* Posts by Ben Tasker

2250 publicly visible posts • joined 23 Oct 2007

Shanghai lockdown: Chinese tech execs warn of supply-chain chaos

Ben Tasker

Re: Get out

> More people die of CANCER, HEART ATTACKS, CAR ACCIDENTS and DRUG OVERDOSES per capita in the USA

None of which are communicated onwards to other people (though I suppose technically you could argue you communicate a car accident onto the person you hit)

> If I Remember Correctly.

The USA lost 301.27 people per 100K to COVID (that's mortality alone, it doesn't include those who were debilitated by it): https://coronavirus.jhu.edu/data/mortality

The cancer mortality rate in the US is dropping, but at its peak it was 215 per 100,000 (https://www.healthline.com/health-news/cancer-status-report-overall-death-rate-continues-to-drop) - less than covid

Heart disease is normally one of the leading causes of death in the US (https://www.cdc.gov/heartdisease/facts.htm), apparently 1 in every 4 deaths is heart disease. But heart attacks are a smaller percentage of that - 805,000 people every year (actually I'm being generous, that's the number of people who have a heart attack, not those who die). With a US population of 329.5m that gives us 8.05 per 100K people.

Drug overdose is apparently 21.6 per 100,000 (https://www.cdc.gov/drugoverdose/deaths/index.html)

This has turned into a blob of text though, so let's list these in descending order

- COVID: 301.27 / 100K pop

- Cancer: 215 / 100K pop

- Drug overdose: 21.6 / 100K pop

- Heart Attack: 8.05 / 100K pop

So, no, Bombastic Bob you do not recall correctly. In fact, you're so far wrong as to be talking out of your arse.

Ben Tasker

Re: Get out

That sounds like an argument for the lockdown rather than against it.

What you're effectively saying is that they're lying about the death rate (and potentially the infection rate too) which is much higher.

So, the lockdown has an increased chance of reducing harm, not a diminished one - at least before we factor in the cack-handed approach to things like supplying food.

Ben Tasker

Re: Get out

Read my comment again, and realise that what you're commenting on is the *result* of the lockdown not the cause of it.

There's also a real danger in focusing only on deaths. How many of those 371,997 cases are going to suffer serious long-term effects?

Sorry, but you're wrong on two out of two counts.

Ben Tasker

Re: Get out

> idiotic decisions like locking down 25 million people to prevent 3 deaths

That's not how statistics work

It's not to prevent 3 deaths, it's to prevent many more than that.

The lockdown, as badly implemented as it might be, probably has been successful at reducing covid spread and deaths. You can't really judge how many deaths it might have prevented based on the numbers achieved by the measures.

What you should be arguing is that near death by starvation really isn't much better. They've effectively recreated a plague village, with the citizens being starved for the "benefit" of other areas.

Twitter preps poison pill to preclude Elon Musk's purchase plan

Ben Tasker

Re: Content moderation

> If the world ends up misinformed or polarized, that's the world's fault, not Elon's.

Worse, he'll claim that the best way to address fake/false statements is more speech telling the truth.

Which is true, in principle, but tends to fail when you've got someone setting their millions of followers on anyone who points out that they're spreading bullshit and/or putting lives at risk for their own commercial gain.

Stolen-data market RaidForums taken down in domain seizure

Ben Tasker

> In the US, all-caps acronyms are a common way for lawmakers to embed some aptly pandering phrase within legislative shorthand. For example, consider the DISCLOSE (Democracy Is Strengthened by Casting Light On Spending in Elections) Act of 2015. Europol, however, appears to have resorted to capital letters merely for emphasis.

It's the same with military ops.

The left-pondians tend to make some kind of political point when naming, whereas we use a computer to generate a random name so we've something non-political but specific to call it.

Capitalisation of the name in written comms is the accepted style (although not consistently mandatory)

Take the war in Afghanistan for example:

US: Operation Enduring Freedom

UK: OP HERRICK

Same sort of thing with Iraq

US: Operation Iraqi Freedom

UK: OP TELIC

TBH, I always found the US way weird - there's no real brevity benefit in "Operation Enduring Freedom", you may as well just mention the specific theatre. It also leaves open the chance of a name change if the name becomes inappropriate for some reason.

It's a bit like naming vulnerabilities, it's useful to have a name to refer to things by, but it doesn't need to mean anything (and it doesn't *have* to be a backronym)

Atlassian Jira, Confluence outage persists two days on

Ben Tasker

Re: Cloud vs On_Premise

> This is why moving your "stuff" to the cloud is probably not the best option for a lot of people.

Statistically, there are likely some affected users who were all but forced into the cloud.

Atlassian axed their on-prem versions (unless you want to pay for a datacentre license) about a year back.

If you fire someone, don't let them hang around a month to finish code

Ben Tasker

Re: Never risk it

> It can sound harsh, but you've simply got to do it - no matter how much you may think you can trust that person.

I always position it as it protecting that person too.

If someone does something on the system shortly after you've been dismissed, you don't really want there to be any question about whether it might have been you (if nothing else, you want to be sure you won't be scapegoated).

It protects both sides, which is far less harsh (though still won't feel that way when they come out of the office to find themselves locked out).

Google unrolls search features to tackle misinformation

Ben Tasker

Re: Fact checkers need fact checkers

Well, to be fair, you're not going to state right wing opinions in court having said "I swear to tell the truth, the whole truth and nothing but the truth".

Seriously though, got a link to back that up? There's a world of difference between "demonstrated in court" and "found by a court".

Google resumes shoveling stuff into its 'Privacy Sandbox'

Ben Tasker
Joke

Re: Totally redundant tech.

Ahhh but last week you bought a lawnmower, surely you'd rather have ads showing all the lawnmower deals you've missed out on for the next 6 months?

British cops arrest seven in Lapsus$ crime gang probe

Ben Tasker

Adding MFA does improve security.

Putting all your eggs in one basket, though, not so much.

The problem with Okta etc is that they're also an authentication provider - they handle your username/password as well as your 2FA. Which makes them both a juicy target and a single point of failure.

But, the counter argument is: do you leave authentication to a specialist, who has the expertise on hand to detect, prevent and deal with stuff like this, or do you keep it in house where you don't have the resources?

Using a 3rd party supplier also helps to potentially avoid a Facebook-like outage where your own engineers can't get in to fix things because your in-house auth is down.

But, Okta's failure to tell customers about a suspected compromise really does undermine both arguments, if you can't trust your auth provider....

Complaints mount after GitHub launches new algorithmic feed

Ben Tasker

> And how many of these vocal complainers are actually paying Github for service?

Surely, as they're not paying then, GitHub should *not* give them this new feature and only foist it onto people who've paid for the privilege?

I've only taken a quick scan over mine, and there's nothing in there I could ever imagine being worth inclusion in a personalised feed.

Okta now says: Lapsus$ may in fact have accessed customer info

Ben Tasker

Okta's comms have been laughable

Compromises happen, even to authentication providers.

What doesn't instill trust though, has been Okta's communication about the issue.

They've gone from "no, it's just something that happened months ago that we never mentioned" to "yeah, it was months ago, and it turns out they accessed some customer data, we're making contact"

Forensic investigations take time, it's not Okta's fault they only got the report back recently, but they should have been proactively contacting customers *in January*.

They're a gateway to a myriad of other systems, there's absolutely no excuse for having left those systems at risk despite knowing that a "limited" compromise of their own systems had occurred.

All they needed to say was

"Dear customer, we've detected a possible security incident with a third party supplier, we're investigating, but please consider whether you wish to reset access credentials"

Instead they kept quiet and let their customers shoulder the risk.

Not exactly a ringing endorsement for a provider that's supposed to be part of your first line of defence

Epson payments snafu leaves subscribers unable to print

Ben Tasker

Re: HP Are no better

Convenience.

It's as simple as that, the app orders new ink for you when the ink runs low. It's pushed hard and is an easy sell because they aren't upfront about their habit of locking out printers *and* the cost is lower than just buying cartridges (from HP/Epson direct at least)

I've had to spend a lot of time explaining why it's a bad idea.

Brit techie shows us life in Ukraine amid Russian invasion

Ben Tasker
Stop

> While it would be nice to feel good about supplying shelter to the refugees, that is probably best supplied by countries closer to them

I disagree, but even if I didn't - your point would only really be valid if we as a nation explicitly said that.

Rather than

- putting a little paper notice up in Calais

- lying about whether there's an office in Calais

- saying that we're taking refugees but they have to pass all the visa stuff (and pay the fees!) first.

- Complaining that the Irish have taken refugees in the way we should be, and that it might pose a security risk

So, even if your suggestion that other countries are better placed to help them were correct, the way that the Government have handled it has been woefully inadequate.

Taking in refugees doesn't really hamper our ability to supply boomsticks either, so it's not like one actually distracts from the other anyway.

UK Home Office dangles £20m for national gun licence database system

Ben Tasker

Re: Why bother at all ?

> guns over .50 caliber (including artillery and grenade launchers)

What the ACTUAL fuck America?

Ben Tasker

Re: Tracking

> It doesn't do much to directly make a dent in crime since criminals tend to use unregistered illegal guns.

It does make for a slightly easier prosecution when you catch them though. By definition, there needs to be a registration system for anything to be considered unregistered.

> Licensed gun owners are typically very responsible people, have been screened, and secure guns against theft

And again, that's because there's a registration system in place. Without a registration system, there's no *verifiable* screening system in place. Criminals would generally still use stolen firearms, but they'd have a much wider base of people to nick firearms from.

Three Chinese web giants create streaming video 'standard'

Ben Tasker

Re: Won't work.

> If, however, these 'giants' are proposing a closed garden standard, they'd also need to run the access networks and CDN infrastructure, globally.

I can understand you never having heard of Tencent, but Alibaba?

Hint: They've got global CDNs already. Bytedance has been building one too.

If they *don't* share, but are able to show dramatic improvement, then they potentially have a unique selling point to draw publishers to their CDN(s). It never works _quite_ that smoothly in practice, of course.

> I bet they haven't addressed legacy users either, which would be illegal in some territories.

I'll bet you're wrong :)

Flash video is still pretty common in the Chinese market. It's often not played with a Flash plugin anymore though - someone implemented some JavaScript (flv.js) to consume it and feed it into the browser's native video support.

In my experience, the problem with the Chinese video companies is never a lack of support for legacy technologies, if anything it's moving forward onto newer/better standards that's the issue. So the challenge they really face is simplifying that enough to drive adoption - although between them, they own enough of the market that they can focus on their own customer base.

Ukraine invasion: We should consider internet sanctions, says ICANN ex-CEO

Ben Tasker

Re: sigh

> There really is no technical difference between blocking a government-sponsored generator of attacks and a criminal sponsored generator of attack. Likewise for government-sponsored fake news outlets.

But these decisions aren't purely technical.

You're right, at a technical level they're basically identical. The difference lies in the aftermath.

A criminal group cannot use that blocking as "justification" for moving their entire country over to using - in effect - a giant intranet and balkanising their citizens away from inconvenient news sources.

But, it's also not purely a political decision. If you view things as purely political, you get things like politicians trying to hand-wave away things like how encryption works.

You need the input of both, and that's where things tend to be lacking.

Politicians want the war to end, and recognise that one of the ways that happens, is for the truth to spread within Russia. What they may not be so versed on is ways in which that information can be spread. ICANN and the regional registries are in a position to talk authoritatively about the feasibility of a course of action (can we cut them off?) but are not well placed to talk about what it'd impact - a registry doesn't tend to be that involved in trying to infiltrate information.

So now you're looking at a much broader swathe of expertise needed - even before you start to ask the really difficult questions:

- do we have people on the inside?

- how are they exfiltrating information?

- Is any action likely to hamper their ability, or put them in danger?

- How do we even begin to gauge that, given the intelligence services aren't going to tell us?

If the aim is to try and stop the war, then fucking with connectivity is the wrong answer. If the aim, in the longer term, is to try and reduce Russia's ability to attack others then that doesn't need to be rushed, and things can be properly considered.

Governments have access to a whole swathe of information, some of which will never be made public (for obvious reasons), so they can assess some of the impacts. Private bodies do not, and should not, have access to the same level of detail - so they're poorly placed to be making this kind of scale of decision.

Ben Tasker

sigh

> something ought to be done.

Some of the most dangerous words in the English language. Those words are why politicians, and anyone with a modicum of power, end up doing stupid things just to be seen to be doing something.

We know there are controls that could be used, but we also know that Russia (and China for that matter) have both suggested and supported the idea that each country should have its own little internet instead of a global one.

Enacting measures like those described will hasten the balkanisation of the internet, that these two already want (and realistically, there are other nations too). It doesn't matter that the measures try to only target military/dual-use, the eventual consequences will impact civilian usage too.

Hitting Russia with economic sanctions is the right thing to do, but politicising network connectivity (no matter how just the cause) is a bad idea. We need to be using it to get more information *in* to places like Russia, not doing things that make little difference (they spread a good chunk of disinformation via social media anyway), but help them justify reducing their citizens' access to sources of truth.

Where are the (serious) Russian cyberattacks?

Ben Tasker

Re: "Putin may not be insane"

> Except for the fact he published that 5,000 essay at the beginning of the year about how Ukraine didn't really exist, and that Ukrainians were only Russians with funny accents, misled by evil Westerners and Nazis into believing otherwise. Before his videotaped screeds after recognising the Donbas republics and then on the day of invasion - where he said Ukraine didn't really exist and was a historical mistake of Lenin's - and should really be part of Russia.

And of course that, a few days after the invasion started, both RIA Novosti and Sputnik accidentally published a declaration of victory including a statement that "Vladimir Putin took upon himself a historic responsibility, by deciding not to leave the resolution of the Ukrainian question to future generations".

https://web.archive.org/web/20220226051154/https://ria.ru/20220226/rossiya-1775162336.html

ICANN responds to Ukraine demand to delete all Russian domains

Ben Tasker

Re: They won't and can't get everything they ask for.

> Update all those DNS records to stop sending traffic to/from Russia until/unless Russia stops the electronic warfare via the global network. Over their own infrastructure without using global resources, sure, but absolutely not over the general global internet.

That's not how DNS works, at all.

It's basically a distributed phonebook, it doesn't control the flow of traffic.

If you're suggesting everyone should reconfigure their recursors not to respond to Russian IPs then - slow clap - at best you've just slowed the flow of truth into Russia. Russian ISPs run their own recursors, so the majority of users won't notice.

If you're suggesting everyone should update their authoritatives to not respond to Russian recursors, good luck with getting that in place.

The internet is part of how we get the truth into Russia - showing what's really happening, and undermining the state's lies. Fucking with connectivity harms that goal, whilst doing very, very little in terms of positive impact

Govt suggests Brits should hand passports to social media companies

Ben Tasker

Increased exposure for no gain

They want people to hand over details of their passport and build a treasure-trove of PII just waiting to leak.

For what gain? It won't make the blindest bit of difference to levels of online abuse/hate. Just look at the reports from Twitter et al whenever they have to block accounts for racist abuse towards footballers: the accounts are almost always in the user's own name. We *already* have the ability to identify a significant number of those throwing abuse around and laws to catch a lot of it (there are gaps, admittedly), what we lack is the resources to actually pursue it in any meaningful way.

Rather than twatting about building up stockpiles of data-protection disasters, why doesn't the government look at properly reversing its under-resourcing and under-funding of both the Police and the Criminal Justice System. It doesn't matter what new crimes you create when there's a years-long wait for justice.

There's stuff in the Online Harms/Safety Bill I do agree with, but the vast majority of it is tech-illiterate and dangerous. It'd be better to scrap the whole thing and start with a new, more tightly scoped bill to introduce the specific new offences that are actually required.

Users complain of missing data in UK wills search service

Ben Tasker

Me too. It was a KeePassX generated password that fell foul of the stupid requirements earlier.

Its generator lets you exclude characters (or only include specific ones), which is great - but only when the site tells you what they'll accept.

Ben Tasker

By sheer coincidence, I was using this service earlier.

It's not just the search they've made a hash of. Actually creating an account on there was a pain because they've made a mess of enforcing password requirements - https://twitter.com/bentasker/status/1495717477208236040

When you enter a password that doesn't meet requirements, the interface will

- Display your password in the clear

- Tell you it must have at least one lowercase letter, at least one uppercase letter, one special character and at least one digit.

At which point you (and anyone looking over your shoulder) will read your password and think "but it meets that?". They've done that old thing of not including all special characters, and not telling you which they don't accept.

The ones I could find that aren't accepted are =\+.

Eventually, I had a password accepted because it had a ? in it.

Until I saw this story, I'd assumed it was some cruddy old implementation that no one had bothered to drag into the modern world...

We get the privacy we deserve from our behavior

Ben Tasker

Re: confused

> But they have a duty to use them only for the reason I am obliged to give that to them, and not collect more than is needed.

That, incidentally, was why a lot of people objected to the expansion of questions in the UK census - technically you're obliged to answer all questions, but those questions now cover things that people consider private.

I don't mind providing information when it's necessary, but where you're legally compelled to it should absolutely be minimised.

In an arms race with criminals to protect our privacy, it's too early to admit defeat

Ben Tasker

Re: RIPA

That about sums it up.

I don't know if you remember, but not long after RIPA came in, it turned out local councils were using its powers to catch people who put their bin out the day before, and/or not cleared up after their dog.

I know, I know, it sounds like I should be making it up, and yet:

- https://www.theguardian.com/world/2016/dec/25/british-councils-used-investigatory-powers-ripa-to-secretly-spy-on-public

- https://www.telegraph.co.uk/news/uknews/3333366/Half-of-councils-use-anti-terror-laws-to-spy-on-bin-crimes.html

Examples:

> are using the powers to hide cameras on lamp posts, in tin cans, or even in the homes of other neighbours in order to catch people who put their rubbish bins out early.

> ..

> It put a family under secret surveillance for two weeks to find out if they really lived in a school's catchment area.

RIPA has always been an utter bonfire of sanity. They "fixed" that power so that criminal activity now needs to be suspected, but it just goes to show just how far officials will go if given a little bit of power.

Ben Tasker

Re: I note this is a very secure vote

I quite often find with El Reg's debates that the submissions seem to be answering different questions.

This interpreted the question the way my initial reading of it did, whereas yesterday's was much more along the lines of "you should think carefully about what you transmit".

Very, very different topics

IT technician jailed for wiping school's and pupils' devices

Ben Tasker

Re: Don't people need a DBS check?

> caused them physical and psychological harm

Playing devil's advocate here, whilst there's no physical harm, his actions have impacted many more people than your average assault. The article contains a couple of examples of families who've lost some irreplaceable photos too, so there is *some* harm.

Then factor the background in: it's not like he was fired because the boss didn't like him. He failed to declare fraud convictions, so was sacked when they came to light - then *years* after did this.

This isn't someone who acted in the heat of the moment after being wronged: he was sacked for something of his own doing and held a grudge, and acted years later. His actions impacted not just his ex-employer but the students (who the measures that got him sacked are supposed to protect) and their families.

If you're comparing sentences, I wouldn't say this is especially harsh - I'd say your assault conviction examples were perhaps lenient (though circumstances play a part there).

Reality check: We should not expect our communications to remain private

Ben Tasker

Re: Privacy. We've heard of it.

I wonder if it comes down to interpretation of the question itself?

When I first read the title, in my mind it was asking something more like "Should we not be able to expect our communications to remain private?" - i.e. is it reasonable of us to continue to expect there to be some attempt to protect that privacy. I guess the current climate - with the Govt trying to knacker E2E - feeds in some additional context.

I don't expect anything I transmit to remain private (so I'd vote For), but I *do* think we should expect Government not to try and outright nobble the protections we do have.

If I'd read the title and not the article body, I'd have ended up voting against - I wonder if that's part of why the result is skewed the way it is?

Your data centre UPS could feed power to the smart grid, suggests research

Ben Tasker

Re: How much power do DC UPS's have anyway

> If you can get 50x the size of battery you would otherwise install or more for the same price

But as DevOpsTimothyC has pointed out, your bigger batteries are now taking more space in the datacentre.

You can argue some of the space was "dead" anyway, but not all of it will have been, and space in a room full of server racks is most valuable when used for.... renting out racks.

With your suggested approach

- you still have the capital cost of the UPS (because the utility is only really covering the extra)

- you'll have higher install/compliance costs because of the massively increased capacity of the system (but, the utility may subsidise that)

- Ongoing maintenance will likely be more expensive, but you've said the utility is covering that

- You've got more floor space taken up by the UPS (you don't get 50x capacity without an increase in size), so may have had to remove a couple of racks

Essentially, you've saved on some UPS maintenance costs (which aren't that high for the routine stuff) whilst reducing your source of income. Unless the utility has also significantly reduced the per-unit cost of your electricity, you've made a loss. You certainly aren't going to make that back from payments for what you feed back in.

And that's *before* you get onto the issues with trusting the utility's commitment that they'll maintain it (and ensure you have enough power). If it turns out they cut corners, then at best you get an outage (losing you customers) and at worst you follow the path some of OVH's datacentres took last year.

For the DC provider, there really isn't much of an upside.

Ben Tasker

Re: Am I Missing Something

You can see the conversation now

CEO: We specced and paid for UPS capacity to cover a 2 hour outage, why did it fail after 80 minutes?

Eng: Because Clive signed up to exporting our "excess" to the grid - it's only supposed to use about 10%, but turns out the cells have cycled a lot more than we expected.

50 lines of Bash to bring a Wordle fan out of their shell

Ben Tasker

> We'll also draw a discreet veil over the likes of Sweardle, a four-letter guessing game that is as potty-mouthed as you would expect.

I'm disappointed.

Really struggled with it, couldn't think of a 4 letter swear word that ends with E.

The answer was "lube" - I don't care what you do with it, that's not a fucking swear word

Attack on Titan: Four Japanese Manga publishers sue Cloudflare

Ben Tasker
Joke

Your honour, he was using Wifi therefore he broadcasted the content!

Ben Tasker

> Why stop there? Lets takedown all the DNS servers.

I know this was an offhand comment, but don't tempt them. The EU already want to set up their own DNS servers with support for filter lists and network blocks....

Website fined by German court for leaking visitor's IP address via Google Fonts

Ben Tasker

Re: So if

That's not what you need to do though - all you need to do is to have the user consent to it/give them the choice to object.

Your example of open street maps isn't the same either - fonts can quite trivially be self-hosted, it's not nearly so simple to self host Open Street Maps (there's stuff like OpenMapTiles, but it's still more involved than downloading a font).

When forgetting to set a password for root is the least of your woes

Ben Tasker
Joke

Re: Nobody told me I wasn't allowed to do it.

> And they didn't have a test system.

They did. Every company has a staging/test system, it's just that some are fortunate enough to also have a separate production system.

UK Home Secretary Priti Patel green-lights Mike Lynch's extradition to US to face Autonomy fraud charges

Ben Tasker

Re: Let the Lynching Begin

I think they were suggesting the locals would dispense some extra-judicial "justice". Which is even more insane than you seem to have thought they meant.

UK government responds to post-Brexit concerns and of course it's all the fault of those pesky EU negotiators

Ben Tasker

> so why would you expect strong opinions either way?

That only matters if we were talking about another vote - we're talking about comments on a forum.

Even those who didn't feel strongly enough to go out and vote at the time are likely to hold an opinion, and it doesn't need a strong opinion to have a grumble about how Brexit's negatively affected them.

It's a weird one too, because whilst 36%ish voted for Brexit, it's not a given that all (or even the majority) of those support the Brexit that we've been delivered, so you might also see them grumbling in comments (even if they'd still vote for Brexit given another chance).

HPE has 'substantially succeeded' in its £3.3bn fraud trial against Autonomy's Mike Lynch – judge

Ben Tasker

Re: "The finding is a massive victory for HPE"

I don't think it's an either/or to be honest.

I agree that HPE _should_ have paid more attention and applied more common sense, but that doesn't and shouldn't let Lynch off the hook.

Take this as an example

> there was a carousel of cash flowing back and forth to generate a fake impression of real sales and real revenues

That's not the action of a company acting in good faith.

We're not talking about a bloke who was simply offered an unbelievable sum and went "Oh, all right then", the allegation is that he went out of his way to artificially inflate the perceived value.

If you apply caveat emptor and let him off the hook, then you're saying it's OK for others to do similar with all the fallout that potentially entails.

Essentially, HPE's auditors failed to do their jobs properly, and in doing so, failed to pick up on stuff that Autonomy should not have been doing in the first place. They're both in the wrong.

Whether it should be extraditable is a whole other matter, of course.

Google sours on legacy G Suite freeloaders, demands fee or flee

Ben Tasker

Re: Just great.

> I have no idea if Google lets that go quickly, or if they hit you with bandwidth throttling after a certain amount of data

FWIW, my 15GB mailbox took about 4 hours - not lightning fast but not terribly slow either.

Just in case no one else has linked it, there's a small possibility of a u-turn: https://twitter.com/RonAmadeo/status/1486407745867849728

Ben Tasker

Re: Zoho email

I've gone the Zoho route as well - migrated us over today.

No real gotchas other than finding their docs for migrating Drive into WorkDrive miss an important thing (search for today's post on my site if you want/need to know more).

Also, I noticed something in Google's docs on upgrading to Workspace

> If you don’t upgrade to a Google Workspace subscription, you will not lose access to other Google Services, including YouTube, Google Photos, and Google Play, nor paid content, including YouTube and Play Store purchases.

It's buried in the FAQ section at the bottom.

So, good news, we're not (yet) going to be cheated out of our Play store purchases!

Ben Tasker

Re: Migration of Apps and Movies

Looks like they're not going to lock us out of stuff like Play

> If you don’t upgrade to a Google Workspace subscription, you will not lose access to other Google Services, including YouTube, Google Photos, and Google Play, nor paid content, including YouTube and Play Store purchases.

They've done a crap job of making that clear though, I only noticed the FAQs by chance - the statements they've made in the main documents are a bit wishy-washy and unclear

Ben Tasker

Re: And this is what happens when

> In your case if you just move your custom domain email hosting to another provider wouldn't all the services tied to those email addresses just move along with it?

No, you're thinking services as in "I signed up to Facebook with this email", but that's not what we're concerned about (as you say, those don't really care)

It's stuff linked to the underlying Google account that's the issue - so stuff where you've used Single Sign On, your Android phone etc. Google Drive documents will be a pain for some too.

Worst of all, Google don't provide a means to migrate Play purchases to another account, so any money spent on Apps/Media is essentially pissed up the wall.

Having had AfD for about 15 years, there's potentially a lot to unpick, and not that much time to do it.

Ben Tasker

Re: Just great.

> appreciate people's advice on any alternative free services for those like myself that use G Suite mainly for email with the ability to use your own domain name

I've got some that are not *free* but aren't overly expensive

Zoho: was looking at this this morning, they've got a mail only tier for £0.80/user/month, mail and storage £3.20/user/month, full productivity £2.40/user/month: https://www.zoho.com/workplace/pricing.html?src=wp

Mythic: I use Mythic Beasts to host one of my mail domains, it's like £2.00/month (total, not per user). You get IMAP/POP access and a decent amount of storage (in mail terms). - https://www.mythic-beasts.com/hosting

I'm considering both as options, I've been working on freeing us of Google for some time, but mail+accounts were something of a sticking point (a lot of work, especially when it's free). Also considering O365, but now less sure on that

Ben Tasker

Re: Dang! It's half price for the first year though..

Depends on the package you go for.

The lowest one is $3/month/user until July next year and then goes up to $6/mo/user. The one above that is $6/mo/user til July next year, then $12/mo/user

It's free from now until July too - they obviously want us to upgrade rather than waiting for the free to run out

Ben Tasker

Damn....

Ben Tasker

You can use vanity domains with the Family account. I read somewhere (including the MS forums) that you have to use GoDaddy as a registrar for this, but the docs don't support it, so it may be that requirement has dropped.

For what it's worth, you get a *lot* more storage with MS than with Google (1TB vs 30GB) on those two plans - isn't really a selling point for me as I store almost everything in Nextcloud, but means it's hard to apples-apples the price.

MS do also do a cheaper version that only has email and OneDrive (i.e. no office access - £3.80/user/month), but the exclusion of Office means you've still got to find a replacement for Docs (assuming you were using it).

Zoho look good on price - £2.40/user/month for mail and their docs replacement, or £3.20/user/month if you only want mail (guessing the price is higher because they want to drive uptake of the other).

I'm currently trying to decide whether I'm willing to pay a (slight) premium to not have Google's mitts on my data (leaning towards yes). The sticking point for me is still the SSO stuff. I *think* you can still create a sign-in account (i.e. no mail, docs etc etc), but haven't the foggiest whether existing stuff will transfer over or not.

Google dumps interest-based ad system for another interest-based ad system

Ben Tasker

I use cookie autodelete - you can whitelist domains or even individual cookies. It kills the cookies a set time after leaving a site

UK government opens consultation on medic-style register for Brit infosec pros

Ben Tasker

Re: Probably not a bad idea

> IT is in our lives which presents a risk to our lives. I would like to think there is at least some governance of competency and standards.

The problem is, taken to its extreme, this might well result in a reduction in security.

There are lots and lots of little issues that get reported to companies by independent researchers - none on their own are particularly ground breaking, but each of those reports helps fix products/systems in little ways.

If we consider two points together

- Those independent researchers don't generally bring in much in the way of bounty money, so they're not going to be up for paying fees of a professional organisation.

- The Govt has already hinted that they'd like to tie this to CMA protections, so in effect, if you haven't paid your fee you could end up being prosecuted (not unlike someone practising medicine without paying their dues to the GMC).

it's hard not to reach the conclusion that more than a few of those researchers just won't bother any more.

Bigger companies might have some "certified" people on-board, but there's plenty that slips past in-house teams (it's just the nature of the beast).

This is no less dumb an idea than the idea ages back (christ, it has been a while) to require a license to possess "hacking tools" (which ended up encompassing Perl, if you read it literally enough).

What's actually happened, is the UKCSC has failed in one of its core missions - driving engagement. They've failed to win the trust of organisations and professionals. Rather than doing that hard work of investigating why, and how to do better, they're instead pushing for legislative capture as a "quick fix".