Posts by Lee D

Re: So that means...

I'd happily pay more if they got rid of or vastly increased the stupid data limits.

But you can't really argue with £20-something a month for 40Gb plus several data-not-measured services (Netflix etc.) via Three, or even £30-something for 50Gb and LOTS of data-not-measured services via Vodafone (with their pass things that exclude everything from Amazon Prime to Netflix to Spotify to Whatsapp from your data usage).

Bear in mind that I *only* have a 4G Internet connection and no landline, and it's actually cheaper for me that way. Sure, if I had a big family I'd want more but I'd also pay more too. Cheapest broadband I can get from any kind of decent name (i.e. not TalkTalk) is £20-something plus £20-something line rental, plus install, plus a 2-year-contract, plus buying a better router, etc. etc. etc.

Re: Despite coding in it ...

From a non-developer point of view, it's just a HUMONGOUS library, no different to any other, except that for some reason it takes 30+ minutes to install / update sometimes.

There are also numerous (and seemingly "not compatible") versions of it that all have to be installed to actually run that tiny little program that does not-very-much (e.g. run https://simplednscrypt.org/ on something that's a fresh machine) and where you have to keep around a copy of all the previous .NET Frameworks (some of which no longer install nicely on modern Windows, some of which are integrated into Windows as a "optional feature" that you have to install, etc.

And which multiple major software vendors either a) don't upgrade so you have to keep .NET Framework 3.134784374387 around because that's what they base their code on and reinstall it on every machine you want to run the program on or b) have to do a humongous Framework install / Windows Update / etc. every time they change it.

Then you call all those frameworks the same thing with slightly different numbers (3.0, 3.5, etc.) and hide them on the Microsoft site, and hide the "full installers" even further away so people spend half their life downloading them all.

Then, at the end of it, you get something approaching an "ordinary" Win32 program that may or may not work depending on whether you go it all right, with no clue as to what was wrong except from the developers who have a "recipe" for installing their particular variant of it in the right order.

Meanwhile, you've downloaded 5Gb of Framework, wasted hours of your life, churned the disks on the machine for hours while it "searches for previous installs / updates components" and can't push the software that uses it in any sustainable fashion as you can't guarantee that the end machine will have the right version at the right time.

Honestly, just statically compile the damn thing into the binary because I'm sick of it by this point...

"there's zero reason why anyone should be unwilling to upgrade..." "and 12.0.1 would inevitably follow to clean up any lingering issues"

(raises hand)

Oooh, oooh, me, sir, I've seen the answer!

Re: The weakest link....

We really, desperately need to stop making systems where a browser-click compromises the system.

For a start, if all this stuff does is show flight info, why the hell is there even a browser installed?

Until we relearn least-privilege principles, where people don't get any button they don't need and programs don't get any access they don't absolutely require, we might as well just hand the hackers an open pass now.

The magic words they have "no plans" to.

Give it a week and I'm sure someone could knock up a plan now that it's been mentioned.

I have no plans to marry a supermodel, but you can be sure if the opportunity arises it will become a serious consideration, especially if - as in this case - there'll be almost no obstacle to doing so at all.

Re: Problem-solution dichotomy

Have you people not heard of trolleys?

Re: DFS

I've never had a problem with DFS on Linux.

The \\domain part just resolves to a server within the AD heirarchy, which handles the request (even if it's not serving that share itself).

Googling around, people have been doing that just fine since at least 2012, and it doesn't involve Samba at all, just the CIFS filesystem modules, the kernel keystore using "keyutils" and a WINS server setting. Certainly none of those are doing any clever interrogation or whatever.

http://mattslay.com/connecting-ubuntu-to-windows-shares-and-dfs-trees/

Literally set up your system properly, connect to DFS shares the same as you would any SMB share.

It's about setting up the system to trust that one machine is capable of giving you Kerberos tickets valid for a share where you may have to use another server in a little while. Nothing to do with the SMB protocol, really.

Re: Oh dear, a fan

The PoE hat only works with the 3B+. Only that has the pins to support it (that pull through the Ethernet pins to the board).

And, no, it *doesn't* need the fan. Because the 3B+ doesn't need the fan and you can turn the fan off entirely perfectly safely.

Pah.

https://gist.github.com/jwieder/7e7e643cc71c81f63958

That's an x86-bootable chess game in 512 bytes.

Re: Email is absolutely broken...

Email protocols are real garbage and drastically need a complete overhaul for the modern world. There is no reason why we can't, but nobody has yet posited a standard that would work.

We need a decentralised, encrypted end-to-end, certificate-verified system where even if GMail are receiving your email for you from the wider net, they AREN'T able to read your messages. Then we need an "opt-in" requirement where you can select who you want to receive emails from (which will come about accepting THEIR certificate).

Then we can start thinking about the more complex solutions of email forwarding etc. or just change the system entirely. You can then remove all the SPF, rDNS, greylisting, etc. stuff.

However you *won't* escape a dependence on DNS though if you have half a brain you'll insist on the relevant records being provided over DNSSEC.

Until we literally throw SMTP, IMAP and POP out permanently, we can't progress on email security.

Re: How long have you kept them on the line?

The robocallers cost them nothing.

The call costs them pence.

About the only thing they're paying for is the person to listen to it, likely way below minimum wage in a foreign country somewhere.

And yet they wasted how much of your time, and what's your normal hourly rate?

And if you want to hold customer's liable for their choice of PIN, they have to have chosen it.

As in, they have to have logged in with the temporary credentials, changed it to something of their own choosing, and THEN get compromised.

Which isn't what happened.

Re: The layers keep piling up

Please describe how that's any different from the state-of-the-art, quantum-effect-reliant, billions-of-transistors electrical-number-cruncher in front of them when they are just "clicking on the box" anyway?

1) You can't expect people to understand how everything they use works, beyond a primitive knowledge (like my knowledge of the internal combustion engine... I can draw you all kinds of diagrams, I wouldn't have a clue how to go about making one actually work though)... and that's *at best*.

2) Most people, even if they could, don't care about how the machine works.

3) The DNS / IP system is nothing but a pretty layer over ugly technicality anyway. It literally exists so people can type in things like google.com and have stuff happen.

4) Nobody has really cared about the www. part for years, possibly decades... exactly the reason some sites don't serve the base domain only the www subdomain, or vice-versa. Don't even get me started on emails going to name@www.domain.com

5) SSL CA's have always included one where you request the other. It's literally that common.

5) Unless you have a really good reason, I can't see why the base domain or the www. should do anything different to each other. When someone accesses port 80/443 of your IP, surely you want to send them to your website, no? I can understand not advertising, say, server1, server2 etc. subdomains, that are used internally to serve the content, but what are you expecting someone who just types in yourdomain.com or www.yourdomain.com to do differently?

6) The pool.ntp.org example is a classic "techy" solution - I know, because I run a bunch of servers for them. And typing in pool.ntp.org will send you to a random-guys web port of a random time server. I'm pretty sure that's not a very bright idea at all and they should have used an entirely differently sub/domain. For example, pool.ntp.org and www.pool.ntp.org should go to the website. But time.pool.ntp.org gives you a time server. No different to how mail.domain.com (or equivalent) should be your mail server, or smtp. or time. etc. - not just using the raw domain for that (because then it's tricky to separate one service from the other when you want to migrate one to an entirely different IP and you end up hard-coding IPs into things like SPF records rather than use mail.domain.com and then give that an A record to point to a different IP)

You can't cover up decades of convention, tradition and bad design *now*, as an excuse for a browser doing what some browsers have been doing for years. Especially not when apart from real-oddballs like NTP pool (who really should have done it better) hardly anyone could ever be affected. Now, if the edit didn't give you the full URL when you went to copy/paste but the shortened version instead... yeah, then I'd have serious issues with it.

I'm sorry, but if you're buying your PC from PC World, it's already game-over for you.

Literally, no hope.

Give up now.

Go back to an Etch-a-Sketch.

Especially if you're reading a tech site online and are "shocked" that PC World are somehow useless.

Re: Isn't this easy to fix?

"It seems easy, doesn't it? But you're going to have to use the same data set and so on every time and that will be difficult. Games? You're going to have to find a way to cycle exactly the same game sequence."

Gosh. If only lots of games allowed you to play saved replays since, say, the days of Doom/Quake.

The second the program you run is NOT the game the user will run, it can be detected (hell, my nVidia drivers do it automatically and "patch" shaders in games that it recognises... and you can tell it to force Intel Optimus for one program and nVidia for another. If nVidia can do it for game settings profiles, they can do it for benchmark programs to cheat. But try cheating when the game being run is the game being benchmarked and the only difference is that the reviewer loads in a replay of a game that he's created on one machine and loaded on all the others (so you can't even detect a "standard" benchmark replay file, etc.).

And what kind of insane person would benchmark email (but it's very easy to do)? You would benchmark, say, Chrome against a WebGL test suite. Good luck detecting that, especially if you use a different test suite for each review (not each device, but each comparison of devices).

Comparing review models is really easy. Hell, you don't even have to load a huge set of licensed benchmark suites on every machine to do so. Literally a Steam account with a bunch of games... just like... a user with a bunch of games on Steam.

With phones etc. it's even easier - have a profile of the App Store apps you're pushing down to them and push down the same apps on them all.

As soon as you get into "benchmarking software", it's a lazy review. It's "let's just load this and check the number". Not, as stated, the temperature, CPU usage, whether it's getting priority, real-world use, etc. etc. etc.

Re: Not just GDPR

And Microsoft Eire disagreed and it would take an EU court ordering them to do anything to make it legal.

Microsoft US might even *go to jail* for not complying with the US order. But it's an order that's impossible to fulfill for them. Literally, any employee of Microsoft Eire who allowed, facilitated, permitted, assisted or even provided an avenue for Microsoft US to get such data is breaking the law in the country they live in. Whether before, during or after that court case. And as they are separate legal entities, they would not be able to actually co-operate to do anything anyway. No more than Microsoft could ask Google to "just give us your data".

The US court could rule that Microsoft Eire is now a badger and the property of the US. Nothing would or could happen about that. The legal jurisdiction for such actions always did, still does, and probably always will end at the border of the US. If they want data from an EU company, they can write to the EU court. Or make ridiculous, unenforceable orders to their heart's content.

And if Microsoft US could obtain the data with a warrant, for damn sure the FBI could apply for the same warrant and get it themselves (which is an argument you could use in court... why am I being required to act as your policeman over a third-party that you could serve yourself?).

It always was a nonsense case. The Cloud Act doesn't change that in any way - in fact it recognises that position, gives such companies the right of appeal on that basis, and was the reason that the original case was shut down... because the Cloud Act existed to basically say "No, that's not how it works".

Re: How long...

Personally, I'm quite happy with not being able to get a better deal than others.

It makes the process so much easier, because NOBODY has any choice, and it's not worth the faff.

That doesn't mean "we should all pay inflated prices", but "normal customers get the same deals as those who are just more diligent" isn't a bad thing.

As you hint: People don't move until there is sufficient gradient difference to overcome friction. My times costs money and saving £10 a year on electric isn't worth any amount of the most minor research and clicking buttons and tracking who I need to pay now. But when there is a differential, I invest time and effort to get a better deal.

Not having those deals means that the differential becomes zero. So we all get a decent deal. I don't spend time faffing. And electric "just costs that much". If it's too much, I'll find another utility. Same way that when phone+broadband+TV cost too much, I just bought a 4G Wifi box.

But it's a nonsense to suggest that screwing over little old grannies whose son set them up on the deal 10 years ago (and who might not be around any more!) when they don't know they could save hundreds is a good thing for any one involved. Price controls exist to protect the vulnerable like that.

Personally, I think the whole thing would be a damn sight easier if we all just paid one rate for electric from one supplier. Average it out over the country, make it so that companies make decent profit (or else they won't want to take part), everyone gets the same deal, sorted.

The time, effort and faffing saved if we did that for all such utilities would translate to everyone having more time/money.

As someone who cut £300 off my car insurance this year (literally an annual "GoCompare" so I did nothing fancy), doesn't have gas, a phone, landline broadband, a TV, etc. I assure you that I know how to save money. But for the most part it just isn't worth the time and effort, and when it is, it's for unfathomable and unrealistic reasons (e.g. my car insurance is still BISL... I just changed the company that administers on the front end with the EXACT SAME details... saved £300... there's no sense in that whatsoever... Halifax lost a customer for nearly £800, rather than lose £300, and their rival RAC picked up £500 for doing nothing but running a front-end on an existing insurer with the same details. The real irony is that the RAC included breakdown cover which I was paying for as an extra with Halifax... from the RAC...).

I wanted an electricity supplier change, but they would need to call someone out to do it because of the archaic meter. Turns out that just one day spent home waiting for them is about 3 times the cost of anything I'll save in the first year. And I might not be here in 3 year's time. And that's assuming the company I go to don't raise their prices in the future.

It's a false economy to suggest that having these companies "play off against each other" is doing anything to lower prices at all, even for the deal-seekers.

The government fixing the prices kills the commercial market overnight and customers pay what they would have paid anyway, without the faffing and advertising and paperwork and admin and duplication of effort that all those companies are doing to "win" customers, not to mention shareholder deals etc. It also means we can all just get on with our lives and not have to waste time changing suppliers and checking prices in the first place. Hell, it would kill all the price comparison sites overnight too. What's to compare?

I think it's just a placebo, "getting the best prices". If you fail to do it, sure you will lose out. But doing it doesn't mean you'll get something any better than what you'd get with just blanket regulation and fixed prices. Just the sheer removal of so many private-owned, shareholder-paying, corporate middle-men should remove enough to get you a better price that ever. The trick is to "nationalise" without letting government cronies get their 10% either. You can only do that with transparency and calling them out, and yet no-one cares that most ministers are profiting from exactly the industries they are supposed to be regulating because there's a bit of paper somewhere that says that.

Re: Am I being over cynical?

When they're already charging something like 4 or 5 times the production cost for the phone, they can damn well afford to give out some free replacements to fix their own mistakes.

The question is: Why would you want to buy a device from a company that makes such mistakes, uses your money to fix them, and then still charges over-the-odds for the device, AppleCare, etc. and STILL makes the largest profit of just about any business in the world?

Everyone has to make a profit. Sure. But Apple literally make disgusting amounts of money from their customers, whom they could have twice as many of if they charged a sensible price.

Re: We've asked the Information Commissioner's Office to confirm it is aware of the issue. ®

I am more concerned that account data is stored in a manner by which an off-by-one on the customer index just gives you all the access to that other data no matter who you are (i.e. poor permission control) and that there's no attempt to test that customer indexes match across tables (i.e. that you put in a "where this.index = that.index" kind of clause that would just return empty results if you mess up one of the indices.

I'm more concerned however that modern companies are still just keeping huge tables of customer data that even they don't need access to in that manner, where a slip of a coder's finger results in actual real results of other customers.

We're still just designing these systems incorrectly, shoving everything as rows into the same tables with no thought of restricting data.

Hint: If your customer index table contained nothing more than an index and a decryption key, and your customer address table contained only an unencrypted index and everything else encrypted, then index-mismatches like this would stop you hitting this class of bug. Not everything, but the simple things at least.

Or permission controls. Or some kind of audits and checks rather than just trusting the result out of the database. Some kind of script checking why suddenly 10,000 accounts are returning different data to ten seconds ago, after you just updated, etc. etc.

But, no, lob it all "in the database" and just blindly spaff results around with no checking.

Re: Wack a Mole

Who cares?

Say my messenger program is legally required to copy all messages. It's now an untrusted communications medium.

What do we do with untrusted communications media? We run encryption over them to produce a tunnel for a trusted communications medium.

In messaging it's called "OTR" (off the record) plugins. And just as we used to use OTR over MSN, Yahoo, AOL IM, etc., so we can use OTR over WhatsApp, Facebook, messages printed in The Sunday Times, etc. In most cases, it could be as simple as just running another app on your phone or a "special" keyboard program that "encrypts" your messages as they are typed.

If your communication medium is untrusted because an unwanted third-party (legally or not) gets into it, you layer encryption over it to make a trusted tunnel. That's what you do. That can't be beat. That works over anything.

I could literally encrypt my dastardly plans for world domination, print them out and publish them in a national newspaper. If the encryption is anywhere NEAR useful, it will make no difference whatsoever and nobody will be able to read it.

Nobody's going to "trust" a foreign entity more just because it's foreign. What you do is not REQUIRE yourself to trust your ISP, government, messaging provider or anyone else, ever, except the intended recipient.

We have spent decades making protocols to make this true. And even "initial key exchange" can be done in full public view with nobody any the wiser what keys we ended up with. That's the whole POINT of encryption.

Re: IPv4 Address Pool Has Been Expanded Significantly

Measuring traffic size against queries is very disproportionate traffic to compare.

20% of Google queries come in over IPv6. It's that simple.

But one MP4 on YouTube could easily equal millions or billions of such queries. That the content providers aren't pushing stuff over IPv6 for their video CDN doesn't mean it isn't being used.

The rest of the implementation is just reminiscent of the whole range of 6to/in/over/etc.4 technologies. It's basically proxying "extra" IPv4 to/from a reserved address, over IPv4 packets to an endpoint capable of expanding them as necessary. Though traditional routers may be able to route such traffic, it requires all kinds of intermediaries to actually do the work, who could do the same work for IPv6 instead and you'd never need know.

I can't see it. Maybe 20 years ago. Maybe if there weren't everything from 6rd to 6-in-4 to all the other tunnelling protocols then you might able to do something. Fact is, you're not in any mainstream OS or router - they already are. With a 20 year headstart. And actually progressing out - they are all a ladder to the final salvation of native IPv6 for everyone, you're just circling round the bottom of the pit chopping rungs off the ladder.

I can't see it getting or going anywhere.

Re: Cute, but not for long

Unfortunately, few guns are ever required to survive even the first shot in order to kill someone.

The problem is not that designs exist... you can make a gun out of a bit of tube if you care enough to.

The problem is that you'll never get an accurate weapon, and it'll turn into an even-more-indiscriminate killing tool.

Honestly, if you wanted to "make something yourself", you'd do more damage to the intended target by throwing a dart at them.

Re: Lacking any kind of incentive to upgrade constantly

I never understood the "yearly cycle" in the first place.

Philips C12 "Savvy"

Some Nokia Thing

Samsung Galaxy Ace

Samsung Galaxy S4 Mini

Samsung Galaxy S5 Mini

That's every phone I've ever owned since... 1998.

I make that a "once every 4 year" cycle at best. Hell, laptop buying cycles are even less. I've probably owned... 4 in the same time (one every 5 years on average).

Like hell am I going to drop any significant portion of a grand on a whim for a gadget, however useful when my laptops don't cost that and last longer, and I certainly wouldn't do it every year.

In the era of market saturation, you have to be DIFFERENT by being BETTER than your competitors. Not carbon-copying their stupid ideas.

I would happily pay £250 for a device which had a removable battery, a headphone socket, and all the cheapest features you can shove it, and just run plain Android. I can get an Android tablet that does everything I want for half that price, and I bought a toy phone the other day that's 5cm tall and is fully working, dual-SIM with Bluetooth. You're telling me you can't put one into the other with a slightly smaller screen and a battery compartment?

At this rate, I could easily be forced out of using a smartphone and just carry something like a GPD-Win around with me for such things.

Re: Is there a point where we get to feel sorry for them?

I compare both projects as being very similar.

Both of them were caused by the directors completely mismanaging the business, lying through their teeth and stealing backer's money while throwing it away on things they didn't need to.

In the OpenPandora case, EvilDragon stepped up and made his own business out of it but not before it had lost an AWFUL lot of people's money (i.e. you had to pay ED more to actually get one of the promised things even if you'd already paid OP). Very pyramid-schemey in the end but ED was a nice guy trying to make the best whereas everyone else involved was pretty much trying to splash money on themselves.

In the RCL case, the directors were all pretty much responsible and there was just too much politics to ever have a coherent business. Two directors bowed out, the rest have resigned, and yet only a tiny portion of the units could EVER have actually been finished and the lawyers are vying for monies that haven't been paid, IndieGoGo is (supposedly) chasing with debt collectors, backers are building a class-action-suit-type-thing on other sites, etc. etc. Though Janko may be "innocent" in those matters, they still were associated with the companies until post-release, and the release software is atrocious.

However you look at it, it's not a company that you want to do business with. I followed the OP scandal very closely as I very nearly bought one (I used to program for the GP2X, the OPs "predecessor" if you like, from Gamepark Holdings who just delivered stuff and didn't have this hassle) and though ED personally saved some backers... pretty much I wouldn't want to touch any product that was developed that way.

These people, in particular are being huge con-artists - the project is severely delayed, there's been any number of "next week" promises that never materialised and the final product is a shoddy copy of what you could achieve with a GP2X from 10 years ago, with an off-the-shelf compiled binary of FUSE, and some silly "Hall of Fame" bit plugged into the software that - I think - was never properly paid for and all development on the firmware stopped because of that.

Even Lee Fogarty (another of the RCL contracted-out guys) says that the second firmware was shoddy and unfinished and released in the state he last saw it in, with thousand of bugs filed against it with the authors... who weren't paid so never fixed them.

It's a business scam that I wouldn't touch with a bargepole, and it has NOTHING to do with the product itself (but the product is extremely sketchy precisely because of that). It could be a ground-breaking device, there's no way I'd buy it from those people.

Re: Pretty obvious really

No, the problem is that unless you specifically tell it what to look for (i.e. an algorithm that can identify four legs meeting a seat at right-angles, etc.) then it's picking up arbitrary correlations that you have zero insight into or control over.

It could be recognising bananas by the fact they have 10 yellow pixels, that there's a curve, that they have a blue sticker on them, or any of a billion indescribable criteria that no human would ever attribute as the "essence" of a banana. And you have no (reasonable) way of telling what criteria that is, modifying it without literally shoving your hand in its brain and wiggling it about, or determining what criteria it'll modify that detection with when you next train it on an image.

For all you know, it's training itself on the (C) Getty Ltd copyright on the bottom-right-hand corner, not the photograph at all, but just got lucky enough that you think it's detecting bananas.

While such AI is nothing more than throwing a box of papers at a shredder and hoping it only shreds out the bit of information you want, you have no control over what's coming out of it and thus you get whatever nonsense you're given.

In a million years of training a "conventional" AI, you'll never get it trained on something like this. And you'll never understand it well enough to rely on it, and then you'll never get it trained on something new without a million years of "untraining" on what is a banana and what's a Cavendish.

"Certainly, Mr D. You just need to pay Vodafone the £99.99 unlock fee before we can transfer your number."

They aren't allowed to do that now, and you just make it so that they wouldn't be allowed to do that in the future. Unless you owe them money, they are obliged to give you a PAC code for your phone number, which is just the same kind of process. All we're really talking about is going one level down to eSim number instead of PAC code (at worst, making eSims - which can handle dozens of virtual SIMs - add a new fresh virtual SIM, then getting GiffGaff to port your number to that eSim... same phone, same process, some end result).

Look at the wording: Giffgaff take over the eSim, not Vodafone give it up.

At worst, you're in exactly the same situation as now.