Posts by c1ue

140 posts • joined 10 Nov 2015


Apple hardware priced so high that no one wants to buy it? It's 1983 all over again


Re: No, you don't wish you'd have bought it.

If you were into vintage PC gaming - why not just run Dos Shell?

Big Red's big pay gap: $13,000 gulf between male and female Oracle staffers – reports


I understand the indignation, but the cure doesn't seem workable.

First: companies never want employees to know what other employees make. This is counterproductive as it never helps the corporation - it only makes labor costs higher since no one ever advocated for a pay cut to decrease the average on "their side" - sex or whatever.

Second: Even if averages were the same, there would still be complaints about he/she being paid more than they're worth. Publishing averages forces companies to have to answer difficult, if not impossible, questions on why anyone is below average. It also introduces a mechanistic quality to pay - much like past Japanese salaryman views on "lifetime earnings". Is this really beneficial, especially given that nobody has lifetime employment?

Third: I am fascinated to see how this dynamic plays out, should these precedents get set. Male/female must have the same averages. What about married/single? gay/straight? female gay vs. male gay? Hispanic straight male vs. Asian trans-sexual (to) female?

What if one high paying member of a given demographic quits, and drops the average of that demographic significantly - should someone else be bumped up to compensate?

Could be a great jobs program for Maths PhDs to try and balance all of the demographics into a "fair" average.

Equitable pay is absolutely a problem, but I really don't see how focusing on averages helps.

DNAaaahahaha: Twins' 23andMe, Ancestry, etc genetic tests vary wildly, surprising no one


Maybe it's science.

Or maybe it is a somewhat less egregious Theranos.

$24m in fun bux stolen from crypto-mogul. Now he fires off huge fraud charge. Like, RICO, say?


Re: All the King's horses ...

$24m wasn't carried on the phone. The phone was the 2nd factor in multi-factor authentication. SIM clone, then "forgot password" and reset.

Or in other words, the real world of password attack.

Cell phone based 2nd factor is convenient, but cell phones are really, really easy to attack. This "gang" used a particularly high effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast... 3 or 4 digit payments to these low-paid people go a long way...

Brit hacker hired by Liberian telco to nobble rival now behind bars


Re: Sentences for white collar crimes really are soft

Yes, but the comment doesn't go far enough.

This fellow isn't very smart because white collar crime in the form of market rigging, front running, other bankster tactics would yield millions in his own pocket rather than just millions of damages and tens of thousands in pocket.

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'


My view is this is more an attempt at setting a precedent than "getting" Mondelez.

The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.

The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...


Re: Irony ?

Pretty bold claim - just how cheap do you think a $100M policy is?

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters


Re: People still falling for the fake email.

There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background whatever.

Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.

1/4 don't click on anything - the paranoid/security types.

The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.

Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…


Re: Facebook's shadow profile.

I don't disagree that the method you describe "can" be used.

However, that's not the question.

The question is if the much more bog simple methods of straight abrogation of privacy work better, faster and cheaper. And were.

Tesla autopilot saves driver after he fell asleep at wheel on the freeway


Re: "Socially acceptable levels"

Humans who are at fault for causing accidents get fined or jailed.

What should be the penalty for equally faulty AI?

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months


Re: Flight Pattern

I would be less surprised that attackers are not top tier. The airlines, just like the banks, insurance companies, utilities and whatnot, are all running 40+ year old hardware underneath the tangle of glittery modern add-ons.

The likelihood that these rats' nests of 4 decades of IT upgrades are secure is zero.

Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim


Re: I don't get it

No, because you don't use a "fake" bank account. You use the real bank account of a person who thinks they're helping an offshore trading company process invoices.


Re: Umm...

Sadly, wrong. Windows has more vulnerabilities than Linux, true, but the highly effective SMB attackers aren't using "spray and pray", they're doing targeted intrusions, then recon, then ransomware as the final monetization step.

In this respect, Linux is no better than Windows because neither is really the issue. It is routers, firewalls, phishing emails, poor passwords, etc which are used.


Cyber security today is simply not meant for SMBs. If you have a $10M budget or more and have reasonable execution capability, you can have a fairly decent cyber security setup in the sense of preventing attacks.

However, cyber security in a more holistic sense isn't about preventing attacks. It is about preventing attacks from destroying your business.

Backups are fine from a business recovery perspective - but that assumes that the business can withstand a 1 or 2 week recovery cycle. Many can not.

What every SMB truly must address is business continuity: what must be done in order to ensure that the business will survive if it is attacked by ransomware? By DDoS?

The tools to mitigate these impacts are *not* actually prevention of attack, rather they need to be resilience focused.

Similarly, what is the impact on the business from a whaling expedition? an HR PII theft? A data or IP theft?

The answers to these scenarios are mostly process. Two factor authentication as in calling to confirm whenever a new payee is requested. Never sending more than XX records of HR data unless independently confirmed by 2 or 3 real people in authority. Not putting all your data/IP in one spot, and locking away portions that aren't actually used frequently to specifically be hard to access.

Tech hub blames tech: San Francisco fingers Uber, Lyft rides for its growing traffic headache


Re: 30 years SF driver here..

I don't disagree there is at least some militancy among bike riders in SF, but lane reductions aren't just for bike lanes.

There are many bus only lanes now, at least in downtown SF.

However, my view is that a big part of the congestion is due to construction and events. There are now 2 events / 2 weeks a year where a key road in downtown is completely blocked off for the Salesforce and Oracle conferences. Both events also deploy masses of private buses to ship conventioneers around to the many venues being used to wine and dine them.

Ultimately, many people aren't going to use public transit unless forced to. The only way to fix the congestion problem is going to be big city congestion pricing as seen in Singapore, London and other places.


Re: Just using Uber and Lyft as whipping boys

I can't speak about Uber because I don't ever use them, but Lyft has a shared ride option. It means the driver picking up multiple passengers going more or less the same way.

This is much better for both drivers, traffic and cost.


Re: Just using Uber and Lyft as whipping boys

Actually, I would point out that few taxis circle the roads looking for passengers. In real life, they get routed to some, but many hang out in hotel or other major venue taxi lines.

TNCs, on the other hand, are *always* forced to travel to the passenger. I would not be surprised at all if TNCs travel 0.5 to 1 mile per mile of passenger transported - in other words, miles driven per passenger mile delivered is low.

This is very much a structural difference vs. private cars, and is likely a significant difference vs. taxis because taxis can pick up anyone they see.


Re: Just using Uber and Lyft as whipping boys

Heavily disagree.

It is well researched that ride share takes passengers out of public transit.

Could you hack your bosses without hesitation, repetition or deviation? AI says: No


The problem with UEBA is context.

In particular, baselining assumes that bad behavior is outside the baseline behavior set - in reality, bad behavior is context dependent. A sales person copying a customer list into their phone is not a bad behavior...unless he's quitting the next day.

There's also the issue of alternate data capture. The ignorant crims today will try to copy onto USB hard drives in one go; the smart ones will space the copying out. Particularly sensitive data - just take a phone snap. Etc., etc.
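To show the two failure modes raised in the comment above (a per-day volume baseline missing spaced-out copying, and what a per-user accumulation catches), here is an added example that is not part of the original post. The users, file names, sizes and the two detection rules are constructed for illustration.

```python
"""Constructed example: a per-day volume baseline versus a rolling
per-user accumulation, to show why spaced-out copying evades the former.
Users, file names and sizes are made up for the demonstration."""
from collections import defaultdict
from statistics import mean, pstdev

MB = 1024 * 1024
BASELINE_DAYS = 30   # days 0..29 are used to learn each user's "normal"
OBSERVE_DAYS = 60    # days 0..59 are simulated in total


def _copy(user, day, names):
    """One day's copies to removable media; size varies a little by day
    so the learned baseline has some spread instead of a zero stdev."""
    size = (2 + day % 3) * MB
    return [(user, day, name, size) for name in names]


def working_set(user, day):
    """Routine behaviour: two files from the user's own 10-file set."""
    return [f"{user}-doc{(day * 3 + i) % 10}" for i in range(2)]


def build_events():
    """Constructed log: (user, day, file name, bytes) tuples."""
    events = []
    for day in range(OBSERVE_DAYS):
        for user in ("alice", "bob", "bulk"):
            events += _copy(user, day, working_set(user, day))
        if day < BASELINE_DAYS:
            events += _copy("slow", day, working_set("slow", day))
        else:
            # "slow" replaces routine copies with two *new* customer
            # records a day: same daily volume, growing coverage.
            new = [f"cust-{(day - BASELINE_DAYS) * 2 + i}" for i in range(2)]
            events += _copy("slow", day, new)
    # "bulk" grabs 400 customer records in one go on day 30.
    events += [("bulk", 30, f"cust-{n}", 1 * MB) for n in range(400)]
    return events


def daily_volume_alerts(events, z_limit=3.0):
    """Baseline-style rule: flag a day whose byte count sits more than
    z_limit standard deviations above that user's baseline mean."""
    totals = defaultdict(int)
    for user, day, _name, size in events:
        totals[(user, day)] += size
    alerts = set()
    for user in {u for u, _ in totals}:
        base = [totals[(user, d)] for d in range(BASELINE_DAYS)]
        mu, sigma = mean(base), max(pstdev(base), 1 * MB)  # floor avoids /0
        for day in range(BASELINE_DAYS, OBSERVE_DAYS):
            if (totals[(user, day)] - mu) / sigma > z_limit:
                alerts.add((user, day))
    return alerts


def rolling_distinct_alerts(events, window=30, factor=2.0):
    """Accumulate per user instead: count distinct files copied in the
    trailing window and compare with the distinct count of the baseline
    period. Returns the first alerting day for each flagged user."""
    files = defaultdict(set)
    for user, day, name, _size in events:
        files[(user, day)].add(name)
    first_alert = {}
    for user in sorted({u for u, _ in files}):
        base = set().union(*(files[(user, d)] for d in range(BASELINE_DAYS)))
        for day in range(BASELINE_DAYS, OBSERVE_DAYS):
            seen = set().union(*(files[(user, d)]
                                 for d in range(day - window + 1, day + 1)))
            if len(seen) > factor * len(base):
                first_alert[user] = day
                break
    return first_alert


if __name__ == "__main__":
    log = build_events()
    print("daily volume alerts:", sorted(daily_volume_alerts(log)))
    print("rolling distinct-file alerts:", rolling_distinct_alerts(log))
```

The volume rule only sees the one-shot copier; the rolling distinct-file count flags the one-shot copier on day 30 and the spaced-out copier on day 35, once its coverage of the record set has doubled the baseline.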

No, no, you're all wrong. That's not a Kremlin agent. It's someone with 'inauthentic behavior'


Re: Sheryl Sandberg was/is considering a run for President


Trump is the *SECOND* actor as President.

We already had 2 different father-son pairs.

Almost a husband wife.

Looks like a banana republic, walks like a banana republic...

Conference alert: Think you can save money by going Serverless?


Indeed. The real question is whether it is easier to switch cloud providers (servers) than serverless functions. I'd bet on the former, although neither vertical is particularly competitive due to enormous entry barriers.

Hackers faked Cosmos backend to hoodwink bank out of $13.5m


Re: It is all about penetration testing

Yes and no.

I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.

I very much doubt pen-testers were ever allowed to touch the ATM backbone. A penetration which compromises functionality - even for a short period of time - would immediately result in people getting fired.

Japanese dark-web drug dealers are so polite, they'll offer 'a refund' if you're not satisfied


Always important to keep in mind that residency in Japan, even "fluency" in the language, does not equate to either understanding the culture or being an integral part of it.

One example: Most of the foreign men who have learned to function in Japanese talk like gay men or women.

It is because the Japanese language is highly contextual: tone and words used are different between a man to woman vs. woman to man, as well as different from boss to subordinate, parent to child, etc.

Teaching Japanese to foreigners is also an extremely low status occupation - which is why the vast majority of such teachers are women.

Last fact: the vast majority of foreigners in Japan are men.

So, Japanese women teaching the Japanese language to classes composed almost exclusively of men. The men learn tone and word choice from the women.

I have friends who have been in Japan for 20 years - and no Japanese ever told them of their Japanese language equivalent of a lisp - another cultural thing to keep in mind. Foreigners are such unreliable, unspeakable barbarians that pretty much anything is expected from them except "proper" behavior.

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages


Interesting that no one has commented on the admission of sock puppet accounts to drive traffic.

I guess this must be standard accepted practice.

'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist


Given that cryptocurrency wallets are open to all to view - only the most idiotic physical attackers would not check the wallet's contents.

A physical attacker going after a cryptocurrency wallet is almost certainly knowledgeable about what he's going after.

The 2 codes presume an attacker who is randomly selecting victims *and* just barely cognizant of cryptocurrencies and technology. Or in other words, a straw man attacker.

I will also add that cryptocurrency wallets are delightful from a physical attacker point of view in that they combine the hostage and the ransom all in one. No more messy negotiating with 3rd parties.

I would be very nervous if I held any significant amount of cryptocurrency in a nation with kidnapping for profit...

Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It's slower, say boffins


Re: Stop me if I'm wrong here but...

The issue is that attackers don't have to have admin access to attack, they just need to have access to something running on the same physical machine.

Do the HR and payroll people have the same security practices and standards as the R & D folk?

Worse, a lot of companies use cloud - there can be literally dozens of different companies running on a given big iron.

Very short-sighted to just talk about single specific big iron installs.

OK, so they sometimes push out insecure stuff, but software devs need our love and respect


I'm all for educating developers more, but it is naive to think that education is the way to fix the problem.

The real issue is that security thinking is dramatically different than coding.

There are people who like to focus on all the ways that code can be broken, and there are other people who like to think of all the ways code can be used to implement some capability.

It isn't clear at all to me that both can be done, well, by one person - much less as an industry practice across tens and hundreds of thousands of developers.

The Cyber Independent Testing Lab with its UL-type approach probably has the right of it - flagging the most common coding conventions that are vulnerable, but it is far from clear that significant progress can be standardized at beyond their approach.

In the meantime, UL itself is getting into the game with a "standards-based" approach. Ugh?

The cybercriminal's cash cow and the marketer's machine: Inside the mad sad bad web ad world


The major platform owners - "Don't be evil" and Z - get about half the revenue of the digital advertising market.

Procter & Gamble cut their $1.2B-ish ad budget by $200M - and saw no change in results at all. This gives a real world idea of just how much fraud there is.

Overall, digital advertising is a shade under $400B. A Procter & Gamble percentage of fraud would mean $65B in advertising fraud. It is probable that the actual fraud is higher.

Why would the platform owners want to stop this?

Top banker batters Bitcoin for sucky scalability, security


Cross of Bitcoin

Follow the Bitcoin Road

Creep travels half the world to harass online teen gamer… and gets shot by her mom – cops


Re: Isn't he supposed to be ...

Concurrent sentences aren't automatic.

Furthermore, the additional charges are added later to keep you in the s**thole jail for months and years, until the general crappiness of living there makes even innocent people plead out, which in turns pumps up the prosecutor's track record for when he goes for judgeship.

Tesla fingers former Gigafactory hand as alleged blueprint-leaking sabotage mastermind


Yes and no.

More accurately, there *was* lots of alternative energy generation before the cryptocurrency miners burned it all up.

'Autopilot' Tesla crashed into our parked patrol car, say SoCal cops


The real problem is likely that the 90% (or higher) of the time that AutoPilot does work disarms people's ability to handle the remaining bits.

This is a serious, architectural problem. If 90% (or even 99.5%) success is accompanied by 10% or 0.5% catastrophe, the technology is fundamentally unsafe.

Brit Attorney General: Nation state cyber attack is an act of war


Re: Imagine a future of the "election interference" bullshit in your face ... forever

Actually, Pravda is now Musk-ian: https://www.wsj.com/articles/elon-musks-latest-proposal-a-website-named-pravda-to-rate-media-credibility-1527116737


Oh good

I await the self naming and shaming for the creators of Stuxnet.


No doubt, "good" hackers - I.e. your own - have different rules.

EU considers baking new norms of cyber-war into security policies


Re: Good luck with that

Haven't read much history, have you? Armies "foraging" off the countryside. The menfolk getting conscripted on the spot. The women being forced to serve other ways. Then there's Genghis Khan in the central Eurasian plains, Magdeburg and the rest of the Reformation and Counter Reformation wars, Romans salting the ruins of Carthage... I'm seeing a pattern and it isn't the one you're espousing.

Great Scott! Bitcoin to consume half a per cent of the world's electricity by end of year


Re: Great Scott

Nice try but a fail.

The entire US' energy consumption for computing was calculated by the NREL back in 2001: http://www2.lbl.gov/Science-Articles/Archive/net-energy-studies.html

To put in terms of the article - which is presumably GW per hour - total computing and networking electricity consumption in the US in 2001 (peak of the Internet 1.0 bubble) was ~2 percent or ~8.4 GW per hour rate.

Or put another way: Bitcoin electricity consumption today uses 30% as much juice as the entire US computing and networking infrastructure in 2001 - the peak of Internet Bubble 1.0. The US consumes about 1/4.5 of the overall world's electricity; if the computing percentage is equivalent worldwide (which it is not clearly either higher or lower), then bitcoin alone is consuming 6.7% as much as the entire world's computing and network electricity usage. This is ludicrously high.

While internet usage has increased since then, as has computing, efficiency has also increased - so it is unclear if the overall US computing consumption number has increased or decreased. Certainly overall US electricity consumption has not changed much since 2001 (3,9__ TWh in 2001 vs. 4,0__ TWh today).

Equifax reveals full horror of that monstrous cyber-heist of its servers


Re: And how...

I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

The individual who has bad credit is highly incentivized to kill all such data, for example.

And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).

The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.

Risky business: You'd better have a plan for tech to go wrong


Nice writeup.

I am curious, however, as to what other people's experiences with "4-9s, 5-9s, or 6-9s" guarantees or past uptime have been.

From what I have personally seen, as well as what is seen publicly, these numbers are backed neither by real guarantees (i.e. cash put forward to compensate for failure to deliver) nor by reality (all sorts of games played to manipulate results).

One easy example is the Dyn attack. Any company using AWS in the East Coast for that period could not possibly have had 5-9s uptime that year, and that outage is hardly the only one by AWS.

Smaller outages occur all the time as well - from local power outages to a backhoe taking down a fiber optic line - stuff happens.

Warren Buffett says cryptocurrency attracts charlatans, AI won’t change investing


Berkshire Hathaway/Buffett/Munger doesn't invest the same way as even your typical hedge fund manager.

For one thing, they are using free money. Unlike just about every other non-government in the world, BRK is investing free money via the enormous float from their insurance operations.

And also unlike just about every other non-government in the world, BRK's only objective is return *of* investment first, followed by return *on* investment.

Since they don't have a time limit (i.e. annual returns to compare to other hedge fund/mutual fund/whatever managers), they invest for 20+ year time frames. Nobody else does that.

Combine enormous scale with enormous time frames and you get a fundamentally different investment framework. Kudos to them for executing very well, since other insurance companies are not able to generate even 1/4 the annual returns regardless of time frame.

Pentagon in uproar: 'China's lasers' make US pilots shake in Djibouti


Re: Laser cannon and sonic death rays.

Really easy? How is that?

You can't see the laser beam in the air unless there is a lot of dust.

If you're the one being blinded/hit, you also can't see the source.

So how exactly is it easy to see the attacker, particularly if they are 2 miles away?

What about if they are 1.9 miles away - the difference in angle is 18 degrees - you can see the difference from a point (laser head on)?


Re: Laser cannon and sonic death rays.

If the pilots are being blinded - who exactly is attributing the source? It isn't like you can follow a laser on radar, and the blinded pilot can hardly be the one.

Also, if we're talking about a couple of miles away, we're talking some serious targeting capabilities. I'm not at all sure any normal weapon system is so accurate as to place a beam on a pilot's face while landing, from 2 miles away. Atmospheric conditions alone would introduce a lot of error.

Lastly, the attribution is strangely lacking detail. There is mention of anti-drone systems, but there would be more than just lasers - there would be radar. Are the lasers detection devices or attack devices? Are they radar guided or human directed?

All in all, a very poorly sourced and written story.

Drone 'swarm' buzzed off FBI surveillance bods, says tech bloke


Re: Next step

Sounds good in theory, until the taser or detonator firing anti-drone goes up in the air.

How nice, self-destroying drones...

Medic! Orangeworm malware targets hospitals worldwide


It isn't clear that "upgrades" are that easy. For example: if the XP machine is the interface to a 10 year old MID (medical imaging device, i.e. X ray, CAT Scan, MRI), the XP machine may be literally the only way to access data coming out of the MID.

Upgrading it might even require a recertification of the MID under US Food and Drug Administration rules.

GCHQ boss calls out Russia for 'industrial scale disinformation'


Re: From the department of bleeding obvious

Perhaps you might be clear which nation is being referred to.

A quick glance at the Forbes 400 shows a whole lot of non-Russians...

Death in paradise: 'Cyber attack' takes out national government's IT


A couple of interesting anecdotes about the unusual legal status of the French and Dutch sides of Saint Martin:

1) Thieves on one side can flee to the other. It isn't far and there is no border at all other than flags on the side of the road

2) Immigration is different: some nationalities can fly into the Dutch side without a visa but not the French side. Found this out the hard way, as a person I was traveling with was informed they were on the French side illegally - excursions to Antigua require a passport and constitute an international border crossing.

The Dutch side is ridiculously expensive, food wise, the French side is amazingly cheap especially vs. the Caribbean in general.

Russian regulator asks courts to disconnect Telegram


Re: How is Telegram funding itself?

Billion dollar plus ICO

Watchdog growls at Tesla for spilling death crash details: 'Autopilot on, hands off wheel'


Frankly, this focus on the poor quality of the lane markings is severely misplaced.

Yes, in the ideal world, the markings - lane and otherwise - would be prominent and fresh.

However, in the real world, this is rarely the case.

The real question is: how many non-"Autopilot" drivers have crashed into this poorly marked barrier?

If that number is zero, or even crashes but with zero deaths, this underscores the fundamental dangers of "automated driving" whether Level 2, 3 or 4. If humans aren't running into these barriers, then partial or full automation shouldn't be either - and if they are, they should be severely regulated and/or banned.

Remember we aren't even talking about enemy action. If morons with laser pointers are blinding aircraft pilots, I can only imagine the "fun" with lidar spoofers or (in)appropriately placed markers/signs.

Tech’s big lie: Relations between capital and labor don't matter


The commentariat has so far failed to mention the well documented, top level collusion between titans of the tech industry to depress worker wages through non-compete agreements.

Isn't this indication that the playing field is far from fair?

Sure, there are overpaid, underdelivering people of older age - but there are also overpaid, underdelivering people of younger age as well. Those who have inside connections or play the political game will often "overperform".

The real issue is whether labor is getting a fair shake in the overall corporate pie.

Focusing on the absolute value received is, frankly, a fool's game because the other side doesn't play it.

Don't get me wrong - the management is far from always predatory. I've gone unpaid for many, many months while my employees have not - in order to get my business on a proper footing.

This doesn't occur in large enterprises though.

Grindr: Yeah, we shared your HIV status info with other companies – but we didn't charge them!


I wonder, since HIV is medical information, does this mean Grindr violated HIPAA?

Less than half of paying ransomware targets get their files back



At least some part of the problem is poor methodology.

If you don't verify that the criminal can decrypt, then paying the ransom is stupid.

A likely additional factor is RaaS: Ransomware As A Service.

While there isn't honor among thieves necessarily, the reality is that a paid ransom that doesn't yield a return means people will stop paying the ransoms quite quickly.

There is therefore a very clear incentive for a ransomware creator to maintain "brand".

However, with RaaS, the attacker isn't the creator of the ransomware. They therefore don't care about the "brand" since it impacts them much less, especially if the commission structure is one where the attacker pays the commission to receive the decrypt key from the ransomware creator.

Lastly, there were a series of high profile attacks last year where the ability to decrypt was either nonexistent to start with or was compromised by LE and/or poor ransomware design. NotPetya and Wannacry, for example.

Lastly, the dynamic of survey respondents also certainly skewed results. Much as negative reactions are far more common in feedback, so too would unrewarded ransoms likely have far higher response rates.

The study is interesting but far from definitive.

