* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Gotta have standards? Security boffins not API about bloated browsers

Charles 9

No, because it STILL means the browser has to support ALL of them, in case a web app asks for it, and the mere existence of this support means it can be abused and even exploited. It's basically all or nothing.

Charles 9

"The suggestion can be improved with an additional attribute in script tags to revoke API permissions. Third party adverts script? Vibrate off, XHR off, Bluetooth off, USB off, file system off, locations services off, camera access off, etc."

The big thing is that browsers can just ignore them, probably because users (who don't know better) demand the browsers have more holes than a wheel of Emmentaler. Plus third parties can probably just disguise their scripts or otherwise find ways to get more permissions than they should.

The REAL real solution is to simply not offer them, in spite of user protests, because it's too much a security risk. Users are demanding too much of their browsers and are essentially opening themselves up to trouble. JavaScript, extensions, and interactivity in general opened a real Pandora's Box IMO, because it opened a back channel, and that's where the trouble really started.

Charles 9

Re: There is a political decision behind this

IOW, every browser maker wants to be like Google, where they can actually make the browser INTO the OS itself.

Charles 9

Because each separate app only has the permissions it actually uses instead of the browser being forced to have all of them at once and becoming more an OS unto itself.

Charles 9

Except that the web designers don't code with the least common multiple in mind. Meaning trying to use Lynx or some other simple-minded browser is an exercise in trying to drink sludge. Not even the damn Freenet frontend seems to appreciate an honest attempt to limit the attack surface and expects features that probably should never have seen the light of day.

IOW, the ONLY way to get things done, it seems, is to overly expose oneself to danger. Do we really want this?

Charles 9

Why not switch to standards they were meant to use? Why cram interactivity onto a protocol designed for passive reading instead of using something designed for the job like VNC?

Charles 9

"It's all about the adoption of mobile web and away from native apps. The biggest reason for native apps has always been the access to hardware. Access to these APIs allows a developer to create web apps instead and not rely on downloads, installs and wrappers. They aren't really designed for 'normal' websites so much."

Which again feels like cramming a square peg into a round hole. After all, didn't we try this with Java? Why not make it simpler to create multiplatform native apps? What makes the Web so useful over things like Java anyway?

Charles 9

How about a push away from an interactive Web that is probably behind most of the exploits and vulnerabilities. Now, perhaps a little information is needed, but it should be in overly broad terms, like whether it's a desktop or a phone since that can have significant effects on readability. But anything that doesn't have a significant make-or-break effect should not be considered important enough to include.

Leave interactivity to protocols meant for it like VNC.

IETF mulls adding geoblock info to 'Bradbury's code'

Charles 9

Re: Geoblock is evil and dishonest

You know LaserDisc-encoded movies are just digitally-encoded analog composite video? In other words, not the best of quality in any event? If you want to rip a LaserDisc, you can do worse than hooking it up with good cables to a high-quality video capture rig. That's what the MAME team does right now to preserve LD-based games like Dragon's Lair.

Charles 9

I think I can see where this is going. The main idea behind code 451 is to report that a resource is blocked for varying legal but legitimate reasons (example, a government resources website intended for its citizens would likely block international queries except for perhaps designated portals; at least here, they can cite a reason). There are legitimate reasons for blocking, and a 451 at least makes the resources explain why.

It won't do much good against oppressive regimes since they'll take the Nineteen Eighty-Four route and deny the resource even exists and enforce this nonexistence, but if you're in that kind of environment, you have bigger problems already.

Your data will get hacked anyway so you might as well give up protecting it

Charles 9

Re: even if the chance of cryonics working is only 1%

"I doubt there's a legal definition of death other than "has been declared dead by a doctor". Even if there was a legal definition, if someone recovers and is walking around talking then it doesn't really matter what the law said does it?"

Then why is a person who is Brain-Dead (though still having a beating heart, etc.) considered legally dead? There must be some medical evidence to support that once a brain stops functioning it's past the Point of No Return in order for the legal declaration to have standing.

Charles 9

Re: even if the chance of cryonics working is only 1%

But isn't the legal definition of death loss of blood flow to the brain? As in a brain is like DRAM in that it needs constant cycling?

Malware hidden in vid app is so nasty, victims should wipe their Macs

Charles 9

Re: Perhaps developers should work offline

"What if instead of a throw away solution you instead built it out of libraries that you had perfected by the same method. Code that had been reused over and again in many other different solutions to the point where any typos, logical errors etc. had already been removed. Whilst the library only does what it says on the tin it does it right every time under every condition possible to pass to it."

Not necessarily. Think gestalt exploits where the individual components are tried, tested, maybe even proven, but when they're taken as a whole suddenly exhibit unwanted behavior (in other words, the exploit is worse than the sum of its parts). The problem with code written by man is that it's nigh-impossible to predict EVERY circumstance where it will be used. Even formal proofs carry with them context limitations (ex. seL4 can't keep its proof with DMA in use).

Charles 9

Re: Perhaps developers should work offline

"I’ve been at a conference where they held a ‘Hack the (Hello) World’ competition; to do exactly what you suggest."

So they managed to hack a computer that had no code in it but the equivalent of "PRINT 'HELLO, WORLD!'"? Changing the source code is one thing; hacking a fixed program with so little functionality is another.

Charles 9

Re: Perhaps developers should work offline

"Whilst it is true that more eyes makes finding things easier, the actual reality is that large software houses release a lot of bug fixes. Suggesting that whilst they could they do not"

IOW, is it a case of more eyes or too many cooks?

Charles 9

What next? Surety bonds for programmers, drivers, and so on?

Charles 9

Re: So the obvious solution here is...

And if you can't afford two computers because, for example, you're a one-man shop?

Charles 9

Re: Perhaps developers should work offline

So what happened in the days BEFORE the Internet, where the limited methods of distribution pretty much meant you only had one shot at getting it right?

Charles 9

Re: A complete wipe?

Two problems.

One, you could end up with more of the same, or even something worse than before.

Two, how do you deal with natural accretion which seems to be able to get past any law known to man?

Charles 9

Re: A complete wipe?

"The only way to get around that would be to have a firmware persistent malware at which point you'd have to wipe and reinstall the firmware for everything as well, probably over USB."

Except if something like BadUSB hoses the USB controller, you can't trust it, either. Some malware is getting SO bad that it can permanently brick hardware.

Charles 9

Re: Surely the bigger story is...

They didn't. They infected the actual source tree BEFORE it was signed. IOW, this was an "Outside the Envelope" attack.

Charles 9

Still waiting for that nuke-proof malware where even re-installation doesn't remove it...

Wanna exorcise Intel's secretive hidden CPU from your hardware? Meet Purism's laptops

Charles 9

Re: Everybody's ethical

In other words, the basic human condition actually doesn't lend itself well to large societies. Even if you try to take the competitive nature into consideration, people along the way will start to change the rules. It's like the perennial problem with tax codes and other "necessary but unpopular" governmental necessities. People eventually gain the ability to cheat the system: either by locating loopholes or simply getting far enough into the government to change the rules directly.

Charles 9

Re: Everybody's ethical

"Under Communism the State is supposed to wither away, and people will have evolved to the point at which they voluntarily work for the good of everybody."

Which as reality notes is probably too utopian to be believable. It goes against the primal human instinct to compete. After all, the world's not infinite, and another primal desire is to be the one to leave progeny instead of the neighbor. That's likely why human social structure doesn't stay too stable beyond tribes and clans.

Communism requires everyone to play nice, which isn't going to happen. Pure libertarianism is similarly too utopian, though from a different angle.

Charles 9

Re: Everybody's ethical

"Alt-left is what Mac users call option-left, and what Emacs users call meta-left."

I thought that was Command-Left (The Command key being the one with the loopy graphic on it).

Charles 9

Re: Everybody's ethical

"Semi-true: That can happen (DDR) but by that definition US and UK are overbearingly socialist countries now.

By US standards Germany is definitely a socialist country and they've specifically made the point of big brother not watching you, so I don't really buy this definition."

One, by your standard Germany is not overbearing. And two, how can one be sure Germany isn't actually watching its citizens on the sly?

Charles 9

Re: Everybody's ethical

I think part of the problem with your thought is the human condition itself. You NEED some coercion, or people will cheat. Libertarianism sounds too utopian without someone there to keep things fair, and the human condition means ANY position of control can be corrupted beyond any checks or balances that can be made by man.

Charles 9

Re: Everybody's ethical

Look, either way can get you into trouble. Overbearing socialism means Big Brother Is Watching You. Meanwhile, unfettered capitalism means Robber Barons Have You For Lunch. Both are extremes of control, and unfortunately that's a natural consequence of the human condition. Apply it to a sociopath or two, and this is the natural result. And because of their extreme need to control (which includes other humans), any attempt to thread the needle has to defy their gravities or you just end up gravitating toward one or the other extreme. It doesn't help that the average human is amenable to these sociopaths.

Charles 9

Not necessarily. Does the left hand know what the right hand is doing and so on?

Charles 9

Re: Everybody's ethical

Also the less likely one is to accept dissent, since an overbearing sense of right implies anyone else is dead wrong and cannot be trusted. Even contrary facts can be dismissed as hearsay or, in the extreme case, self-delusion caused by The Enemy.

Charles 9

Re: We need companies like Purism

"In the end you have but two options. Either do the job you were tasked to do, or find someone else who can."

There MUST be a third option because you may lack the skills to do it yourself and can't trust anyone else to do it.

For example, how can one be sure the government can't subvert every phone using their airwaves if all radio chips must go through them first?

Discover potholes in the information super-highway with this handy new tool (which itself just hit a roadblock)

Charles 9

Re: Time to update that certificate, but otherwise

Some people have fat fingers. They hit one key and accidentally hit an adjacent key as well. Plus given the minimum accepted typing rate, things tend to slip through.

Hackers nip into celeb plastic surgery clinic, tuck away 'terabytes'

Charles 9

Re: An obvious question

Besides, as someone noted, SneakerNet may have been employed here given the data size, and SneakerNet is ALWAYS available, especially to a bribed insider.

Let's make the coppers wear cameras! That'll make the ba... Oh. No sodding difference

Charles 9

Re: And no significant change can be expected until...

"And that, ladies and germs, is how we might wrest control from government and start making their lives as much a misery as they've spent the last few thousand years doing to us...."

Until someone comes up with a way to produce plausible FAKE information and slips this ability into enough of the population to make the immutable untrustworthy.

Sorry, but it goes all the way back to E. E. Smith's Lensman series: Essentially "What man can create, man can RE-create." Thus he had to come up with something beyond the knowledge of all civilization to create something that couldn't be faked: the eponymous Lens.

Charles 9

Re: Rational vs irrational behaviour

Except one must know that edge cases tend to stop being edge cases.

Charles 9

Re: Really?

Or it could simply be a case of a different party funding the study. Always follow the money trail, and one shouldn't take a study at face value unless it contradicts the view of the funding party. After all, independent endorsement is fine and all, but it pales compared to being endorsed by the enemy.

Charles 9

Re: Rational vs irrational behaviour

Unless, of course, someone particularly devious plays to the camera and exploits lack of context to get off or get the cop in trouble. Every coin I know has two sides.

Wowee. Look at this server. Definitely keep critical data in there. Yup

Charles 9

Re: Deception is good

Plus what if the honeypot itself gets owned to lie about the attacker? Or worse, becomes itself an attack vector? Like instead of slipping past the guards, you bribe or blackmail them and get them to work for you instead.

Didn't install a safety-critical driverless car patch? Bye, insurance!

Charles 9

Re: Good riddance to an entire industry

"As arguably the only industry even more corrupt and dishonest than banking, it will be a case of good riddance to auto insurance."

Wrong. You forget the worse, and your plan plays right into their hands. Incidentally, it's also probably the one industry that's impossible to avoid without anarchy.

Charles 9

Re: This is a waste of time

"We rely on the free market to keep the purveyors of insurance cover honest - not perfect, but good enough. When driverless cars are rolled out, there would be no good reason for the risk of meatsack driven cars to go up, so there's no good reason for all insurance companies to suddenly jack prices up unless they've got some other reason for doing so."

Statistics will be used against the meatsacks. Once you have a critical mass of automated cars who are demonstrably much less likely to get into accidents, simple human error becomes the main reason for jacking up insurance for those who insist on driving themselves, especially since meatsack incidents are more likely to domino and involve other vehicles (think things like DUIs and ghost driving).

"It's possible, but it would be a bold move in a society where lots of people actually like their cars."

Is this backed up with unemotional statistics? Because from where I sit, most people don't like their cars so much as tolerate them as an unfortunate necessity in a world where the weather's bad, the mass transit isn't very timely, and cabs are too expensive for one's budget.

NetBSD, OpenBSD improve kernel security, randomly

Charles 9

So noted, but let me phrase it another way: how do you lock a door that never has the opportunity to close? How do you relocate code that's constantly in use?

Charles 9

But it'll be the next logical step. As ASLR becomes commonplace, malware will take it slower, spying on systems to learn the critical locations before striking. The logical way to beat that is a moving target.

Charles 9

Don't know if you really can perform a live relocation of something so heavily used as the kernel. It's especially tricky to move live code being executed (which for the kernel, is practically all the time).

Windows 10 Fall Creators Update tackles IT's true menace: Cheating gamers

Charles 9

Re: Cheaters will cheat as Crackers will crack

"Personally, I can't wait for the day when an OS (ReactOS?) can run all legacy win32 stuff natively and flawlessly. That's the day when Windows can be dumped for good."

Two problems.

1. ReactOS isn't even out of the alpha phase. I don't think it can do a reasonable facsimile of Win2K yet, let alone Win7x64 which is pretty much the baseline these days.

2. Windows is a moving target, and Microsoft has the home field advantage. Even as ReactOS moves ahead (or tries), Windows keeps moving farther away.

Charles 9

Re: You have been warned

So? Is this any different from Valve Anti-Cheat?

Charles 9

Re: TruePlay sounds like another method of data mining Win10's users

Except this IS aimed at developers and publishers. They're simply providing an anti-cheat system a la VAC, it's up to them to actually USE it.

Do fear the Reaper: Huge army of webcams, routers raised from 'one million' hacked orgs

Charles 9

Re: Safe home router ?

Doesn't work. The ONLY way to have externally-nonaccessible ports is to not have an outside connection AT ALL. Every time you connect to the outside Internet, you create a two-way link. The link you use to connect can be back-hacked to pwn you. That's how drive-by and watering-hole attacks work. That's also why they're particularly hard for firewalls to block because you're being pwned by a connection you made yourself, especially if run through an encrypted connection so they can't be sniffed.

Charles 9

There's no catch-all, unfortunately, as each device is different.

Charles 9

Re: Code monkeys X don't-give-a-f**k PHBs X time to market --> IoT

"Reducing the attack area is so much easier."

Oh, but what about false positives? Shrink the surface too much and you'll get complaints.

Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

Charles 9

If you're in a hole and all you have is a shovel, how do you get out without digging?