* Posts by DougS

12895 posts • joined 12 Feb 2011

J'accuse! Amazon's Rekognition reckons 1 in 5 Californian lawmakers are crims in ACLU test

DougS Silver badge

Re: 99%?

The problem is that people who understand statistics can be told this, and will see the problem. The overwhelming majority of the public (and legislators) have little understanding of statistics, and are blinded by "even if it catches one criminal that would have otherwise been left to walk free and murder someone, it is a positive for society".

The only way people will understand why it is bad is for it to be deployed, and news stories to begin to come out about the number of people detained due to false matches, along with some high profile people in government falsely detained. Unfortunately at that point the money has already been spent, so the talk will be about how to fix it.

You can reduce the number of false matches to any arbitrary level by requiring a higher confidence of match, but that reduces the number of true matches to where it was never worth the money in the first place. Except to the company that got the contract, and the politicians who got campaign contributions from them or lobbying jobs from them after they left office. And that's all that really matters to the politicians - they aren't spending their money, after all.
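Added example, not from the post or the article it discusses: a seeded, constructed simulation of a watchlist compared against a large gallery, sweeping the match-confidence threshold to show the trade-off the comment describes (fewer false matches at a high threshold, but fewer true matches too). The gallery size, watchlist size and score distributions are assumptions, not Rekognition's or the ACLU test's.

```python
"""Confidence-threshold trade-off for a face-matching watchlist.

All numbers are constructed for illustration: genuine (same-person) pairs
and impostor (different-person) pairs get synthetic similarity scores from
two overlapping, seeded distributions, which is what makes any single
threshold a trade-off between false matches and missed matches.
"""
import random


def simulate_scores(n_genuine=120, n_impostor=25_000, seed=7):
    """Return (genuine_scores, impostor_scores), each clipped to [0, 1].

    Assumed distributions: genuine pairs around 0.88, impostor pairs
    around 0.60; the impostor pool is far larger, as a gallery is.
    """
    rng = random.Random(seed)
    genuine = [min(1.0, max(0.0, rng.gauss(0.88, 0.06))) for _ in range(n_genuine)]
    impostor = [min(1.0, max(0.0, rng.gauss(0.60, 0.12))) for _ in range(n_impostor)]
    return genuine, impostor


def sweep(genuine, impostor, thresholds):
    """Count true/false matches at each threshold and derive precision/recall."""
    rows = []
    for t in thresholds:
        tp = sum(s >= t for s in genuine)     # real matches kept
        fp = sum(s >= t for s in impostor)    # innocent people flagged
        precision = tp / (tp + fp) if (tp + fp) else 0.0
        rows.append({
            "threshold": t,
            "true_matches": tp,
            "false_matches": fp,
            "precision": precision,       # share of flags that are correct
            "recall": tp / len(genuine),  # share of real matches still found
        })
    return rows


def threshold_for_false_match_budget(genuine, impostor, max_false_matches):
    """Lowest threshold (0.000..1.000) whose false-match count fits the budget.

    Returns (threshold, recall_at_that_threshold); the recall is the price
    paid for driving false matches down to the requested level.
    """
    for k in range(0, 1001):
        t = k / 1000
        fp = sum(s >= t for s in impostor)
        if fp <= max_false_matches:
            tp = sum(s >= t for s in genuine)
            return t, tp / len(genuine)
    return 1.0, 0.0


if __name__ == "__main__":
    g, i = simulate_scores()
    for r in sweep(g, i, [0.80, 0.90, 0.95, 0.99]):
        print(f"t={r['threshold']:.2f} true={r['true_matches']:4d} "
              f"false={r['false_matches']:5d} precision={r['precision']:.2f} "
              f"recall={r['recall']:.2f}")
    t, rec = threshold_for_false_match_budget(g, i, max_false_matches=50)
    print(f"to keep false matches <= 50 you need t={t:.3f}, recall drops to {rec:.2f}")
```

Because the impostor pool is so much larger than the watchlist, even a small per-comparison false-match rate yields more false flags than true ones at every threshold shown.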

Pokémon Red and Blue-era trading cards just made their owner a load of green: Complete set sells at auction for $107k

DougS Silver badge

How hard would these be to counterfeit?

A high resolution scanner, and high quality printer, and whatever type of cardstock they are printed on, and you could make $100K? Seems worth a shot.

Researchers peer into crystal ball to see future where everyone's ID is tied to their smartphone

DougS Silver badge

Re: Health insurance provider

Who the hell carries their insurance card with them everywhere they go? People who have back pain because their overly thick wallet in their back pocket is messing up their posture every hour they sit, that's who!

DougS Silver badge

Re: Health insurance provider

Why? They are probably doing that because people like me have been taking a picture of their card on their phone for years, so you don't have to remember to bring your card with you to an appointment (to say nothing of what you do if you end up in the ER when you won't have your card on you).

I haven't carried a health insurance card for a decade now. I probably still have a picture of my insurance card from 2009 if I go back far enough in my iPhone's photo roll.

I think my insurance carrier has an app, but I haven't bothered to install it because the photo works just as well. If they didn't send me a physical card, I'd take a picture of the computer screen displaying the numbers. That's what the receptionist wants when you show up, I can read it off a photo just as easily as I can read it off a physical card.

DougS Silver badge

If done right nothing will go wrong. It is the "something you have" to go along with "something you know". So "done right" would mean not using finger/face ID as a password, but require typing in a password - at least for really important stuff like transferring money out of your investment account.

For less important stuff like posting on El Reg I'd be fine with a simple ID based on having my phone near me talking to my computer via Bluetooth to give it a challenge/response to login to El Reg without a password on my PC.

What I don't like about this article is saying it will be worth $7 billion to mobile operators by 2024. My carrier has no business being involved in this, and I would never use any service that tried to charge. Though I'd like to see them introduce a service that charges, then see Apple & Google steal their lunch money by building it into iOS/Android using the Secure Element / ARM equivalent of Secure Element on Androids. Any time the mobile carriers get a good comeuppance I'm in favor of it!

HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead

DougS Silver badge

They designed it to be more efficient at delivering ads. Resistance to DoS attacks wasn't a consideration.

Apple is a filthy AWS, Azure, Google reseller, gripe punters: iPhone giant accused of hiding iCloud's real backend

DougS Silver badge

Re: A contract is a contract

Why would they have an obligation to disclose this? They are selling a service, and don't claim anywhere that it is delivered entirely on Apple owned and operated infrastructure.

It isn't exactly a secret that they do, so people who claim to care so much about this should have done a little research. They don't care of course, they're just out to sue a company with deep pockets, hoping to make a quick buck.

DougS Silver badge

Whether or not Apple encrypts the data is irrelevant to the agreement. All it states is that Apple is the provider of the SERVICE called iCloud. It doesn't matter that the data on iCloud may be stored on Microsoft's cloud any more than it matters that the servers may be manufactured by Dell or they may run RHEL or the drives may be made by Seagate or the electricity they use may be provided by PG&E.

Nowhere does it state in the agreement that the equipment iCloud data is stored on is owned or operated by Apple.

Oh chute. Doubts cast on ExoMars lander's 2020 red planet jaunt after another failed test

DougS Silver badge

Re: International cooperation

Surely redundant chutes are less expensive than all this engineering and testing of a new solution, especially if it causes the entire mission timeline to be pushed back.

DougS Silver badge

International cooperation

Would come in handy here. NASA has already solved this problem, why don't they talk to NASA and use one of their proven solutions instead of inventing a new unproven one with a high risk overly complicated parachute deployment scheme?

Donald Trump blinks in his one-man trade war with China: US govt stalls import tariff hike on Chinese phones, laptops, electronics

DougS Silver badge

Trump is always negotiating with himself

He announces something, then takes it back. Him caving on yet another deadline shows how weak his position is. China will "win" this dispute by simply being willing to wait him out, knowing he will be forced to give in before next year's election to prevent the economy from going downhill. If the economy turns sour, the democrats could beat him running Walter Mondale's corpse.

Let's see what the sweet, kind, new Microsoft that everyone loves is up to. Ah yes, forcing more Office home users into annual subscriptions

DougS Silver badge

I've been recommending it to people for years

They always find it is more than adequate for their home needs. I suspect the reason it hasn't taken over the business world is PowerPoint is so much better than the LibreOffice equivalent and managers love their PowerPoint.

Probably also a few underground Excel jocks with complicated spreadsheets that have grown over the years and the business is now dependent on, but they could buy those guys real Office.

An Army Watchkeeper drone tried to land. Then meatbags took over from the computers

DougS Silver badge

Re: So the project is on track then

A military project that requires only 180% of the initial budget is in fact WAY under budget by comparison to other military projects.

US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files

DougS Silver badge

How come web sites with nothing important

Seem to generate URLs with dozens and in a few cases I've seen HUNDREDS of characters of gibberish, and an insurance company with personal information to protect uses sequential numbers in theirs?

Outsource to the lowest cost provider, who hired the lowest cost offshore team, who were probably freshly out of "college" but faked their degrees to get the entry level IT job and this is what you get, I suppose.

Header aches in Firefox, Tor, Brave and Chrome as HTTP opens new security holes

DougS Silver badge

The HTTP extensions Google pushes are to serve Google

If you think they want to make the web faster to improve your experience, you're wrong. They want to make the web faster so they can deliver more ads, and reduce the speed gain you get by blocking ads so you (hopefully) have less reason to do so.

It's a God-awful smell affair.... is there life on Mars? Rocks ruled out as source of mystery methane on Red Planet

DougS Silver badge

Re: The plot thickens

The anal probes are to detect the source of the methane?

US still 'not prepared' in event of a serious cyber attack and Congress can't help if it happens

DougS Silver badge

Re: You want help?

Don't forget violent video games, there was a lot of mention of that by politicians including Trump. Somehow countries like South Korea and Japan that have a much bigger gamer culture than the US don't have this problem, so that doesn't hold any water.

The "restrict crypto" and "we need more good guys with guns" solutions are not attempts to solve the problems that lead to mass shootings, but an overly hopeful attempt to head them off at the last moment.

DougS Silver badge

Re: You want help?

They will never stop asking, and are just waiting for the right narrative to make their next big push. They thought they had with San Bernardino, but when they managed to access that iPhone they found there was nothing of value.

They're looking for that golden opportunity where a terrorist or mass shooter is found after the fact to have used a messaging service that uses end to end encryption where the plan was detailed in advance, so they can claim "see, if we had a backdoor we could have stopped him". When they make such a claim, there's probably an equal chance they simply faked it because they were tired of waiting for the right circumstances. At some point they'll magically find something a shooter/terrorist left behind detailing the entire plot in advance, then AG Barr will point to that as a reason they need to force companies to provide a backdoor.

Unfortunately they would probably get a lot of people on their side, not only Trumpies who will go along with anything he pushes, but enough others to create a majority. Too many people have an unreasonable fear of terrorist or mass shooting type incidents even though the odds of dying in one are lower than dying in a car crash or even falling in your bathtub. They may be willing to give up their rights in exchange for a bit of illusory safety. The democratic candidates would go along with it, no one wants to appear weak on terrorism/mass shootings, so even if they don't agree with the plan they won't be willing to take a hard position against it (except maybe Bernie). Both parties are pretty willing to give more power to authorities except for, funnily enough, the extreme right and extreme left, neither of whom trusts them with such power, though for different reasons.

Looming US immigration crackdown aims to weed out pre-crime of poverty. And that may be bad news for techie families

DougS Silver badge

Re: Such transparent racism

It's racism because it will obviously be used against non-whites much more so than whites. Every one of his immigration policies has been targeted that way, and he's even said he'd be fine with more immigration from Europe.

DougS Silver badge

Such transparent racism

They aren't even trying to hide it any longer, because Trump has shown that overt racism doesn't scare away his base and in fact makes many of them like him more!

US military swoops into DEF CON seeking a few good hackers for debut aviation pwning village

DougS Silver badge

Re: Is it just me...?

More likely the top prize is a job offer. Even if you aren't interested in working for the military, that exposure can't hurt a security professional looking for a job involving say connected cars or SCADA type systems that would have some similarity as far as threat models and exploit methods.

No one is forcing anyone to participate, so if they need to be paid they should start looking for those $1 million iPhone exploits.

DougS Silver badge

Re: That's what you get when you ignore ethics

So it is better in the Euro conferences you refer to to have military/spy agency recruiters in the shadows? Surely you're not naive enough to believe they aren't present! Maybe the "artists" in your example simply didn't fool anyone into believing they were who they portrayed and that's why nobody took the bait. That doesn't mean there weren't real recruiters there also, who aren't going to tell anyone whether their recruiting efforts met with success or not.

Isn't it better if this sort of business is conducted out in the open? Those who aren't interested can more easily stay away if everyone is on the up and up about who they represent. And isn't it a laudable goal to try to harden military aircraft against hackers? Hijacking a jet would be a terrorist's dream, hopefully that is as difficult as possible (though I'm still very leery about this idea of giving them an IP connection in flight, that's just asking for it).

Green search engine Ecosia thinks Google's Android auction stinks, gives bid a hard pass

DougS Silver badge
Go

They should have bid one cent

If everyone else did the same, Google wouldn't be able to use their punishment as an opportunity to make more money.

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

DougS Silver badge

Skynet

Security is hard. It's because of users.

Skynet starts as an AI told "make the internet secure", and determined the only way to accomplish that would be if there were no more humans.

I could throttle you right about now: US Navy to ditch touchscreens after kit blamed for collision

DougS Silver badge
Facepalm

What a stupid idea

If they realized a ship still needs a 'wheel', why couldn't they realize it needs a physical/tactile throttle too? Touchscreens have their place, for functions that are not critical to the operation of the ship. Anything that ships did 100 years ago should have physical controls.

I hope they don't have the button to fire a missile on a touchscreen, I hope it is still a physical button with a plastic cap over it, and lights up when a target has been entered and only allows firing when it is lit up and the plastic cap is lifted - you do not want to accidentally fire if you are quickly working the touchscreen, get onto the wrong screen before you realize and fire a missile!

I hope the same is true for lowering the anchor, you don't want to accidentally do that while you're executing a tight turn in shallow waters or you may cause hundreds of injuries.

I guess whoever designed this watched too much (non TOS) Star Trek and fell in love with an all touchscreen interface, because "futuristic"!

Crunch time: It's all fun and video games until you're being pressured into working for free

DougS Silver badge

Re: It's like new lawyers or investment bankers

So not that different than doctors then, who go through a similar hell of overwork during residency, knowing it will all be worth it when they come out the other end. I dated a girl during most of her pediatric cardiology residency and fellowship where she averaged 80-90 hours a week for about 48 weeks a year for four years. The stress of it all is what ultimately broke us up.

I've heard rumblings that the AMA wants to change things, but hospitals are resistant because they'd need to cover all the hours they are getting for free, and argue that they'd have to extend residencies for several years for residents to gain the same experience. If that was the choice I'm sure a lot of residents would prefer the current system where they can get it over with in fewer years. Not sure whether experience in the 41st hour of the week and the 81st hour of the week really sticks in your memory to the same extent though, but that's what they seem to be claiming.

SELECT code_execution FROM * USING SQLite: Eggheads lift the lid on DB security hijinks

DougS Silver badge

What about browsers?

Chrome, Firefox and I believe Safari all use SQLite, but obviously don't permit filesystem access where the db is stored. But couple it with an exploit that allows filesystem access via the browser (we've seen a few of those over the years) or one that lets you store unconstrained data in the db, and this bug could be leveraged for full code execution in the browser as the user running it.

That's going to be a problem for the owner of a smartphone, and if you couple it with a privilege escalation exploit, something we see regularly on smartphones, then you have a way to completely p0wn a smartphone if you can get them to surf to your web page. Not quite enough to get $1 million from Apple (requires no user interaction so you'd need yet another exploit where you could e.g. send them a link via iMessage and cause the phone to open it without the user doing anything) but it would be worrying nonetheless.

Rather than hackers taking over popular sites and defacing them, they could leave the site alone and have it p0wn phones. That would take the site owners longer to notice and correct, since defacement is pretty obvious.

Now granted what I'm talking about here depends on several other exploits since this SQLite exploit by itself doesn't do all that much, but chained exploits are what we really need to worry about, especially for smartphones. Something like that will be the first widespread attack on smartphones that changes perceptions, like I.LOVE.YOU was for Windows. Maybe a month from now, maybe a year from now, maybe five years from now, but someday hundreds of millions of people will have their phones p0wned within days of each other.

DougS Silver badge

I wouldn't assume this isn't serious

Just because this particular exploit requires direct filesystem access, that doesn't mean this in combination with a separate exploit that let you feed data formatted in a certain way (remember little Bobby Tables) into the database couldn't allow you to take advantage of it without filesystem access.

Those Bobby Tables type exploits are probably easy to overlook if you have - or more to the point think you have - controlled/sanitized input to a database. I mean, why waste time fixing stuff like that when there are real bugs to fix? They don't become a problem until a second exploit like this new one comes along to weaponize it.

I'll bet it turns out this causes problems even where filesystem access is not possible.

Talk about unintended consequences: GDPR is an identity thief's dream ticket to Europeans' data

DougS Silver badge
Facepalm

Sorry, EU law can't control what a US company that happens to also operate in the EU collects on US servers about a US citizen located in the US. If you think it can, then the US government could pass a law saying "people regardless of citizenship or location have no right to know what information a US company has collected about them" which would conflict with the EU law. How exactly would that be resolved?

People who live outside the US are always (rightly) complaining about the US overreaching and trying to enforce its laws worldwide, but it does that cause no favors to support this stupid idea claiming that your laws should impact how a US company can interact with US citizens on US soil!

DougS Silver badge

If they have her social security number she's American (unless there are other countries who have something called a "social security number") and if they collected it, it is almost certainly an American company because EU companies have no reason to collect it. GDPR doesn't apply to that transaction. The EU can't make a law that controls what a US company collects from a US citizen just because they do business in the EU. They can only control what that US company collects about an EU citizen.

Before someone tries to claim that the GDPR DOES (or should) let the EU control what an American company collects about an American citizen, consider first what happens if the shoe was on the other foot, and the US made a law that companies can collect any information they like about their customers and those customers have no business knowing what was collected. How would the two conflicting laws be reconciled? Obviously by applying them only to the citizens of the country/countries that passed such laws.

DougS Silver badge

"No mere company has anyone's Social Security number"?

Where the hell do you live, obviously not the US! Just about every company you do any business with involving credit (even of the monthly recurring payment type like a cable TV company) has your SSN since it is the "key" used to identify one to credit reporting agencies like Equifax.

DougS Silver badge
Facepalm

The issue isn't that he got his fiancee's info

The issue is that anyone can get anyone else's info, by just saying they are that person - apparently there's nothing stopping me requesting his fiancee's info if I had a few scraps of information about her. I find it ironic that the GDPR, passed in a continent where I've never lived or have any citizenship and supposed to help privacy of Europeans, has made it easier for people to steal the identity of Americans who have no dog in this fight!

They just need to make a GDPR request in my name to some company that will answer and is likely to have my social security number, birthdate, etc. such as a big US bank. Hopefully I have only done business with the 5% that refused to respond!

You lot better fix your broken law and make it clear exactly how GDPR information requests are to be authenticated in a secure manner. You made the mess, now fix it!

Xbox daddy bakes bread with 4,000-year-old Egyptian yeast

DougS Silver badge

Re: Eh?

Oops, you're right, per second vs per minute confusion! And hardly anyone can reach 240 bpm no matter how hard they exercise. Maybe a kid on a sugar high at Disneyland...

But now I'm really unsure what the guy who claimed that 60 Hz is closer to "the body's own signals" is talking about.

DougS Silver badge

Re: Eh?

If you're in good shape, your heart will beat closer to 50 Hz than 60 Hz so 50 Hz would be more dangerous.

The far more important factor is the voltage, twice the voltage overcomes resistance more easily and results in more milliamps potentially crossing the heart. You'd rather be shocked with 120 volts than 240 volts regardless of Hz, though both can kill in the right circumstances.

DougS Silver badge

Wow look at all the downvotes

From any of us yanks questioning the Brit's tea.

No wonder dumping their tea in the harbor was such a powerfully symbolic act, the equivalent piss off for Americans would be strangling a bald eagle with the stars and stripes while singing the national anthem off key :)

DougS Silver badge

Re: Eh?

How long does the British kettle require to boil? Add 40% to that time, and that's what it would take the US kettle. Hardly a big imposition.

And many US kitchens are wired for a 220/230/240v socket for an electric oven (even if the installed oven is gas) so you could get your tea EVEN FASTER if it means that much to you!

Hey dudes, we need to start living together in Harmony: Huawei puffs up new distributed OS

DougS Silver badge

Re: Yeah but, no but...

Doesn't matter. The Android Huawei uses for the overwhelming majority of their phone sales is AOSP, not Google's Android, so they don't have access to the Play Store anyway. The Chinese market has never used the Play Store, they have their own, so Huawei is in a FAR better position than say Samsung to drop Android and not miss the Google Play Store or Google services.

They only use Google's Android for sales in the US/EU, which is a small part of their market.

DougS Silver badge

Yes, a microkernel can be fast or it can be secure, it can't be both. Though even Mach is too fat to really be considered a true "microkernel" these days. It gets called that because the filesystem isn't part of it, but it is still far too large to formally verify. When Apple needed a microkernel for their Secure Element they could formally verify, they didn't use Mach, they used L4. I wouldn't consider it completely out of bounds to suggest that someday L4 might replace Mach in iOS/macOS. It would be a lot of work, but the security benefits would probably be worth it.

Another 3,900 staffers gone, 3 data centres to be closed, and yet DXC revenues keep falling

DougS Silver badge

Re: Can't earn anything if there's nobody to do the work

Probably they have laid off most of the experienced (i.e. well paid) staff and replaced them with overseas staff and kids fresh out of college who don't know anything.

That sort of cost cutting looks great to Wall Street, until you can no longer serve your customers and the business falls apart. But no matter, those responsible have been making bonuses for years and will walk out rich men so it was a successful strategy from their perspective!

Alexa, can you tell me how many Chinese kids were forced into working nights to build this unit?

DougS Silver badge

This is worse than prison labor in the US

At least prisoners have a choice of whether to work for pennies or sit around in their cell. Apparently these "students" need to work full time or 50% over full time in order to graduate. How sticking film on an Alexa "educates" them eludes me, but I'm sure the instructors collecting a bounty for selling out their students can come up with some excuse.

DougS Silver badge

After several years of bad news on this front they've probably got their monitoring and compliance set up pretty well, it has been some time since there have been any stories about Foxconn labor abuses involving Apple.

This is probably Amazon's first time dealing with Foxconn, it will take them time to learn all the ways Foxconn can screw them over and give them a public black eye until they get things under control.

DougS Silver badge
Devil

Re: Amazon claimed the report came as a terrible shock

Whether or not they knew, what was a terrible shock was that the information became public!

Here's to beer, without which we'd never have the audacity to Google an error message at 3am

DougS Silver badge

Bullshit

Google is only useful if you have the kind of easy problems that someone with a clue can resolve on their own. If you know your stuff, and run into a problem you can't solve and try Google, 99% of the results are irrelevant, useless, misleading, wrong or all four.

Once in a while you will find the right answer, but only because someone took the time to post a question to some type of forum, and someone who knows their stuff took the time to answer (or the original questioner eventually solved it and was nice enough to come back and provide the answer).

That's bang out of order: Threesome hookup app 3Fun leaked lovers' data, locations, pix – report

DougS Silver badge
Devil

People who use the internet to look for threesomes

Probably aren't big on privacy anyway!

Top 5 greatest anime crossovers: Samsung deploys Microsoft at Note 10 hootenanny

DougS Silver badge

Re: How does that make DeX more useful?

Why in the world do you need to run Whatsapp off your phone and display it on your PC, rather than simply running it directly on your PC? That makes no sense.

If you argue "my work doesn't allow me to run Whatsapp" then they likely aren't going to allow you run the app on your PC that lets you access your phone, either.

How powerful are Russian hackers? One new law could transform global crime operations

DougS Silver badge

Re: Who is "threatened" by not having access to the Russian internet?

That's fine but my point is that Russia has NOTHING people outside the country need to access, so those of us who don't live in Russia have no reason to care if they cut off their internet.

If China is cut off, that's a different matter - you need access to all the support sites for stuff that's made in China. Though they could mirror those sites on the outside (and maybe they do, I don't really know which sites I visit are actually physically in China or not even when the company itself is).

You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

DougS Silver badge

People voting more than once is an even less realistic way to compromise an election. That requires a lot of dedicated people and NO ONE making the conspiracy known. If one of them talks and fingers the person organizing them, it's game over.

If you want to compromise an election in that way you don't do it on election day, you do it via absentee ballots. Far easier since you have plenty of time to do it instead of trying to crowd it all into a single day.

This is why voter ID as "fraud prevention" is so stupid. There aren't huge numbers of imposters voting on election day, there are cameras in and around most polling places and it would be trivial to be caught even after the fact (i.e. if you voted using someone else's name and then they showed up and were told they were marked in the rolls as having already voted). You'd do it via absentee ballots, like the crooks in North Carolina's 9th district who were caught doing this in the last election (and it sounds like they'd been doing this for other elections in the past too). None of the voter ID plans address absentee voting at all.

DougS Silver badge

Re: Sure there are potential exploits against paper

Well once again if you own state government enough to totally own the voting process, your party has strong enough control that it would win even in a fair election. Just by less.

DougS Silver badge

Sure there are potential exploits against paper

Auditing techniques can sniff out ballot stuffing attacks, but even if you assume they can't or that the auditors can be corrupted...

The important thing is that ballot stuffing requires one or more people with physical access to the ballots, in every single precinct where you want to "stuff". You can't hack paper from halfway around the world, or compromise 10,000 precincts at the same time. Ballot stuffing doesn't scale the way hacking does, and you only have to get caught once and have someone spill the beans for the whole scheme to unravel.

Plus the US has a really great defense against ballot stuffing even if you assume every person in the government of an entire state is corrupt and makes laws against audits - the electoral college. If one party has such control over a state that they could successfully attempt this, that party would win the delegates for that state anyway so there's nothing to be gained at least not on a national level.

Biting the hand that feeds IT © 1998–2019