Posts by c1ue

150 posts • joined 10 Nov 2015


Decoding the President, because someone has to: Did Trump just blow up concerted US effort to ban Chinese 5G kit?


Re: @RealFakeDonaldTrump

Indeed. GIGO works even when unintentional.


Re: And yet...

The issue isn't brains.

US companies spend far more buying back their own stock than on R & D.

The next largest category is generally marketing.

This focus extends to employees: a young, cheap employee is far better than an older, expensive and not-puppy-like one. H1B is even better: should they become skilled, the poor sap is stuck in green card limbo for 7 years or more - a literal indentured servant.

Lastly, the notion that "training" is all that is needed is bollocks.

Society cannot survive with everyone being a coder any more than society can survive with everyone eating cake.

The real issue is whether all parts of functional society deserve a reasonable share of revenue as opposed to the 1%. As the inequality numbers clearly show, the battles of the past 2+ decades have clearly swung in the 1%'s favor.

Where's Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels


I have no doubt the vulnerabilities noted exist, however, the connection between an XP terminal and the actual ship's controls and systems is far less clear to me.

The XP based PCs are no doubt used for communications, shipping orders, paperwork, entertainment and whatnot but that is a far cry from steering, ballast control and so forth.

And given the age of the PCs, it seems highly unlikely that the ships are networked such that such control capability is even possible.

Mischief, in this case, is largely a command and control type interference such as was seen with NotPetya damage.

The bigger they are, the harder they fall: Peak smartphone hits Apple, Samsung the worst


Re: Profit Share & Invention

Theft goes on by Chinese companies, but it goes on by American, European and Korean companies too.

Your commentary would be a lot more credible if you left the politics out and inserted more objective data.

Blockchain is bullsh!t, prove me wrong meets 'chain gang fans at tech confab


Nicholas Weaver says it all about blockchain and cryptocurrencies here: https://www.youtube.com/watch?v=xCHab0dNnj4

Crypto exchange in court: It owes $190m to netizens after founder 'dies without telling anyone vault passwords'


Re: Someone had wikipedia open when they wrote that

The problem with sharing secrets is that any individual member of the chain can hold the rest hostage.


Re: Bullshit

There are more possibilities than the 2 mentioned.

The strongest possibility IMO is this is the final act of a Ponzi scheme.

Jammy dodgers: Boffin warns of auto autos congesting cities to avoid parking fees


Re: I said that!

Cities in Asia - Tokyo and others - have shown that public transportation, both rail and bus, can work just fine.

The issue is density. Cities with low density - the existence of public transport is irrelevant. Cities with high(er) density - insufficient coverage of public transport, poorly maintained/operated/designed public transport, etc will still yield poor transport scores.

Self driving autos don't fix anything. Beyond the orbiting to avoid parking, the real issue is that any form of shared vehicle paradigm requires more miles per passenger transport mile than personal car use.

Bicycles aren't really a solution either - at least in cities with cars. You either have lots of dead bicyclists, lots of slow bicyclists or you have really, really slow drives. The bicycles simply cannot operate in an environment optimized for car transport, for example, because their usual top speeds and acceleration profiles are significantly slower than autos. This disparity is also why so many bicyclists run red lights - they end up stopping almost every block because the cars will have gone (traffic lights synced for cars) or else simply run the lights, and a bicyclist has to spend sweat to get up to speed.

Big Red's big pay gap: $13,000 gulf between male and female Oracle staffers – reports


It all depends - Norway is safe. Would you be comfortable knowing that anyone could look up your income and assets in a less safe nation and/or local area?

Norway also has Scandinavian high taxes - which, I believe, causes leveling out incomes.


The government and military jobs aren't in an organization that works for profit. I would posit that this introduces a fundamentally different dynamic.


I understand the indignation, but the cure doesn't seem workable.

First: companies never want employees to know what other employees make. This is counterproductive as it never helps the corporation - it only makes labor costs higher since no one ever advocated for a pay cut to decrease the average on "their side" - sex or whatever.

Second: Even if averages were the same, there would still be complaints about he/she being paid more than they're worth. Publishing averages forces companies to have to answer difficult, if not impossible, questions on why anyone is below average. It also introduces a mechanistic quality to pay - much like past Japanese salaryman views on "lifetime earnings". Is this really beneficial, especially given that nobody has lifetime employment?

Third: I am fascinated to see how this dynamic plays out, should these precedents get set. Male/female must have the same averages. What about married/single? gay/straight? female gay vs. male gay? Hispanic straight male vs. Asian trans-sexual (to) female?

What if one high paying member of a given demographic quits, and drops the average of that demographic significantly - should someone else be bumped up to compensate?

Could be a great jobs program for Maths PhDs to try and balance all of the demographics into a "fair" average.

Equitable pay is absolutely a problem, but I really don't see how focusing on averages helps.

Apple hardware priced so high that no one wants to buy it? It's 1983 all over again


Re: No, you don't wish you'd have bought it.

If you were into vintage PC gaming - why not just run DOS Shell?

DNAaaahahaha: Twins' 23andMe, Ancestry, etc genetic tests vary wildly, surprising no one


Maybe it's science.

Or maybe it is a somewhat less egregious Theranos.

$24m in fun bux stolen from crypto-mogul. Now he fires off huge fraud charge. Like, RICO, say?


Re: All the King's horses ...

$24m wasn't carried on the phone. The phone was the 2nd factor in multi-factor authentication. SIM clone, then "forgot password" and reset.

Or in other words, the real world of password attack.

Cell phone based 2nd factor is convenient, but cell phones are really, really easy to attack. This "gang" used a particularly high effort one; in reality you just need to find an appropriate cell phone store location with a manager who needs money fast...3 or 4 digit payments to these low paid people go a long way...

Brit hacker hired by Liberian telco to nobble rival now behind bars


Re: Sentences for white collar crimes really are soft

Yes, but the comment doesn't go far enough.

This fellow isn't very smart because white collar crime in the form of market rigging, front running, other bankster tactics would yield millions in his own pocket rather than just millions of damages and tens of thousands in pocket.

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it's 'an act of war'


My view is this is more an attempt at setting a precedent than "getting" Mondelez.

The cyber insurance sector has had an overall 60% loss ratio (% of premiums paid out to claims) for many years - NotPetya *might* significantly shift this for the industry overall, but definitely would shift this for Zurich in particular. Individual insurance orgs in cyber insurance have loss ratios ranging from 0% to 150%+.

The litigation does, however, guarantee to shift the actual balance sheet hit out at least a year or two, possibly more. Tactically this is probably worthwhile (from Zurich's perspective) in its own right...


Re: Irony ?

Pretty bold claim - just how cheap do you think a $100M policy is?

Fake 'U's! Phishing creeps use homebrew fonts as message ciphers to evade filters


Re: People still falling for the fake email.

There was a report out of Verizon at the 2016 Black Hat: roughly 1/4 of users surveyed clicked on everything regardless of training, background whatever.

Likely these people are the ones glued to their phones/computers, obsessively grinding through every email and social media message.

1/4 don't click on anything - the paranoid/security types.

The middle 1/2 can be educated but would still be fooled by attacks like the one noted in the article.

Mark Zuckerberg did everything in his power to avoid Facebook becoming the next MySpace – but forgot one crucial detail…


Re: Facebook's shadow profile.

I don't disagree that the method you describe "can" be used.

However, that's not the question.

The question is if the much more bog simple methods of straight abrogation of privacy work better, faster and cheaper. And were.

Tesla autopilot saves driver after he fell asleep at wheel on the freeway


Re: "Socially acceptable levels"

Humans who are at fault for causing accidents get fined or jailed.

What should be the penalty for equally faulty AI?

Cathay Pacific hack: Airline admits techies fought off cyber-siege for months


Re: Flight Pattern

I would be less surprised that attackers are not top tier. The airlines, just like the banks, insurance companies, utilities and what not, are all running 40+ year old hardware underneath the tangle of glittery modern add-ons.

The likelihood that these rats' nests of 4 decades of IT upgrades are secure is zero.

Cyber-crooks think small biz is easy prey. Here's a simple checklist to avoid becoming an easy victim


Re: I don't get it

No, because you don't use a "fake" bank account. You use a real person's bank account, who thinks they're helping an offshore trading company process invoices.


Re: Umm...

Sadly, wrong. Windows has more vulnerabilities than Linux, true, but the highly effective SMB attackers aren't using "spray and pray", they're doing targeted intrusions, then recon, then ransomware as the final monetization step.

In this respect, Linux is no better than Windows because neither is really the issue. It is routers, firewalls, phishing emails, poor passwords, etc which are used.


Cyber security today is simply not meant for SMBs. If you have a $10M budget or more and have reasonable execution capability, you can have a fairly decent cyber security setup in the sense of preventing attacks.

However, cyber security in a more holistic sense isn't about preventing attacks. It is about preventing attacks from destroying your business.

Backups are fine from a business recovery perspective - but that assumes that the business can withstand a 1 or 2 week recovery cycle. Many cannot.

What every SMB truly must address is business continuity: what must be done in order to ensure that the business will survive if it is attacked by ransomware? By DDoS?

The tools to mitigate these impacts are *not* actually prevention of attack, rather they need to be resilience focused.

Similarly, what is the impact on the business from a whaling expedition? an HR PII theft? A data or IP theft?

The answers to these scenarios are mostly process. Two factor authentication as in calling to confirm whenever a new payee is requested. Never sending more than XX records of HR data unless independently confirmed by 2 or 3 real people in authority. Not putting all your data/IP in one spot, and locking away portions that aren't actually used frequently to specifically be hard to access.

Tech hub blames tech: San Francisco fingers Uber, Lyft rides for its growing traffic headache


Re: 30 years SF driver here..

I don't disagree there is at least some militancy among bike riders in SF, but lane reductions aren't just for bike lanes.

There are many bus only lanes now, at least in downtown SF.

However, my view is that a big part of the congestion is due to construction and events. There are now 2 events / 2 weeks a year where a key road in downtown is completely blocked off for the Salesforce and Oracle conferences. Both events also deploy masses of private buses to ship conventioneers around to the many venues being used to wine and dine them.

Ultimately, many people aren't going to use public transit unless forced to. The only way to fix the congestion problem is going to be big city congestion pricing as seen in Singapore, London and other places.


Re: Just using Uber and Lyft as whipping boys

I can't speak about Uber because I don't ever use them, but Lyft has a shared ride option. It means the driver picks up multiple passengers going more or less the same way.

This is much better for both drivers, traffic and cost.


Re: Just using Uber and Lyft as whipping boys

Actually, I would point out that few taxis circle the roads looking for passengers. In real life, they get routed to some, but many hang out in hotel or other major venue taxi lines.

TNCs, on the other hand, are *always* forced to travel to the passenger. I would not be surprised at all if TNCs travel 0.5 to 1 mile per mile of passenger transported - in other words, miles driven per passenger mile delivered is low.

This is very much a structural difference vs. private cars, and is likely a significant difference vs. taxis because taxis can pick up anyone they see.


Re: Just using Uber and Lyft as whipping boys

Heavily disagree.

It is well researched that ride share takes passengers out of public transit.

Could you hack your bosses without hesitation, repetition or deviation? AI says: No


The problem with UEBA is context.

In particular, baselining assumes that bad behavior is outside the baseline behavior set - in reality, bad behavior is context dependent. A sales person copying a customer list into their phone is not a bad behavior...unless he's quitting the next day.

There's also the issue of alternate data capture. The ignorant crims today will try to copy into USB hard drives in one go; the smart ones will space copying out. Particularly sensitive data - just take a phone snap. etc etc.

No, no, you're all wrong. That's not a Kremlin agent. It's someone with 'inauthentic behavior'


Re: Sheryl Sandberg was/is considering a run for President


Trump is the *SECOND* actor as President.

We already had 2 different father-son pairs.

Almost a husband wife.

Looks like a banana republic, walks like a banana republic...

Conference alert: Think you can save money by going Serverless?


Indeed. The real question is whether it is easier to switch cloud providers (servers) than serverless functions. I'd bet on the former, although neither vertical is particularly competitive due to enormous entry barriers.

Hackers faked Cosmos backend to hoodwink bank out of $13.5m


Re: It is all about penetration testing

Yes and no.

I've never heard of any institution that permits pen-testing of its actual deployed core infrastructure.

I very much doubt pen-testers were ever allowed to touch the ATM backbone. A penetration which compromises functionality - even for a short period of time - would immediately result in people getting fired.

Japanese dark-web drug dealers are so polite, they'll offer 'a refund' if you're not satisfied


Always important to keep in mind that residency in Japan, even "fluency" in the language, does not equate to either understanding the culture or being an integral part of it.

One example: Most of the foreign men who have learned to function in Japanese talk like gay men or women.

It is because the Japanese language is highly contextual: tone and words used are different between a man to woman vs. woman to man, as well as different from boss to subordinate, parent to child, etc.

Teaching Japanese to foreigners is also an extremely low status occupation - which is why the vast majority of such teachers are women.

Last fact: the vast majority of foreigners in Japan are men.

So, Japanese women teaching the Japanese language to classes composed almost exclusively of men. The men learn tone and word choice from the women.

I have friends who have been in Japan for 20 years - and no Japanese ever told them of their Japanese language equivalent of a lisp - another cultural thing to keep in mind. Foreigners are such unreliable, unspeakable barbarians that pretty much anything is expected from them except "proper" behavior.

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages


Interesting that no one has commented on the admission of sock puppet accounts to drive traffic.

I guess this must be standard accepted practice.

'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist


Given that cryptocurrency wallets are open to all to view - only the most idiotic physical attackers would not check the wallet's contents.

A physical attacker going after a cryptocurrency wallet is almost certainly knowledgeable about what he's going after.

The 2 codes presume an attacker who is randomly selecting victims *and* just barely cognizant of cryptocurrencies and technology. Or in other words, a straw man attacker.

I will also add that cryptocurrency wallets are delightful from a physical attacker point of view in that they combine the hostage and the ransom all in one. No more messy negotiating with 3rd parties.

I would be very nervous if I held any significant amount of cryptocurrency in a nation with kidnapping for profit...

Spectre/Meltdown fixes in HPC: Want the bad news or the bad news? It's slower, say boffins


Re: Stop me if I'm wrong here but...

The issue is that attackers don't have to have admin access to attack, they just need to have access to something running on the same physical machine.

Do the HR and payroll people have the same security practices and standards as the R & D folk?

Worse, a lot of companies use cloud - there can be literally dozens of different companies running on a given big iron.

Very short-sighted to just talk about single specific big iron installs.

OK, so they sometimes push out insecure stuff, but software devs need our love and respect


I'm all for educating developers more, but it is naive to think that education is the way to fix the problem.

The real issue is that security thinking is dramatically different than coding.

There are people who like to focus on all the ways that code can be broken, and there are other people who like to think of all the ways code can be used to implement some capability.

It isn't clear at all to me that both can be done, well, by one person - much less as an industry practice across tens and hundreds of thousands of developers.

The Cyber Independent Testing Lab with its UL-type approach probably has the right of it - flagging the most common coding conventions that are vulnerable, but it is far from clear that significant progress can be standardized at beyond their approach.

In the meantime, UL itself is getting into the game with a "standards-based" approach. Ugh?

The cybercriminal's cash cow and the marketer's machine: Inside the mad sad bad web ad world


The major platform owners - "Don't be evil" and Z - get about half the revenue of the digital advertising market.

Procter and Gamble cut their $1.2B-ish ad budget by $200M - and saw no change in results at all. This gives a real world idea of just how much fraud there is.

Overall, digital advertising is a shade under $400B. A Procter and Gamble percentage of fraud would mean $65B in advertising fraud. It is probable that the actual fraud is higher.

Why would the platform owners want to stop this?

Top banker batters Bitcoin for sucky scalability, security


Cross of Bitcoin

Follow the Bitcoin Road

Creep travels half the world to harass online teen gamer… and gets shot by her mom – cops


Re: Isn't he supposed to be ...

Concurrent sentences aren't automatic.

Furthermore, the additional charges are added later to keep you in the s**thole jail for months and years, until the general crappiness of living there makes even innocent people plead out, which in turns pumps up the prosecutor's track record for when he goes for judgeship.

Tesla fingers former Gigafactory hand as alleged blueprint-leaking sabotage mastermind


Yes and no.

More accurately, there *was* lots of alternative energy generation before the cryptocurrency miners burned it all up.

'Autopilot' Tesla crashed into our parked patrol car, say SoCal cops


The real problem is likely that the 90% (or higher) of the time that AutoPilot does work disarms people's ability to handle the remaining bits.

This is a serious, architectural problem. If 90% (or even 99.5%) success is accompanied by 10% or 0.5% catastrophe, the technology is fundamentally unsafe.

Brit Attorney General: Nation state cyber attack is an act of war


Re: Imagine a future of the "election interference" bullshit in your face ... forever

Actually, Pravda is now Musk-ian: https://www.wsj.com/articles/elon-musks-latest-proposal-a-website-named-pravda-to-rate-media-credibility-1527116737


Oh good

I await the self naming and shaming for the creators of Stuxnet.


No doubt, "good" hackers - i.e. your own - have different rules.

EU considers baking new norms of cyber-war into security policies


Re: Good luck with that

Haven't read much history, have you? Armies "foraging" off the countryside. The menfolk getting conscripted on the spot. The women being forced to serve other ways. Then there's Genghis Khan in the central Eurasian plains, Magdeburg and the rest of the Reformation and Counter Reformation wars, Romans salting the ruins of Carthage... I'm seeing a pattern and it isn't the one you're espousing.

Great Scott! Bitcoin to consume half a per cent of the world's electricity by end of year


Re: Great Scott

Nice try but a fail.

The entire US' energy consumption for computing was calculated by the NREL back in 2001: http://www2.lbl.gov/Science-Articles/Archive/net-energy-studies.html

To put in terms of the article - which is presumably GW per hour - total computing and networking electricity consumption in the US in 2001 (peak of the Internet 1.0 bubble) was ~2 percent or ~8.4 GW per hour rate.

Or put another way: Bitcoin electricity consumption today uses 30% as much juice as the entire US computing and networking infrastructure in 2001 - the peak of Internet Bubble 1.0. The US consumes about 1/4.5 of the overall world's electricity; if the computing percentage is equivalent worldwide (it is not clear whether it is higher or lower), then bitcoin alone is consuming 6.7% as much as the entire world's computing and network electricity usage. This is ludicrously high.

While internet usage has increased since then, as has computing, efficiency has also increased - so it is unclear if the overall US computing consumption number has increased or decreased. Certainly overall US electricity consumption has not changed much since 2001 (3,9__ TWh in 2001 vs. 4,0__ TWh today).

Equifax reveals full horror of that monstrous cyber-heist of its servers


Re: And how...

I'm no fan of banksters, but credit reliability is very much a "social good" in financial terms.

The individual who has bad credit is highly incentivized to kill all such data, for example.

And if you say that this can be compensated for - it can, but the cost is treating all people with little or no credit history as bad credit. This penalizes those who legitimately are just starting their financial histories (usually young people).

The management of fraud and other criminal activity is another legitimate use case although personally I think credit ratings enable far more than disable. Many of the more sophisticated criminals know very well how to jack up credit ratings artificially.

Risky business: You'd better have a plan for tech to go wrong


Nice writeup.

I am curious, however, as to what other people's experiences with "4-9s, 5-9s, or 6-9s" guarantees or past uptime have been.

From what I have personally seen as well as what is seen publicly, these numbers are neither backed by real guarantees (i.e. cash put forward to compensate for failure to deliver) nor by reality (all sorts of games played to manipulate results).

One easy example is the Dyn attack. Any company using AWS in the East Coast for that period could not possibly have had 5-9s uptime that year, and that outage is hardly the only one by AWS.

Smaller outages occur all the time as well - from local power outages to a backhoe taking down a fiber optic line - stuff happens.

Warren Buffett says cryptocurrency attracts charlatans, AI won’t change investing


Berkshire Hathaway/Buffett/Munger doesn't invest the same way as even your typical hedge fund manager.

For one thing, they are using free money. Unlike just about every other non-government in the world, BRK is investing free money via the enormous float from their insurance operations.

And also unlike just about every other non-government in the world, BRK's only objective is return *of* investment first, followed by return *on* investment.

Since they don't have a time limit (i.e. annual returns to compare to other hedge fund/mutual fund/whatever managers), they invest for 20+ year time frames. Nobody else does that.

Combine enormous scale with enormous time frames and you get a fundamentally different investment framework. Kudos to them for executing very well, since other insurance companies are not able to generate even 1/4 the annual returns regardless of time frame.

Pentagon in uproar: 'China's lasers' make US pilots shake in Djibouti


Re: Laser cannon and sonic death rays.

Really easy? How is that?

You can't see the laser beam in the air unless there is a lot of dust.

If you're the one being blinded/hit, you also can't see the source.

So how exactly is it easy to see the attacker, particularly if they are 2 miles away?

What about if they are 1.9 miles away - the difference in angle is 18 degrees - you can see the difference from a point (laser head on)?


Biting the hand that feeds IT © 1998–2019