* Posts by Donn Bly

160 posts • joined 10 Jan 2008


New York Attorney General settles with Bluetooth lock maker over insecurity claims

Donn Bly

Equipment Lockout != Security

It comes down to fitness for purpose. Standard equipment lockout locks are not generally all that secure, are easily defeated, and often don't even have unique keys. Lockout locks are even less secure than TSA locks! It sounds like these Bluetooth locks are actually MORE secure than the existing standard mechanical locks that they are replacing.

The reality is that anybody that says that they won't be using the locks based on this report would most certainly never have been using these locks anyway, thus their boycott or threat of one is empty and meaningless.

That said, there is no additive production cost for encryption. If they are using wireless communication such as Bluetooth then it should have been baked into the design from the beginning. Even though it sounds like the software they generally provide is a "reference design" not intended for production use, we all know just how often those reference designs get implemented with little more than a branding change.

6
0

Ransomware scum have already unleashed kill-switch-free WannaCrypt variant

Donn Bly
Mushroom

Re: If they're selling their operating system to clients for use in everything

Debian derivatives are used in dozens of pieces of equipment around my office -- when there is a flaw, who is the one responsible for getting all of that equipment updated? Should Public Interest be blamed for an unpatched hole in a 10 year old router and expected to fix it -- even when newer versions that fixed the flaw have already been shipped? Of course not.

So why should Microsoft be blamed for the same situation? They sold the operating system, but they aren't the one putting it in medical equipment. That was done by the manufacturer of the equipment, which, by the way, as an OEM assumed all ongoing support. The end-of-life date on the OS was well known before it was installed. It is the equipment manufacturer that screwed you over, not Microsoft.

The systems integrator that put Windows on warships is the one who made the claim of fitness for purpose, not Microsoft. THEY are the one who should be held accountable. If that integrator needs to go back and pay Microsoft for ongoing support that's their problem -- they made the choice to integrate Microsoft and they have to live with the results of their decisions.

10
0

Amazon's Alexa is worst receptionist ever: Crazy exes, stalkers' calls put through automatically

Donn Bly

Re: Why would anyone buy this junk?

Everything about it sounds creepy

Perhaps the reason that everything sounds creepy is because most of what you read is from people who have never used the device, don't really know how it works, and whose knowledge is limited to the mostly inaccurate information that they have read on the Internet.

I have several Echo devices, at both home and office. They are limited in what they can do, but even in their limited form they provide sufficient value for me to keep them around.

When the last software update asked if it could have access to my contacts, I declined. I didn't intend to use the calling features so I didn't see the need - but the point is that it ASKED me, it didn't just go out and grab them. As the user I had the choice.

2
6

No more IP addresses for countries that shut down internet access

Donn Bly
Childcatcher

attempt, failed or successful, to restrict access to the internet to a segment of the population

That definition as written includes any attempts at censorship - including mandatory or opt-out filtering.

I kind of like it ;-)

11
0

Startup remotely 'bricks' grumpy bloke's IoT car garage door – then hits reverse gear

Donn Bly

Re: Why would you need to control your garage door

Perhaps to let my brother-in-law into the garage to borrow/return a tool. Perhaps to know when the garage door went up so I know when someone got home. Perhaps to make sure that the garage door is closed if I am out of town. There are LOTS of reasons for these types of devices, just because none of them apply to you doesn't mean that valid reasons don't exist.

My last garage door opener came with this capability as a free add-on. It was an interesting toy, but I unplugged it from the network long ago because I didn't trust it and it didn't integrate into anything else that I have. I have other ways to remotely unlock a door so it wasn't that important to me.

2
5

'Sorry, I've forgotten my decryption password' is contempt of court, pal – US appeal judges

Donn Bly
Holmes

Re: Actual case aside

<quote>That's where you are absolutely wrong. Evidence on an encrypted drive is the same as evidence in a safe - you have no right at all to keep that evidence unknown to the police if they have a search warrant, and no right to keep it secret from the court.</quote>

While you have no right to keep that evidence unknown, similarly the court has no right to force you to give them the combination out of your mind (although they can order you to produce a physical key). If they want access they are required to gain access to the safe via other means.

The police now have physical possession of the drives, and that is the full extent of cooperation from the defendant they are entitled to demand. Interpreting the encrypted 1's and 0's they have to do on their own.

If it were a physical safe, and they used a torch or grinder to cut the lock to gain access and found documents encoded with a one-time cipher pad, they would still be on their own to decode them and they aren't entitled to demand that the defendant give up the cipher. This situation is no different. The government is NOT entitled to suspend the constitution whenever they like.

8
0

Amazon relinquishes data from Echo that could have dropped eaves on a killing

Donn Bly

Re: It is quite disturbing that Amazon has the ABILITY to satisfy this request

Voice recordings are kept longer than a minute so that you, the user of the device can go into the web interface, provide feedback, and train the voice recognition. You don't anonymize the recordings as they are tied to your device and your voice. If you anonymized them then you make them worthless for tuning the voice training. Of course you have the ability to dump the voice recordings - but that would reset you back to defaults and hurt the accuracy of your voice recognition.

It is also VERY helpful when adding things to lists. Your "Shopping" and "To Do" lists are available on your phone, so if I tell Alexa to add something to my shopping list and the voice recognition doesn't decode it properly (or I misspoke something when I added it), when I'm in the store I can actually play back the recording on my phone to hear exactly what I said instead of relying on an interpretation of what it thinks I said.

Early on Amazon provided the police with credentials that allowed them access to the accused's Amazon account - including the voice data. So either the cops were too ignorant to know how to use it, or they found something and wanted Amazon to provide it so that there was a pristine chain of custody. I would like to think the latter, but the former is much more likely -- because if it was the latter they would have asked for specific information, not presented an overly-broad blanket order.

3
0

WordPress photo plugin opens 'a million sites' to SQLi database feasting

Donn Bly

Paying Users?

Paying users of Wordpress? Surely you jest.

1
0

Google to cough up $20m after Chrome rips off anti-malware patents

Donn Bly
Devil

Re: Litigation from beyond the grave?

The politicians have already made sure that people can vote (via proxy) after they die; is it that far a stretch to let them litigate (again, via proxy) as well?

0
0

Trump's new telecoms chief bins broadband subsidies for the poor

Donn Bly

Re: Program Expansion

I don't have a problem with vouchers - it allows the consumer to pick their own supplier, thus increasing competition and driving down prices.

However, if the tax and voucher are for "voice lines", then you shouldn't apply the voucher to Internet access any more than you can apply a voucher for school choice to your car payment.

If the money was coming out of the general fund it wouldn't be an issue, however in this case we have a directed tax - a tax specifically passed and implemented to fund a very specific task. To use that money for anything else is fraud. Cancel the first tax and create a new one if necessary, but be HONEST about it.

0
0
Donn Bly
Pint

Program Expansion

It is my understanding that the changes were made to keep the program from expanding beyond its original mandate through the 11th hour changes that were put in place against the advice of those overseeing the problem.

Basically, the changes boil down to:

(1) The program cannot spend more than it takes in

(2) A program to be used for voice lines cannot be used to pay for anything BUT voice lines.

I am not opposed to programs used to subsidize low-income citizens in need. I do, however, oppose the constant unchecked expansion of government programs.

If we pass a specific tax to fund project "A", then that is how the money should be spent. You don't spend it on "B" then turn around and ask for more money for "A". If the government wants to spend money on "B", then it should either take it from the general fund.

If I give you money with the condition that you spend it on baby food, and you spend the money on beer, don't come back and say you need MORE money for baby food. Be honest enough to say that you want the money for beer (because the water isn't safe to drink and it's cheaper than bottled water) and you just might end up with it. Or might not - but at least you won't be taking money under false pretenses.

1
3

CHEERS! Office 2013 now on Wine 2.0

Donn Bly

Re: Ooooh...

Why would you sue Microsoft? I'm sure the games would run just fine on the computer you had when you bought them, if you still had it. It isn't their fault that you wanted different functionality and upgraded (Though I am not sure that upgrade is the right word, as progressing through the Windows versions is more of a lateral slide into a cesspool)

1
4

Fake History Alert: Sorry BBC, but Apple really did invent the iPhone

Donn Bly

The iPhone was not invented by Apple

The iPhone was not invented by Apple - particularly because it wasn't an INVENTION at all. It was a well-received innovation in an existing market.

1
0

US cops seek Amazon Echo data for murder inquiry

Donn Bly

Re: afaik it only stores the text output

Both the recorded sound clip and the translated text are stored, that way when Amazon doesn't translate something you added to your shopping or to-do list properly you can play it back to hear what you actually said.

However, it does NOT stream real-time recording to the cloud - as I verified myself using Wireshark after I purchased my first Echo. It has a limited processor that is hardcoded to listen for "amazon" or "alexa" (user configurable) and then it records from that point to the first quiet period and THEN sends up that small clip in a burst for processing.

I'm sure that if a PROPERLY EXECUTED search warrant is issued Amazon will be willing to comply and deliver up the data - as they have already delivered the account information requested. However, as evidenced by the filing the police are clueless as to what the Echo does. They already have the perp's Amazon account information so they could log in and play back the clips themselves. They really don't need anything else from Amazon other than to hold the data pending future prosecution. The current search warrant asks for information that either doesn't exist or they already have.

Until that properly executed search warrant is issued Amazon has a fiduciary responsibility to reject it and hold them to account. Not only does it protect Amazon and their customers, it protects the police against themselves even if they don't realize it.

32
0

It's now illegal in the US to punish customers for posting bad web reviews

Donn Bly

Re: What a world

Constitutionally protected speech is limited to speech about the government. So while a tirade about a government official or policy is protected, a similar tirade against a private individual, company, or company policy is NOT similarly protected under the US constitution.

I'm of mixed feelings on this law, while I welcome the additional protections I feel it will only embolden and encourage more fake reviews. Fake reviews are already a problem, particularly those that have been posted anonymously.

I really don't like the government getting involved and unilaterally changing the contract between two private individuals. If I have a contract that contains a non-disclosure that says you can use my software but you can't give anyone details about its proprietary functions or use my name to enhance your brand, then the government shouldn't be able to go back in later and remove the non-disclosure.

0
2

Standing out from the crowd with an Android phone? You and 90 per cent of the market

Donn Bly

Re: Numbers of handsets is not everything

Perhaps because Market Share and Profit are two different, often unrelated, metrics and not every study needs to study or report on both?

Manufacturer's profit is a meaningless metric if you are a developer looking to set priorities on how you are going to allocate resources. If 87% of the market is Android, then I am going to do an Android app first and the remaining 13% is going to be an afterthought. I could care less which phone manufacturer is making more money, as it has absolutely zero impact on those decisions.

If you are an administrator responsible for deciding which devices you are going to support, or trying to project what types of devices are going to be coming in the door, then you look at market penetration of the devices not how much profit is being made by the manufacturer.

Profit is as meaningless as the color of the aftermarket case the user has slapped onto the handset.

19
1

Ex-soldier slapped with sex offender order after flouting private browsing mode ban

Donn Bly

Re: Am I reading this right ?

The device DOES have the capability of retaining and displaying history - he just didn't have it turned on. Seems like he was following the letter of the law, just not its intent.

The order should be changed to reflect intent, that is, it should state that a log must be kept and presented on request. It should also state how long such logs should be kept (so that "delete on logoff" or some such would still be a violation). It should also be clear on the definition of "Internet", as it appears that the original intent of the order means "Web".

My DVD player has the ability to access the Internet but doesn't keep a log. Should he be prevented from using such devices? How about a refrigerator that has some stupid IOT interface to order milk? Or any stupid home based router that doesn't have logging -- if it is part of his connection to the internet then he is "using" the "device".

Rules should be clear and unambiguous.

19
0

Lenovo downward dogs with Yoga BIOS update supporting Linux installs

Donn Bly

Since the internal antennas aren't calibrated for 5 GHz, you would have had sub-optimal performance anyway.

+1 for pointing out that their stock cards are a decade out of date, but -1 for not reading the specs and thinking that you can just slap a different radio in it and make it work.

1
0

6-in-10 punters return their self-destructing Samsung Galaxy Note 7

Donn Bly

No. Samsung is the manufacturer of the device, but they don't have remote access to it.

0
0

Wait, wait – I got it this time, says FCC as it swings again at rip-off US TV cable boxes

Donn Bly

Re: We want it Simple.

In fact, why not mandate the standard so that it's easy to just stick a module into the back of your TV (not built-in as that allows Planned Obsolescence) and be on your way?

Well actually, if you think about it, that is the way it is now. The "module" is the proprietary cable box, and the interface is (if you are lucky) HDMI. Otherwise, component and composite are alternative interfaces.

0
0
Donn Bly

Re: ...expose customer data

The problem is that people don't WANT "live" TV programming outside of sporting events. They want to watch their content on their own schedule.

0
0

US Supremes won't halt class-action legal battle against Google Adwords

Donn Bly

Since advertisers were charged by click, not by impression, the bottom line is that they suffered no MONETARY loss by having their ads displayed on low-traffic or "junk" pages. They only paid when someone actually clicked on their ad.

Loss by having their brand diluted because their ads were showing up on junk pages? Maybe. However, the fact that the ads were displayed on such sites was fully known and disclosed at the time and the advertisers chose to advertise via the network anyway.

This is just another case of someone trying to abuse the court system to raid the deep pockets for another, and they don't come much deeper than Google.

0
0

Our pacemakers are totally secure, says short-sold St Jude

Donn Bly

Re: 7 Foot range for an immobile target

Actually, most people with pacemakers (well, at least 100% of the people that I know that have them) are quite active, often more-so than the average person of their age.

The reason is that since they have already had a close call they are generally aware of the ramifications of a sedentary lifestyle and go out of their way to make sure that it doesn't happen again.

1
0

Did Donald Trump really just ask Russia to hack the US govt? Yes, he did

Donn Bly

re: Have you considered the possibility that Trump's words...

.. are being reported quite accurately indeed?

Considered - then I found the actual footage of the interview and watched it. Found that the facts don't substantiate the story, and contradict the headline.

I would add an icon, but what we really need is one with a bowl of popcorn.

2
4

Cats, dogs starve as web-connected chow chute PetNet plays dead

Donn Bly

Re: More dead Birds:)

I've only hit a bird once in all my years of driving -- and it was a large white goose that tried crossing over the road from one pond to another. It went under my 1-ton van and threw a cloud of feathers behind me that looked like someone had opened a down pillow and emptied it out the window, causing almost white-out conditions. Luckily nobody was right behind me, as the road curved as it went between the two ponds...

When I had a cat, it would bring me a present of wild poultry about once a week.

2
0

Did the Russians really hack the DNC or is this another Sony Pictures moment? You decide

Donn Bly
Holmes

Russian Connection?

I doubt very much that a legitimate Russian security service would spell their directorate name in ENGLISH on a Russian-language mail server. That easily understood fact alone soundly discredits any "expert" that tries to claim or substantiate a Russian connection using that piece of information.

If someone is skilled enough to compromise the supposedly-secure DNC email accounts and servers, and to do so for the extended period of time necessary to extract everything that they extracted, then there is a pretty good chance that any server or service that they are using to communicate with the world is similarly compromised.

In short, there is no "Russian Connection". There is only the spreading of FUD after their dirty laundry was aired for the public to see.

1
1

BOFH: Free as in free beer or... Oh. 'Free Upgrade'

Donn Bly

re: They were Canon right?

With a password of 111111? They had to be Xerox

10
0

Net neutrality victory: DC court backs full rules

Donn Bly

Re: @steve todd - you obviously have no experience in the area

Steve, you obviously have no experience in this area.

First, since broadband wasn't even an issue when most cable companies were started or when they were issued operating licenses, it is impossible to TRUTHFULLY state that they promised coverage and service levels - because those products didn't even exist then.

Competition does exist for broadband, but it exists between technologies - ie, Cable vs Telco. Cable companies don't compete between themselves, and landline carriers don't compete between each other, but cable and telco most DEFINITELY compete against each other.

I have watched two different local cities where I own property start down the road to municipal broadband. In both cases incumbent carriers had already made massive investments in infrastructure and were rolling out continuous improvements. In both cases the cities LIED to the public about the needs and in the investments that private enterprise had made. In both cases existing ISPs stopped investing, and in some cases abandoned existing infrastructure.

For you to say "bullsh*t" is, well, bullsh*t itself. Because unlike you I have personal experience. I was there.

0
0
Donn Bly

No. Telco vendors and others responded to consumer demand and increased speeds and capacity all on their own. They did so because the free market provided a financial incentive to do so, and without any such rulings or government interference.

If the GOVERNMENT had their way, access would have been limited to institutions of higher learning and defense contractors. You are, after all, talking about a ruling body that isn't the most technologically competent and thinks that you can get pregnant via a sexually explicit email, that an island will flip over if everyone stands on one side, or that if you place a standard bullet in a brass casing inside of a steel box that the steel will shield it and allow it to pass through a metal detector undetected.

Now, whether the major providers CONTINUE to advance, that is a matter up for debate. However, if the government removes all profit motive then vendors aren't going to do much of anything in the way of improvements. The only time they will improve is when it is cheaper to upgrade than maintain the status quo.

We have already seen in under-served areas that when municipal fiber networks are deployed that for-profit organizations reduce or exit the market, spending their expansion funds in areas where they can get a better return. Net Neutrality regulation - whether good or bad - is going to slow private deployments in those areas and FORCE the government to build out using tax dollars, probably via increases in USF and Rural Access funding taxes. Again, whether good or bad is a matter of debate, but it WILL be a consequence.

Personally, I saw the writing on the wall several years ago, which is why I sold my ISP while I could still do so at a profit, then hooked up to municipal fiber so that I could take advantage of the cheaper rates. If you can't beat 'em, join 'em.

4
24

Bloke flogs $40 B&W printer on Craigslist, gets $12,000 legal bill

Donn Bly

The "Jerk" (I would have used stronger language) doesn't have any lawyers, he represents himself.

Being from and in Indiana, I took a special interest in this case.

First, this "Jerk" isn't even from Indiana - He is Ukrainian here on "political asylum". Having gamed that system, he now tries to game all others.

Indiana, like most courts, has a policy in civil courts of "default summary judgement". Basically, if you get sued, and don't bother to even respond to the suit or show up when the hearing is held, then you are going to lose the case. To respond all you have to do is send the court a letter saying that you deny the claims.

It isn't that he "admitted" anything - that is just bad reporting, something that has been repeated elsewhere in many articles about this case. It is more factually described as a default "Nolo Contendere" / "No Contest" plea.

As such, the judge who granted summary judgement wasn't necessarily wrong, but the judge who didn't immediately overturn it on appeal was. After all, the "Jerk" couldn't even provide evidence of notice, which is a REQUIREMENT. It should have been tossed. Judges are human. They screw up. This one screwed up big time. At least the appeals court, after having actually LOOKED at the evidence, tossed it.

And yes, the seller COULD go after the Jerk and get damages, but that would have to be a separate suit - and he has already stated that he wants nothing to do with any more lawsuits.

Personally, I think we should find out what the Jerk was running from in the Ukraine. If it was legitimate political asylum I don't think that he would be advertising his location in the international press. Perhaps it is time to send him back.

26
0

Score one for the patent trolls: US appeals court says it's OK to shop for patent-friendly judges

Donn Bly

Re: Wait just a minute

This isn't a patent troll case - in this case both defendant and plaintiff are real companies that manufacture and distribute goods, and have done so for many years. This is a straight up infringement case.

Also in this case both the Defendant and the Plaintiff are in Indiana -- yet the Plaintiff wants to sue in Delaware court. That was the issue here. Convention holds that you sue in the district where the defendant resides.

(disclaimer: I too am in Indiana - which is why this case caught my attention)

1
0

Getty Images flings competition sueball at Google Image Search

Donn Bly

Re: I think they have a point here

> it should be pointing you to the place where the image is hosted.

Well, actually it already does, with the very first button being "Visit Page"

1
0

Amazon attempts rule fudge to take exclusive control of new dot-words

Donn Bly

I have seen a couple in passing, including one that I procured and set up for a friend's coffee house, but the vast majority of them are just spam sources to the point where I am weighting them as such with SpamAssassin rules.

8
0

Google found 760,935 compromised web sites in a year

Donn Bly
WTF?

Re: CSS breaches

WTF are you calling a "CSS Breach"? While I have seen stylesheets hacked to include image URLs from other compromised domains to avoid antivirus scans on the primary server, those types of attacks are definitely a minority.

0
0

Google yanks Chrome support for Windows XP, at long last

Donn Bly

Re: So much for Extended Support then..

Agreed - My home machine which I only use for light web surfing and remote desktop runs Vista, and has been stable doing so since day one. If it wasn't on a docking station with three additional monitors I probably would have replaced it, but why spend money to replace something that is (1) still supported and (2) does everything that I need it to do?

I've always got my tablet (Surface Pro 3, won as a door prize at a Microsoft event running Windows 10) if I truly NEED something that only runs in a more modern operating system.

0
0

Websites take control of USB devices: Googlers propose WebUSB API

Donn Bly

Re: Where to begin?

Or you could just get an independent scale/printer with its own network attachment. You can still connect your PC to it over the network, but you don't need to waste energy powering your PC to use it.

There are already PC-independent solutions; don't invent half-dependent solutions and pretend they're better.

So instead of having a PC with attached peripherals which gets its IP address via DHCP, you would instead prefer the novice PC user to self-install a switch, install and configure two rather expensive pieces of network-enabled equipment with static IP addresses, download and install the drivers and the application software, configure the application software with the static IP addresses, etc. -- and now you have three devices on your network to monitor instead of just one AND you have an application installed on your workstation that isn't part of the company standard.

-- or --

you would prefer a stand-alone proprietary solution, and have IT tasked with auditing and keeping this one-off piece of non-standard equipment on their network up to date, secure, and operational.

-- or --

The user can use a web-based application, connect to a cheap usb-attached scale and label printer, and IT doesn't have to worry about keeping the application up to date every time there is a change in shipping rates. There aren't any foreign devices on the network, and the only downloaded code is JavaScript that runs in the browser.

I don't know about your environment, but I would be seriously investigating the third option before discounting it.

Shadow seems to think this is about drivers and such. It isn't. It is about the ability to use web-based applications in place of native code APPLICATIONS. Think Google Docs vs Word.exe, not video card drivers. Right now any web-based application that needs that kind of functionality has to use security abominations like Flash or Java, or the vendor writes some sort of custom protocol driver which will usually only work with some subset of available hardware to accomplish the task. All this API does is create a standard where a manufacturer can "web-enable" their devices and expose a subset securely to a third-party web application that uses the same API.

Nobody is saying that it is the best technology for every business solution. This is a technology that addresses an existing security hole in an existing niche market, and is extensible to new device classes. It defines a standard that allows for vendor interoperability, reducing lock-in to proprietary architectures. It allows software vendors to have a single, cross-platform application that truly runs the same on Mac, Windows, and Linux out of a single code-base because actual execution takes place on the server and not on the workstation.

The API is in its early stages, with a draft spec only two months old. It may or may not flourish, but it IS better than the existing methods, or at least aspires to be.

0
12
Donn Bly

Re: Where to begin?

If your current workstations and servers don't have access to the Internet, then they aren't running web applications, and as such would have no need for this technology.

Of course, if your current workstations don't have access to the Internet, just how are you posting to this forum?

3
9
Donn Bly

Re: Where to begin?

The web also has illegitimate uses along with legitimate ones - by your thinking the entire web should be forbidden and nobody should be able to use it because someone made illegitimate use somewhere along the way?

I'd swear that none of you have even looked at the spec, or the explainer. If you had and even a basic understanding of it you wouldn't make these kinds of statements.

1
13
Donn Bly
Thumb Down

Re: @Donn Bly.

You are operating under a couple of fatal misconceptions.

1) Windows Update. If you plug a device into your windows computer, and it doesn't have the driver already installed, you know that box that pops up asking if you want to search for a driver? Pay close attention next time and you will see the button that says "check windows update for driver". Windows update is more than updating existing drivers, it is where most of the NEW drivers come from for your "plug and play" devices.

2) Downloading Drivers. This WebAPI is *not* about downloading device drivers. In fact, there is nothing in the current spec about downloading and installing ANYTHING. You go on and on about companies not including drivers or not being able to download drivers - but this is NOTHING of the sort. I can understand your confusion if you based your argument on the (factually inaccurate) line in the article about websites updating firmware.

This technology is about allowing manufacturers to expose their devices to web applications in a standard, secure way. Before you accuse someone about lack of critical thinking, you should at least have a basic understanding of the technology you are lambasting. Have you even READ the spec? There was a nice link to it at the beginning of the article. Try reading it, THEN discussing it.

2
13
Donn Bly
FAIL

Re: Where to begin?

Windows Update takes the hardware IDs and searches a database of compatible drivers; the underlying premise behind this is much the same except that it allows makers of specialized equipment to implement a similar system without relying on Microsoft. You want us to believe that you have never allowed Windows Update to search for and install a driver for a new piece of equipment, or update an existing driver?

This technology isn't designed to be used on your USB Ethernet dongle, your CPU temperature sensor, or anything like that. Do you think that the manufacturer WANTS to provide servers and bandwidth to push a driver for a device like that every time you reboot? No, of course not.

This is an attempt to create a web standard API for directly accessing equipment connected via USB, for equipment specifically designed for that purpose, without having to use something like Flash or Java as a layer in-between. I for one WELCOME a secure alternative.

Real-life example: USB attached scale & printer. The ability to have a web/thin client application weigh a package and generate a shipping label WITHOUT having to install specific drivers, without having to have the user click on anything every time it prints, etc. Right now you have to install the drivers, install the stand-alone software, which then has to use a web API to exchange information with the shipping company. This moves the API level so that the software and data can be stored on a web server and nothing needs to be installed on the workstation other than a standard, reusable API layer which is restricted by device and destination.

Is this a solution for everyone and everything? Of course not. Nor is it intended to be.

Next time learn a little about the technology before you slam it, sometimes there ARE legitimate uses.

2
22
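The "restricted by device" part of the post above, as an added example (this is not the poster's code and not code from the WebUSB spec or any browser): a JavaScript model of the filter matching that `navigator.usb.requestDevice()` applies before it shows the user a device chooser. The devices, vendor/product IDs, serial numbers and filters below are constructed for illustration. The matching rules follow the filter semantics in the WebUSB spec (vendorId, productId, serialNumber, and class/subclass/protocol checked against the device descriptor or any of its interfaces, with productId requiring vendorId and so on); the treatment of an empty filter list as "match everything" is assumed from Chrome's behaviour rather than taken from the spec text.

```javascript
// Added example: a model of WebUSB requestDevice() filter matching.
// Not code from the original post, the WebUSB spec, or any browser.

// Constructed sample devices in the shape of WebUSB USBDevice objects.
// Vendor/product IDs and serials are illustrative only.
const DEVICES = [
  { name: "Label printer", vendorId: 0x0a5f, productId: 0x0081,
    deviceClass: 0x00, deviceSubclass: 0x00, deviceProtocol: 0x00, serialNumber: "LP-0001",
    configurations: [{ interfaces: [{ alternates: [
      { interfaceClass: 0x07, interfaceSubclass: 0x01, interfaceProtocol: 0x02 }] }] }] },
  { name: "Postal scale", vendorId: 0x0922, productId: 0x8003,
    deviceClass: 0x00, deviceSubclass: 0x00, deviceProtocol: 0x00, serialNumber: "SC-4242",
    configurations: [{ interfaces: [{ alternates: [
      { interfaceClass: 0x03, interfaceSubclass: 0x00, interfaceProtocol: 0x00 }] }] }] },
  { name: "Ethernet dongle", vendorId: 0x0b95, productId: 0x1790,
    deviceClass: 0xff, deviceSubclass: 0xff, deviceProtocol: 0x00, serialNumber: "",
    configurations: [{ interfaces: [{ alternates: [
      { interfaceClass: 0xff, interfaceSubclass: 0xff, interfaceProtocol: 0x00 }] }] }] },
];

// The filters a hypothetical shipping-label page would pass to requestDevice().
const SHIPPING_FILTERS = [
  { vendorId: 0x0a5f, productId: 0x0081 },   // exactly this printer model
  { vendorId: 0x0922 },                      // anything from the scale vendor
  { classCode: 0x07, subclassCode: 0x01 },   // or any printer-class interface
];

// requestDevice() rejects filters whose narrower field lacks its broader one.
function validateFilter(f) {
  if ("productId" in f && !("vendorId" in f)) throw new TypeError("productId requires vendorId");
  if ("subclassCode" in f && !("classCode" in f)) throw new TypeError("subclassCode requires classCode");
  if ("protocolCode" in f && !("subclassCode" in f)) throw new TypeError("protocolCode requires subclassCode");
}

// Class triple comparison; subclass/protocol only constrain when present.
function classTripleMatches(f, cls, sub, proto) {
  if (f.classCode !== cls) return false;
  if ("subclassCode" in f && f.subclassCode !== sub) return false;
  if ("protocolCode" in f && f.protocolCode !== proto) return false;
  return true;
}

// A device matches a filter when every field present in the filter matches.
// The class triple may match either the device descriptor or any interface.
function deviceMatchesFilter(device, f) {
  if ("vendorId" in f && device.vendorId !== f.vendorId) return false;
  if ("productId" in f && device.productId !== f.productId) return false;
  if ("serialNumber" in f && device.serialNumber !== f.serialNumber) return false;
  if ("classCode" in f) {
    if (classTripleMatches(f, device.deviceClass, device.deviceSubclass, device.deviceProtocol)) return true;
    return device.configurations.some(c => c.interfaces.some(i => i.alternates.some(a =>
      classTripleMatches(f, a.interfaceClass, a.interfaceSubclass, a.interfaceProtocol))));
  }
  return true;
}

// Devices the chooser would offer. An empty filter list is assumed here to
// match everything (Chrome's behaviour), which is why a page should always
// list its hardware rather than ask for "any device".
function selectableDevices(devices, filters) {
  filters.forEach(validateFilter);
  if (filters.length === 0) return devices.slice();
  return devices.filter(d => filters.some(f => deviceMatchesFilter(d, f)));
}

function selectableNames(devices = DEVICES, filters = SHIPPING_FILTERS) {
  return selectableDevices(devices, filters).map(d => d.name);
}

// In a browser the page's code would continue (secure context, user gesture):
//   const dev = await navigator.usb.requestDevice({ filters: SHIPPING_FILTERS });
//   await dev.open(); await dev.selectConfiguration(1); await dev.claimInterface(0);
// Only the device the user picked from the filtered list is ever returned.
console.log(selectableNames());
```

The Ethernet dongle never appears in the chooser because no filter names it, which is the point the post makes: the API is for equipment the page is written for, not for every device on the bus. The draft the post refers to also let a device declare which origins were allowed to talk to it (the "destination" half of the restriction); that side is not modelled here.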

Microsoft adds 'non-security updates' to security patches

Donn Bly

Re: I'll jump in before everybody starts to state the obvious....

I ran into this today as well, countdown timers that Windows would NOT allow them to abort. I also concur about GWX Control Panel, it saved the day for me on multiple machines today.

One of them was only a couple of blocks away so I walked over. Sure enough, even if I ended the task with Task Manager it automatically restarted. It would let me schedule the upgrade any time within the next 72 hours, or start immediately, but explicitly stated "once you set a time it cannot be changed".

It would NOT let me abort, it would NOT let me check for Windows updates. My solution was to go into installed updates, remove KB3139929, let it reboot (which didn't do the install), then use GWX Control Panel to turn it off.

4
0

LastPass in 2FA lock down after 'fessing up to phishing attack

Donn Bly

Re: A real shame - a good product

Just to verify, why do you say that "export to CSV" was canned in LastPass? I still use LastPass, and I just checked and verified that the option to export to CSV is still there.

As a LogMeIn user, I wasn't too happy that they killed off the free edition, however, since I had a mix of free and pro they upgraded all of the free clients to pro for a year for no charge. Sometimes you have to take the bad with the good, but if you are going to preemptively trash a product because you THINK that they might change something then you are never going to use anything.

2
1

No escape: Microsoft injects 'Get Windows 10' nagware into biz PCs

Donn Bly
Alert

So, when this update comes down and trashes my Hamachi VPN (we've already tested and know that it doesn't work quite right, even though it is supposed to be compatible) who is going to pay for the remediation work to get the business back up and running?

16
0

Researcher claims Facebook tried to gag him over critical flaw

Donn Bly

There is a difference

There is a big difference between letting someone know that their door is unlocked, and using that unlocked door to rifle through their underwear drawers to determine their preferences.

One is responsible, the other isn't.

As much as it pains me, I would have to side with Stamos. Wineberg admittedly made unauthorized use of a company's credentials on a third-party service (Amazon AWS) to gain further unauthorized access on that third-party service. It wasn't about discovering a bug, it was about seeing how far he could penetrate with the stolen credentials even AFTER he had already been paid for reporting the bug.

Furthermore, Wineberg did represent himself as a representative of Synack in his communications with Facebook when reporting the bug. I'm somewhat surprised that Facebook paid the bounty to him and not directly to Synack, and a CSO to CSO call between companies when unauthorized access is detected is certainly not out of the ordinary.

11
23

Hapless Virgin Media customers face ongoing email block woes

Donn Bly

Hard SPF Policy

A hard SPF rejection policy (-all) means that unless the email is being delivered to you by one of the listed sources, then it is completely disavowed by the sending domain and isn't legitimate. Such messages should be rejected with a 5xx response and never come close to your inbox.

2
0
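The policy the post above describes, as an added example (not the poster's code): a minimal SPF evaluator in JavaScript that walks a domain's record, matches the connecting IP against ip4: and include: mechanisms, and maps the result to the SMTP decision, with a "fail" from -all turning into a 550 rejection. The TXT records, domain names and client IPs are constructed and served from an in-memory map so the block runs offline; this toy supports only ip4:, include: and all, so a, mx, ip6:, exists, ptr, redirect= and the real DNS lookup limit from RFC 7208 are out of scope and any other mechanism is reported as permerror.

```javascript
// Added example: toy SPF check against an in-memory "DNS". Not the poster's
// code. Constructed records only; supports ip4:, include: and all.

const TXT = {  // constructed TXT records, not real zone data
  "example.test":     "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.test -all",
  "_spf.mailer.test": "v=spf1 ip4:198.51.100.10 ip4:198.51.100.11 ~all",
  "soft.test":        "v=spf1 ip4:203.0.113.0/28 ~all",
};

const QUALIFIERS = { "+": "pass", "-": "fail", "~": "softfail", "?": "neutral" };

// Dotted-quad IPv4 to an unsigned 32-bit integer; rejects malformed input.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new RangeError(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip falls inside "a.b.c.d/len" (a bare address means /32).
function inCidr(ip, cidr) {
  const [net, lenStr] = cidr.split("/");
  const len = lenStr === undefined ? 32 : Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new RangeError(`bad prefix: ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return ((ipv4ToInt(ip) & mask) >>> 0) === ((ipv4ToInt(net) & mask) >>> 0);
}

// check_host() in miniature: first matching mechanism decides via its
// qualifier; running off the end of the record yields neutral.
function checkHost(ip, domain, depth = 0) {
  if (depth > 10) return "permerror";               // include: recursion guard
  const record = TXT[domain];
  if (!record || !record.startsWith("v=spf1")) return "none";
  for (const term of record.split(/\s+/).slice(1).filter(Boolean)) {
    let q = "+", mech = term;
    if ("+-~?".includes(term[0])) { q = term[0]; mech = term.slice(1); }
    const [name, arg] = mech.split(":");
    let matched;
    switch (name.toLowerCase()) {
      case "all":
        matched = true;
        break;
      case "ip4":
        if (!arg) return "permerror";
        matched = inCidr(ip, arg);
        break;
      case "include": {
        if (!arg) return "permerror";
        const inner = checkHost(ip, arg, depth + 1);
        if (inner === "none" || inner === "permerror") return "permerror"; // RFC 7208 s5.2
        matched = inner === "pass";                 // fail/softfail/neutral: no match
        break;
      }
      default:
        return "permerror";                         // mechanism this toy does not model
    }
    if (matched) return QUALIFIERS[q];
  }
  return "neutral";
}

// What the receiving MTA should do with the result. A hard fail from -all is
// the case the post describes: a 5xx at SMTP time, nothing delivered.
function smtpDecision(ip, domain) {
  const result = checkHost(ip, domain);
  if (result === "fail") {
    return { result, accept: false,
      reply: `550 5.7.1 SPF check failed: ${domain} does not designate ${ip} as a permitted sender` };
  }
  if (result === "temperror") {
    return { result, accept: false, reply: "451 4.4.3 SPF temporary error, try again later" };
  }
  // pass, softfail, neutral, none, permerror: accept and record the verdict
  // for downstream filtering (softfail is a hint, not a rejection).
  return { result, accept: true,
    header: `Received-SPF: ${result} (client-ip=${ip}; envelope-from=${domain})` };
}

console.log(smtpDecision("203.0.113.5", "example.test"));
```

The difference between -all and ~all is visible in the two records: 203.0.113.5 is rejected outright by example.test, while a stray host under soft.test only gets a "softfail" stamped into Received-SPF for a spam filter to weigh.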

EU urged to ignore net neutrality delusions, choose science instead

Donn Bly

Re: QoS != Net neutrality

Unfortunately, your definition of "Net Neutrality" does not match the definition that the lawmakers are using.

That really seems to be the biggest problem with Net Neutrality discussions on this site - everyone has a different definition because the term isn't a technical term to which we have an established definition. In fact, that was one of the points of this article.

While your definition is a good ideal, the government definition is less so. In their definitions, no traffic may be discriminated against based on origin, destination, or content. Similar, but VERY different. Because with their definition there is no such thing as priority traffic. Everything is equal. Yes, that means that your iTunes traffic and your Netflix traffic are equal, but so is your VoIP traffic and the spam email and the guy next door seeding torrents.

3
0
Donn Bly

Re: How can this "Markablejones" be so ill informed

First, on network management, while the GOAL isn't to prevent reasonable network management, in many cases it is an unintended side effect - stripping QoS so that SIP and HTTP traffic run at the same priority across peering points.

Let's look at your statement "ISPs will be incentivized to not upgrade their networks in order to sell priority delivery" and compare that to past actions.

Without "Net Neutrality" laws ISPs had the ability, and did, sell "fast lanes". Thus, if your argument held true, ISPs never upgraded their networks and we are all still on dialup, or ISDN, or 256K DSL, or... well, the point is that ISP networks are in a constant state of upgrade, and they did it even with fast lanes in existence. In fact, the extra money from those "fast lanes" may have actually helped drive those capital improvements.

Now, let's look at the second half of your argument, "The higher the price, the more easy it is for company's like Google and Netflix and Amazon to set barriers to market entry that price potential competitors out of the market".

Amazon and Google already paid high prices for entry - what you are suggesting is that others should not have to pay because Amazon and Google already have. Nonetheless, let's take that part at face value and look at the rest -- if there is that much money to be made selling "fast lanes", then additional companies (i.e., ISPs) will be formed to take that money, increasing competition and driving down consumer costs.

Giddes may or may not be a shill - I don't know - but his arguments are just as valid, if not more so, than yours - and he at least signs his name to them.

2
2

Cobweb 'fesses up to failure to renew SSL certificate

Donn Bly
FAIL

Unencrypted Traffic?

An expired certificate still encrypts data.

If Mr Adrian Smith "Security Consultant" set up systems that allow the customers to bypass SSL, then that ability is there whether the certificate is expired or not - and the level of security has not changed.

While I suppose that it is POSSIBLE for someone to write some sort of client software that would downgrade to clear text should a certificate expire, it would seem to be a rather poor choice for system design. If the data must be secured, then a certificate error should force the connection to fail with no data exchanged.

With no actual details as to the certificate, how it was used, when it was issued, etc. we can only guess as to what happened, but I have more questions about the technical abilities of the consultant than I do about a hosting provider that lets a certificate on a control panel expire. That in turn leads to questions of motivation.

Mr. Smith will now have to justify exactly HOW his customers managed to exchange unencrypted data even though encryption was available to them.

6
0

AT&T, Verizon probed: 'No escape from biz broadband packages'

Donn Bly
Terminator

Re: For the love of all that is holy THERE'S A BRIDGE FIRE!?

Not only would you let him, you would probably be giving him a "gentle" push so that he could join his friends at the bottom.

0
0

Biting the hand that feeds IT © 1998–2017