Posts by Michael Wojcik

Re: Good

I thought that most USians would want potable water, affordable healthcare, infrastructure that's not on the verge of crumbling, affordable education and less war.

You're not very familiar with people, I take it.

We're not rational economic actors. We don't act in our own interest. Political activity in particular is heavily influenced by two non-rational factors: ingrained ideology (which for most people seems to become largely fixed early in adulthood) and psychological traps such as the "backfire effect" and the first-person constraint on doxastic explanation.

The dominant ideologies in the US all incorporate themes, typically coded as "freedom", "opportunity", and "industriousness", which discourage acting in group interest where it would conflict with an idealized aggressive individualism. These themes were advantageous to the landed plutocrats and upper-middle-class entrepreneurs who shaped most of the political discourse and structures of the early US, at the expense of most of the rest of the population. They endure because the elite have a powerful vested interest in keeping them in place.

(It's worth noting, as an aside, that those ideological themes are rarely deployed for anything resembling the categories they supposedly name. It's tough to get most of the US population to defend civil rights, for example, in any meaningful way, even though those rights are critical to freedom, necessary for equitable opportunity, and an important constraint on government for industry.)

Re: "(...)we are temporarily suspending driving operations in San Francisco on 11/3 and 11/4”

Any date format other than ISO 8601 is anathema. The US convention is particularly dumb (and I write that despite having grown up with it), but any ambiguous form is foolishness in this era of worldwide communication.

Of course if you don't like ISO 8601 (heretic!) you can always employ a longer, unambiguous style, like "the third and fourth day in the month of November, as commonly reckoned in these United States of America, during the fourth and by grace of the electorate final year of the tumultuous reign of Mad Despot Trump".¹ No one will confuse that for 11th March.

¹I tried writing that on the date line of a check, but I couldn't make it fit. Then I remember that no one uses checks anymore.²

²I kid. Here in the backward USA we still average half a dozen or so paper checks a month. At least that number has dropped substantially; 15 years ago, maybe even 10, I was still writing enough checks to have a date stamp so I could avoid writing the date over and over.

Actually, this is just the sort of thing I'd like to hear at fireworks parties.

No, I'm not any fun either.

Re: Finnish Them Off!

Pff. That's not "really cold". According to the climate info in Wikipedia, Helsinki compares favorably with Lansing, Michigan, which I rate as "moderately cold" in the winter. Lansing's generally more comfortable in the winter than some other places I've lived, including Boston, Massachusetts and Lincoln, Nebraska. (And winter nighttime lows here at the Mountain Fastness fall pretty damn low too, though the extremely low humidity means that you lose heat significantly slower, so you don't feel it as much. It might be -25 C but it feels like maybe -5.)

Forget that cold record (which doesn't seem to be in the Wikipedia table, but whatever) and look at the normal lows. They're very reasonable.

Personally, if I were single, I'd be very tempted to give this a try.

Good luck with that

Thanks!

I don't know about where you live, friend, but here in the US there are a variety of older cars for sale. We call them "used cars".¹

I'm already assuming I'll never buy another new car for myself, since they all seem to come with fucking touchscreens now. I hate touchscreens, and having one (for controls the driver might want to use) in an automobile is the height of stupidity.

¹Some people refer to some of them as "pre-owned". Those people should of course be forbidden from speaking or writing until they learn to avoid moronic, unnecessary neologisms.

Yes, no one has ever worked for two employers simultaneously. We have no idea how that might work. It's inconceivable.

Yeah, I was quite surprised that high-level execs were physically involved in this, and not just giving orders. They (allegedly) drove to the victims' home? After flying across the country, since presumably they're based at eBay's HQ in California. (And like most of the Boston Metro area, Natick^1,2 isn't exactly fun to drive around.)

This whole thing just gets more and more bizarre as the details come out.

¹At first I misremembered and thought the victims lived in Nahant, which is more pleasant to drive around, but more tiresome to get to in the first place. Nice beaches, though, by Massachusetts standards.

²For driving around Natick, I recommend listening to "Driving on 9"³ by Ed's Redeeming Qualities. Listening to the cover by the Breeders is also permitted.

³There's some debate about whether "9" refers to Massachusetts Route 9 or the one in California, but the song was released the same year that the band moved from Boston to San Francisco, which suggests to me that it was written before the move. In any case it works for either.

Re: Google Responsibly

Sigh.

The github issue was disclosed to them 104 days ago: 90 days plus the 14-day grace period. That's how responsible disclosure policies work.

github themselves disclosed technical details about the Github Actions vulnerabilities.

Google have disclosed the Chrome issue discussed in the article. They just haven't released technical details.

Are these details really that hard to understand?

Re: Acrobat.

People go on and on about "Acrobat" (be honest people, it's just PDF)

PDF != Acrobat. It's entirely possible to have a PDF renderer which doesn't support scripting and much other Acrobat idiocy.

I'm not a huge fan of PDF; for the vast majority of documents I'd prefer HTML¹, or Markdown², or plain UTF-8 text.

But there's a place for proper typographic layout. Book-length works, and even many shorter articles, are far more pleasant to read when they're laid out well. HTML+CSS simply can't do that. It can't do proper ligatures or kerning or digits with descenders or micro-protrusions or any of the other things you'll get with, say, pdflatex output.³ And for those applications, PDF remains the best choice. None of the other widely-available formats really handle that properly.

¹Real HTML: POSH, cleanly formatted, with minimal CSS, and no scripting. Minimal scripting which degrades gracefully if it's disabled is acceptable for web pages.

²I generally find Markdown unnecessary, but if for some reason people feel compelled to have some markup and formatting in documents that would work just fine as plain text, it's safer and more readable in source than HTML.

³Yes, in principle, you can get some of those things with CSS and fonts, if you can find suitable high-quality fonts and you go through a lot of trouble. But anyone who lets the browser download arbitrary fonts from arbitrary sources ... well, you might as well use Acrobat.

music tracks, such as Taylor Swift's Shake It Off, which irked the RIAA

To be fair, "Shake it Off" irked me too.

Re: there's no travel on it

How did the sage Strongbad put it? "Your computer has too much television and not enough typewriter!"

Re: Nobody likes X11

I used SunView, NeWS, and Display Postscript. I'll stick with X11, thanks.

Re: collaboration platform

To be fair, it also eats a grotesque amount of CPU during conferences.

No one (who knows anything about it) thinks it's "random" at all. "Deterministic Random Bit Generator", the phrase NIST actually uses, is their (unfortunate) term for cryptographically-strong PRNG.

Everyone always knew Dual_EC_DRBG was a CPRNG, which meant it deterministically generated a bit stream with statistical properties that were indistinguishable from random under a series of assumptions. The concerns around Dual_EC_DRBG were, first, there's no way to tell whether there's a backdoor (i.e. whether the default constants provided by the NSA via NIST¹ were chosen to allow someone with an additional piece of information to predict the output²); and second, it's a rubbish algorithm anyway and so there's no good reason to use it.

Ever. Even if you don't think there's a back door. And if there isn't a back door, why recommend it in the first place? Probably just an honest mistake.

¹It's worth noting that these constants can be changed, and in fact NIST tells you how to compute a suitable set of alternatives and use them in the DRBG. Of course doing so invalidates any backdoor, and the backdoor is the only reason to use Dual_EC_DRBG.

²Specifically, SP800-90 specifies the form of the DRBG and provides parameters P, the curve's generator, and Q, both points on the curve. It's not explained where Q comes from. It's a prime curve, so there's some e such that Q^e=P (mod p). Given Q, e is hard to find. But say you're proposing an EC-based DRBG, and instead of picking a random point Q, you set Q to be a multiple of P. Then you can easily compute e. And you can recover the internal state of a Dual_EC_DRBG instance by observing about 32 bytes of output. That is a Bad Thing.

Re: Security by obscurity?

The main problem with security by obscurity is Kerckhoff's Principle: The information you're trying to keep hidden is in effect part of the secret key, and it's a part that 1) has lower information entropy than key material should have, and 2) can't be managed easily, because it's not pure key material. So it's inefficient security at best. Its contribution to security and resistance to attack can't be easily or accurately measured, and there's no recovery from compromise.

In any case, it's not so much the hardware platform as the OS that matters. The only currently maintained OS for Itanium I'm aware of offhand is HP-UX; I don't know if Linux or FreeBSD are still supported (and OpenVMS?). Because HP-UX is obscure relative to the market leaders there's less total reward for exploiting it, and it has an overall smaller attack surface; the same would be true of other non-Linux alternatives.

But I wouldn't even bother mentioning that, if I were in charge of security for these systems. It might reduce exposure to broad attacks - the typical portscanning script-kiddie stuff - but it won't help with targeted ones.

Re: Is that Barbara Streisand I hear in the background?

Perhaps it will distract people from their awesome parade of vulnerabilities.

Re: They try to flog us donkeys 24/7

Some of us organize our lives on some principle other than financial compensation.

I work when I want, as much as I want. I happen to be well-compensated for it, and that's useful for the other things I do. But I don't feel the need to extract some fixed amount of money for every second I spend improving my employer's position. What a sad mental state that would be.

Of course, most of my work involves thinking about things. It would be tiresome to try to keep track of that.

Re: Grammar, please!

The subject of the verb is "none" ("of them" is a prepositional phrase acting as an adjective modifying "none"). Grammatically, "none" has long been either singular or plural depending on the whim of the writer - there's no conventionally dominant number for none in English usage.

And, of course, all of the comments claiming that either a singular or plural verb is "correct" here are prescriptive, and prescriptivist comments on English usage are false pedantry.

In short: none of you is correct, and none of you are correct. Either is acceptable.

Re: Open Letter

I've decided to fork TDF's letter and replace the entire text with "At TDF, we're a bunch of wankers who have decided we know what's best for everyone and will now graciously share that wisdom with the world."

Re: 'Sends HTML5...

No, it converts the output of the layout engine into a serialized display list for the renderer, and sends that over the network.

Whether that's a good idea is a separate question (I'm not a fan), and as discussed above it's hardly a new idea, but it is considerably different from sending HTML.

Re: A warning!

No.

First, it's "Micro Focus". Two words.

Novell bought SUSE (2003). The Attachmate Group bought Novell (2011). TAG merged with Micro Focus, with the latter retaining control of the combined entity (2014). Micro Focus spun SUSE off last year.

Re: You missed off...

Yes, Wiener coined "cybernetic" to refer to any self-regulating mechanism.¹

Then Clynes and Kline co-opted it for their daft "cyborg" portmanteau, which doesn't even make sense, since all organisms are already self-regulating to some extent. Why they thought "cybernetic" meant "biomechanical" I do not know.

In their article they begin by referring to the "cybernetic aspects" of biological homeostasis, which is fine; but then they coin cyborg to mean "the exogenously extended organizational complex functioning as an integrated homeostatic system functioning unconsciously". Now, I admit the latter phrase is a bit of a mouthful (though I am tempted to drop it into conversation whenever possible²), but surely the "homeostatic" part is not the innovative aspect vis-a-vis the extant a priori organism, as C&K might put it. (Their piece is well worth reading just for the prose, which leaps beyond "turgid" to some new realm of awesomely over-written.)

Anyhoo, Clynes and Kline started the rot in "cybernetic" in 1960 with their "cyborg", which then became popularized by Halacy, Kaidin, and others. Donna Haraway³ introduced it to critical-theory circles in 1985, which then trickled down to middlebrow venues. Meanwhile there was some use of "cyber" and other forms in IT; the CDC Cyber range launched in the early '70s, for example. And "CYBER" was a standard Library of Congress index term in 1990, and probably earlier.

But the term didn't really pick up steam until the early 1990s, judging by Google Books Ngram data, as people began to tire of prefixing everything with "e-" to indicate it had something to do with IT. Then it snowballed.

It was always etymologically unfounded for this use, though. And it carries rather a non-technical whiff; someone who sprinkles their conversation with cyber-this and cyber-that rather comes across as the sort of person whose expertise is derived mostly from reading the popular press.

It's long past time to retire "cyber-".

¹From Greek "kybernetes" or "steersman", which now of course has been adopted by the Cloud People.

²It's never possible.

³Much of whose work I like. Not this piece, though.

Re: I believe them, don't you?

Yes, this is a loathsome product category. Troy Hunt wrote a good exposé on the TicTocTrack last year.

Re: Status quo?

I'm not sure that's really a good way of defining the status quo.

It doesn't matter whether it's a good way. It's the court's way, so in the context of the claim in the article - that SCOTUS is likely to uphold the status quo - it's the only relevant definition.

Re: As it could have been done *decades* ago

I did a fair bit of work remotely over a 1200bps dialup link (which was prone to dropping spontaneously; saving your work often, or using an editor that could recover a dropped session, was a good idea).

1200bps sync connections, for example to IBM midrange or mainframe machines, were even better, since they had less overhead than async dialup.

I did a little work over 300bps dialup, but to be honest 300bps was very tiresome. 1200 was where it became reasonable.

These days 500MB is not enough

500MB is more than enough for me. Not everyone is you.

Re: Credit where credit is due

It is WELL KNOWN that BLOCK CAPITALS make an argument MORE PERSUASIVE, and possibly even MORE FACTUALLY CORRECT.

Re: "We rather regard any resort to the privilege against self-incrimination as a black mark."

if people ask you all sorts of questions and you refuse to answer, any reasonable person would infer something from that

For example, a reasonable person might infer that you consider civil rights more important than law enforcement's right to conduct bullshit interrogations.

In the US, the right to silence is absolutely critical and should always be exercised, except as specifically advised by counsel, because the federal government has made any misstatement to federal officers a felony, and is very happy to imprison people based on that principle.

The UK version is an institutionalization of the principle that "only the guilty have something to hide", and as such is inherently immoral. That should be obvious to anyone capable of critical thought and with a decent grasp of the human condition.

Re: Never store your card

Actually, all of the credit-card breaches I can recall, or could find in a few minutes of searching, from the past couple of years were the result of one of:

- A skimming attack against POS terminals or backend systems.

- A web skimming attack (Magecart being the most common).

- An attack against an issuer, credit agency, or some other non-merchant.

All the breaches I found that included credit-card data retained by a merchant were from several years ago.

That doesn't mean no merchants retain CC data, but that particular class of exposure seems to have become much less common than physical or web skimming. The move to dedicated payment processors seems to have more or less have the effect claimed by disgustedoftunbridgewells.

Relatively recent (i.e. going back a couple more years) breaches against merchants that yielded stored CC data are mostly against hotels, most notably the big Marriott breach.

I still think we should recommend virtual cards and/or other payment options (I don't personally like Paypal, but it does provide some protection against card-data theft), but more as a defense against skimming. As for whether you let merchants retain payment-method information in whatever form: that's a different part of the attack tree. Some consumers feel it's worth the risk; others don't, or are willing to assume it only in particular cases. But it's not the same as a CC-data-exposing breach, which is a more serious failure because it lets the attacker clone the card and use it at multiple merchants.

Re: Loss of human contact

It's almost as if people are not all identical, and generalizations about them are suspect.

I've been working from home for over twenty years. I've worked remotely from my teams for most of my career - about 5/6th of it.

I get plenty of human interaction: In person from family, neighbors, shopkeepers, doctors, strangers I pass on the street; by phone, text, and email from family and friends; many times a day from my co-workers by various means. I have daily calls with members of two of my teams, and weekly calls with others, and ad hoc calls with all sorts of folks. I get quite a bit of work email, which I genuinely enjoy.¹

I used to have face-to-face meetings with some of my teams once a year or so, and I did like that, even if (indeed, partly because) it involved international travel. But do I need it? No, I do not.

I'm sure there are many people who work best in a group setting. That may be true of most people. But people are adaptable, and I have yet to see any reliable evidence that a broad shift to working from home will have the dire consequences some are predicting.

¹I realize this is unusual, but I'm a compulsive reader. Two of my degrees are in writing.