Posts by Hugh McIntyre

Re: Click Fraud

RE: "Which shows the fundamental flaw in pay per view and pay per click advertising. This type of fraud will continue until the gullible morons who place adverts stop placing ads on that basis."

Not disagreeing there's 'a problem, but unless advertisers buy ads on the basis of "please place adverts on theregister.co.uk, newegg.com, <other specific sites>" then they want some way to charge more when more copies of the advert are displayed. Pay-per-play schemes on Spotify or Youtube have the same risk.

Periodically advertisers have complained to Google about click fraud and demanded that "Something Should Be Done". So there is some effort to crack down, although right now this seems to be just treated as a containable cost of doing business. In particular the fact that the fraud uses a botnet is because it would be a bit obvious if all the fake requests came from the same IP address.

Re: H1B visas

Coincidentally the Mercury News had an article on this on Friday, at http://www.siliconbeat.com/2017/08/02/apple-h-1b-workers-average-139000-pay-outsourcers-dominate-visa-program-pay-far-less/

This claims 59,184 visas for major outsourcers (Cognizant, Infosys, Tata, Accenture, and Wipro) versus only 7,248 for Amazon,Google, and Apple for example, which seems kind-of lobsided. And it claims those 3 tech firms paid an average of $115K-$139K versus $72K-84K for the outsourcers.

So maybe treat outsourcers differently from H1B's for full-time engineering jobs? Although it may be difficult to define criteria for this :(

The other comment is that it's possible for both things to be true: regular employers struggle to hire junior/mid-level engineers (I have seen this as well as ckm5) but at the same time senior/older people can't find senior jobs, and/or there may be vacancies in software/RTL design but engineers with different types of hardware of software experience maybe can't find jobs.

Ideally there wold be a way to separate the visas for full time engineering jobs from outsourcers though, since the latter seem to be more of the problems.

Re: "must not have any known security vulnerabilities, must have the ability to be patched"

Re: "So..... if no known security vulnerabilities, why, errr, patch?"

Presumably, no known vulnerabilities when you buy the thing and needs to be patched if/when new bugs are found later.

Since the lack of patchability is one of the main problems of IoT, mandating the ability to patch seems like a good thing?

Re: KeePass to LastPass to 1Password

RE: "But at last check 1Password 6 doesn't support local vaults (forcing me to stay on 1Password 4)."

Nope, I have iPassword 6.7 here and have always used local vaults.

The only (main) missing feature with local vaults is that the sync only seems to work to mobile devices, not to other local computers :(. Very unhelpful.

I have to agree with the complaints about dropping the local vault version -- the fact that legacy 1Password keeps your data entirely on locally controlled systems is a major benefit. I would have recommended 1Password to others except that it seems impossible to get the one-off purchase any more, and who wants to recommend people sign up for yet another subscription?

Re: Satellites would do just as good a job against surface ships

I should have clarified:

Yes, I'm sure the Russians and others will use satellites in part to find surface ships. For one thing, oceans are big and you need to know where to start since sonar has limited range.

But satellite may not work in all cases -- clouds may mean you only see heat signatures which won't be as precise, you may not know which ship you are looking at unless you can track from source port, etc. So they no doubt *also* want the sonar signature.

Having said that, I'm sure they would get the signature eventually, so this is only a question of timing.

Re: memory encryption

Re: "Building a transparent hardware encryption of memory is conceivable, but I don't know of anyone who has done it."

AMD EPYC (Zen core) CPUs have hardware memory encryption, so someone has done it:

"Secure Memory Encryption (SME) encrypts system memory. Secure Encrypted Virtualization (SEV) isolates the hypervisor and guest VMs to prevent access to data in shared guest data areas."

More details are under http://www.amd.com/system/files/2017-06/Trusting-in-the-CPU.pdf. Some OS/hypervisor enablement is required, but no change needed for application software.

Re: "Barclays still make you have a debit card in order to use PIN-Sentry for online banking"

Not true, I have a pale blue card with "Authentication" on the top right which only works for PIN-Sentry, not ATM or Debit. It may be that you can't use a non-debit ATM card, but you definitely could get an Authentication-only card in the past at least. Contact your Barclay's branch ...

One of the complaints in the linked articles is that John Deere does not provide access to troubleshooting diagnostics. ("The EDL is the required interface which allows the Service Advisor laptop to actually communicate with the tractor controllers").

Perhaps what's needed is the same rule as cars, since all cars are required to come with OBD-II access and at least most of the trouble codes can be read with consumer-accessible OBD tools? Seems easy to extend the same OBD rule to other vehicles such as tractors?

In terms of John Deere they probably don't want their competitors using the same software in competing products. For example if John Deere spends a lot of cash developing some traction control software to make a tractor work better, they don't want a cheapskate competitor copying this. Even being able to see the software without copying may let competitors know what to do. Much of this was also possible in the past with mechanical reverse engineering, but probably not as easily.

It does seem though that updated sale-of-goods laws or OBD regulations may be needed to make sure people can reasonably diagnose products they have bought, either themselves or a requirement to provide service access to reasonably 3rd party repair shops at commercially reasonable prices, subject to not just copying the full software.

Re: Missing the obvious solution?

My first thought was also "why not just use a caching resolver, if the primary is not available?". If the default TTL is 1 day, small outages for common domains should be survivable.

But this proposal seems to be a solving a different non-outage problem i.e. ignoring malicious changes for common domains if you think it's more likely the domain owner didn't change it's IP addresses. For example people redirecting nytimes.com to a malicious IP address.

The problem remains how to distinguish intentional changes by domain owners from malicious ones. It does seem that signing DNS replies by the owner (with DNSSEC) would be a cleaner solution.

Re: Dear gods...

Most or all of the Integrated Circuit CAD packages run on Linux (only or at least mostly). It's true that package and board level design may run on Windows but IC tools use Linux. This includes Mentor's LVS/DRC and similar tools which are definitely up to date on Linux.

Re: 32/128Gb only

The iPhone 6s did the same - 32GB/128GB only, And the iPhone 7 only supports 32/128/256GB.

I assume the reason is to push people to 128GB since if people decide 32GB is too small and want 64GB, they will be forced up to 128GB since there's no way to add memory later. If they offered a 64GB version with a price in the middle, fewer people would pay for 128GB.

The 32GB version is definitely limited nowadays but Apple probably wants a lower spec for the entry-level model to keep the cost down, and the fact that 64GB is a better choice for many people will force them to 128GB :(

Re: Wait! What? They have our MAC Addresses?

Nope, don't see the local LAN IP address here from https://www.whatismybrowser.com/. Only the public DHCP IP address on the ISP WAN.

Some of the other info it displays clearly depends on JavaScript, so there may be more info visible with Javascript. Stack Overflow also claims that ActiveX on IE may give the MAC address (not an issue for those not using IE). TBH I'm slightly impressed the warrant knew to ask for the MAC address, but this is probably boilerplate request language from other computer warrants. For example, Google does not have payment info for most of us, I hope, but boilerplate ISP warrant language might ask ISPs for MAC addresses.

@ David Nash

Re: "How on earth did an online backup service (if that's what it was) allow content to be indexed by Google and accessible to anyone without credentials?"

I assume from the article that the files were backed up to something like OneDrive/GoogleDocs/Dropbox, i.e. not a real on-line backup service.

Re: Bullshit

I agree with the complaints about extra-territoriality. Definitely seems that it should be declined for this reason.

However, asking for draft messages is understandable because people including David Petraeus have been found out for sharing classified information and having two people sharing the same email account and reading messages in the draft folder to avoid actually sending messages in the hope of not being intercepted. This is almost certainly why the FBI wants the draft folder:

From the NY Times:

"In September 2012, Broadwell told agents that she and Petraeus would use the same email account, saving messages in the “draft” folder instead of sending them. "

Re: It is quite disturbing that Amazon has the ABILITY to satisfy this request

Re: "What purpose is served by keeping data Alexa hears longer than a minute? If they want to use it for other purposes like training speech recognition, it should be anonymized and filed away."

I assume their training wants to group what you say today with what you (same person) said yesterday. So the data stored today would need to be stored with the same anon ID as yesterday, which implies storing a mapping from your real->anon ID somewhere :(. Or less good training.

As such it's not fully anonymized, the same as your Google/Amazon search history may be anonymized when stored and when people do analysis but somewhere they need a mapping so your history can go together.

Personally I don't have such a listening box at home...

Re: And in practice ... ?

Re: "I won't be too chuffed if I can't get at my accounts because little Johnny has turned off his PC for the night, or been capped ..."

Or lots of other reasons including "little Johnny decided to delete this big folder they didn't understand which is filling their disk, thereby deleting a 3rd party's data".

It's one thing to have something like "CrashPlan backup to a friend" where you and the friend presumably have some agreement not to randomly nuke data. But it's hard to see how you'd put any valuable data on this system, unless it's only a controlled system within a company (or group of companies) controlled for safety with an IT department.

Highly doubtful unless they are only targeting business users.

Re: Big three … ?

Presumably "big three cloud companies" = AWS, Azure, and Google? (or some other three?)

And then adding Apple and Facebook makes 5.

Re: Clear Violation

If you try to read the actual "H visa" laws the details are impenetrable because of too many references to "as defined in regulation <foo>". But at least one of the categories says you cannot fire Americans and then hire foreign replacements directly.

In this case Disney seems to have gotten around this because they switched to a contacting company so they were not directly hiring the replacements themselves and then acted totally shocked that the contractors were H1Bs. Presumably they will claim they had no idea this would happen ...

Obviously the cleanest solution would be to fix the law to prevent this "switch to H1 contractor" cheat. It's also not clear to me why the respectable tech companies hiring "normal" H1's don't lobby for this -- right now there's an H1 lottery every year and people sometimes can't get visas for college graduates because of other contract visas. You'd think people like Google would lobby to tighten up the rules so the contracting companies don't use up the whole quota.

The other issue is an H1B was historically for a specific job at a specific company and specific location. It's not clear how the visa should apply to a contractor position if it's not tied to the specific Disney job, or at least this seems to subvert the original intention if you had a contractor who could work for more than one end company.

In the meantime Disney seems to have acted outrageously here even if they found a legal loophole. We'll see what the court says..

Re: Apple phone prices have rocketed!

Just checked in the USA:

Last year the iPhone 6s was $749 for the 64GB, 4.7inch version, I think.

This year the iPhone 7 is also $749 for the similar 128GB mid-point version.

So seems to be no change in price, and I think the iPhone 6 was the same $749 for 64GB at launch.

Still not cheap, both previously and now, but not really changed in dollars.

Re: Time for a change...

Presumably the indie labels would argue that they are providing a bunch of work for the 50% including advertising, order fulfillment, production assistance, etc. The artists are certainly free to stop using labels, find a label offering a better deal, or set up their own label. (Several large rock bands in the past did set up their own labels after releasing the ~ 3 albums their initial contracts required, once they were famous).

Likewise, artists are free to rely on your "solution" of only live performance revenue if they want. But some musicians clearly want to be paid for recordings as well, either directly or by using a label to handle the details. You're free to boycott such musicians/labels, just like you're free to give your own recordings away for free if you're a musician. But not free to force others to follow the same model if they don't want to.

Now, if 99% of musicians switch to live-performance-only then the few remaining die-hards may find it hard to charge money, much like Open Source means there's no big market for paid web browsers and servers any more. Not sure this would be a good thing though, not least because payment-for-music means that consumers can direct payment only to the good bands.

In terms of: "I don't think the artists personal situation with regards to poverty or not has anything at all to do with the discussion." -- sorry, but I do think it's relevant that if thousands/millions of people are enjoying someone's music, telling that musician "you get nothing, go live in poverty" is wrong.

Re: Contempt of Court

Yes, the equivalent offence is also called "Contempt of Court". However, that means the same thing as in the UK, i.e. "not doing what a court orders you to do". That's not this case, where it's just a vexatious plaintiff.

At least this case is not as bad as the following one from the NY Times last year: http://www.nytimes.com/2015/12/23/business/dealbook/sued-over-old-debt-and-blocked-from-suing-back.html?smprod=nytcore-ipad&smid=nytcore-ipad-share&_r=1

Debt collectors wrongly sued someone and got default judgement, then prevented him suing back to recover the money because of a forced-arbitration agreement in the small print. Yuck!

Re: Zip code for non-US cards @Simon 49

For travelers to the UK, what I did last time is to buy a voucher on mobiletopup.co.uk.

This charges a 99p transaction fee but otherwise gives you a usable top-up voucher.

Re: Nutters

In terms of V1:

Based on the the ATSB article they were past V1 by the time it failed the second time, so continuing the takeoff makes sense. See https://www.atsb.gov.au/publications/investigation_reports/2013/aair/ao-2013-212.aspx:

"During the second take-off roll, the crew became aware of an airspeed discrepancy after the V1 decision speed and the take-off was continued"

In terms of 2 sensors:

Reading the other details, the blockage was apparently not detected on the ground when they checked the aircraft after the first failed takeoff, and they didn't have 2/3 redundancy for the second takeoff because "The aircraft was dispatched with the ADR part of ADIRU 2 inoperative (switched off) in accordance with the MEL". So arguably if they'd continued with takeoff #1 they would have had 2 working sensors, although not meeting the flight rules and would still have had the problem with the flaps.

Re: "DVR service TiVo" @JeffyPoooh

At least when they started TiVo did indeed sell DVRs, and (along with ReplayTV) were the first to commercialize many of the concepts behind a DVR. In the past their user interface tended to get better reviews than the cable company in-house DVRs. As such the buyer is probably buying a bunch of patents, although the key ones may not have too much time remaining if they were filed when TiVo started back in 1999.

But then they suffered because the satellite/cable companies chose to build their own DVRs rather than paying a TiVo tax.

For a while though, the non-TiVo DVR's were generally clunky presumably because of not being able to use some features that TiVo or Replay may have patented, which sucked for end users put presumably helped TiVo get bought.

Re: I'd have assumed that their test code suite would catch something like that...

Re: "...And to preempt the too-predictable rebuttal about 'obscure timing of interrupts' etc., the Test Code (and associated hardware) can be left running for weeks x GHz clock speed. Test coverage should be a long string of '9's. [...] I shouldn't have to explain this. The interrupts' timing can be (should be) walked back and forth."

You're assuming that AMD (and the other CPU vendors) don't already do this - they do. Specifically random code running on a huge number of systems for weeks as well as all through the design process. And also directed tests where "the interrupt timing is walked backward and forward".

But even with this it's not possible to cover every possible bug. While I've not seen the full details of this specific bug the article contains this hint for the VMware/ESXi bug report: "Under a highly specific and detailed set of internal timing conditions, the AMD Opteron Series 63xx processor may read an internal branch status register while the register is being updated, resulting in an incorrect RIP".

So this is more complicated than just walking the NMI timing -- it only fails if the timing also hits "while the BSR is being updated", so you need other specific unlucky event(s) as well, and possibly requires other specifics such as a particular set of cache hits/misses or VM state to trigger the failing case. Put another way, the fact that Piledriver has been shipping for years with this bug only found now means that "running prototypes for weeks" does not cover everything, because there has been an enormous amount of random customer code running for a lot more than "weeks" on a lot more than prototypes before this bug was found.

Re: Why do we accept flaky network hardware?

Re: "Yet we don't extend the same leeway to storage hardware, for example: write a block of data from memory onto a disk and there's no checksum to protect against bus errors in the transfer."

Systems like ZFS do indeed use checksums (or other techniques in some non-ZFS servers) to protect against errors in server or storage hardware, including errors in data busses, disk firmware, etc.

Re: Disruptive Business Model

RE: "can a driver for Uber also be a driver for Lyft? Or are there clauses in the employment contract that forbid this"

Lots of drivers seem to drive for both Uber and Lyft.

Re: *Facepalm* You don't invest in proprietary standards

RE: "you need open standards ... DNLA"

Not sure that really helps :(. I have a Pioneer TV which includes DNLA but in practice both MPEG2/4 have a dizzying list of possible video/audio codecs and you end up with 99% of files not playing. The fact that the TV does not really document the supported formats doesn't help either.

So in practice the easier and better-supported solution is an external box (Roku/AppleTV/WDTV/Chrome stick/etc.)

Back to the original article: either one of the video services or TV companies is going to get it's act together and become known for making things just work for a reasonable lifetime of the TV, or consumers will learn the rest of the apps are just toys and give up on Smart TV's in favor of external boxes. "Airplay transmit video from app on phone/tablet" is the other option, in that the TV only needs to support that, not the individual apps.

Re: So, networking then

NFS works with MacOS as a client, but I agree that it can be a bit of an adventure, although some of the problems can also be because of Linux being a problematic NFS server, probably more picky than Solaris.

One of the unexpected tricks is that you need to set "resvport" as a mount option on recent MacOS, and can try NFSv4 versus v3 or other debug tricks if that fails.

It does work in the end, but may need some googling :(

Re: KeePass

Or 1Password which lets you store the DB locally (not in the cloud) and sync to mobile devices over Wi-fi (e.g. at home).

Probably want to avoid the browser plugins as well unless you want to trust code running in the browser's address space with access to all of your passwords (I don't).

Re: "Knowing you only have 36 exposures at a time can impose discipline."

Back when I did some medium format, the long time that it took to manually focus, meter, and compose a tripod-based shot meant that you spent a long time really looking through the viewfinder and then often deciding "no, this shot is not worth it" or correcting the composition to get a better shot. Rather than quickly click-click-click with a 35mm camera with auto-exposure. So it's not surprising the fraction of good pictures is higher for medium format, and 4x5 is the same.

Whether 35mm is any better than digital in this regard is questionable though. And, you can take the time to check and compose digital shots too.

Also, film was a big PITA in a studio if you were taking tons of shots with medium format and needed to keep switching 12-exposure film backs at a rate of knots all day :(

Re: "The subject of the photograph does not generally have any control or rights"

Actually in at least one small county (USA), someone recognizable in a photo has the right to restrict it's use for advertising or trade, and celebrities generally get a "right to publicity control" which means they get to control use of their images (because this is considered part of their trade). So the subject of the photograph *does* have control/right over the photograph in these cases. Hence model releases to avoid complaints later. OTOH newsworthy/editorial use is protected via freedom of speech, but even then a Release avoids debate about whether the use counts as news.

But I do agree with Cynic_999, that even if the person in the photo has signed away rights via a model release, Reddit is under no obligation to publish photos it does not want to, in somewhat the same way that theregister.co.uk doesn't have to publish user content/comments it doesn't want to either. So Reddit is free to have a policy banning photos based on taste or the subject not wanting them published, if Reddit wants.

@BristolBachelor, Re: Strangled by vested interests

Indeed. All the new plans around here seem to be unlimited voice and SMS and only varying cost depending on how much data you use, which implies the carriers have noticed this.

Re: Erm, wrong

Firstly I agree with all the other posts that Blackberry cannot force people to write apps for them and this should not be made a rule. That's the cost (for BB) of being a minority platform, just as lots of platforms no longer get Flash or AcroRead [*].

The one area where there might be a valid argument, though, is to require enough of the protocol to be public so that Blackberry (or someone else) could write their *own* iMessage compatible app. Similarly to the way Microsoft was required to open up APIs and file formats, but not forced to write a copy of Office for other platforms. This could also have the consumer benefit, long term, of being able to buy a phone from company A and tablet from company B and more compatibility between the two.

The obviously problem though is how you'd decide which protocols would have to be open and which were small enough, so it's very unlikely Mr Chen will get help from the FCC. Presumably you'd just require "dominant/monopoly" content such as iMessage or Skype, with even Netflix being much less obvious, but really it's hard to see this being a rule. In the past some of these open formats were forced by government purchasing i.e. "open the protocol or no US Gov sales", which was enough leverage in many cases.

BB probably shouldn't hold their breath ...

[*] sometimes a blessing?

For some reason the bash update does not show up in Software Update :(

You need to go to the web page in the Apple security advisory and install it manually. And no, I have no idea why Apple chose not to bother to include this by default.

Re: Used to be a remedy for home sickness

There are already products you can buy to watch your TV away from home, for example a Slingbox. Or some satellite/cable companies (e.g. DirecTV) have an app that you can use to watch your DVR away from home. So you may not need to roll your own solution. However both of these require that you already have TV reception at home, and avoiding this monthly cost was presumably kind of the point of Aereo.

What the Supremes seem to have objected to was that Aereo has a profitable business collecting revenue based on people viewing the broadcasters' programs, but without any of this revenue going to the networks. This sucks for Aereo, but presumably they could get legal again by putting the per-user antenna in people's houses (ala SlingPlayer and an old-fashioned antenna on the roof) or paying some money to the broadcasters. And in the mean time, you may be able to use something like a SlingBox.

Disclaimer: I have an old Slingbox in the garage which I used to use round the house, until the delays versus a real TV got too annoying. So I'm neither recommending or non-recommending this. If you need to watch TV away from home it may work though.

Re: Really?

I agree it's strange to say the least.

But maybe the hardware is not sitting there ready to be shipped? For example if it's a replacement server someone else is using, and the existing user needs to move their data off first (this does seem a bit cheap), or some hardware is not in stock 7 miles away? Or, more plausibly, the message is garbled and the two weeks is the time needed to restore the replacement servers to working order after unraveling backups and data brokenness?

Re: Back in the day ...

Containers with HTML and plain text (or RTF and plain text, etc.) are actually MIME multipart/mixed. Back in the early 90s when this was introduced Microsoft was actually sending the markup in a proprietary "winmail.dat" attachment (very annoyingly for non-Windows users), so they were late to multipart/mixed.

PS: even in 1989 (rfc1123), >=64KB was more likely: "Although SMTP does not define the maximum size of a message, many systems impose implementation limits. The current de facto minimum limit in the Internet is 64K bytes. [....] and a much larger maximum size is highly desirable"

Re: 2007 hardware obsolete?

I ran into a similar issue a month or two ago on my 7 year old MacPro1,1 and gave in on Snow Leopard when the latest Adobe software wouldn't run any more :(

Lion or Mountain Lion are not obviously available on apple.com, but there's a link to still download a copy of Lion for $19.99 if you need it at http://store.apple.com/us/product/D6106Z/A/os-x-lion. (Similarly for Mountain Lion, but that won't run on the old systems either so you're stuck with Lion). Not free as with Mavericks, but not impossibly expensive either if you want to keep the old system running.

Re: I see some difficulty

Presumably the idea would be for one group of ISS-operating western/Russian governments to beam free internet to non-ISS Internet-censored countries like North Korea, in the style of Radio Free Europe? The website also claims natural disaster broadcasts as a goal.

As you say there may be an issue getting all of the ISS governments to agree on content though. Plus this is not free since even a small increase in launch weight adds fuel and cost.

The website explicitly says this is broadcast, not a regular 2-way network connection (except for "a small number of users"), and this makes sense since you'd presumably need a larger and possibly Internet-censored antenna to transmit data to space. So no sending email or random web browsing - more like waiting for your page to come round in the style of Ceefax. Maybe also a not-easy-to-obtain antenna for receiving data, presuming they don't expect to deliver useful 802.11 power levels from space?