MAGA is a "Make America Great Again" Donald Trump supporter.
264 posts • joined 28 Nov 2009
Yelp-for-MAGAs app maker is warned there are holes in its code. Does it A. Just fix the problem, or B. Threaten to call the FBI, too?
> Last time I ran an IRC server it took about 5 minutes to get up and running, never touched it again in three years
OK, so it takes you 5 minutes to set up an IRC server. But it sounds like you'd done it before; it would take someone who hadn't done it much longer. Also: Did it enforce usernames/passwords to prevent impersonation? Did it either integrate with Active Directory to authenticate those usernames/passwords, or have a simple way for new users to create their own account and reset lost passwords? Did it have documentation so that non-technical users can use it? Did you choose a preferred Windows IRC client and recommend it to users? Did you figure out how users outside the office are going to access it from laptops and phones? Remember that we have secretaries and managers in the office, not just engineers. All the above are important to our users. Slack provides easy solutions to all the above issues, that would take hours or days with IRC.
> Client woes are usually psychological.
That attitude is why open-source has such a problem getting to mainstream usage.
IRC clients are usually complicated and often hard to use. There are all these arcane slash commands, and/or arcane menu choices. For someone who's used to them, that's fine - there is a lot of power and flexibility there. But put a secretary or even a just-graduated programmer in front of it and they're likely to get confused and just not use it. You can claim that other people are the problem, it works for you, but in a business environment that doesn't wash. You have to provide a solution that is easy enough to use.
Slack (and its competitors such as MS Teams) provide a cut-down, secure, easy-to-use, easy-to-deploy IRC equivalent, which non-technical people can easily use, and which provides enough features to get the business benefits that IRC would give.
ARM supply the designs for the CPU core, which is part of the chip. They also supply designs for a bunch of ancillary things that you probably want on your chip - memory controllers, graphics core, etc etc. The chip designer takes whichever of those blocks they want, often takes some other blocks developed in-house (e.g. a GSM radio or Apple's security core), perhaps some blocks from 3rd parties (e.g. there are/were 3rd party graphics core suppliers), puts them together in a single chip design and connects them all together. They may also tweak some of the blocks, with small or large modifications (perhaps including some extra instructions in the CPU, or a different size cache, or a different maximum memory size on the memory controller). They then send the design to a fab to be manufactured.
The designers do need to be chip design experts, but obviously there's a lot less effort involved in taking premade parts and joining them together than writing the whole thing from scratch. It's a bit like programmers using libraries rather than writing everything from scratch.
The chip designers also get the benefit of having the ARM-supplied blocks built by people at ARM who have spent many years trying to make better CPU cores and support blocks, who have a lot of experience in what works and what doesn't, and who can spread that R&D cost across the whole industry not just one product.
The chips produced in this way are custom-designed for specific types of product or even specific products (e.g. Apple). They don't waste die area on features that the product doesn't need, which makes them cheaper - with smaller chips they can fit more chips per wafer, and a smaller percentage of chips will be defective. They can add features the product needs, which makes the product smaller and lighter and cheaper because it doesn't need as many chips.
There are also (several slightly different) standard ARM instruction sets, which are widely supported, which means that you can use existing tooling (compilers/linkers/debuggers/etc) to build code for your new chip. This means that you don't need to port the toolchain to your new chip, so you don't need compiler experts unless you've chosen to customise the instruction set. It also makes porting the OS and bootloader a lot easier, as most of it can use standard drivers, you just have to write drivers for your custom bits of the chip and some OS configuration to tell it how everything is connected.
Google recalculated its wages, and yup, raises for underpaid fellas. So can you forget those gender discrim claims?
Re: Well... go on then?
If there are 2 people in a group, and one of them is paid more... then what are you going to do? That may be discrimination (a woman and a man doing the same job for different pay), or it may just be that one is more senior / more experienced / better than the other.
Similarly, if there are 30 people in a group and only one is female, you have the same problem - the woman may be more or less senior / experienced / good than the male average.
If you have a "large enough" group, with a "large enough" number of women and a "large enough" number of men, and the average male level (seniority / experience / etc) is about the same as the average female level, then the average male pay should be the same as the average female pay.
As far as excluding groups that are too small: If you run this on most of your workers that are in suitable groups, and it doesn't find major discrimination, you can probably assume that there's no major discrimination in the company, including the other workers that are in groups too small to check.
(However, once people know that this will happen, that stops being true. Managers will know they can get away with discrimination against people who are already in small groups, and/or hide discriminated-against people in small groups. It is possible that changes their behaviour. People will always work for the metrics they're judged on. The first time this was done, people presumably didn't know it was going to happen, so it was a fair check).
We haven't yet managed to produce a secure computer program. Ever. There's no reason to think this is the first one.
Just look at the huge number of security advisories every year for Windows, Linux, iOS, MacOS, Firefox, and Chrome.
And the history of security of embedded devices is especially woeful. There may not even be a way to do a remote software update to fix the bugs; and if there is then software update mechanisms themselves have proven to be a fertile source of security bugs too. And sending out an engineer to patch isn't practical.
Even if the security between the meters and head office was perfect, people will hack the head office systems, which are going to be (indirectly, I hope) connected to the Internet so people can see online bills.
(I know that those head office systems are Internet-connected today, but disconnecting the power today requires an engineer visit and either me letting the engineer in or the power company applying to court for a warrant, which takes time and has lots of humans involved, which gives opportunity for errors to be spotted. That's very different from a computer automatically sending a disconnect command to the meter).
For comparison, you can buy add-on gadgets for £70 that will let you track your gas and electricity usage online in real time. You can fit them yourself. So if customers are actually going to reduce usage, the customer could get the £70 add-on kit and have the same effect as the £370 smart meter. So the government solution is £300 more expensive than it needs to be.
But, as has been mentioned elsewhere, the main goal has to be the ability to remotely turn off the power at the meter. That allows blackouts to be targeted at poor people, by simply raising the price of electricity at peak times to more than the poor people can afford. The poor people will either set up their account to cut them off automatically at that time, or will check the price and reduce consumption, or will accidentally run up a huge bill and then be cut off for non-payment. Rich people who lobby MPs, and the MPs who are on a good salary and an expense account, won't be affected.
The ability to turn the power off remotely will also be "fun" when people hack the systems. Are you a teenager who's just lost a computer game? Rather than SWATting someone, simply increase their meter reading, giving them a huge unpaid balance and have their electricity cut off for months while they try to fix the error in the "unhackable" system. Just want your 15 minutes of fame? Turn off the power across the entire country!
Re: Call me paranoid..
1) If everyone gets worried about online security, and stops using the Internet, or even just reduces their use, that would be bad for Google - less people online means less revenue. So Google tries to improve online security. And part of doing that is finding what we're currently doing wrong so it can be fixed. So Google looks for security vulnerabilities and lets the vendor know so they can fix them, then announces the vulnerability publicly so that other people can learn from it.
2) If Google was hacked, that would be very bad PR for Google, and might lead to people switching to other providers. So investigating the security of the hardware and software that Google uses is good for Google, because it can fix or replace it before it gets hacked.
A rare case of "doing the right thing because it's good for the bottom line".
You can't just assume you have everything set up, staff available, space available, etc. These things take time.
Either you have a permanent staff person for this, and pay them for time they're not printing, or you pay to hire temps through a temp agency who will need to cover their costs and make a profit. Either way there are going to be more senior, more highly paid staff supervising / setting up etc.
Seriously though, this is a non-core task, and it's big enough (and small enough) that most companies would outsource it to a print shop. The sensible comparison is against print shop rates, not the cost of printers / ink.
(10 pages one-off: office printer. 10000 pages every few months: print shop. 10 million pages a month every month: either long-term contract with a specialist supplier, or set up a specialist printing department in the company).
Wanted – have you seen this MAC address: f8:e0:79:af:57:eb? German cops appeal for logs in bomb probe
Re: I guess plod IQ problems are universal...
The MAC says it's Motorola. Motorola make phones. Not sure if they still make laptops, but they certainly make far fewer laptops than phones. They make tablets, but they are much less common than phones. So it's probably a phone.
This is Europe, so if it's a phone it's a GSM phone. The GSM standards require an IMEI number.
So it probably has an IMEI number.
Marriott: Good news. Hackers only took 383 million booking records ... and 5.3m unencrypted passport numbers
PR-speak to Plain English translation...
"There is no evidence that the unauthorized third party accessed either of the components needed to decrypt the encrypted payment card numbers"
Translation: We have no idea if the hackers got the keys to decrypt the credit card numbers or not; given how utterly useless we've been at security you should probably assume they got them.
Re: hardware problem ?
The specific files that were deleted were her malware folder. (She was an IT Security worker, so had legitimate reasons for having samples of known malware).
That sounds like she had anti-virus installed and it did a scheduled scan. If she didn't configure the anti-virus to exclude the folder of known malware, then the anti-virus would do what it was designed to do and delete the malware.
Re: It makes sense
> All very interesting, but as US States, they all come under US law.
No, they all have different state laws although they have common Federal law / Constitution / International law. This may significantly affect how the contract and the alleged breach are treated in court. Think of the US as a more top-heavy version of the European Union - the states still have different laws despite some overall laws.
> If I travel to Belize and punch another British citizen in the face then travel back to the UK, the UK court system would basically tell the "victim" to piss off if he tried to sue me here.
It was quite common for a website published in country X to be sued by a company based in country Y for libel in the UK courts, because a UK person might have seen the website and the UK has good-for-the-complainant libel laws. They were talking about fixing that, not sure if they did.
Oracle's JEDI mind-meld doesn't work on Uncle Sam's auditors: These are not the govt droids you are looking for
Microsoft lobs Windows 10, Server Oct 2018 update at world (minus file-nuking 'feature') after actually doing some testing
Re: The one use
Fails due to confidentiality requirements:
I'm sure the person with the violent abusive ex doesn't want a public announcement published saying where she just graduated from, along with the names of all her classmates. It makes it too easy for the nutjob to track her down. If it's published promptly, he may even be able to go ruin her graduation ceremony.
Fails due to need to change the data:
People do change their name. E.g. trans people will want their certificate re-issuing with their new name after they transition. Also witness protection. Also, grades get appealed, degrees get revoked due to discovered fraud/cheating, etc.
Fails due to authenticity requirements:
To prevent a record of a certificate being faked, you'd have to have it digitally signed by the university. So how do you know which signing certificates are valid, and not something that the "degree holder" just invented? That implies some central organisation validating signing keys ... at which point the central organisation could just run a database of degrees, or a list of links to the university websites that allow you to check the degrees from each university.
Re: I stand corrected
Because they need to communicate with their agents. That means either risky scheduled face-to-face meetings, slow and risky dead drops, radio transmitters that can be located with direction-finding equipment, or reusing some legitimate communications channel. Spies have used letters (can be intercepted), phones (can be tapped), newspapers (coded classified ads), and now the Internet.
There are a lot of advantages to the Internet, if done right. It's fast, encrypted, high-bandwidth, and you can hide the covert communications amongst lots of innocent legitimate data. However, there are obvious risks, too.
Bomb squad descends on suspicious package to find something much more dangerous – a Journey cassette
> I'd guess that most cars on the road have a tape player.
The article says it was a DAT tape. Car tape players play normal tapes, not DAT tapes. DAT has a different physical form factor and stores the music digitally - it's a Digital Audio Tape.
Well, under GDPR, EU users should have a choice about tracking. US users can be either offered the same choice, or a simpler "if you don't want to be tracked then don't use the app" choice. I was assuming that went without saying, since it's a legal requirement.
But the real issue here is online advertising. Google getting tracking data helps them sell advertising (because they can claim it is "more relevant" and the people who pay for adverts are willing to pay more for that). Google's competitors getting tracking data helps them sell advertising. App developers should be able to choose whether to sell a pay app that is ad-free, or an ad-supported app, and they should be able to choose which ad network(s) they use. The chosen ad networks will do the tracking.
It's quite reasonable for other manufacturers to want to replace the default email client and mapping apps, and to decide not to include YouTube.
Of course, that means less traffic to Google's apps, which means less ad revenue for Google, so the price might go up. That's reasonable too.
Regarding the tracking inside Android apps... so long as the app makers have a choice, that's fine. I don't think anyone is stopping other people from offering an equivalent service to the app makers?
Re: Congrats to the Windows Insider team
High build numbers are normal. It’s good practice to set up automated builds which build whenever someone commits any change.
Fix a typo in the UI? That triggers a build. Fix the Spanish translation of a different part of the UI? That triggers a build.
There will be many people at MS working on many small fixes to go in this release, it won’t just be the dataloss bug fix.
Diplomatic immunity has to be *requested* by Ecuador, and the UK government can choose to grant it or not. In Julian's case, Ecuador did ask for diplomatic immunity and the UK said no.
The treaty that provides protection for Ecuador's genuine diplomats also says that they shouldn't smuggle him out. So for their own protection, the diplomats won't want to be involved in "sneaking him out".
Regarding "diplomatic vehicles", I don't think the building has a garage? I thought it was just a flat. In that case, he'd have to come out of the building and through an area where he could be legally arrested, to get in the vehicle. Then he'd have the same problem trying to get out of the vehicle into a plane. I'm not even sure if a diplomatic vehicle would provide any protection if the police knew there was a wanted fugitive in there.
BT Wholesale* offer a deal where your Electric Eel ISP can set up a single datacenter anywhere in the UK, get two or more fiber links from that datacenter to the BT core network, then you can sell FTTP, FTTC and ADSL to anyone with a BT line. BT Wholesale will set up what's basically** a VPN tunnel from each customer to your datacenter. It uses BT equipment to terminate the FTTP/FTTC/ADSL connection and the BT core network to transfer the data to you. You then have to buy a big Internet connection from someone else, and route your customers' traffic to & from the Internet. It doesn't much matter what technology your customer is using, it looks more-or-less the same to your ISP, although the ISP will have to pay BT a different set of charges.
There are other wholesale providers, e.g. TalkTalk, who can offer the same deal - in that case TalkTalk will use their own equipment in the exchanges to terminate the traffic, so TalkTalk only have to deal with BT Openreach not BT Wholesale.
Most small national ISPs will use a wholesale provider. That's because the cost of installing equipment in every exchange, and setting up fiber backhaul from each exchange, is prohibitive unless you can split it among a huge number of customers.
(* There are 3 relevant parts of BT: BT Retail, BT Wholesale, and BT Openreach. BT Retail sells phone & Internet services to consumers and businesses; in turn it pays BT Wholesale to use its national network infrastructure, which in turn pays BT Openreach to use its exchanges and "last mile" copper/fiber wires.)
(** Pedant's corner: It's not actually a VPN, there's no encryption and it's using standards that are moderately common amongst telcos but anyone else would consider weird. But you get the idea).
Re: I find this strange.
It's not a criminal case, it's a civil case.
If it was a criminal case, the state or feds could throw him in jail, and there's nothing Uber could do to prevent that.
But Google are suing in a civil lawsuit, so Uber have presumably promised to pay his lawyer's fees and if he has to pay compensation to Google then Uber will presumably give him the money to give to Google.
If Uber asked him to do something wrong, then Google could sue Uber too, and get money from Uber... And in fact Google did sue Uber claiming that, and Uber have already paid Google some money (actually a lot of shares) to settle that claim.
Re: The Calm before the storm perhaps?
> If someone would like to step up and provide the service I get from Amazon, then yes I'll stop using them. Until then I will not.
You'd think nowadays Internet shops could provide a guaranteed delivery date that's next-working-day or 2 working days. And provide easy, hassle-free returns. But so many don't do that. Fulfilled-by-Amazon usually does. So they get my business.
Re: Job Titles...
If the limit was 20,700 / 12 == 1725 visas a month, and about half (860) of those were used by NHS doctors and nurses, then only about 860 other people could get a visa each month.
Once doctors and nurses were exempted from the limit, all 1725 visas a month could be used by other people. So twice as many IT & other people could get a visa each month.
So there's no need for people to game the system, the change naturally helps everyone who's trying to get a visa.
(And I suspect that if you're claiming to be a doctor or nurse you'd need to be able to qualify as a doctor/nurse under the UK rules, if you're an IT person then faking that would be hard and seriously illegal. It's not just a different job title).
Re: Impressive consequences
There were 2 problems:
1) Some bug that let them get hacked
2) The monitoring software that eventually detected the intrusion was broken due to the expired certificate.
It's very easy for a PHB to refuse to fund the certificate renewal for (2), or for it to get tied up in the budget/purchasing process. After all, it's only monitoring software, it's easy to claim it's not critical.
Re: 'This, in turn, lead to the problems that plagued Azure service users in Europe'
For certain uses, you want the datacenter near the users. There are plenty of users in south east USA, but the whole area is at risk from hurricanes. So putting a datacenter there is a perfectly reasonable decision, balancing the risks and benefits.
Of course, for an organisation with multiple datacenters, designing your worldwide directory service to depend on any single datacenter is very silly.
The issue here is it's supposed to be a USB port, not a debug port. The software has the *option* of doing debugging-over-USB-port, which - when enabled - would make it a debug port. But that shouldn't be enabled in production! And if it's turned off, it shouldn't be possible for an attacker to turn it back on.
Re: All a bit unnecessary?
> I am however surprised that the EU is not more mercenary in its approach. The UK cannot get automatic access as a member state, but pay-for access given a set of conditions ...
The rules that the UK helped write say that PRS is only available to EU members, so any work on PRS has to be done in an EU member country. Partner countries can work on Galileo, but not the PRS part of it. The UK insisted on this, to help the UK to win a lot of the PRS-related work.
Also, changing the Galileo rules would mean that France and Germany get less work. That's not a vote-winner for French or German politicians, and the Brexit deal can't pass without their agreement. Why would they agree to that?
> such as partial upholding of EU military goals and not attacking EU allies could surely be arranged.
We're still in NATO, which covers most of that. And we're not going to agree to have our forces fight and die as part of an EU armed forces under EU command, that would clearly be political suicide for the UK government to suggest. So there's nothing significant for us to offer there - certainly nothing to persuade the French or German politicians to vote for it.
Re: Request to disable the flag?
> You have a Yes/No decision at kernel build time.
Only if you build your own kernel.
> Why would you want to disable it?
Because you are using a kernel provided by a Linux distro, not compiling your own. In this case, the distro may want to choose a default value for this flag, but the user may want to change the flag.
There are usually good reasons for using a distro rather than building your own Linux distro from scratch: it's a lot less hassle, it gives you software binaries that have been tested, and it makes it easy to get security patches. All those arguments apply to the kernel as much as the rest of the software in the distro. Of course, there are times when people have specific non-standard requirements, and have to compile a kernel themselves, but those are rare.
And yes, most of the people reading this thread are likely part of the rare group with non-standard requirements, but that's because this is a thread about a kernel patch on a tech news website...
Also programmer availability. Windows desktop GUI programmers are easier to find than Linux desktop GUI programmers. Any Visual Basic programmer can do a Windows GUI.
Also on a typical big-company Windows-based corporate LAN, developing for Windows is easier than developing for Linux because everyone has Windows PCs.
Re: Security did no homework, just gut reaction
I think that, from the context, we all read that tweet and read "attack" as "hacking attack". I suspect the hotel read it as "violent physical attack, perhaps with guns".
That makes a big difference. Try reading the tweet again with that change.
Now of course, to us it was clearly a joke about the traditional hacking that happens on DefCon's wifi network. To a physical security person who missed all the context, it could be taken as a terrorist threat.
I think the hotel took the tweet out of context, massively overreacted, and lied to him (which is never acceptable) about DefCon being involved with kicking him out. If DefCon security or management had gotten involved, they would have seen the context and tried to fix the hotel's misunderstanding.
Re: (misleading stats)
> People will only be misled if they don't pay attention.
That old chestnut. "If you'd carefully read the contract, on page 97 out of 233, in tiny print, in grey-on-slightly-lighter grey, in Latin, we clearly explain it. If you were foolish enough to rely on the summary given by the salesperson instead of reading the contract and getting people to translate the Greek and Latin parts, then that's your lookout".
From toothbrushes to coffee makers to computers: Europe fines Asus, Pioneer, Philips for rigging prices of kit
Re: "all four accused of pressuring online retailers from discounting"
They’re different things. A manufacturer can stop their trademarked product being imported into the EU without their permission. Once the product is inside the EU single market, the manufacturer can’t control the price retailers sell it for.
Re: Warning stickers
Sadly, it would go the way of the California cancer warnings.
Pretty much everything is "known to cause cancer" as far as the state of California is concerned, so pretty much everything and every building has to have a stupid warning sign. So the signs don't actually provide any useful information, and most people ignore them. The only people who like the signs are the lawyers, who make money suing anyone who doesn't have the signs up.
Re: 1 second
The issue is logs to check regulatory compliance. Accurate timestamping helps a regulator compare logs from separate companies, when they're investigating something.
If you have a rule "no trading during the leap second", then you have to have logs to prove that you didn't trade during that leap second. So the systems generating the trading logs have to understand leap seconds and be able to log during that leap second. So you still have to do the same work to make your systems understand leap seconds.
A "no trading during leap seconds" rule actually makes things more complicated - you STILL have to do the work to make your systems understand leap seconds, and then you have to go implement the "no trading during leap seconds" rule (along with ensuring no trades are in progress when the leap second starts, etc).
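The logging requirement the post describes, as an added example that is not code from the post or from any real trading system: a parser that accepts the 23:59:60 leap second (which the standard library's datetime rejects), gives leap-second timestamps a sort key that keeps them between 23:59:59 and the next midnight, and scans constructed trade-log lines for trades that fell inside the leap second. The log line format and the leap-second table are assumptions.

```python
"""Leap-second-aware log timestamps and a 'no trading during the leap second' check."""
import re
from datetime import date, datetime

# Constructed subset of the positive leap seconds in the IERS table (the days
# after whose last second a 23:59:60 was inserted). A real system would load
# the full, regularly updated table rather than hard-code it.
LEAP_SECOND_DAYS = {date(2015, 6, 30), date(2016, 12, 31)}

# ISO-8601 UTC timestamps, e.g. 2016-12-31T23:59:60.250Z (fraction optional)
TS_RE = re.compile(
    r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d{1,6}))?Z$"
)

# Assumed log line format: "<timestamp> <EVENT> id=<id> ..."
LOG_RE = re.compile(r"^(\S+) (\S+) id=(\S+)")


def parse_utc(ts: str) -> tuple[str, float]:
    """Parse a UTC timestamp, allowing second=60 only at 23:59 on a leap-second day.

    Returns (day_iso, seconds_into_day). The leap second occupies the range
    [86400, 86401), so the tuple sorts correctly across the day boundary.
    """
    m = TS_RE.match(ts)
    if not m:
        raise ValueError(f"{ts}: not an ISO-8601 UTC timestamp")
    y, mo, d, hh, mm, ss = (int(g) for g in m.groups()[:6])
    micros = int((m.group(7) or "0").ljust(6, "0"))
    day = date(y, mo, d)  # raises ValueError for an impossible date
    if hh > 23 or mm > 59 or ss > 60:
        raise ValueError(f"{ts}: time field out of range")
    if ss == 60 and not (hh == 23 and mm == 59 and day in LEAP_SECOND_DAYS):
        raise ValueError(f"{ts}: second=60 is only valid at 23:59 on a leap-second day")
    return day.isoformat(), hh * 3600 + mm * 60 + ss + micros / 1_000_000


def is_valid(ts: str) -> bool:
    """True if parse_utc accepts the timestamp."""
    try:
        parse_utc(ts)
        return True
    except ValueError:
        return False


def is_leap_second(ts: str) -> bool:
    """True if the timestamp lies inside an inserted leap second."""
    _, sod = parse_utc(ts)
    return sod >= 86400


def stdlib_accepts(ts: str) -> bool:
    """Show that a naive strptime-based parser rejects 23:59:60 outright."""
    try:
        datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        return True
    except ValueError:
        return False


def leap_second_trades(log_text: str) -> list[str]:
    """Return ids of TRADE events whose timestamp falls inside a leap second."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, event, ident = m.groups()
        if event == "TRADE" and is_leap_second(ts):
            hits.append(ident)
    return hits


def sorted_timestamps(timestamps: list[str]) -> list[str]:
    """Sort timestamps using the leap-aware key (23:59:60 lands before midnight)."""
    return sorted(timestamps, key=parse_utc)


# Constructed sample log spanning the 2016-12-31 leap second.
SAMPLE_LOG = """\
2016-12-31T23:59:59.900Z TRADE id=T-1001 sym=ABC qty=100
2016-12-31T23:59:60.250Z TRADE id=T-1002 sym=ABC qty=50
2016-12-31T23:59:60.700Z QUOTE id=Q-77 sym=ABC
2017-01-01T00:00:00.100Z TRADE id=T-1003 sym=XYZ qty=10
"""

if __name__ == "__main__":
    print("stdlib accepts 23:59:60?", stdlib_accepts("2016-12-31T23:59:60Z"))
    print("trades during the leap second:", leap_second_trades(SAMPLE_LOG))
```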
It's perfectly reasonable that everyone who gets paid £X should pay the same amount of tax, whether they are a contractor or permanent employee.
It's perfectly reasonable for contractors to demand higher pay from their employer in exchange for the lack of benefits and the job insecurity. The employer gets the benefit of not paying for sick/holiday/etc and being able to fire easily, so the employer can and should pay for it.
It's not reasonable to expect other taxpayers to pay more so the contractor can pay less tax. The taxpayers don't get the benefits of the contract.
Of course, the way this should have been done was to fix the tax system properly, perhaps by taxing dividends as income (with an allowance for any corporation tax already paid). IR35 is an abomination of a law - it's a kludge, it's unfair, it's overcomplicated, and it's unpredictable.
What about switching the pump off?
Petrol stations in the UK have a fireman's switch that allows the fire brigade to shut off power to all the pumps. This will very effectively stop people from using a faulty pump - although it would also stop people from using the other pumps. I presume the US petrol stations have them too, since they're clearly a sensible idea.
Alternatively, an employee could go stand in front of the pump, or call the police to get them to come stand by the pump.
But I expect the petrol station was being run by a minimum-wage employee who was trained to do things by the book, and there wasn't a procedure for this. Management chose to limit its employees' initiative, management can take the loss.
The GDPR link
It looks like it's related to GDPR in this way: "We changed our systems to try to comply with GDPR, but our changed code had lots of bugs in it and it broke lots of things, including transfers in of .uk domains. We can't roll back to the old system because we're so incompetent we left it to the last possible day to roll out our GDPR-compliant software, despite knowing for 2 years that GDPR was coming, so it would be illegal to rollback and now we have to try to fix the issues introduced by these changes. We've spent a month fixing the long list of other issues caused by this change, but still haven't fixed the .uk transfer-in problem."
(Above is my interpretation of the "GDPR Implementation" section of https://enomstatus.com/ )
Based on the number of bugs, I suspect their GDPR project was scheduled by incompetent manager(s) and was going well past the GDPR deadline, so they pushed it live on the GDPR deadline despite them not being finished or ready.
Re: Phone cameras
> Question: If the camera never gets used, why am I paying for it?
You're assuming that one without a camera would actually be cheaper. That's probably not true.
Suppose a phone manufacturer made a phone available in two models, with and without the camera. The camera-free one needs the cameras removing, a new back cover with no hole for the camera, a new software image with the camera support/apps disabled and the other apps (e.g. messaging) modified to not support sending pictures from the camera, it needs fully testing again, including (for legal reasons) all the legally required testing and carrier testing. It also means the manufacturer has the cost of setting up a modified production line, keeping stock, distributing both models, increased support costs, increased cost of shipping a software update, etc. That's a lot of effort and expense.
The actual cost of the camera hardware is quite small. Even if you offered people the option of "would you like to pay £10 less and not get a camera", most people would go for the one with the camera. So the sales of the camera-free one will be very small, and all those fixed costs have to be divided by a very small number of sales. That means that the camera-free one will actually be more expensive, which means almost no-one will want it, which drives up the price further. It's not worthwhile for anyone to make it.
Clearly illegal data-gathering
So, 33% didn't opt in...
And how do they know that?
The only possibility is that when you say "NO, DO NOT COLLECT MY INFORMATION" they then ... collect the information that you opted out!!! That's clearly illegal, those people did not consent to that.
What's Canonical's turnover again? The court is going to need to know to calculate the GDPR fine...
Re: What about denial of service?
To interfere you need access to the fiber. If you have access to the fiber, then a pair of low-tech bolt cutters will work perfectly well to deny service.
However, either kind of denial of service will be followed by the relevant security people driving (or flying) along the fiber route, and finding the problem. If you hang around, you would get into trouble.