work out what some piece of logic is supposed to be doing, what it's actually doing, and why it's broken in this or that edge case. Chuck a load of crap at a victim machine (that you also control), wait for it to go bang, and then work out what you are going to be able to do while the smoke's clearing.
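The post above makes the point that bugs are found by throwing broken data at code and watching for misbehaviour rather than by reading source. Below is an added example of that workflow from the developer's side, written by me and not taken from the post: a constructed toy record format `[len][payload...][checksum]`, a parser whose length check guards the payload but not the trailing byte, and a small mutation fuzzer that distinguishes the parser's documented validation errors from genuine crashes. The format, the parser and the helper names are all assumptions for the example.

```python
import random


def parse_record(buf: bytes) -> tuple:
    """Toy parser for the constructed format [len][payload...][checksum].

    It carries the kind of edge-case defect fuzzing finds: the length check
    covers the payload, but the trailing checksum byte is read unguarded.
    Well-formed rejections raise ValueError; anything else is a bug.
    """
    if not buf:
        raise ValueError("empty record")
    n = buf[0]
    payload = buf[1:1 + n]
    if len(payload) != n:
        raise ValueError("truncated payload")
    checksum = buf[1 + n]  # BUG: raises IndexError when buf is exactly 1 + n bytes
    if checksum != sum(payload) & 0xFF:
        raise ValueError("bad checksum")
    return payload, checksum


def make_seed(payload: bytes) -> bytes:
    """Build one valid record to mutate from."""
    return bytes([len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random structural or bit-level mutation to the input."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:  # flip one bit
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif choice == 1 and buf:  # overwrite a byte with a boundary value
        i = rng.randrange(len(buf))
        buf[i] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
    elif choice == 2 and buf:  # drop a byte (shortens the record)
        del buf[rng.randrange(len(buf))]
    else:  # insert a random byte (lengthens the record)
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(parser, seed: bytes, iterations: int = 2000,
         expected=(ValueError,), rng_seed: int = 1234) -> list:
    """Feed mutated seeds to the parser; collect inputs that raise anything
    other than the parser's own validation errors, with the exception name."""
    rng = random.Random(rng_seed)  # fixed seed so a run is reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except expected:
            continue  # rejected cleanly: correct behaviour for bad input
        except Exception as exc:
            crashes.append((sample, type(exc).__name__))
    return crashes


if __name__ == "__main__":
    found = fuzz(parse_record, make_seed(b"hello"))
    for sample, name in found[:3]:
        print(name, sample)
```

Every crashing input the harness reports has the same shape, a record whose declared length exactly fills the buffer, which is the triage step the post describes: work out what the crash tells you, then fix the check (here, verifying `len(buf) > 1 + n` before reading the checksum).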
> What were you using in the 90s that had those features?
gnus (the mail client in emacs), but IIRC mutt did threading too. And, if I'm not mistaken, so did eudora on the mac.
Spam blocking was a bit more tricksy, but gnus allows you to do that too.
and it does newsgroups.
After all, there's all those Zunes out there. They've gotta count, right?
>> Let's say I have xcode on screen one, photoshop on screen 2. Working in xcode.
>> Now I need to do something in photoshop from a menu. So I have to mouse over to
>> photoshop on screen 2, activate it, mouse back to screen one, select from the
>> menu, mouse back to xcode.
That's not only a fairly contrived example (I doubt many developers have XCode and Photoshop open at the same time for work on the same project), but it's also 100% wrong. I currently have emacs on my laptop's built-in monitor (along with Chrome that I'm typing this into, and a bunch of other crap), and IDA Pro (my old windows copy, running in a VirtualBox VM) on the external monitor. Now, should I need to touch the apple menu bar on the external monitor (rare with VirtualBox, it's got shit-all you'd want to fiddle with anyway, but the principle remains the same), I mouse over to the other screen (well, pen, actually, wacom tablet so no dragging needed), activate the app (one click, the same one you'd have to use under windows or a single-screen mac) and the apple menu bar automagically pops up on the external monitor. I'll grant that for a draggy mouse you'd have extra mileage to get to the other screen, but you'd have that under windows as well.
Horses for courses, really. I use a mac because I like the way it works, it can be made to fit(t) with my workflow. I don't like windows because it can't. A lot of that is probably because it's what I'm used to, that my expectations of how my workflow should flow is at least in part based on the way I'm used to OSX (and MacOS before it) behaving - the same can probably be said regarding your experience and opinion.
> There is no winning.
But there /is/ whining.
EIEIO on the 6502? You jest. It's the PowerPC "Enforce Instruction Execution In Order" opcode. It *might* go back as far as IBM's 801 processor, or more likely the original POWER ISA, but no further. The first time you're liable to have come across this unless you were doing low level AIX development on IBM hardware is when the first PowerPC Macs came out in 1994. About ten years after the 6502 was commonplace.
>> I wouldn't like to do it like that on a modern car with an engine management system,
No more difficult than any other car engine. Disconnect electrical bits, remove ancillaries, unfasten engine, remove.
I've got 4 of those lying about somewhere, I think. Want 'em?
>> if it's not intrusive
That's the thing, though, isn't it? Advertising *is* obtrusive. TV ads are mastered to run at a higher volume than the programs they intersperse. Web banner ads are placed and designed such as to demand your attention. And so on.
The response is instamuting the telly every time the ads come on, adblock pro, noscript and other browser addons. Ads are largely speaking offensive (not in a NSFW sense) and intrusive, it's how they are designed, and people try their hardest to avoid them.
So what's this? An adman's wet dream. Ads that not only you can't skip, but that demand 100% of your attention whilst you're not skipping them.
Fuck them. Fuck them anally with a large pole wrapped in barbed wire.
Are you completely mental? It's completely evil. It'll do nothing to reduce spam (sweatshops, etc), but will do everything to put more fucking advertising IN YOUR FACE, as though you needed it.
"Bored with typing stuff in? Here's an INTERACTIVE ADVERTISEMENT YOU CAN'T IGNORE OR BLOCK instead."
Advertisers? Out round the back of the shed, two barrels upside the head..
Ah, Citroen handbrakes. Gotta love 'em. Especially when you've got a flat rear tyre on your BX (yeah, I had the super-cheapo model, if you think the GS suspension was bad you need to try a clapped out BX), and you're parked on an icy car park. Hint - the only way to stop the wheel spinning on the ice is to block it - OK if it's the left hand rear, as you can use a blanket laid under the front and rear wheels, but the right hand rear is basically impossible.
>> Some people even called the shortcut a three-fingered salute.
Not "some people", it was /everyone/. Everyone called it that. Everyone. Even people like me, who didn't use DOS or Windows, called it that. Because everyone knew what it meant.
We (the western world, and probably much of the rest) have a huge problem with illegal drugs. We don't even know the full scale of it, because, as an illegal situation, it's almost entirely underground. The only bits we see are the health and criminality repercussions, which are a secondary problem, not the primary one.
How would legalising help?
The supply chain would no longer be in the hands of criminals. Primary suppliers (the cocaine farmers in South America, for example) would be paid a fair price, improving their way of life. A significant load would be taken off the hands of customs and excise. Drug mules would no longer be risking their lives.
Quality control would no longer be in the hands of criminals. Rather than having drugs cut with whatever shit comes to hand, users would be guaranteed pharmacological grade drugs. Result - fewer overdoses, fewer secondary health effects, a huge weight taken off the health service.
Distribution would no longer be in the hands of criminals. Result - tax income, and a concrete idea of how big the problem is. An ability to contact and help those who are dependent, without having to "overlook" the criminal aspect of what they are doing.
FWIW, my grandfather came home from the first world war with half a leg less than he went with, and a lifelong diamorphine addiction that he didn't have when he went. After coming back, he held down a responsible job until retirement, despite twice-daily doses, and finally passed away aged 92. The difference between his addiction and that of the average street junkie was that his heroin came direct from the NHS.
Legalising is the first step to solving the problem. Criminalising is a total abandonment of duty.
So, yeah, this lot might be a bit nutty in some respects, but they're bang on the money as far as drugs go.
>> Microsoft's domination over integrated HW/SW designs will be of great concern for everyone.
Look what happened with XBox.
V1 was pretty much a PC in a funky case, and worked better as a PVR than a games console. It tanked compared to the PS2.
V2, the original 360, was awesome, modulo the odd hardware issue. It kicked the PS3's ass so hard MS thought they had won, and started fscking with the interface, making it an ad delivery platform, etc. Result - PS3 is winning again.
V3, the Xbox "one", is dead in the water compared to the PS4. MS have backtracked and u-turned on their plans so often I doubt even they know what their plans are.
Sony are evil, arguably more evil than MS, but they aren't incompetent. MS have both in spades.
It was (and, to some extent, still is) far more than just a PDA. It was a full computing platform, and while people who haven't used them in earnest (I still have, and use, my MP2100) focus on the handwriting aspect*, there was far more to it than just that.
- No "filesystem", just a big "soup" of data. You don't need to worry about where your data is stored in some arbitrary hierarchy of devices and folders, or what you've called it, all you need to know is what you're looking for. There's nothing quite like that, even now.
- Extreme integration. This lives on, to some extent, in some of Apple's software (for example, highlighting of (fuzzy) dates in Mail.app enabling you to add items to the calendar, etc.), but Newton hooked into everything, even 3rd party apps.
- Write anywhere. The handwriting recognition might not have been perfect, but it fit perfectly with the form factor of the handheld Newtons. Keyboards worked too, of course, and would have been good for a "desktop" NewtonOS device. MS might be failing with their "one UI fits all" paradigm, but newton had it in the '90s.
- Expandability. USB, Wifi, Bluetooth, ATA storage cards, all aftermarket "hacks" for the Newton that work very nicely despite the fact they hadn't even been invented when it was released. Quite astounding when you realise the restrictions of the platform.
- Instant on. Really. Totally instant in most cases. Straight back to where you were when you turned it off. Even if that was weeks, months, or even years ago (in which case you might need to boot from cold, but you lose nothing - try taking the batteries out of your Palm pilot and see where that gets you).
What really killed it (apart from the price and the heckling) was the fact it was so radically different from other platforms. It was hard to make it work properly with the "status quo". Sure, you could sync it and keep your data safe, but that was about it. Interop with desktop apps other than calendars and address books was hard to do (and is even harder now).
Newton is probably the closest thing to the perfect computing platform ever invented (eclipsed, possibly, by the Lisp machines). It's a crying shame the rest of the world hasn't managed to catch up.
* The descendant of the Calligrapher cursive recogniser used by the later Newtons is now, I believe, owned by MS, which is why OSX's "ink" recogniser (OSX 10.2+) only handles printed handwriting.
>> a standalone Nokia under Elop, which has been going great guns for the past year.
Since Elop's infamous "burning platforms" memo, Nokia have gone from being the number one mobile supplier (and projected to stay there) and the world's biggest smartphone supplier (and projected to stay there) to an industry joke. In the 2 years from 2010 to 2012, Nokia's business fell back more and more on the featurephone market, with smartphones dwindling from 35% to 14% of their output. They currently have around 2% of the smartphone market. That's "stellar"* performance.
If standalone Nokia under Elop had been going "great guns", they wouldn't have been bought out for pennies on the Pound by Microsoft. The only gun they've been wielding is the footgun, and Elop's been using it with great precision.
* as in "brown dwarf"
>> Previous revelations have revealed that the NSA routinely stores encrypted traffic transmitted over
>> Tor for subsequent cryptanalysis.
Time for some noise generation, then. A pair of apps that ping-pong encrypted chunks of random data across tor should be pretty simple to set up.
SPAFF - Serious Problem Activates Final Failsafe
GOO - Geosynchronous Orbiter Override
SLAG - Satellite Lohan Abort Gizmo
STIFFY - Satellite Technology Imminent Failure Failsafe Yanker
FAP - Failsafe for Aerial Payload
That one keeps coming up, but it's, amongst other things, :
1 : forgetting Win2K
2 : forgetting that XP was almost universally loathed until at least SP2 ("Tinkertoy interface"), and was pretty much crap until SP3.
Yep, that's what we're talking about.
...after all, they found a Brazilian and all they did was question him, rather than carrying out a summary execution in public.
Whether or not the black helicopter crew can decrypt information is largely irrelevant. The fact that they can detect that it is encrypted is enough. Once they know that, rubber hose cryptanalysis is enough.
There's 2 use cases.
One is that someone is leaking information that "they" would rather not have out in the wild (Snowden, Manning et al). Once the information is leaked, what they want is to plug the leaks and "deal with" those involved in the leaking. So the whole idea of secrecy is about hiding who you, and your sources, are. Cryptography doesn't help much in that.
The second is that you are transmitting information that you'd rather nobody knows about. It may be that you're cheating on your significant other, it may be that you're planning a terrorist attack. Here you want to keep the information *and* identities secret - at some point the information must be decrypted, so "they" only need to find one end or the other of the chain and, again, apply rubber hose cryptanalysis methods.
Once one or more of the identities are known, all bets are off. Decryption may be possible (if expensive), but rubber hoses are cheap and readily available.
"Don't trust electronic communications" is the only reasonable approach.
>> We began trending towards socialism after the "Red Menace" was no longer a threat.
No, seriously, WTF? The US trending towards /socialism/? You're completely mental.
>> Excel is still the best spread sheet.
No, Excel is the most commonly used spreadsheet. It was left in the dust in terms of features by Improv and Quantrix, and still hasn't reached where they were 20 years ago. Excel is probably the number one example of a market leader stifling innovation to the point of holding the market back.
As for Windows RT, I'm sure MS will manage to improve on that $900M writeoff.
Nah, you want to be the one who "surveys" material on the web to make sure it's not breaking Osborne's guidelines on pr0n. Qualifications required : ability to type 80wpm with one hand.
>> SD card blah blah apps to SD card
But you still run out of space. Not space to store applications and documents on the SD card itself, but "internal" memory used by applications and Android itself. My several-hundred-euro tablet running Android has >16GB free on its SD card, but won't check my mail because
"Out of space ... Free up some space and try again"
Fuck Android. It's crap. I've tried to like it, but it's crap.
Innocent until proven guilty, m'Lud.
As it happens, it's *alleged* sexual assault, and he's not yet been actually *charged* with anything. He, of course, denies the allegations, claiming the relationships in question were consensual, and reckons the whole thing is a put-up-job to make him more easily extraditable to the US.
He has, however, offered to meet and co-operate with the Swedish investigators at his current "abode", or to go to Sweden if guarantees are issued vis-a-vis his safety from extradition to the US. The Swedes have refused both options.
> Microsoft need to get their heads around the fact that a mouse is not a finger and a finger is not a mouse.
The never stop to think a mouse
The always on the brink a mouse
Fingermouse, that's me
I am the mouse called Fingermouse
The mouse with guts and verve
I get past cats so easily with my favourite body swerve
I'm a sort of wonder mouse
A hit, a miss, a blunder mouse
Fingermouse, that's me
Won't somebody please think of the children?
As opposed to "three hours of inaction crammed into five days"
Coat? Yes, mine's the white one.
>> They get what they deserve, especially since Android tells you that an application has
>> permissions to send SMS under a large heading that says "services that cost you money."
The problem is 3-fold, and categorising those affected as being somehow "deserving" is both condescending and hideously unfair.
1 - Pretty much *every* application demands a raft of permissions. As a user, you have no way of knowing *why* they are demanding those permissions, or what, exactly, the application will do with them.
2 - The user (self included) wants to run the application (it's why he / she has downloaded it in the first place), doesn't necessarily understand what the permissions mean, and is already used to simply clicking through without thought (see 1 above). So they simply click through without thought.
3 - Android doesn't give any option of "install this app, but disallow this subset of the permissions it's asking for". It's either "install the app, and give it what it wants", or "don't install the app". And the user, as previously noted, /wants/ to install the app.
I would imagine that the percentage of apps which fail to be installed at the point they've hit the "wants these permissions" screen of the installer is vanishingly small. Android's "wants these permissions" thing is far too little, and potentially worse than the "do nothing" option.
While it may technically sneak in as a virus, Leap/A is/was not much of a danger - it involved several manual interventions on the user's part to get in, after all - quoting from the article you linked:
>> it requires user interaction (the user has to receive a file via iChat, and manually
>> choose to open and run the file contained inside).
Oddly, last week I was asked to fix a friend's mac, which had started behaving oddly. The problem? His wife had installed Avast!
Mainly because pretty much all the other A10 boards out there are using the Allwinner reference designs, and those don't expose the SATA either. When you're making peanuts on boards like this, and it really is a dog-eat-dog world, there ain't much time for designing and debugging new boards. Hats off to the Cubie guys for doing it.
Another one to watch is Olimex. They're about to release - the betas are all sold out - their A20 board, which is basically their original A10 design with the A20 plugged in (not the A10S board, the A10S doesn't have SATA). They also have an A10S board, which is pretty nifty if you don't need SATA or the grunt of the A20. Olimex are cool guys, too.
The issue with micro-usb is twofold.
The first is the shift from switchmode regs on the alpha boards to linear regs on the production ones. They use more power than is necessary to get the job done.
The second is that the market is flooded with crappy Chinese USB cables, and USB "PSUs" which are, in fact, chargers. Charges my phone, right, must be good enough to power the Pi? Wrong. 500mA USB supplies abound, 2A ones don't. Especially not ones that actually put out what they say they put out. Added to the fact that the power coming in is often marginal in terms of voltage levels and regulation quality, it's a recipe for, if not total disaster, at least a lot of confusion. And there's been a lot of confusion.
The alpha boards, on the other hand, took anything from 9 to 16v DC (from memory), which leaves a lot of voltage headroom, and it's hard to find super-low-power DC bricks in that kind of voltage range.
Like I said before, the decision was understandable, if a little naive in terms of performance expectations of real world chargers and cables, but it was still (IMO) a bad decision. And yes, when a "marginal" cable can pull the whole power system down, that's a problem with power design.
As for edjerkayshun, the Pi's been a runaway success. Perhaps it hasn't made massive inroads into the classroom, but it's raised awareness of the problem, shown that something *can* and *should* be done, it's shown teachers that they have the power to do something, even if it's not directly Pi-related.
Yeah, the majority of Pis have been sold either to the clueless tinkerers brigade, the vast majority of whom are underusing it in their "hacks" in the same way they would underuse an arduino, and a lot of the rest oversold to those with expectations way above what $35 buys you. But even that's a win. Because it's shown there is a market for affordable "dev boards", from the teensy 3 (cortex-M) all the way up to things with multicore Cortex-A SoCs.
WRT the power issue, I criticised the decision to go micro-USB with power on the Pi when it was announced, and I stand by that criticism. It was an understandable decision, but a bad one, even ignoring the poor quality of most micro-usb "power supplies" out there.
Ah, you may be right re: USB, I believe Gordon's done great work there. I've not tried the latest firmware or kernels, I tend to spend my time in the bare metal world.
However, the documentation is *definitely* lamentable if you're not relying on Linux to deal with all that "hardware" stuff. Unless you happen to have datasheets available for the USB controller, SDIO controller, full explanation of how the GPU interacts with the CPU, etc, in which case a good deal of people would be very happy to hear from you.
Yeah, yeah, the (linux) code is the documentation, you say, but that doesn't cut it when you're coding to the metal. Especially when the code in question (a shining example being the USB host code drop from Synopsys) is shot full of bugs and implemented in what appears to be the least efficient way possible.
> The Raspberry Pi is most likely a re-branded Japanese product
Is it cobblers. It was designed in the UK by guys working for Broadcom. The problem with the Pi's documentation isn't to do with translation, it's to do with getting Broadcom (and the various IP vendors) to release it.
As for video performance, I'm almost certain the videocore blows the SGX out of the water /generally/ in terms of processing power. It certainly does in terms of H.264 (and certain other codec) decoding, as the SGX has no specific video decode hardware.
It's often better to keep your mouth shut and have people think you an idiot, than to open it, and prove it.
Documentation - The Sitara chip has copious and usable documentation. The Broadcom unit on the Pi doesn't. The SGX530 has a technical reference manual. Broadcom's videocore doesn't, at least not outside of Broadcom.
Power - The beaglebone is far more flexible in terms of powering. PSU "issues" are one of the major issues with the Pi.
USB - The TI chip does not, as far as I'm aware, use the same undocumented, buggy, USB host IP the Broadcom one does. Even with the recent fixes, simply using a USB keyboard and mouse on the Pi will eat around 10% of your CPU. Add USB networking or anything more meaty, and you don't have many cycles left.
So you get slightly lower HDMI resolution, but everything else is made of win.
>> you have to download and install the malware - which means you have to agree to the permissions it needs to run.
Quite, but how many people actually take any notice of, or understand, the permissions warning screen? After all, if you've downloaded <x>, it's because you already /want/ to run it - Android doesn't give you any option of "stop this application doing this, but it might compromise functionality", it's all or nothing, "install it or don't". Everyone I know, *myself included*, hits "install it". So all you need is something that people *want* to run, and you're on a load of devices.
Your issues 2 and 3 are largely moot because, once you have code running on a machine, you effectively have physical access. Privilege escalations are hardly unknown, after all, and Linux kernel + Android runtime provides a pretty large attack surface, especially given the likelihood of anything having been patched since the device left the factory.
I strongly doubt that "it doesn't mount as a mass storage device" is going to save you. It's more likely to be posing as a HID device or similar.
That's how I'd start off, anyway.
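Both Android posts above (the three-fold problem with the permissions screen, and the "everyone hits install" point) come down to the same gap: the installer shows the list, but nothing checks it against what the app is actually for. The following is an added example, written by me rather than taken from either post or from Android itself, of the check a user or a corporate app-vetting step could run on an APK's manifest before install: pull the `uses-permission` entries out of a constructed sample manifest, group them under headings modelled on the installer's own ("services that cost you money" is quoted in the post), and flag anything the stated purpose does not justify. The permission names are real Android ones; the grouping, the sample app and the function names are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# The android: XML namespace used by AndroidManifest.xml
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed grouping for the example, modelled on the installer's headings.
GROUPS = {
    "services that cost you money": {
        "android.permission.SEND_SMS",
        "android.permission.CALL_PHONE",
    },
    "personal information": {
        "android.permission.READ_CONTACTS",
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.READ_CALL_LOG",
    },
    "location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed sample: a "flashlight" app that also wants SMS and contacts.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Flashlight"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission> element, in order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit(manifest_xml: str, expected=frozenset()) -> dict:
    """Group requested permissions and flag any sensitive one not in `expected`,
    the set the reviewer believes the app needs for its stated purpose."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    flagged = {}
    for group, members in GROUPS.items():
        hits = sorted(p for p in perms if p in members and p not in expected)
        if hits:
            flagged[group] = hits
    return {
        "package": root.get("package"),
        "requested": perms,
        "flagged": flagged,
        # the decision the installer never makes for you
        "install_recommended": not flagged,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST, expected={"android.permission.INTERNET"})
    print(report["package"], "install:", report["install_recommended"])
    for group, perms in report["flagged"].items():
        print("  %s: %s" % (group, ", ".join(perms)))
```

The `expected` set is the reviewer's model of what the app should need; a torch that asks for SEND_SMS and READ_CONTACTS lands in two flagged groups and gets a "no", which is exactly the "install it, but not with those" decision the post says the platform doesn't offer.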