Re: Sigh. Those were the days.
Remember when there were books (you know, those things with paper) that told people about all "the best" websites?
137 posts • joined 2 Feb 2008
By generating fictitious people, you can get past the problem of having to put faces in presentations without violating anyone's privacy.
Anyone know what usage rights thispersondoesnotexist images are out there under? I just know I'm going to be asked if I suggest this to a few people.
but nobody is hand ploughing the fields any more
Maybe not where you live. And truth be told, it's not as common as it was a decade ago here, but it still happens. Judging by how long the neighbour spent trying (failing) to get his tractor going at the weekend, he might be tempted to go back to hay-power.
Oh.... just read the original problem report... It's NOT tampering with the checksums, it's bypassing them, because (A) the inter-process channel (between apt-acquire and apt) quotes some progress stuff literally from the HTTP communication, and (B) the signature file can include pre-signature junk, e.g. an entire .deb!
Thanks to the extra junk in the channel, the master process gets fed the wrong signatures and dpkg gets told to install the signature file not the verified package, and I guess it ignores the trailing signature.
So it's really an out-of-band data / injection attack that sneaks in an extra payload after the cryptographic checks have passed, and it basically means that someone controlling a mirror can inject anything she likes to her users.
To my mind the master/worker roles probably need rethinking, so that the type of filename replacement used here and such-like aren't possible in future versions, not to mention that the downloader shouldn't be responsible for only half of the security checks.
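The injection the post above describes, as an added example that is not part of the original post and is not apt's real wire format: a hypothetical line-oriented worker-to-master protocol (status line, "Key: value" lines, blank-line terminator) in which the worker copies an HTTP Location header literally. A mirror that puts a blank line followed by a fake status message into Location gets the master to accept a message the worker never sent, which is exactly the sort of filename replacement the poster is worried about. The hardened encoder percent-encodes values so they can never collide with framing. All names, URIs and message codes here are made up for the illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import quote, unquote

# Hypothetical worker->master framing (NOT apt's real protocol): a status
# line, "Key: value" lines, and a blank line terminating each message.


def encode_message_naive(code: int, text: str, fields: Dict[str, str]) -> str:
    """Copy values literally: a value containing "\\n\\n" closes the message
    early and whatever follows it is parsed by the master as a new message."""
    lines = [f"{code} {text}"] + [f"{key}: {value}" for key, value in fields.items()]
    return "\n".join(lines) + "\n\n"


def encode_message_safe(code: int, text: str, fields: Dict[str, str]) -> str:
    """Same framing, but every value is percent-encoded so CR, LF and ': '
    coming from untrusted input can never be mistaken for framing."""
    lines = [f"{code} {text}"]
    for key, value in fields.items():
        if any(ch in key for ch in ":\r\n"):   # keys come from our own code
            raise ValueError(f"bad field name {key!r}")
        lines.append(f"{key}: {quote(value, safe='/:?=&')}")
    return "\n".join(lines) + "\n\n"


def parse_messages(stream: str, decode_values: bool = False) -> List[Tuple[str, Dict[str, str]]]:
    """Master side: split on blank lines, then split each field on ': '."""
    messages = []
    for block in stream.split("\n\n"):
        if not block.strip():
            continue
        status, *field_lines = block.split("\n")
        fields = {}
        for line in field_lines:
            key, _, value = line.partition(": ")
            fields[key] = unquote(value) if decode_values else value
        messages.append((status, fields))
    return messages


def worker_report_redirect(original_uri: str, location: str, encoder) -> str:
    """The worker fetched original_uri, got an HTTP redirect, and relays the
    Location header to the master.  `location` is attacker-controlled."""
    return encoder(103, "Redirect", {"URI": original_uri, "New-URI": location})


# Constructed sample input: a mirror whose Location header smuggles a
# complete fake "201 URI Done" message after the genuine URI.
GOOD_URI = "http://mirror.example/pool/libfoo_1.0_amd64.deb"
INJECTED_LOCATION = (
    GOOD_URI + "\n\n"
    "201 URI Done\n"
    f"URI: {GOOD_URI}\n"
    "Filename: /var/cache/apt/archives/attacker-chosen.deb"
)


def demo() -> Tuple[int, int]:
    """Return (messages the master sees with naive framing, with safe framing)."""
    naive = parse_messages(worker_report_redirect(GOOD_URI, INJECTED_LOCATION, encode_message_naive))
    safe = parse_messages(worker_report_redirect(GOOD_URI, INJECTED_LOCATION, encode_message_safe),
                          decode_values=True)
    return len(naive), len(safe)


if __name__ == "__main__":
    n_naive, n_safe = demo()
    print(f"naive framing: {n_naive} messages (the second one forged); safe framing: {n_safe}")
```

With the naive encoder the master parses two messages and the second, forged one names a file the master never verified; with percent-encoded values the newline arrives as "%0A" inside the New-URI field and the master sees exactly one message, with the hostile Location recoverable as an ordinary (if odd-looking) string.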
Yes, they are, but the checksums are equally unsafe, because ... they're downloaded via HTTP :)
But the checksums are in files which are themselves digitally signed, aren't they? That's why you can't just start using any old repo, but need to tell GPG about the repository signing key too.
And the public key arrives over https, from a keyserver.
Are they saying that despite requiring a key they're not using it properly? I don't understand...
I thought hyperthreading was basically a set of alternative registers for the same hardware?
My definition of core is probably wrong, but I'd have thought a core was defined by a patch of silicon that would continually (barring interrupts) burn cycles given "NOOP; JMP -1" and had its own set of general purpose registers.
Hyperthreading fails at the "continually" bit. It's just clever time-sharing. Branch prediction units, etc. don't have a complete set of their own registers (unless I'm wrong), so they're not cores either. On-chip caches, FPU, prefetch and all the rest of the fluff that keep the bits flowing and feed spectre/meltdown so well cannot be part of the definition of a CPU core, otherwise you're saying that a 6502 / Z80 / 286 / atmega-328p don't have a core.
They bought X houses, and it turned out they were semi-detached. Sorry, you should have read the spec, it's still a house. Round here you can't even guarantee indoor plumbing in a house. Maybe you want it, maybe (because of where you're from) you expect it, but it's still a house without it.
Someone whose endpoint IP address said they're in the Ukrainian Republic has told their browser it's a googlebot.... Which shows an odd attitude to security, since they were about the only browser that can't talk TLSv1.2 connecting to a site I administer. They need to pretend to be something different or update their browser if they want to pretend that now.
I'm told that there are those who think the market is seeking the stuff's true value which is very likely $0.
I'm looking forward to the time when owning bitcoin is taken as strong evidence of operating some kind of bot-net, selling something illegal or dining on the blood of polar bear cubs (or other global-warming victim), and thus the value in several sectors of society is negative.
Then I can say 'told you so' as I get my coat.
Then high spec machines would include extra separate modules hanging off the bus/network so that eg. game engines didn't interfere with google docs.
And there'd be some kind of manager thingy on the main computer to let you interact with the different untrusted-compute devices while maintaining isolation. Actually, maybe the display/HID ought to be a separate device, maybe with a really simple RO filesystem, and everything work via that main UI box too. ...
Oh. prior art, my UI box has just basically become an X server hasn't it?
As a parent of teenagers and younger, it's quite handy knowing that my kids are not going to be able to do some involuntary bitcoin mining for nasty.smut.site without going to extreme measures, nor stumble on disturbing rubbish. Blocking DNS except via trusted (blacklisting) servers does that for me, has done that for me, and I hope will keep doing that for me.
Except that Firefox has now published a 4 step process to break that entire model.
Given that practically everything uses SNI and so sends the destination host out as plain text these days, the 'poor guy in china' security red-herring is just that, unless he's also using a VPN. In which case, why are we having this conversation?
To my mind this is at least 95% about ensuring that the smut industry can deliver their filth. I really cannot see any other party that benefits from it.
This sounds like a great ignoble prize research topic: (chipped) animal behaviour influenced by external RF sources, via the nice warm neck (or wherever the chip got put) syndrome. What you need to do is set up another (identical) router a few feet away and alternate which one has its WiFi transmitter on. Correlate with cat's favourite resting place...
"Add a small UPS, and it will keep on working - the other endpoint should already have it. That should become part of the standard install, though."
It should but they don't, not even round here where power cuts are commonplace.
FYI, there are loads of CCTV type sealed lead-acid battery-backed 12v power supplies out there, some of which are complete with a nice box and low voltage cut-out to stop you under-voltaging the cells. Cost is around 30 quid. Add a low-drop 12v regulator (or a step-down DC-DC converter if you need 5v) just in case your ISP's box doesn't want 14v with ripple, and Bob is the brother of one of your parents, as they say.
I now get at least 8 hours' internet/phone compared to around 1 hour if the thing was going up to mains freq and back to 12v again.
It's probably just a little bit of consumer preference/user interface testing. Where are people most likely to click? The link at the bottom or the one in the middle of the screen the user accidentally triggers while trying to persuade their stupid phone to respond to that really complex user interface interaction known as "scrolling back up to find the delete button".
Or is that just me?
Yes, this would be the point that makes me think of rolling out HSTS. But I'm also thinking of dumping TLSv1, and those two decisions put together means some of our readers (the ones with android 4 devices) get kicked off the site....
Maybe I need to convince relevant people we need a mobile version of the site which does older TLS versions, and conditional redirects / header setting.
In Europe, the half-hearted attempt at safety shutters on Schuko/French sockets relies upon the pins pushing sloping shutters out of the way, a motion which is only made possible by the presence of some kind of lubricant. When said lubricant has melted/vanished/gone sticky, or when the track/pivot on which the shutters are laughingly described as moving is no longer in perfect condition, the only remaining way to get the pins into the socket is to wiggle, twist and apply extreme force, e.g. with a large hammer. Said tool of course further damages the shutters and does bad things to the cable, and the whole process may lead to bruising of the head against nearby brick walls.
Add to this the disaster known as "switched socket, what's that?" and you have to unplug / plug in the stupid things far more than you would in the UK.
32K? Thirty two? What luxury! You could play acorn invaders and rat race in 3K, as long as you could get the volume right on the tape player.
3K of RAM really taught you how to watch your code for bloat.
The first Linux distro I used fitted on 2 floppies, if I remember right that was including gcc.
What's the baud rate for a tin cup and a piece of string?
If you can get hold of some light, inextensible string, as beloved by high-school physics teachers, then your signals arrive instantaneously (0 propagation delay, since the string will not extend) and depending on the mass of your cup then your data rate could exceed that of all known network cables.
Unfortunately the last time I looked, they'd stopped making it. Something about the laws of physics.
C15? C15? Wow, you lucky guy!
Try finding your program when it's somewhere on a C90 and the tape counter's broken.
Not to mention the pain of discovering that even after upgrading to a whopping 3k of RAM you don't have the space to implement a high-score table as well as use colour graphics.
Youngsters these days...
One little-discussed 'gotcha' of SNI is that, unexpectedly to the user who's been told 'no one can see what you're browsing with https' ... with SNI they can. Because SNI isn't sent encrypted.
This gets significant when you, say, live in Iran and want to visit 'www.how-to-become-a-christian.org', (or in USA and want to visit 'diy.nuke.designs.nk')
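To show the point made in the two SNI posts above (this one and the earlier reply about DNS filtering), here is an added example, not part of either post: it builds a minimal TLS ClientHello carrying a server_name extension and then recovers the hostname from the raw bytes the way a passive observer on the path would, before any key exchange has happened. The random, cipher list and the hostname are constructed placeholders; the parser also returns None for a truncated record or one without extensions rather than crashing.

```python
import struct
from typing import Optional

# Added example: the SNI hostname sits in the first, unencrypted record of
# the TLS handshake.  Everything below is constructed; no real client values.

SNI_EXTENSION = 0x0000   # extension type "server_name"
HOST_NAME = 0            # NameType host_name


def build_client_hello(hostname: str) -> bytes:
    """Minimal ClientHello: placeholder random, two cipher suites, one
    unrelated extension, then the server_name extension."""
    name = hostname.encode("idna")
    entry = bytes([HOST_NAME]) + struct.pack("!H", len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    sni = struct.pack("!HH", SNI_EXTENSION, len(name_list)) + name_list
    other = struct.pack("!HH", 0x002B, 3) + b"\x02\x03\x04"   # supported_versions; parser skips it
    exts = other + sni
    body = (b"\x03\x03" + bytes(32)                            # client_version, 32-byte random (zeros here)
            + b"\x00"                                          # empty session_id
            + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"       # two cipher suites
            + b"\x01\x00"                                      # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record layer: handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk record -> handshake -> extensions and return the host_name,
    or None if the bytes are not a ClientHello carrying one."""
    try:
        if record[0] != 0x16:                       # not a handshake record
            return None
        (rec_len,) = struct.unpack("!H", record[3:5])
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                           # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        p = 2 + 32                                  # skip client_version and random
        p += 1 + body[p]                            # session_id
        (cs_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2 + cs_len                             # cipher_suites
        p += 1 + body[p]                            # compression_methods
        if p + 2 > len(body):                       # no extensions block at all
            return None
        (ext_len,) = struct.unpack("!H", body[p:p + 2])
        p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", body[p:p + 4])
            p += 4
            data = body[p:p + elen]
            p += elen
            if etype != SNI_EXTENSION:
                continue
            q = 2                                   # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                (nlen,) = struct.unpack("!H", data[q + 1:q + 3])
                q += 3
                if ntype == HOST_NAME:
                    return data[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.how-to-become-a-christian.org")
    print("hostname visible on the wire:", extract_sni(hello))
```

The hostname is findable as plain ASCII inside the record, which is why a middlebox doing DNS-independent filtering (or an eavesdropper) needs neither the DNS query nor any keys to see where the browser is going.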
Back in the days pre-Y2K, when I was a postdoc researcher in space debris impact science, we had various bits of data about the properties of highly compressed metals we were using (for entirely peaceful purposes) that originally came from one of those ^^^ .
The nice guys who let us play with their data would have been rather unhappy at the thought of, say, a (very strictly internal!) report that included such gems being exported to wherever MSoft decided to send it.
I vaguely seem to remember that thermite was one of their recommended disk-disposal methods to ensure compliance with arms non-export / non-proliferation regulations, when more serious tools weren't available. Just imagine the help-desk call for that one.. Hello, I have reason to believe you've just slurped some nuclear secrets. Where do Uncle Sam's guys with the thermite need to go to ensure that it doesn't proliferate?
Excuse me for being stupid... if I was designing something to connect the engine management system to entertainment system - presumably for display purposes? - it would be strictly one way, probably with 1-way, physically separated opto-couplers, so that some kid pouring coke into the entertainment system had zero chance of inflicting, say, 50w of audio signal onto the can-bus.
Why would anyone want to let the stereo muck about with engine management?
Isn't this wrong? There are multiple options for the legal basis, consent is only one of them. They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement.
The biggest "problem" is when they used to rely on 'we could do it, and we're too big to bother with fines, so we did it.' For some reason that isn't in the GDPR.
I wonder what happens if/when someone (on May 26th) demands MS (a) hand over all the data they have on them (b) delete it, (c) never collects any more, (d) does not contact them for advertising purposes.
Does MS send them a complimentary copy of Windows 95, freedos, or ubuntu?
My wife half-expects that at some point the sum total of IT/networking/power distribution will become so complex and (for want of another term) balkanised into specialisms, that it essentially becomes impossible for humanity as a whole to maintain it, and then something will break and we'll be back to heating with wood and communicating with pen and ink (or maybe IT jobs will become more critical to society than doctors/nurses and we'll all die from treatable diseases??).
When you add in obsolescence, shortening product-lifecycles and lost/outdated skill-sets (is anyone anywhere employed as a thermionic valve designer any more? How many people can read amd64 assembler compared to the numbers who could write 6502 or Z80 30 years ago?) then I tend to agree with her.
I HAVE seen, in a book my son was lent by his school teacher, about a year ago, exactly this sort of code. Take variable from $_GET, build string by concatenation, pass to SQL. No input checking at all.
Someone - big name publisher - made money selling that book. Someone wants to make money selling the revised version, which I'd hope talks in detail about sanity checking and prepared statements.
Someone ought to be offering a permanent recall on the early version of the book and free-replacement including shipping to anyone with a copy, because it was plainly never fit for sale. Instead, copies are still being lent to school kids by teachers because the school budget can't afford to restock the library.
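The pattern the post above objects to, beside the two fixes it asks for, as an added example that is not from the post or from the book it mentions. The request dictionary stands in for $_GET, and it is in Python with sqlite3 rather than PHP so it runs stand-alone; the table and users are constructed.

```python
import re
import sqlite3
from typing import List, Tuple

# Added example: string concatenation vs a parameterised query, plus an
# allow-list sanity check in front of the query.  Table contents are made up.


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)",
                     [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")])
    return conn


def lookup_by_concatenation(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """The textbook shape: the request value is glued straight into the SQL text,
    so a quote in the value ends the literal and the rest becomes SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_with_placeholder(conn: sqlite3.Connection, name: str) -> List[Tuple[str, str]]:
    """Parameterised query: the value is bound separately from the SQL text,
    so quotes inside it are just characters of the name being compared."""
    return conn.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


USERNAME = re.compile(r"[a-z0-9_]{1,32}")


def is_valid_username(name: str) -> bool:
    """Allow-list check (the 'sanity checking' half): reject anything that is
    not a plausible username before it goes anywhere near the database."""
    return USERNAME.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, request_args: dict) -> List[Tuple[str, str]]:
    """Validate, then bind: belt and braces."""
    name = request_args.get("name", "")
    if not is_valid_username(name):
        raise ValueError("username rejected")
    return lookup_with_placeholder(conn, name)


if __name__ == "__main__":
    db = make_db()
    hostile = {"name": "bob' OR '1'='1"}   # constructed, stands in for $_GET['name']
    print("concatenated:", lookup_by_concatenation(db, hostile["name"]))   # every row leaks
    print("placeholder: ", lookup_with_placeholder(db, hostile["name"]))   # no such user
    try:
        lookup_hardened(db, hostile)
    except ValueError as err:
        print("hardened:    ", err)
```

The concatenated version returns every user for the hostile value; the bound version returns nothing, because it is looking for a user literally named `bob' OR '1'='1`; the validating version never runs the query at all. Placeholders are the fix, and the allow-list is the cheap extra layer that also catches junk before it reaches an error message.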
Ob disclaimer: I have no connection with anyone in the above certificate fiasco. And I expect that no one bothered fixing it because that would take time. WHY do CAs who ask for your private keys still get any custom?
I thought the whole thing about the one pin, was that assuming you don't want to be subject to the evil overlord, you needed to throw it into Mount Doom? (see icon for effectiveness >>>>)
Now all we need to do is work out how you do that to the customer services bod....
Biting the hand that feeds IT © 1998–2019