* Posts by Justin Pasher

133 posts • joined 13 Aug 2008

San Franciscans unite to smite alt-right with minefield of doggy shite

Justin Pasher

Re: Fines?

"I fully support your right to free speech, so long as you also accept my right to throw sh*t at you..."

Actually, that would probably be considered assault, so not actually a right you are granted.

11
0

Hey America! Your internet is going to be so much better this January

Justin Pasher

Re: The answer should be Yes and Yes

"No, no. broadband is cable/coax delivered internet. DSL is phone-based internet. And FiOS is fiber optics."

Now you're just playing a game of semantics. By this statement, you are saying a DSL and FiOS connection should not be called a broadband internet connection. Now I no longer have broadband service, along with millions of others! We need more competition, stat!

5
0

The Atari retro games box is real… sort of

Justin Pasher

Re: PC technology?

That's what I see in my mind. A redesign of the original housing with a RPi inside. Done.

You've got HDMI, four USB, and it runs an emulator. The original Atari 2600 hardware is so old, computers from 20 years ago could emulate the games at full speed with no problem.

11
0

Debian 9 feels like home with security upgrades and a flaming vulpine warming your toes

Justin Pasher

Re: libsystemd0

Are you sure that matters?

I haven't had a chance to test an upgrade yet, but all of my machines are set up using SysV (package sysvinit-core). They also all have libsystemd0 already installed. I know the key package to avoid in Debian Jessie was systemd-sysv. Perhaps it changed in Stretch? I'm hoping not.

0
0

Qubes kicks Xen while it's down after finding 'fatal, reliably exploitable' bug

Justin Pasher

Re: 64-bit

I think it's just more of a terminology semantics issue. I'm sure he just means 64-bit systems running on hardware utilizing the x86-based instruction set (versus ARM, MIPS, etc). Sure "amd64" or "x86_64" would be more correct, but I think most would understand what he means.

0
0

Tesla hit by class action sueball over autopilot software updates

Justin Pasher

Pay to play

So Tesla has brought the DLC world of gaming to cars? Before we know it, you'll be able to buy the "shell" of a car for next to nothing, but spend $30k in DLC to add functionality like braking, top speed unlock, multiple radio stations, etc.

4
1

BOAR-ZILLA stalks Fukushima's dead zone

Justin Pasher

Re: Mutant daisies

I guess you forgot the Joke Alert icon...

http://www.snopes.com/nuclear-mutant-daisies/

1
0

Google gets smooth early Android releases. OEMs are struggling

Justin Pasher

Re: Awww.... come on !

"The whole point is that Google are showing that it's entirely possible to bring updates out, consistently, and frequently."

I don't quite see why people miss the big reason why non-Google phones have a longer delivery cycle. Have you ever used a Google phone versus another manufacturer like Samsung? If you have, you'd notice the obvious difference. Samsung has put a lot of work into making their interface consistent across all of their devices via the TouchWiz interface. If you compare the S4 through the S7, you'll notice that all of them operate very similarly (interface-wise). Google simply takes what they've created as stock and slaps it on the phone. When a new release comes out, they can easily deploy it because everything in the release is basically exactly what goes on the phone. Samsung has to update, tweak, and compatibility test all of the customizations they have made to integrate them into the new release. If Samsung ran stock, I'm sure major updates would be released a lot faster. If you look at the security point releases for the S7, Samsung actually keeps pace quite well.

You also have the issue with carrier tie-in. It's why the Samsung on AT&T can receive the update on a different timeline than the exact same Samsung on Verizon. Each carrier will want their own control over how things are built to make sure their own cruft gets included.

3
0

Open source Roundcube webmail can be attacked ... by sending it an e-mail

Justin Pasher

Bad, but not critical (for some)

The article misses an important note about the security hole.

"[It's] only relevant to Roundcube installations not having an SMTP server configured for mail delivery"

If you've set it up to use an SMTP server (even just localhost), it doesn't use the mail() command to send the email. See the $config['smtp_server'] variable in config/config.inc.php to check.

5
0

Decade-old SSH vuln exploited by IoT botnet armies to hose servers

Justin Pasher

@AC

From my reading of the articles (and my own testing), the issue at hand is that many default SSH daemon configurations for IoT devices leave TCP forwarding enabled by default (AllowTcpForwarding). This basically means "open proxy for people that can authenticate".

Once a user authenticates (be it via password or public keys), even if they don't have a valid shell defined for their account, they can still do port forwarding. Since many IoT devices are going to be using default username/password combinations, if someone can access the SSH daemon on that device, they can use it as a proxy. If they don't have the credentials or the public key (when using key based authentication), they can't do anything, even if AllowTcpForwarding is enabled.

Moral of the story: don't allow unprotected SSH to an IoT device (or really any device) and make sure it's not using default or common credentials for access. Also, if you don't need it, turn AllowTcpForwarding off.

6
0
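An added example, not from the post or from OpenSSH: a small audit of an sshd_config global section that flags the AllowTcpForwarding default the post describes, alongside the credential settings the "moral of the story" touches on. The sample config is constructed, and the parser applies two documented sshd_config(5) rules: the first occurrence of a keyword wins, and anything after the first Match block is conditional, so only the global section is evaluated.

```python
"""Audit the global section of an sshd_config for forwarding and credential settings."""
import re

# Built-in OpenSSH defaults used when a directive is absent (sshd_config(5)).
DEFAULTS = {
    "allowtcpforwarding": "yes",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
}

# Constructed sample: a minimal config that never mentions forwarding at all.
SAMPLE_IOT_CONFIG = """\
# sshd_config shipped on a hypothetical device
Port 22
Protocol 2
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    AllowTcpForwarding no
"""


def parse_global_settings(config_text):
    """Return the effective global directives, lower-cased, with defaults filled in."""
    settings = dict(DEFAULTS)
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # Keyword and argument are separated by whitespace or a single '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # everything below applies only to matched sessions
        if len(parts) < 2 or key in seen:
            continue  # first value wins, as in sshd
        seen.add(key)
        settings[key] = parts[1].strip().lower()
    return settings


def audit(config_text):
    """Return human-readable findings; an empty list means nothing to flag."""
    s = parse_global_settings(config_text)
    findings = []
    if s["allowtcpforwarding"] != "no":
        findings.append(
            f"AllowTcpForwarding={s['allowtcpforwarding']}: any account that can "
            "authenticate, even without a usable shell, can relay TCP connections "
            "through this host"
        )
    if s["passwordauthentication"] == "yes":
        findings.append(
            "PasswordAuthentication=yes: default or shared passwords are enough to "
            "reach the forwarding above; prefer key-based logins"
        )
    if s["permitemptypasswords"] == "yes":
        findings.append("PermitEmptyPasswords=yes: accounts with empty passwords can log in")
    if s.get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin=yes: root can log in directly with a password")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_IOT_CONFIG):
        print("-", finding)
```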

Yelp wins fight to remain morally bankrupt

Justin Pasher

Re: @Phil W

To me, it looks like Yelp wants to have its cake and eat it too. They argue that they are immune because they do not control the content of the site, yet they are pursuing someone with a bad review to get a commitment to buying advertising ... to alter the content on the site.

Not quite racketeering, since I'm sure they don't try to sell advertising just to people with low review scores. Sounds a lot more like just simple (possibly indirect) blackmail.

12
0

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Justin Pasher

Re: Dumb idea IMO..

The one-IP-address-per-site thing is very rarely an issue nowadays. Just use shared IP addresses and SNI. Unless you're trying to support IE on Windows XP, you'll rarely find a case where anything remotely modern doesn't support it.

6
0

Pains us to run an Apple article without the words 'fined', 'guilty' or 'on fire' in it, but here we are

Justin Pasher

Don't get out much?

"An ancient, single-purpose analog connector doesn't make sense because that space is at a premium"

I guess he thinks only headphones plug into a 3.5mm port. Good thing they broke away from compatibility to save a little space. I'm sure many wouldn't mind a phone that's a few millimeters thicker in order to keep the port.

15
0

Life imitates satire: Facebook touts zlib killer just like Silicon Valley's Pied Piper

Justin Pasher

Apples and oranges

It's a little unfair to compare a multi-core capable zstd to single-core zlib. Try comparing it to something like pigz and then see how much improvement there is. It looks like the compression ratio is pretty negligible, while the compression/decompression speed is a big difference (but that's where multi-core capabilities would be expected to shine).

2
0

Facebook to forcefeed you web ads, whether you like it or not: Ad blocker? Get the Zuck out!

Justin Pasher

Errrmmh....

The thinking behind the move, says Facebook, is to eliminate complaints that folks have had about irrelevant or irritating ads

... so, all ads then?

58
0

Windows Server-as-a-service: Microsoft lays out Server 2016's future

Justin Pasher

@Chika

I don't think it works that way (at least for W2K16 Standard). According to the FAQ:

The Standard Edition of Windows Server 2016 and System Center 2016 will license up to 2 VMs or 2 Hyper-V containers when all of the physical cores on the server are licensed.

and

Standard Edition provides rights for up to two virtual OSEs when all physical cores on a server are licensed.

It means even if you have a single Windows guest VM that is only assigned one processor with one core, you still have to fully license the physical server it's running on. That's how the current Windows 2012 license works (but since it's processor based, it's more straightforward).

0
0

You Acer holes! PC maker leaks payment cards in e-store hack

Justin Pasher

Re: Storing CC security verification codes

Per PCI DSS section 3.2.2:

Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

This goes all the way back to PCI DSS 1.2 (2008). But hey, we like to treat them more like "guidelines" than rules.

26
0

Hack probing poodle sacrifice cuffed for public crap

Justin Pasher

It's Friday

Hey, Smokey back here taking a s***!

0
0

Linux greybeards release beta of systemd-free Debian fork

Justin Pasher

Re: bsd and systemd

I have bsdutils installed on a Debian Jessie system running sysvinit. The package depends on libsystemd0, not the full systemd init system. In fact, running sysvinit is officially supported in Debian Jessie. You just have to do some work yourself.

https://www.debian.org/releases/stable/amd64/release-notes/ch-information.en.html#systemd-upgrade-default-init-system

Whether this will still be the case when Debian Stretch becomes stable next year is anybody's guess.

4
0

Verizon peeps gobbled by Frontier enter week two of crap internet

Justin Pasher

@CommodorePet: Re: Guess I'm a lucky one

The little bit I've used WMC, it's not that it's bad, it's just not as good as MythTV. The scheduling capabilities of MythTV completely blow other DVRs out of the water. Recording specific titles, time slots, previously recorded detection, automatic commercial flagging, etc. Then you have the Power Search feature where you can build an SQL query to choose the programs to record.

Since Microsoft has officially discontinued WMC on Windows 10 (and thus will stop supporting it on Windows 7 when its support ends in 2020), the options are getting scarce. Silicon Dust (makers of the HDHR) are working on HDHomeRun DVR as an alternative to WMC, but they've been working on it for almost a year and it still lacks a lot of features (and doesn't support "Copy Once" channels yet). It looks promising, but who knows when it will be finished, and I still won't be able to stream to my MythTV box.

0
0
Justin Pasher

Guess I'm a lucky one

I live in the Dallas, TX area and so far I haven't had any problems with my internet connection (my IP address even stayed the same). The traceroute does show it taking a path through the Frontier network now, so maybe they've only changed things a few hops upstream. However, I have heard a few people in the same general area that have been having problems (e.g. someone paying for 75/75 service and now only getting like 16/12 on a speedtest). I tested mine last night and was still getting the 50/50 service to which I'm subscribed. They did break reverse DNS though (at least for my IP address), which can cause delays on SSH connections that try to perform reverse DNS lookups (i.e. the default config).

My biggest worry is if/when they are going to start implementing "Copy Once" DRM on the channel lineup. Verizon only use "Copy Once" DRM for premium channels (along with some Fox channels starting last year), and "Copy Freely" for everything else. From what I've read, Frontier typically encrypts everything but local OTA channels. I have a CableCard with an HDHomerun and MythTV, and if they start doing that, it practically becomes useless and I'd have to resort to WMC (ewww).

I generally haven't had any problems with Verizon over the years except for the occasional billing snafu when I make plan changes or some idiots cutting a cable outside.

1
0

How NoSQL graph databases still usurp relational dynasties

Justin Pasher

Graphing nodes

The ltree module in Postgres (which has been around for over 10 years) pretty much does what you are talking about (finding node siblings, parents, children, etc). How well it does at massive scale, I couldn't say (I've only used it at relatively small scale).

0
0

The bill for Home Depot after its sales registers were hacked: $19.5m

Justin Pasher

Surprised?

Hmmm... I wonder why they had the breach in the first place...

http://imgur.com/5lnjzBu

1
2

Microsoft traps and tortures poor little AI in soulless Minecraft world

Justin Pasher

The real problem

"We need to solve the unsupervised learning problem before we can even think of getting to true AI," wrote LeCun, "and that's just an obstacle we know about. What about all the ones we don't know about?"

And THAT'S why AI is so incredibly difficult to master. Think about how a baby learns. Sure there is some trial and error (the same as what they are doing with Minecraft), but think about how much of that learning is because they are being taught or guided by someone who already knows how to do something. If the Minecraft world was the real world, it wouldn't work at all. You can't just keep jumping into lava pits or drowning in water, learn from it, and just start over and try again. Sure you can build this "database of knowledge" over time and use that as a starting point for the real world, but like LeCun says, what about the things you've never encountered?

The complexity of the human mind and its ability to reason and rationalize things is so much greater than any existing computer, it's almost hard to fathom. Computers can only do what they are told to do. Considering they've been around for less than a century while humans have been around for much longer, the ability to essentially create a human analogue in intelligence is mind-numbingly difficult (at least to make it even at a fraction of the level of the real thing).

1
3

HTTPS DROWN flaw: Security bods' hearts sink as tatty protocols wash away web crypto

Justin Pasher

@wolfetone Re: Is SSLv2 still supported in OpenSSL?

Actually it depends. The Debian binaries removed the SSLv2 protocol from OpenSSL back in 1.0.0c-2 (i.e. post-squeeze, pre-wheezy).

https://www.debian.org/security/2016/dsa-3500

3
0

Competition? No way! AT&T says it will sue to keep Google Fiber out of Louisville, Kentucky

Justin Pasher

Pole dancing

So who owns the poles? Did AT&T pay to install them or was it paid for by the city? If AT&T paid for them, I can see their argument (to an extent). If the city paid for them, why does AT&T think they have the ultimate authority over them (barring any other agreements from when the poles were first installed)?

Now I do see how the authority given to the third parties in regards to putting up their lines can be a little concerning, especially since AT&T is the one that has to "pay" for any outages.

2
2

Google calls out Comodo's Chromodo Chrome-knockoff as insecure crapware

Justin Pasher

Trust is gone

If you've got Comodo's browser installed on your machine or using certificates issued by them on your server, get rid of it.

FTFY

21
1

Dev to Mozilla: Please dump ancient Windows install processes

Justin Pasher

Re: wrong problem to be solving.

Just grab the specific version you want directly from the "FTP" site.

http://ftp.mozilla.org/pub/firefox/releases/

0
0

AT&T, Verizon probed: 'No escape from biz broadband packages'

Justin Pasher

Ground Control to Major Tom

"in a space that is highly competitive and getting more so as cable companies and other new entrants aggressively compete."

Seriously, on what planet does AT&T live? Or maybe it's the drugs...

4
0

Cisco shipped UCS servers with rotten RAID settings

Justin Pasher

"Standard" strip size?

Does anyone with one of these devices know what the strip size was (erroneously) set to at the factory?

In all of the RAID controllers I've worked with over the past decade (granted most were Dell/LSI branded), the default strip size has been 128KB, and tweaking the value has never resulted in a 6x to 7x performance difference for my benchmarks. But considering I don't even know the typical use case of these Cisco devices, it could be an apples to oranges comparison.

0
0

Are Samsung TVs doing a Volkswagen in energy tests? Koreans hit back

Justin Pasher

Re: Unsurprising. This is *monitors* after all

@toughluck: Everything sounded great until you said "If you're using a HDMI 1.4 compliant cable". There's no such thing as an "HDMI 1.4 compliant cable". That's a marketing thing (just like contrast ratio). There are only four types of HDMI cables.

Standard

Standard with Ethernet

High Speed

High Speed with Ethernet

HDMI 1.4 is a software specification, not a hardware specification. A cable knows nothing about software, because, well, it's hardware. It's like saying an ethernet cable is "IPv6 compliant".

0
1

The last post: Building your own mail server, Part 3

Justin Pasher

Re: Wot no SPF?

If that's what the domain owner has declared, then yes. It is. That's what ownership means.

So when user B doesn't get user A's email because user B has configured a forwarder and the email is rejected due to a violation of user A's SPF record, it's user B's fault?

Well, you have some strange ideas about SPF and make that claim. I use it, and would not. Perhaps you might like to wonder if there is more than just mere correlation to that...

I HAVE been using SPF for a long time now, mainly because of "hey, it's one more thing you can try to make email deliverability work better". The fact that I say it's a joke doesn't mean I say no one should use it. It means don't put much faith behind it.

And the fact that you use it and would not make the claim that it is an ineffective anti-forgery system does not make the opposite true. Please do share anything that was not true about my anti-forgery statement.

0
0
Justin Pasher

Re: Wot no SPF?

If a domain owner lists the servers that may send email for his domain, and declares all other servers to be fraudulent if they try, then that is the decision of the domain owner.

So you're saying that some regular old joe that knows nothing about SPF or even DNS who sets up his email address to forward to another email account is equivalent to him trying to forge the original sender?

And its effectiveness as an anti-forgery system is a joke. The envelope sender can be something that passes an SPF check with flying colors (or even has no SPF record), yet the From header in the email is what the end user actually sees. How many people do you know that are smart enough when they receive a "suspicious" email to view the headers to see if the From header matches the Return-Path or trace the Received headers to find the originating server?

By all means, have an SPF record on your domain. It (sometimes) helps deliverability. But don't think that it stops me from being able to send out email that convincingly looks like it's from you.

0
0
Justin Pasher

Re: Wot no SPF?

If you are simply forwarding mail, that has a tendency to break someone else's SPF rules

This is my point exactly. SPF falls down when someone has their email address set to forward elsewhere, because the original sender didn't "authorize" their email to be sent by another server. You can't rely on every mail server out there that allows email forwarding to another server to have implemented SRS.

It also doesn't "stop SPAM" in and of itself. It simply makes it where someone can't impersonate your email address in the envelope sender. Spammers could just as easily create SPF records for their own throwaway domains authorizing the world (but luckily they rarely do).

0
0
Justin Pasher

Re: Wot no SPF?

SPF is a pretty big joke. If you are (incorrectly) using it to outright block mail versus using it as a scoring system, you're going to get false positives. Using it as a scoring system, it holds so little weight, it barely factors into the overall spam score. That combined with the fact that spammers can just as easily set up an SPF record to authorize mail from anywhere (but luckily they are generally not that smart), it's never really lived up to its original hype.

0
0
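An added illustration of the point running through these replies (example code, not from the posts): SPF is evaluated against the envelope sender, which is what lands in Return-Path, so a receiving-side check that compares that domain with the From: header domain shows exactly where the two diverge, and recognising the SRS0 rewrite a forwarder applies shows how SRS keeps a forwarded message attributable to its original sending domain. The three messages are constructed and the domains are placeholders.

```python
"""Compare the SPF-relevant envelope sender (Return-Path) with the visible From: header."""
import email
import re
from email.utils import parseaddr

# SRS0 rewrite shape: SRS0=<hash>=<timestamp>=<orig-domain>=<orig-local>@<forwarder>
SRS0_RE = re.compile(r"^SRS0=[^=]+=[^=]+=(?P<domain>[^=]+)=(?P<local>.+)$", re.IGNORECASE)

# Constructed messages. SPF would pass on all three envelope senders if the
# owning domains published matching records; only the From: line differs.
FORGED = (
    "Return-Path: <bounce@bulk-sender.example.net>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: Invoice attached\n\nbody\n"
)
FORWARDED_WITH_SRS = (
    "Return-Path: <SRS0=h4sh=ab=example.com=alice@forwarder.example.org>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: hello\n\nbody\n"
)
DIRECT = (
    "Return-Path: <alice@example.com>\n"
    "From: Alice <alice@example.com>\n"
    "Subject: hello\n\nbody\n"
)


def envelope_sender_domain(return_path):
    """Return (domain, was_srs_rewritten) for a Return-Path header value.

    If a forwarder rewrote the sender with SRS, the original sending domain is
    recovered from the SRS0 encoding; otherwise the address's own domain is used.
    """
    _, addr = parseaddr(return_path)
    local, _, domain = addr.rpartition("@")
    m = SRS0_RE.match(local)
    if m:
        return m.group("domain").lower(), True
    return domain.lower(), False


def check_alignment(raw_message):
    """Report whether the From: domain matches the envelope sender domain."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env_domain, srs = envelope_sender_domain(msg.get("Return-Path", ""))
    return {
        "from_domain": from_domain,
        "envelope_domain": env_domain,
        "srs_rewritten": srs,
        # An empty From: never counts as aligned.
        "aligned": bool(from_domain) and from_domain == env_domain,
    }


if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("forwarded", FORWARDED_WITH_SRS), ("direct", DIRECT)):
        print(name, check_alignment(raw))
```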

For just $400 you can have this Raspberry Pi – and MINE BITCOIN

Justin Pasher

Seems legit...

Hmm... This has got to be some elaborate scam or something to try to get rich selling junk.

Like others have said, no mention of hash rate, which is key for bitcoin mining. Also, just read the "testimonials", which all appear to be made up.

"If I were 21 today, I'd learn Bitcoin" - Marc Andreessen, Inventor of the web browser

"Bitcoin could be the internet's next big protocol" - Padmasree Warrior, Former CTO of Cisco

"Are you a developer? Then you need to get a 21 Bitcoin computer" - Ben Horowitz

1
0

Patch Bugzilla! Anyone can access your private bugs – including your security vulns

Justin Pasher

Expect only the best.

Ahhh, the beauty of using MySQL. Silently truncating your data for decades.

4
0

T-Mobile US CEO calls his subscribers thieves, gripes about 'unlimited' limited tethering

Justin Pasher

Re: The War on Customers (was: Unlimited doesn't mean unlimited then...)

Can I get an explanation for why these two things are actually separate to the point where one demands metering and the other not? Except for, you know, "marketing segmentation we want to impose" kind of reasons?

Seems pretty obvious to me. It's a lot easier to suck up a huge amount of bandwidth by tethering a laptop to a cell phone's data connection than being restricted to the capabilities of the phone/installed apps. Then there's also the fact that you could use tethering to set up a mobile hot spot for others that do not have unlimited data, thus "reselling" your unlimited data plan to others for free. Now you have people that are not paying T-Mobile a dime but potentially using a lot of their bandwidth.

If the problem was REALLY widespread (which it's not), you have the situation where T-Mobile thinks "we have X million customers, so we need Y infrastructure", when in reality they would have X million customers + however many mobile hot spot users are tethering for free.

11
6
Justin Pasher

Re: Unlimited doesn't mean unlimited then...

Although I largely don't agree with the nonchalant way carriers throw around the word "unlimited" nowadays, T-Mobile clearly defines it.

If you look at their FAQ:

Doesn’t Unlimited mean Unlimited? How can T-Mobile advertise Unlimited 4G LTE when T-Mobile doesn't offer it on all T-Mobile devices?

Yes, at T-Mobile, unlimited mean unlimited. Every T-Mobile Simple Choice™ Plan includes Smartphone Mobile HotSpot at no extra charge, and when customers reach their paid high-speed data allotment, speeds are reduced so they never worry about overages. Our standard Unlimited 4G LTE smartphone plan includes unlimited high-speed data on your smartphone and also comes with 7 GB high-speed Smartphone Mobile HotSpot data, followed by unlimited reduced-speed Smartphone Mobile HotSpot data.

Regular, non-tethered 4G LTE is unlimited. The ability to use your phone as a hotspot is an add-on they give you for free. They're also talking about people who are deliberately circumventing the check put in place to avoid people abusing the free tethering.

For comparison, I am on a grandfathered AT&T unlimited data plan, but I don't have any (legal) tethering allotment, because that's a paid add-on.

20
5

Honor 7 – heir apparent to the mid-range Android crown

Justin Pasher

That says it all

I guess this really shows the direction of the world today when a phone has an explicit scene mode called "food".

2
0

$100m fine? How about, er, $16k? AT&T teabags FCC with its giant balls

Justin Pasher

No text message here

"AT&T also claims that it did let its customers know about the constraints it was imposing by posting a disclosure online and texting customers – once – about the fact they would have slower speeds past a certain monthly data usage."

I've had an unlimited data plan through AT&T since the last year they were offering it (2010 I think). I never received a text message from them about throttling speeds after a certain usage. Granted my usage is well below anything that would set off alarms (generally less than 1 GB because I'm on WiFi so much), but unless they (erroneously) only notified actual abusers, I never received their alleged "heads up" message.

4
2

James Woods demands $10m from Twitter troll for 'coke addict' claim

Justin Pasher

You do realize that something called libel still exists, even in the days of the internet, and it's illegal, right? Whether this will constitute that is up to the courts.

48
1

'Untraceable' VoIP caller ID-spoofing website accepts Bitcoin

Justin Pasher

Re: No legal use...

"You could route VOIP through your VPN/Firewall so that your calls from home are coming from work."

And if your work uses a traditional PBX without VoIP support? Maybe the UK is different, but VoIP is far from universal in the US for businesses.

1
0

OpenSSH server open to almost unlimited password-guessing bug

Justin Pasher

Re: PermitRootLogin no

Although I wouldn't necessarily say that "not a lot of people permit root login any more" (at least intentionally), in Debian Jessie they finally made the default config option "PermitRootLogin without-password" to help with people that just run out-of-the-box setups.

3
0

Arctic ice returns to 1980s levels of cap cover

Justin Pasher

Re: Arctic sea ice extent for June 2015 was the third lowest in the satellite record.

You realize that the two reports are measuring two different things, right?

Sea ice extent vs Sea ice thickness

Which one is more important? I would imagine volume is a bigger deal than surface area, considering you can have a little visible surface area with a lot of volume (and vice versa), but I'm not a climatologist (for lack of a better term).

12
0

Microsoft to Windows 10 consumers: You'll get updates LIKE IT or NOT

Justin Pasher

@Pheasant Plucker: Silverlight

"They certainly do with Silverlight. Still do with Silverlight."

Technically it is not being overridden. It is released under a new KB number, so it's treated like a different update.

0
0

Apple pulls Civil War games in Confederate flag takedown

Justin Pasher

Fast track to offense

And just like that, the flag which has been around for over a century has suddenly become "offensive imagery" overnight and requires immediate eradication. This is the state our world now lives in.

26
4

So what are you doing about your legacy MS 16-bit applications?

Justin Pasher

Why mess with Ghost when CloneZilla does it for free (and with a Live CD/USB)?

2
0

Verizon promised to wire up NYC with fiber... and failed miserably – audit

Justin Pasher

Promising the world

"In particular, Verizon said that while it can lay fiber under the streets, actually getting it into buildings is another matter."

Hmmm... Maybe they shouldn't have come up with that agreement if it's something they couldn't do, eh? The article doesn't make it clear if this was some sort of signed contract or just mutual agreement.

6
1

Amazon cloud to BEND TIME, exist in own time zone for 24 hours

Justin Pasher

Re: Sounds complicated

Obligatory xkcd

https://what-if.xkcd.com/26/

4
0

Biting the hand that feeds IT © 1998–2017