Posts by Michael Wojcik

Re: Don't forget the users with reading difficulties

The "too cheap to license Helvetica" canard is a myth.

IBM paid Monotype to supply fonts for a pair of typesetters, in the 3800 and 4250 lines. Monotype licensed Helvetica for the latter but created Arial for the former.

MIicrosoft subsequently paid Monotype a whole bunch of money to do further work on Arial. They could have easily licensed Helvetica with that budget.

Mind you, I think Helvetica is overrated – it's one of those geek touchstones heavily promoted by its fans but not objectively all that interesting (and, yes, I know about the damn movie) – and Arial is no more exciting.

Re: Microsoft’s new default font options, rated

Sure, if you're writing in crayon.

Re: Microsoft’s new default font options, rated

I think the miniscule e's are significantly different. There's a substantial difference between Bierstadt's e, which almost doesn't have any opening at all, and the others; and Seaford's e is way too wide (like many of Seaford's glyphs).

I prefer Skeena, and I see nothing wrong with its g. Bierstadt is just boring, like most grotesques. Seaford and Tenorite are too damn wide, and Tenorite is like My First Typeface with its open g and closed a. Seriously, is it intended to be printed on lined paper? Will Microsoft make "pencil graphite" the default color?

And, as the TechCrunch article notes, the hinting for Tenorite is way off. It looks like it was kerned by ... well, by Word, but even worse than usual.

Ain't none of 'em Palatino.

Re: Who got the extra time?

I've been working from home for almost a quarter-century, and I do just the opposite. I work at my job when that's what I'm in the mood to do. I make sure I'm available for a while in the morning when my colleagues in further-east timezones are about, and I'm on my scheduled calls; but if I want to take three or four hours in the middle of the afternoon to work on the house, that's what I do. Then I may work at the job in the evening when I'm not inclined to do physical labor.

As long as my work gets done, everyone's happy. It's easy for me to track the time I'm actually doing the job to make sure I'm putting in at least 40 hours (I enjoy my work, and often like to do more, particularly of R&D). I've never felt any desire to keep to a strict schedule.

In theory my colleagues could phone me if they needed me when I'm not around, but in practice that very rarely happens – only a few times a year.

It shouldn't be part of CI/CD – at any rate, not part of the CI/CD pipeline – but it shouldn't be manual, either. Manual processes are difficult to perform consistently and to audit. Access to them is usually too broad, because humans aren't reliable. Repetitive processes, particularly those that involve security controls, are tiresome, and people will first stop being vigilant, and then actively try to circumvent safeguards.

A manual traditional (one-and-done) signing procedure might be safe if you only sign a few releases a year, but even then it's just a matter of time until someone screws it up.

Signing should be automated but invoked under human control, as part of promoting a build to release. Or it needs to be architected completely differently, e.g. using collaborative signing as in CHAINIAC.

Fortunately, there are precious few masterminds on any side in IT security (or any other field of endeavor). Also, with so much low-hanging fruit, economics don't favor trying to regain control of the Emotet network. Just move on to the next malware package.

Re: Investigative reporting

Investigation and analysis are certainly welcome, but don't deceive yourself into thinking governments will ever cease this sort of thing. Now that they've done it successfully, they'll fight to the bitter end any attempt to constrain them; and even if people pushed through changes to restrict it, they'd just do it quietly.

Re: Bad-Good

I expect that even the most backwards company would get those systems offline in less than 24 hours.

Your optimism is adorable.

Also, of course, this proposal has technical issues, such as identifying infected machines and their owners; and legal ones, such as an unclear basis for threatening charges against companies (much less officers).

We have a vast body of experience with using regulatory regimes against private-sector offenders. I think it's the mechanism most likely to be broadly efficacious in improving IT security. But it's neither precise nor fast. There's no reason to believe it will be either of those things in this case. So "just enforce the law" is not a solution.

And like it or not, these sorts of actions by law enforcement will almost certainly continue. Now the government has a taste for it, they will be loathe to surrender the power.

Re: with so much head wind its obviously a good idea

So do you want to know what the alternative for people like me out in the "sticks" currently is?

I'm in "the sticks" (at the Mountain Fastness). We don't get mail delivery or trash collection at the house. We're on well water and have a septic system. But we have fiber right to the home, because the electric co-operative ran it alongside the power lines on their poles.

It can be done. Just apply some regulation and shift the broadband subsidies to the power companies who actually roll it out. They already have most of the physical infrastructure in place, and they have to maintain their existing lines anyway. Defund the telcos who aren't running fiber to their rural customers – they've been feeding from this trough long enough.

Re: Tablet?

Yeah, but then at the end of the process you just have tea. It's not worth the effort.

Re: Banks across America test facial recognition cameras

Are organisations legally permitted to monitor people in a public place in the USA?

In the US, there's a greatly reduced expectation of privacy in public spaces. So, generally, yes.

As the article mentioned, some local jurisdictions are constraining the use of some privacy-invading technologies. I'd be interested to see someone sue over this sort of thing in Illinois under their biometrics law, too, since facial recognition could certainly be construed as collecting biometric data.

Frankly, though, I don't know why most people would do retail banking with a large US bank. Most of the population has access to a decent Federal credit union (essentially a mutual bank) and/or a local bank. In Michigan we bank with an FCU that offers the same services, better terms, and much better service than any national bank I've ever dealt with, and in New Mexico with a local bank that has deep community roots and therefore a reputation to protect.

Re: Good for EFF, Proctorio on Chrome is a Privacy Nightmare

Agreed – Proctorio is a horrible product from a horrible company. There have been numerous exposés and papers pointing out how invasive and ableist it is.

As someone who attended Miami, I'm very unhappy (though not surprised) to see they're using it.

In context, it's obvious he meant "families in lower income brackets", which is how "class" is typically used in the US.

Re: "In January 2019, Foxconn said making TVs in the US was unprofitable"

Look, every business blessed by the golden hand of the Donald has been wildly successful. They just need to tweak things a bit.

Personally, I'm rather chuffed about the Foxconn plant, since it led to Walker's downfall. That dude needed to go.

Re: On a more serious note...

The mere possibility taints all evidence gathered using Cellebrite.

In theory, perhaps. In practice US courts at least have routinely accepted evidence and "expert" testimony on much shakier grounds, and judges often refuse to allow counter-testimony challenging forensic evidence.

We see this very frequently with malware (and Cellebrite's products are malware, regardless of whom they sell them to).

Malvuln has been running a series on the Full Disclosure list of exploitable vulnerabilities found in malware samples. Typically this stuff is poorly written and, as Marlinspike wrote, uses outdated components. Malware tends to be created by developers who specialize in finding vulnerabilities, exploiting them, and chaining the exploits; they often have abysmal software-development practices.

Re: Colophon

Never found "colophon" useful? How do you talk about them then? I mean, it may not come up as often as indicia, but surely at least once or twice a week.

Why, I don't know how many times I've invited a young lady up to see some colophons.

Sometimes owners of books will add their own colophons. No doubt you remember one such forms a plot point early in Ransome's Missee Lee.

Re: "less accurate when people don’t fit the norm"

Younger man with very short hair and mustache = very likely homosexual

Based on the appearance of the students in the last couple of college courses I taught, I'd say that's statistically unlikely.

Of course, much of this thread has been wild, unsupportable generalizations about appearance. What else is new?

Re: "less accurate when people don’t fit the norm"

Very few men have long hair

Clearly you don't live anywhere near the Mountain Fastness. I'd guess around 15%-20% of the adult male population around here has long hair. It's so unremarkable most people don't even notice.

Worldwide, maybe the proportion is small enough to merit "very few", but I certainly wouldn't want to put money on that.

Re: Guy Montags worst nightmare...

Not that simple in fact. Stuff we do without thinking such as stepping over an obstacle that wasn't there last time we walked on that route, for example.

Hell, I routinely screw this one up. Some times I trip over obstacles that are no longer there.

Re: Robo Dog PC

Boston Dynomutt.

Now, now, let the lad have his inane conspiracy theory. What else has he got?

Oh, good, Disgusted has now degenerated into No True ScotsmanTwitter arguments.

Twitter doesn't have a monopoly; there are a great many channels for expression, public and private.

And Twitter isn't abusing anything. Freedom of the press belongs to the press.

Honestly, there's nothing sadder than butthurt right-wingers bitching about "cancel culture" and people being kicked of Twitter. Leaving Twitter, voluntarily or otherwise, has never harmed anyone's ability to communicate with any audience that's actually interested. If part of your audience is too damn lazy to seek you out elsewhere, that's not Twitter's problem.

I don't know. The whole exercise is so pointless and pathetic that few people might even bother to attack it.

Then again, it's probably built from misconfigured open-source components that are vulnerable to automated attacks by botnets, so it may just be killed by computer before any competent human attacker gets to it.