* Posts by Donn Bly

311 posts • joined 10 Jan 2008


Never mind that naked selfie scandal... Brazil lights the, er, kindling, dot-Amazon saga roars back into life

Donn Bly

It's just another bureaucratic money grab

In my recollection, the official language of Brazil is Portuguese, and in that language the name of the river is spelled "Amazona". I would concede ACTO *may* have considerable rights to that version of the name, but their rights are a bit shaky when they claim to have the rights to the anglicized version of the name when it is being used by a company outside of their region in a manner that does not even refer or relate to the river. Especially when the origin of the name actually comes from GREEK mythology and does not have a corresponding origination anywhere within the geographic region that ACTO was formed to represent.

If ACTO has rights that supersede Amazon Inc., then any publisher that publishes the works of Homer, Herodotus, Strabo, or any other ancient Greek historians translated to English from their original Greek would have rights that supersede ACTO. Where would that end?

I am not a fan of the .{whatever} GTLD craze. It was a clear money-grab by a supposed not-for-profit organization that did not have legitimate expenses to justify raising funds in that manner. However, ICANN set up the rules and should abide by them -- or refund ALL of the monies earned in that manner (for ALL GTLDs).

Our vulture listened to four hours of obtuse net neutrality legal blah-blah so you don't have to: Here's what's happening

Donn Bly

Does the FCC have the authority?

Regardless of anything else, if the FCC had the authority to create the rule, then the FCC has the power to change or scrap the rule.

What should happen is that the Legislature should be the ones creating the rules (it is, after all, their ONE job).

Appointed people shouldn't be in the business of making rules. They should be in the business of implementing them.

And Kieren, thank you for another balanced and informative article.

Texas lawyer suing Apple over FaceTime bug claims it was used to snoop on a meeting

Donn Bly

Re: I guess this is going to be tossed out

First, he is going to have to prove that the meeting was even recorded, and he will have to state who did the recording. In his filing, he didn't even provide a date of the alleged meeting.

He will have to provide sworn affidavits from either the person who did the recording (self-incriminating) or someone who has first hand knowledge (anything other than first-hand knowledge is inadmissible hearsay.)

Once that has been established as fact, THEN he will have to prove that the Apple product was used to record the meeting. Then he is going to have to establish that he didn't have any other applications on his phone that could be used to remotely record the meeting.

Now, this is civil court and not criminal court, so he doesn't have to establish proof beyond a shadow of doubt. He only has to establish a preponderance of evidence -- meaning that it is more likely than not.

However, he is going to have a very tough time doing that. The only way that he is going to prove that the meeting was recorded is to provide a copy of the recording. He could also find someone willing to testify under penalty of perjury that they have personally listened to the recording and that they have first-hand knowledge that the recording was of the meeting in question -- meaning that they themselves would have to have been at the meeting -- but if they can do that then they could have made the recording themselves using any number of means unrelated to this bug, and it IS more likely that someone used a standard digital recorder than used an undisclosed bug, especially as the bug doesn't have the ability to create a recording in and of itself. He will also have to provide affidavits for all in attendance that they didn't record the meeting, and explain what due diligence he undertook to ensure privacy at this meeting.

Additionally, he is not just suing Apple -- He is also suing the developers, distributors, and advertising agents. He is claiming that each of them not only knew of the bug, but recklessly proceeded in bringing the product to market knowing ahead of time that the bug existed. The discovery is to get the names of the people who acted in that capacity so that he can add them to the suit by name.

No, he is trying for an out-of-court settlement because he knows that the cost of discovery is going to be high and is hoping that SOMEONE (he knows it won't be Apple) would rather pay off a nuisance lawsuit than undergo the expense of fighting it. He is leveraging the "vast experience" that he has gained in his less than 4 years of practicing personal injury law on the claim that within the less than 90 days that it has been since the bug was introduced an event has occurred that has resulted in irreparable harm and PHYSICAL pain and suffering, but can't even give the date of the alleged event. He is smart enough not to have himself for a client and is using another attorney to file the suit -- however if he was serious about taking this to court you would think that he would pick someone who is well versed and has lots of experience in this area of law -- but instead he hires a personal injury lawyer who specializes in car accidents with just over a year of experience as an attorney.

If it goes to court he is going to have to affirm, under oath, under penalty of perjury subject to incarceration and disbarment, to the events alleged in his filing. He certainly doesn't want to do that, otherwise he risks irreparable harm to his future as an attorney and it will have been at his own hand.

I kind of hope that Apple doesn't settle. Lawyers like this shouldn't be practicing law.

Big Red's big pay gap: $13,000 gulf between male and female Oracle staffers – reports

Donn Bly

Re: All else being equal...

As an employee in a free market YOU get to decide how much you make. A prospective employer makes an offer, and you are free to accept or decline the offer.

If you accept it, it is YOUR OWN FAULT if you accepted an offer lower than average. Furthermore, you are only WORTH as much as the person behind you on the list is willing to take for the same job, no matter how much you think you are worth. Your labor is essentially a commodity, treat it as such.**

The solution? Know your worth, and don't accept less. Don't wait for them to tell you what they think you are worth, step up and make your worth known. If you remain unemployed then you overestimated your worth. If you want to increase your worth, learn some marketable skills.

It is up to you and you alone. Quit blaming others. It is not the job of society to train or educate you, and it is not the job of society to employ you.

** Think of your labor as a gallon of milk. As a consumer you can go into any number of grocery stores to buy your milk. The price is going to vary from store to store. Some decide to go to the cheapest store, some decide to go to a more convenient store and pay more. The fact that someone else paid more for the milk at a convenience store doesn't make the lower price of the grocery store "unfair" to the milk or to the farmer who produced it. It also doesn't mean that the person going to the convenience store was price gouged. There are many more factors than just price that go into a purchasing decision.

US midterms barely over when Russians came knocking on our servers (again), Democrats claim

Donn Bly

Re: Always blaming Russia

The thing about spear-phishing email, I'm confident it doesn't take the CERN experts to figure out where it came from and who it benefits. I'm sure there's a whole industry around tracing down the who, what, and why.

The thing about spear-phishing is that it NEVER comes from where they say it comes from. That is, after all, the point of the phish. I can send a message and make it look like it came from any number of countries; doing so is trivial to anybody who knows what they are doing. The harder part is getting around SPF, DomainKeys, and message signing so that the phishing messages don't end up in a spam folder.

As to who it benefits -- You can try to guess who it benefits but all you would really be doing is bias confirmation. This week the DNC wants the bad guys to be Russian, so they will ignore any evidence that says otherwise or interpret any evidence to justify their conclusion. Next week they could want it to be a Trump staffer or North Korea and make the same case. Do you really think that ONLY the Russians would be interested in a tap on DNC internal communications?

In order to really track it and find origin you have to set some bait for them to take, and then follow it back. You have to gain access to the mail server where the replies to their messages go to see if the server has been compromised, and then trace whoever accesses the mailbox to trace it back. You have to see if the machines used to access the server have been compromised, and go back further. They would have to establish a dialog with the phisher to keep them on the line so that all of this could happen without them finding out. All of that is very time consuming, expensive, and requires cooperation from friendly judges issuing warrants and lots of IT people sworn to secrecy.

None of that has occurred, therefore they are guessing and don't REALLY want the facts because the facts may not support their accusations. They are more interested in controlling perception for the purposes of political persuasion than they are in establishing fact. Of course they are a political organization, and that is what political organizations do (no matter what side of the aisle). Nothing unusual, just the normal day-to-day operations of a political organization.
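The spoofing the post above describes leaves traces in the one set of headers the recipient can trust: the ones its own mail server writes. As an added example (not the post's code and not from any product it mentions), this Python script reads the Authentication-Results header (RFC 8601) and checks whether the SPF and DKIM passes actually cover the domain shown in From:, which is exactly where a spear-phish that merely looks like it came from somewhere else falls down. It also pulls the connecting IP from the topmost Received header, the only Received line not under the sender's control. Both messages, and every address, domain and IP in them, are constructed placeholders.

```python
"""Does SPF/DKIM actually vouch for the domain shown in From:?

Added example for illustration only; not code from the post or from any
product it mentions. Authentication-Results is the header the receiving
MTA writes (RFC 8601), so it is the one the recipient can trust. Both
sample messages below are constructed; every address, domain and IP in
them is a placeholder.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# method=result ... property=domain, per RFC 8601 (semicolons separate methods)
AUTH_PATTERNS = {
    "spf": re.compile(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", re.I),
    "dkim": re.compile(r"\bdkim=(\w+)[^;]*?header\.d=([\w.-]+)", re.I),
}
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def org_domain(domain):
    """Crude organisational domain: last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def assess_message(raw):
    """Return alignment verdict, entry IP and a list of human-readable findings."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    auth = " ".join(msg.get_all("Authentication-Results", []))
    findings, aligned = [], False
    for method, pattern in AUTH_PATTERNS.items():
        m = pattern.search(auth)
        if not m:
            findings.append(f"{method}: no result recorded by our MTA")
            continue
        result, domain = m.group(1).lower(), m.group(2).lower()
        if result != "pass":
            findings.append(f"{method}: {result} for {domain}")
        elif org_domain(domain) == org_domain(from_domain):
            aligned = True  # a pass that vouches for the visible From: domain
        else:
            findings.append(f"{method}: pass for {domain} does not cover From: {from_domain}")
    # Only the topmost Received header was written by our own MTA; the ones
    # below it arrived with the message and can claim any origin the sender likes.
    received = msg.get_all("Received", [])
    ip = IPV4_IN_BRACKETS.search(received[0]) if received else None
    return {
        "from_domain": from_domain,
        "aligned": aligned,
        "entry_ip": ip.group(1) if ip else None,
        "findings": findings,
    }


# Constructed sample 1: SPF and DKIM both pass, but for the sending service's
# domain, not for the party domain displayed in From:. That is a spoof.
SPOOFED = """\
Received: from mail.mailer.example.net (mail.mailer.example.net [203.0.113.5])
 by mx.example.org with ESMTPS id abc123; Mon, 12 Nov 2018 10:00:00 +0000
Received: from [10.0.0.7] (unknown [192.0.2.44])
 by mail.mailer.example.net; Mon, 12 Nov 2018 09:59:00 +0000
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce@mailer.example.net;
 dkim=pass header.d=mailer.example.net header.s=k1
Return-Path: <bounce@mailer.example.net>
From: IT Helpdesk <helpdesk@example-party.org>
To: staffer@example-party.org
Subject: Password reset required

Click the link below to keep your mailbox active.
"""

# Constructed sample 2: the passes cover the From: domain, so it is aligned.
LEGIT = """\
Received: from smtp.example-party.org (smtp.example-party.org [198.51.100.9])
 by mx.example.org with ESMTPS id def456; Mon, 12 Nov 2018 11:00:00 +0000
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=newsletter@example-party.org;
 dkim=pass header.d=example-party.org header.s=s1
Return-Path: <newsletter@example-party.org>
From: Campaign News <news@example-party.org>
To: staffer@example-party.org
Subject: Weekly update

Nothing to see here.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("aligned", LEGIT)):
        print(label, assess_message(raw))
```

The entry IP tells you which machine handed the message to your server, nothing more; as the post says, attributing that to a country or actor takes far more than a header.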

Donn Bly

Always blaming Russia

My servers are targeted on a weekly, if not daily, basis from IP addresses in a variety of countries - especially Russia, South Africa, China, and India. It is such a routine occurrence that I don't even bother to take action unless they are doing something that causes me other problems.

Unlike the DNC however, I realize that these are probably not state actors but just compromised systems that are part of a botnet, and probably not even being controlled by an organization headquartered in the same country as the compromised machines.

It baffles me why a competent IT security person would even try to connect a nationality to an attack based on the limited information found in logs and message headers. Still, the lawyers and the media want to keep blaming Russia -- when it is just as likely to be a 14 year old kid in Albuquerque, New Mexico hooked into his neighbor's WiFi.

Man drives 6,000 miles to prove Uncle Sam's cellphone coverage maps are wrong – and, boy, did he manage it

Donn Bly

Re: I'm sure the FCC will get right on it

As though Obama and Wheeler, or Clinton and Hunt, were any better. Unfortunately incompetence in federal bureaucracies is a problem that transcends political party.

Oh, SSH, IT please see this: Malicious servers can fsck with your PC's files during scp slurps

Donn Bly

Re: WinSCP 5.14...

I thought that this was fixed in the WinSCP 5.13.5 hotfix last November, though it would be nice to get a confirmation on that from someone connected with the project.

Error pop-up? Don't worry, let's just get this migration done... BTW it's my day off tomorrow

Donn Bly

Re: It definitely happens

Never ever use personal email addresses for things like that. Use an administrative name that is really a distribution list.

I have come across more and more vendors and services, such as SSL Certificates, that no longer allow that. You have to resort to using an email address that LOOKS like a personal address even though it is a distribution list.

Poor people should get slower internet speeds, American ISPs tell FCC

Donn Bly


You might be confusing the quote (the part in italics) with my post, because I don't make such assumptions.

In addition, I don't have to imagine investing my own money. I used to own a wireless ISP back in the time-frame when WISPA was starting, and some of my friends/friendly local competitors were even among their officers. I am quite aware of the market and its challenges. Some 12-15 years ago when the municipality where I live looked at doing their own fiber rollout I saw the writing on the wall and sold off the ISP, even though we were the ones supplying the municipality with their bandwidth, and signed up my home to be on the waiting list for the municipal network. It took a few years before it got connected (and I suffered with DSL in the meantime) but it was worth the wait.

I wasn't happy at the time with public money being used to compete with private enterprise, but today I would be among the first to admit that in my local situation it was the right thing to do -- even though I was one of the private enterprises with which they were competing.

Donn Bly

It isn't about being cheaper for themselves

Well ISPs in the US already get a subsidy to pay for them rolling out broadband to less well off areas. This whole article is about how they'd like to reduce the definition of 'broadband' to make it easier (and cheaper) for themselves.

Actually, this article was about a meeting with WISPA. WISPA is a trade organization of local independently owned ISPs that deliver services over license-free wireless. The problem is that license-free wireless does not support the speeds of "broadband" as currently defined, even though they supported broadband as it was defined when they first started. Most WISPA members don't currently get subsidies, so your premise is incorrect.

WISPA members' problem isn't that their networks are worse, it is that the definition of broadband changed. Since the definition changed, they are no longer eligible for the subsidies. Since they aren't eligible for the subsidies, their growth rate is slower and unserved areas still don't get any service.

The areas we are talking about here aren't cities and urban areas, they are small towns and farms out in rural America where the antennas go on top of tall buildings and grain silos. The networks are slow and fragile, but in many parts of the country they are the only thing short of satellite service or dialup for Internet access. Many of these areas don't even have reliable cellular service.

Part of their problem is they use obsolete technologies that were never originally intended for outdoor point-to-multipoint use, the other part of the problem is that the cost to change exceeds the price point that consumers will pay. In effect, they are the obsolete wagon makers being superseded by the automobile. In that sense they will die off by attrition on their own without outside life support, so the question then becomes should public money be used to support them?

If yes, then people complain about the subsidies, but if no then areas will continue to go unserved.

Any area in the United States that is currently unserved is because it isn't economically feasible to do so. Internet access is a commercial venture so the companies have to operate to make a profit, and they aren't going to willingly enter a market where they know that they are going to lose money. That's why you don't see cable companies or phone companies building in those areas.

Note that I use the term "unserved". Unserved and Underserved are two different things, and you cannot equate the two. Since the subsidies go for both unserved and underserved, the larger players are taking subsidies to build out in the "underserved" areas where they can make money, but not in the "unserved" areas where they cannot.

Quite frankly, none of the choices is a good one. Either you put public money into a dead business model or citizens don't get any Internet access at all, and even if you spend the public money the citizens still don't get broadband. Is half a loaf better than none?

My hope is that newer technologies will evolve to fill this gap, but I've been waiting for decades. Technologies have improved, but they haven't outpaced the consumer demand in this area.

Let the downvotes begin by all of the people who are too ignorant to know that there are more flavors of wireless and more types of networks than cellular.

Linux.org domain hacked, plastered with trolling, filth and anti-transgender vandalism

Donn Bly

Re: Ooooh...

It may be easy to steal domains from them, but it is a real pain in the @ss to try to transfer any away from them. Sometimes it is easier just to pay their extortion fees for another year than spend the amount of time it takes.

Cops called after pair enter Canadian home and give it a good clean

Donn Bly

Re: Ooooh...

In my college days I can remember one of my roommates going out on a cold and snowy morning to warm up their car, which also involved cleaning off about a foot of snow and digging it out from where it had been plowed in by the plow truck. However, when he went to leave for classes he noticed a problem in that the car he warmed up was a stick, while his was an automatic.

Alexa heard what you did last summer – and she knows what that was, too: AI recognizes activities from sound

Donn Bly

Re: Failure of Understanding

Your standard household land-line telephone had an always-on microphone. Your cell phone has an always-on microphone. Your bluetooth headset has an always-on microphone.

Just because it has an "always on" microphone doesn't mean that it can do the things they claim. In this case, the author implied that an Echo "skill" has direct access to the audio as a background process. That is false, and it isn't how the equipment works.

That is not to say that someone cannot design such a system, just that the system named in the article doesn't have the hardware capabilities attributed to it, and the phone in your pocket is definitely a more attractive target than an Echo or Google Home.

Donn Bly

Failure of Understanding

Alexa, informed by this model, could in theory hear if you left the water running in your kitchen and might, given the appropriate Alexa Skill

Once again someone doesn't understand how these things really work, and wants to impart into them capabilities that they don't really have.

1) Unless you say "Alexa" (or "Amazon", depending on model and configuration) first, the ambient sounds aren't even sent up to Amazon's servers for processing.

2) The "skill" only receives what Amazon's servers decoded in speech to text, they don't receive the raw audio.

Now, that being said, it is certainly possible to hack an Echo with different firmware and make it do something different, but with its underpowered CPU hacking a phone (or just writing and deploying an app without hacking its firmware) would give you access to greater computing horsepower attached to an always-on microphone.

"Hey Siri" or "Ok Google" are a much more likely attack vector.

Uncle Sam gives itself the right to shoot down any drone, anywhere, any time, any how

Donn Bly

Re: Inevitable

Only if it is unmanned.

So if you are sitting in it, no. If you get out and instruct it to park itself, yes.

Couldn't give a fsck about patching? Well, that's your WordPress website pwned, then

Donn Bly

Re: Ooooh...

It's not just "newer versions" automatic update - automatic update was introduced in version 3.7, which was released on October 24, 2013. FIVE YEARS AGO.

Take ANY five year old server OS and there are lots of security issues - why would you expect a web application to be any different?

If someone is still running something that old then it is obvious that they DON'T have a "web admin", so telling "web admins" that they need to update isn't going to do any good.

It does, however, create a market opportunity for someone who wants to scan websites looking for potential customers. Nothing illegal as it doesn't require a deep probe, just grab the index and see if there is a "<meta generator=" line with a version of WordPress that is old. If there is one, then you know that (1) they are using an old potentially vulnerable version and (2) they aren't using any kind of security plugin. All you then have to do is convince the site owner that they need an upgrade.
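As an added example of the passive check just described (not the comment's own code and not tied to any real site), this Python snippet parses an already-fetched index page for the generator tag WordPress emits, which in practice reads <meta name="generator" content="WordPress x.y.z">, extracts the version and compares it to a threshold. The threshold of 3.7 is an assumption taken from the comment's own reference point (the release that introduced automatic updates); fetching the page is left to the caller so the snippet runs offline, and the sample pages are constructed. One caveat worth keeping in mind: plenty of sites strip the tag, so its absence tells you nothing about what is installed.

```python
"""Passive WordPress version check from the generator meta tag.

Added example, not code from the comment above or from WordPress itself.
It parses HTML the caller has already fetched (constructed samples below),
so it runs offline. MIN_VERSION is an assumption: 3.7 is the release the
comment names as the one that introduced automatic updates.
"""
import re
from html.parser import HTMLParser

MIN_VERSION = (3, 7)  # assumption: threshold taken from the comment above


class _GeneratorFinder(HTMLParser):
    """Collects the content= of every <meta name="generator"> tag in a page."""

    def __init__(self):
        super().__init__()
        self.generators = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator":
            self.generators.append(a.get("content", ""))


def wordpress_version(html):
    """Return the advertised WordPress version as a tuple, or None if absent."""
    finder = _GeneratorFinder()
    finder.feed(html)
    for content in finder.generators:
        m = re.match(r"\s*WordPress\s+(\d+(?:\.\d+)*)", content, re.I)
        if m:
            return tuple(int(part) for part in m.group(1).split("."))
    return None


def classify(html, minimum=MIN_VERSION):
    """'unknown' when no tag is present, 'outdated' below minimum, else 'current'.

    'unknown' is deliberately not treated as 'current': a stripped tag is
    common and says nothing about the installed version.
    """
    version = wordpress_version(html)
    if version is None:
        return "unknown"
    return "outdated" if version < minimum else "current"


# Constructed sample pages (no real sites)
OLD_SITE = '<html><head><meta name="generator" content="WordPress 3.5.1" /></head><body></body></html>'
NEW_SITE = '<html><head><meta name="generator" content="WordPress 4.9.8" /></head><body></body></html>'
STRIPPED = '<html><head><title>no generator tag</title></head><body></body></html>'

if __name__ == "__main__":
    for label, page in (("old", OLD_SITE), ("new", NEW_SITE), ("stripped", STRIPPED)):
        print(label, wordpress_version(page), classify(page))
```

Tuple comparison does the version ordering, so 3.5.1 sorts below 3.7 without any string tricks; a real scanner would feed the index page of each host into classify() and keep only the "outdated" results.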

Microsoft gives Windows 10 a name, throws folks a bone

Donn Bly

Re: Java

Thank you, I was unaware that the Java requirements had been refactored out. The dependencies on Java were the reason I stopped using Open Office years ago and stopped following its forks and development. Looking now it appears that it is only required by the database and related functionality such as mail merge.

Donn Bly

Re: Java

Wow, already 11 thumbs down because I don't want to make my OS which is already riddled with security holes any worse by voluntarily installing Flash, Acrobat, and Oracle's Java runtime? I didn't realize that there were so many malware writers hanging out in these forums.

Donn Bly


Last time I looked LibreOffice still required Java. There is no way that I am going to allow the Java runtime and all of its security holes on my home machines - Just like I don't allow Flash and Acrobat.

I don't know the current percentage, but I banned them when those apps combined hit 90% of all commonly-used infection vectors. I mean, think about it, Java is worse than IE....

AI biz borks US election spending data by using underpaid Amazon Mechanical Turks

Donn Bly


Popcorn isn't exactly nutritious, but it isn't fattening either. Just cut down on the butter and salt and you can continue to enjoy the spectacle without the guilt of indulgence.

No need to code your webpage yourself, says Microsoft – draw it and our AI will do the rest

Donn Bly


Great, for years I have been saying that the designs I've been forced to work with look like they have been derived from a crayon drawing -- now it may actually be true.

Security MadLibs: Your IoT electrical outlet can now pwn your smart TV

Donn Bly

Re: This bug cannot be used to infiltrate a network

The reason it cannot be used to infiltrate the network is, by the nature of the bug, that you have to ALREADY be on the network in order to trigger it. Can it be used to make things worse? Sure, but it can't be used for the initial infiltration.

Donn Bly

This bug cannot be used to infiltrate a network

This bug cannot be used to infiltrate a network, because the only way to trigger the bug is if you are ALREADY on the same network as the device.

If you are already on the same network you could just as easily send the commands to turn the TV on or off directly, or deliver any other payload, and with that level of penetration then hacking the Wemo switch is superfluous.

Ex-UK comms minister's constituents plagued by wonky broadband over ... wireless radio link?

Donn Bly

Re: A microwave link to populated areas?

if you have more than 10 people you're likely to run into capacity problems with microwave links, let alone reliability issues.

Properly spec'd and installed, a microwave link is reliable and you aren't going to have capacity issues. Remember "Microwave Link" and "WiFi" are not the same thing. Carrier grade equipment isn't cheap for a reason, and even at the low end there are plenty of gigabit+ options.

Microsoft: We busted Russian Fancy Bear disinfo websites

Donn Bly

Microsoft accuses the Russians - but just like most other accusations there is no credible evidence released to support the conclusion. Not to say that there isn't any -- but if there is they haven't released it for review.

Russia is the proverbial "boogeyman" in American cyber-threats these days - but I'm getting more than a little tired of the baseless accusations. A state-sponsored actor with enough skill to hack a website is certainly going to have the ability to hide the origination of their attacks - or to deflect evidence of origination to someone else.

Is Russia posting disinformation and propaganda trying to create dissent within America? Of course, but then again, so is almost every American political organization. Russians may have bought some Facebook ads targeting Clinton, but Clinton probably outspent them in their ads targeting Sanders. The AFL-CIO outspent them by more than 10x in their ads targeting Trump. None of the ads had much if any actual influence on the election itself, and they certainly didn't "hack" the election to change any vote once the vote was cast.

So do they have a "track record" of attacking politicians? No more than anyone else.

Donn Bly

Re: Why

The courts seem to have forgotten that Microsoft has no jurisdiction or right of ownership -- just like they forgot it when Microsoft submitted perjurious and otherwise false affidavits to the court to STEAL 22 domains from No-IP a few years ago, taking down some 1.8 million websites that relied on those domains for DNS services and potentially intercepting their private email. At least then they were caught red-handed and the domains were returned within days.

So phar, so FUD: PHP flaw puts WordPress sites at risk of hacks

Donn Bly

Re: Does anybody use phar://?

Since phar:// is a PHP construct, not a WordPress one, whether or not you touch the GOLIATH that is WordPress is immaterial. Like it or hate it, WordPress is the most commonly used CMS on the web and we all have to deal with it on occasion even if we don't want to do so -- even if just as a website visitor.

The framework itself is actually audited and pretty stable, but I shudder whenever one of my clients wants to add a plugin.

Haven't looked at this announced vulnerability yet, but since it requires users to be authenticated AND have the ability to upload a file (presumably an image since thumbnail generation is mentioned), the vast majority of sites aren't going to be affected.

Democrats go on the offensive over fake FCC net neut'y cyberattack

Donn Bly

Thank you for a balanced article

Those who follow my past comments know that I have periodically pointed out what I felt was rather one-sided reporting by this reporter, that his articles on FCC matters often felt more like propaganda than technology press. This article, however, was much better -- balanced and calling out the FCC on where they failed, but instead of jumping on the bandwagon, correctly pointing out that many of the current attacks against the FCC and Pai are partisan politics and not policy-related.

Kieren, thank you for a well-written and balanced article.

Windows is coming to Chromebooks… with Google’s blessing

Donn Bly

Re: It's happening...

Even with virtualization the chromebook has more computing horsepower than mainline desktop systems of 10 years ago. The problem isn't lack of beefy hardware, it is bloated applications.

Surprise, surprise. Here comes Big Cable to slay another rule that helps small ISPs compete

Donn Bly

Re: How to lie with statistics?

Competition certainly provides more options, and it may depress prices and lessen the amount of price gouging, but it won't really keep them from ripping you off unless the competition is organically generated through the free market.

If you have "no option" to anything but Comcast, then what that really means is that there is a market opportunity for a new player. In a free market, that new ISP could put in their own lines and provide service, and if they can provide the same or better service for less money then they will win the market.

If a municipality or other government mucks with the free market by creating an artificial monopoly, it is rather hard for them to complain that there is lack of competition. Regulations should be put in place to ensure a free market, not limit it. Laws passed to keep Google or any other provider out of a city are bad, but laws that require an ILEC to let a CLEC use any infrastructure without the CLEC having to pay any build-out expenses can be just as bad because those laws not only discourage investment in overcapacity, they actively discourage rolling out new technology that has a high build-out expense but a low maintenance expense -- such as fiber.

Donn Bly

Re: What benefits does a "Nationwide" ISP give you?

The perceived service certainly isn't better. After all, customer satisfaction on cable and phone companies ranks at the bottom.

What it does give you, however, is that the nationwide ISP has more exit points. It has more diverse connections to the Internet "backbone" than a smaller regional ISP.

As such, the regional ISP may have better customer service, but be more susceptible to an outage caused by an upstream provider. With the nationwide ISP if there is an outage it is generally caused by an internal problem. In theory that should mean that they will be able to address and fix it faster, but of course theory and reality are often in disagreement.

Donn Bly


To get real competition municipalities need to re-take ownership of the last mile. When you don't own your infrastructure you are at the mercy of monopolistic corporations and their pet legislators

Have you seriously thought about this? You want to take the private property away from the companies that built it, only to then let the government control who can provide you with services? And you think you are at the mercy of pet legislators now but won't be once the lines are nationalized?

All you would do is trade one monopoly for another.

Donn Bly

How to lie with statistics?

The article/report talks about ILECs and CLECs -- which are phone company manifestations, then switches gears to cable without any correlation and acts as though they are equivalent. They are not.

The report talks about CLECs not having equipment in exchanges -- and that is blatantly false. CLECs often/usually have equipment in exchanges, as they use the incumbent lines but their own switching equipment which is how they can gain their competitive advantage.

I don't know if it is something that crept in as an editing error, whether the author just copied something from the report without reading it, or whether the author honestly doesn't know the difference between a CLEC, ILEC, and white label reseller.

The report talks about how CLECs have installed fiber in 8% while ILECs have installed in only 6%, and uses that as justification that ILECs don't make investment. The entire cable plant of the ILEC is an investment. For a CLEC a fiber run is a green-field buildout. A new line is always going to be implemented using now-current technologies. For an ILEC the fiber run is just maintenance and expansion because they ALREADY have copper plant installed. To compare one against the other is like saying that the guy who buys a car is making an investment but the guy who changes the oil on the car already purchased does not. It is not an equivalent comparison.

Likewise, saying that the newer, smaller companies have invested more in comparative terms than the established players in newer and faster technologies ignores that ALL of the investments in a startup are going to be in new stuff, so of course the percentage of investment is going to be higher. Is the new carpenter that buys all new tools better than the guy who is already working and has been using the same hammer for the last 20 years? Tooling is not something that you can use to make an accurate comparison. You have to look at what they do with the tooling. From THAT you can say that the smaller companies are doing a better job at serving the consumer.

I am sceptical of the statement in the article that there is no place in the country where an ILEC or cable company, in the absence of a competitive carrier reusing their lines, offers broadband as currently defined by the FCC. If true, it says more about the FCC and their changing definition than it does about ISPs, because I've been on broadband for over 20 years.

And you really expect me to believe that an incumbent carrier only offers faster lines when they are pressured by competition? If that were true, we would still be on 128K DSL because the lack of competition would never have driven carriers to improve. Heck, we might even still be on dialup.

Consumer demand is what drives growth, not competition. Competition can SOMETIMES help drive consumer demand, but it does not directly drive company growth. Consumer demand is more than just the consumer wanting it, it is the consumer willing to PAY for it. When consumer demand exceeds the existing supply, a new supplier will form to pick up the slack. When consumers were willing to pay for service above what Sprint offered, Sonic was formed to take up that slack. Good for them, good for the consumer, and that is how the free market is supposed to work.

"Big Cable" is bad enough that you don't have to make stuff up to discredit them. It looks like the report on which this article was based would have been better subtitled "how to lie with statistics"

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Donn Bly

Re: Code

They are running code in my machine without my explicit consent for their own benefit..

That statement is correct for just about any website that you visit, including this one. If that alone were the problem then every website that uses any kind of browser scripting would run afoul.

You didn't explicitly give the site permission to validate that you entered a valid date before submitting the form? Then that would be a violation in your eyes.

I don't use the bank, but I can definitely see the utility of doing a mini-scan warning you of potential RAT or remote access software being active before you are given the chance to enter your userid or password. However, it should probably be put on the page as a first step, ie, a message displayed that says "click continue to run a prerequisite security check before entering your userid".

Alaskan borough dusts off the typewriters after ransomware crims pwn entire network

Donn Bly

Using Old Backups

Seriously? For most people having a recovery plan that involves using backups is not only normal, it is part of best practices.

The fact that some of the backups are a year old isn't abnormal either. If the source code of a software package hasn't changed in years, artwork for logos, etc., then why NOT use a years-old backup that you know is safe?

When restoring a backup in this situation you want the OLDEST backups that have the data you need, not the newest.

They had "disaster recovery" servers. I read that as hot spares with automatically replicated data. Unfortunately, automatically replicated data means a lack of air-gap, so they got infected with everything else because they didn't consider this type of "disaster". How do you recover from that? Well, you bust out your second-tier recovery solution which is generally archived backups.

Yes, this "security event" was enabled by insecure policies and practices. Most likely some administrator had made a decision that a network-wide share that housed executables needed to be read-write (or the applications used demanded it), and/or one or more people with admin access used their admin account daily instead of having a second account. Those two situations - found in the MAJORITY of small networks - cause this type of problem to go from "annoyance" to "major catastrophe".

Basic bigot bait: Build big black broad bots – non-white, female 'droids get all the abuse

Donn Bly

Re: A next step?

(1) The voice used does not match the robot's visual characteristics and the lips aren't synced.

(2) The paper says that they took some of the comments from ADOLESCENTS when they deployed the robots as teachers.

(3) They claim racism but make no effort to categorize the racial diversity of the group making the comments.

(4) They put up a video of a female-styled telepresence android and have a woman give her a hug and grab "her" behind, and they don't expect to get sexualized comments?

Yes, the "study" is a joke.

Did you know: Lawyers can certify web domain ownership? Well, not no more they ain't

Donn Bly

Email from the same domain?

Since it is so trivial to spoof an email, how could they even CONSIDER email from the domain as a "secure" method of validation?

On whois information not being valid: while the whois system has imploded, if someone puts false information in whois and gets a certificate with it, it certainly isn't any LESS secure than allowing them to authenticate with a DNS TXT record or place a file on a webserver.

I did notice about a month ago when I went to try to get a certificate for a new domain name that Comodo no longer accepted gmail email addresses as contacts, even though that was how the domain was registered. Since the domain wasn't going to be used for email we hadn't even considered setting up email for it, so I had to jump through some hoops to make DNS changes to set up MX records and set it up on a mail server JUST so that we could get the cert - only for us to revert back to no email as soon as the certificate was issued. Not overly complicated, just an extra hurdle on a Friday afternoon for an already rushed job. For the next one after that we just used "Let's Encrypt" and didn't bother going back to Comodo.
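The post above compares three ways a CA can check control of a domain: mail to an address at the domain, a DNS TXT record, and a file placed on the web server. The latter two are what ACME (RFC 8555, the protocol behind Let's Encrypt) standardises as dns-01 and http-01. The following is an added example, not code from the comment, from Comodo or from Let's Encrypt, showing what those two checks actually compare: the CA issues a random token, the applicant publishes a value that binds that token to the applicant's own account key (via the RFC 7638 JWK thumbprint), and the CA's validator looks it up. The JWK and the token are constructed sample values, not a real key or a real challenge.

```python
"""ACME dns-01 / http-01 challenge values and the validator-side check.

Added example (RFC 8555 s.8.3-8.4 and RFC 7638); SAMPLE_JWK and SAMPLE_TOKEN
are constructed values, not a real account key or a real CA challenge.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """ACME uses base64url without '=' padding everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required public members only, keys sorted,
    no whitespace. Extra members such as 'alg' or 'kid' are deliberately ignored,
    so the same key always yields the same thumbprint."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, thumbprint: str) -> str:
    """token '.' thumbprint: ties the CA's token to this particular account key,
    so a value published for someone else's order does not satisfy ours."""
    return f"{token}.{thumbprint}"


def dns01_record_name(domain: str) -> str:
    return f"_acme-challenge.{domain}"


def dns01_txt_value(key_auth: str) -> str:
    """dns-01 publishes the base64url SHA-256 of the key authorization, not the
    key authorization itself."""
    return b64url(hashlib.sha256(key_auth.encode("ascii")).digest())


def validate_dns01(txt_records, key_auth: str) -> bool:
    """Validator side: the TXT RRset may hold unrelated records (SPF, verification
    tokens); the check passes if any record equals the expected digest."""
    expected = dns01_txt_value(key_auth)
    return any(rec.strip('"') == expected for rec in txt_records)


def validate_http01(body: bytes, key_auth: str) -> bool:
    """Validator side: GET /.well-known/acme-challenge/<token> must return the key
    authorization; RFC 8555 allows trailing whitespace, nothing else."""
    return body.decode("ascii", "replace").rstrip() == key_auth


# Constructed sample inputs (not a real key; 'alg' is present to show it is ignored).
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB", "alg": "RS256",
              "n": "xOZf3l1x_constructed_modulus_not_a_real_key_Q"}
SAMPLE_TOKEN = "constructed-token-0123456789abcdef"


def run_example(domain: str = "example.com") -> dict:
    """Walk one order through both challenge types and report the results."""
    thumb = jwk_thumbprint(SAMPLE_JWK)
    key_auth = key_authorization(SAMPLE_TOKEN, thumb)
    txt = dns01_txt_value(key_auth)
    # A zone that already carries SPF plus a stale record from an earlier order.
    published_txt = ["v=spf1 -all", dns01_txt_value("stale-token." + thumb), txt]
    return {
        "record_name": dns01_record_name(domain),
        "txt_value": txt,
        "dns01_ok": validate_dns01(published_txt, key_auth),
        "http01_ok": validate_http01((key_auth + "\n").encode("ascii"), key_auth),
        # Same token, different account key: the published value must not match.
        "other_account_ok": validate_dns01(
            published_txt, key_authorization(SAMPLE_TOKEN, jwk_thumbprint(
                {"kty": "RSA", "e": "AQAB", "n": "another_constructed_modulus"}))),
    }


if __name__ == "__main__":
    print(json.dumps(run_example(), indent=2))
```

The point to notice is the binding: because the published value is a hash of token plus account-key thumbprint, neither a forged whois entry nor a spoofed email produces it, and only whoever can write to the zone or the web root can publish it.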

Friday FYI: 9 out of 10 of website login attempts? Yeah, that'll be hackers

Donn Bly

Re: An honest question.

Dozens of websites are compromised every hour, let alone day. How many times a day do you want to reset all of your passwords?

Don't panic about domain fronting, an SNI fix is getting hacked out

Donn Bly

Re: Or we finally switch to IPv6

After further thought, I think you are right and SNI isn't necessary over IPv6 -- but it may not be for the reason you might think.

With IPv6 and every device having its own globally unique address, snooping on the packet for SNI would be pointless because the unique IPv6 address would have already given away any of the information you would have otherwise gained by snooping on the host header.

Congratulations, you just gave me another reason to dislike IPv6, and I didn't realize that was possible.

Donn Bly

Re: How does Encrypted SNI protect against censorship from DNS Providers?

I get that -- but that isn't what the article says. Encryption between you and the DNS provider is a good thing, but at the provider level censorship can still occur and SNI visibility has nothing to do with it one way or the other.

Donn Bly

Re: How does Encrypted SNI protect against censorship from DNS Providers?

But DNS over TLS does not prevent a DNS provider from censoring. The DNS provider still knows the hostname, otherwise they couldn't do the name resolution.

Donn Bly

Re: Or we finally switch to IPv6

So you think that forcing every web site on a single server to have its own, separate IP address is less of an ugly hack than SNI?

Donn Bly

How does Encrypted SNI protect against censorship from DNS Providers?

I've seen this mentioned a few times, including in this article, that SNI visibility can be used by DNS providers for censorship. I question the accuracy of that statement.

I fully get that a "man in the middle" can listen and censor, but that is someone in the middle, not the DNS provider. SNI visibility, or lack thereof, has no impact on the ability of a DNS provider to censor.

First, when talking about SNI we are generally talking about requests to the web server, and those do not go to the DNS server.

Second, in order to resolve the request the DNS provider has to know the host name. DNS protocol transmits the hostname in the clear, but even if the protocol was enhanced to send it encrypted to avoid a man-in-the-middle attack the DNS server would still have to be able to decrypt the packet in order to resolve or forward -- and either way it would have the hostname and could do whatever filtering or censorship desired by the operators.
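The SNI argued about in the comments above is a plaintext field in the very first packet the client sends to the web server, which is why an on-path observer (the ISP, a middlebox) can read it without touching DNS at all. The following is an added example, not code from the comments or from the article, that shows exactly what is exposed: it constructs a TLS 1.2 ClientHello carrying a server_name extension and then parses it the way a passive observer would, recovering the host name from the bytes alone. The builder exists only to produce a sample record; all constants are the standard TLS values (record type 0x16, handshake type 0x01, extension type 0x0000, name_type host_name = 0).

```python
"""Read the plaintext SNI out of a TLS ClientHello, as an on-path observer can.

Added example. build_client_hello() only constructs sample input; extract_sni()
is the observer-side parser.
"""
import os
import struct


def _u8(n: int) -> bytes:
    return struct.pack("!B", n)


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def _u24(n: int) -> bytes:
    return struct.pack("!I", n)[1:]


def build_client_hello(server_name=None) -> bytes:
    """Constructed TLS 1.2 ClientHello with one cipher suite and, optionally, a
    server_name extension. Not a complete hello a real browser would send."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        entry = _u8(0) + _u16(len(host)) + host          # name_type host_name(0)
        sni_list = _u16(len(entry)) + entry
        extensions += _u16(0x0000) + _u16(len(sni_list)) + sni_list
    body = (_u16(0x0303) + os.urandom(32) + _u8(0)     # version, random, empty session_id
            + _u16(2) + _u16(0xC02F)                   # one cipher suite
            + _u8(1) + _u8(0)                          # null compression
            + _u16(len(extensions)) + extensions)
    handshake = _u8(0x01) + _u24(len(body)) + body     # HandshakeType client_hello
    return _u8(0x16) + _u16(0x0301) + _u16(len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None when the
    record is not a ClientHello, is truncated, or carries no SNI."""
    if len(record) < 5 or record[0] != 0x16:          # not a Handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                  # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    p = hs[4:4 + hs_len]
    if len(p) < hs_len:                               # truncated capture
        return None
    i = 2 + 32                                        # skip client_version + random
    if i >= len(p):
        return None
    i += 1 + p[i]                                     # session_id
    if i + 2 > len(p):
        return None
    i += 2 + struct.unpack("!H", p[i:i + 2])[0]       # cipher_suites
    if i >= len(p):
        return None
    i += 1 + p[i]                                     # compression_methods
    if i + 2 > len(p):                                # no extensions block at all
        return None
    ext_len = struct.unpack("!H", p[i:i + 2])[0]
    i += 2
    end = min(i + ext_len, len(p))
    while i + 4 <= end:                               # walk the extension list
        etype, elen = struct.unpack("!HH", p[i:i + 4])
        i += 4
        edata = p[i:i + elen]
        i += elen
        if etype == 0x0000 and len(edata) >= 5:       # server_name
            list_len = struct.unpack("!H", edata[:2])[0]
            j = 2
            while j + 3 <= min(2 + list_len, len(edata)):
                ntype = edata[j]
                nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                name = edata[j + 3:j + 3 + nlen]
                if ntype == 0 and len(name) == nlen:
                    return name.decode("idna")
                j += 3 + nlen
    return None


if __name__ == "__main__":
    sample = build_client_hello("www.example.com")
    print(extract_sni(sample))                        # www.example.com
    print(extract_sni(build_client_hello(None)))      # None
```

Run against a real capture, the parser gives the observer the host name from a single packet, independent of which resolver answered the lookup; with encrypted SNI the extension would still be visible in the list, but the name would not be recoverable this way.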

'Fibre broadband' should mean glass wires poking into your router, reckons Brit survey

Donn Bly

Re: I suspect that as a percentage of the total the number is quite small.

Actually the survey clearly shows the exact opposite - that people DO NOT understand the details of the connection. The proof of that is that they think that "fibre" means fibre all of the way to the premises when in fact only 3% of the country has that infrastructure, and if they DID understand the details then they wouldn't be confused about the difference between FTTP and FTTC.

People may think that they care, and say that they do, but that is usually because they have been confused by the marketing hype. All they REALLY care about is that they can stream their cat videos and porn without interruption. The method of delivery is as meaningless as the video codec used - as long as the video flows they really don't care how it was encoded or compressed.

Yes, FTTP is nice. I have it at several of my locations. Every building can have its own light channel all of the way to the headend, on a circuit that is not subject to RF interference and new enough that the problems that face aging infrastructure such as water incursion aren't going to be a major problem.

However, most people don't actually want to PAY for it if less expensive alternatives that are "almost" as good are available.

In my experience if a consumer is provided with two choices, even if one is clearly superior to the other, then they will still usually choose the less expensive one (and then complain because it isn't as good as the more expensive one).

I am all for clear and accurate advertising so that consumers can make informed decisions. However, instead of worrying about HOW the product is delivered, why not concentrate on the product itself? Advertise true rates, have actual service level agreements with committed information rates, and let the consumer decide. If you have a 1 GB low-latency low-jitter circuit do you really care if it is handed off to you as fibre, coax, or twisted pair? If so, then you should ask yourself why, because the only difference is marketing hype.

Apple emits iPhone cop-block update – plus iOS, macOS, Safari patches

Donn Bly

Re: Preventing it from going into USB restricted mode

Why would the phone allow ANY connection via USB if it is locked?

I know that my Android phones don't. If I want to access them via USB, I must unlock them first.

Sueball claims Apple broke hacking laws with iOS batt throttling code

Donn Bly

Re: Trespass to chattels?

Well, if you run that OS you have already given your express permission - at least in their mind.

The reason this case should fail, however, is that the processor throttling code was designed to preserve the advertised functionality of the equipment to ensure that it continued to meet the advertised fitness for purpose. They advertised battery life in hours, not how many iops the processor gives any particular app at any time. As part of basic system maintenance they extended battery life so that it came closer to that of when the unit was new, and did so without taking away any of the abilities of the device.

Contrast this to Samsung, who slowly killed off each of the features on my S6 Active that I used until the phone no longer performed the functions for which I purchased it.

Yes, Apple should have been more transparent - but when has Apple been transparent about anything other than their store furnishings?

They grow up so fast: Spam magnet Hotmail turned 22 today

Donn Bly

Re: GMail

You will need your GMail passwords once you replace the phone and the tablet - or need to do a factory reset.

And even the passwords might not be enough when you have turned on two-factor authentication. Guess what happens when your authentication device is the one that needs to be replaced, and you have to log into your account first in order to do it....

In my case luckily I had one machine that I had marked as "trusted" and was still logged in -- I had to drive to that location to turn off two-factor authentication, then drive back to the store to get the phone replaced. Backup SMS authentication? Well, that also went to the dead device... Backup phone number? That went to a land line whose anti-telemarketer protection rejected the calls from Google as spam.... Then I had to re-set up everything that I had using Google Authenticator for two-factor since you can't restore them or transfer them to another device....

USB-C for Surface owners arrives in form of a massive dongle

Donn Bly

Re: Ooooh...

I'll take it off your hands for you. I'll even pay shipping....
