* Posts by doublelayer

581 posts • joined 22 Feb 2018


Linus Torvalds pulls pin, tosses in grenade: x86 won, forget about Arm in server CPUs, says Linux kernel supremo

doublelayer Silver badge

Re: We need architecture diversity for guard against vulnerabilities

The theory being that when one is found to have a vulnerability, we switch over to another one and wait for that one to have a vulnerability? I want multiple architectures to prevent the monoculture problem, but I don't see how this helps us in the event of a security problem. Whenever there is a problem in security, the issue is rarely the processors being purchased now, because they can hold back on them until they've fixed it, but all the old ones that are running vulnerable in the field.

doublelayer Silver badge

Re: Apple PC

This doesn't solve his complaint. If the tradition of ARM continues, you won't be able to boot anything else on these ARM-based macs, and you won't be able to use ARM Mac OS on a server. Depending on whether Apple really hates multi-boot, you might see a port of Linux to the ARM mac. However, that won't happen immediately; it will take quite a bit of development to get right, and even then your code is running on a slightly different version of the ARM core.

I don't see this as a problem, but I also don't see writing on x86 and running on ARM as a problem either. His complaint is that you can't run exactly the same system on the development machine as the production machine because the closest thing we have to an ARM desktop is a raspberry pi. If he is right that this is an important factor, an ARM apple machine does not change it.

doublelayer Silver badge

Re: "Intel has tremendous amounts of institutional [money]"

For most people, including IT people and developers, the specific processor type they have is not particularly important, with the main question being whether the chip can provide the performance they need. This is probably different for those doing kernel work, but above that, things matter significantly less.

If you ask a member of the public which ISA the processor in their device runs, they have no clue. If you ask a person who deploys code onto a device, they know what ISA is involved, but they probably don't know which company made it or which specific version it is (did the code I ran yesterday run on an Intel or AMD box? I don't know because it didn't matter).

A product is certainly necessary to get into this business, but AMD managed it when they didn't have much market share, and someone else with a good enough product can as well.

OK, team, we've got the big demo tomorrow and we're feeling confident. Let's reboot the servers

doublelayer Silver badge

Re: Why?!

Those rights are nice, but not fundamental. The analogous rights are rarely available. For example, if I buy a table, I am given a table. Nothing more. I have the right to use the table as I wish, and to disassemble, modify, or destroy my table. If I rented the table, I may not have all those rights. I don't have the universal right for the table manufacturer to give me their engineering plans for the table, although it might be useful if I was modifying the table. That is a thing I have to figure out on my own if the company doesn't want to get those for me.

The same is true of software. I have a problem with people who sell me a license to use their software in its shipped, compiled, form but implement that software in a way at odds with their license (for example, saying the license will work perpetually but requiring it to be renewed, or saying the license will function on airgapped machines but requiring an online check). I have a problem if companies sell the software as something it is not. I do not have a problem if they refuse to let me see their source code. Sometimes, this is enough for me to choose not to buy their software, as there are major benefits to having the source, but other times, this is not as important.

Either way, I do not have the right to look at their source if they have not agreed to give it to me, any more than I have the right to look at your email if you would rather I didn't.

Artificial Intelligence: You know it isn't real, yeah?

doublelayer Silver badge

Re: Logical fallacy alert.....

I'm not sure that's good enough. For self-driving cars, they should reach a safety level of an average driver before they're used, which they have done and exceeded in tests. That's why they are acceptable, though of course they need to verify that they'll pass those tests under more difficult conditions. However, even if we do get a system to perform judgements at the level of an average person (difficult to quantify for topics like bigotry), it can degrade the situation. If we can quantify negative events like this, we can also identify parts where their frequency is excessive, increasing the average. We can also find methods of reducing the likelihood of those events when things are more important, for example moving a trial of a person likely to face discrimination to a location with less connection. With an automatic tool, the parameters can't easily be changed without outright manipulating the result, and a great deal of oversight is needed to ensure that no unforeseen biases are impacting those who the model affects.

A uniform mediocrity is not always enough, and that's still assuming we can achieve that with these tools. I think the evidence shows that, sometimes, we fail even to reach that threshold.

doublelayer Silver badge

Re: It's Just Pattern Recognition

Effectively, this is true. We see patterns in observation, then make predictions about how each possible action will affect the situation before choosing a set of actions to take. So any functioning artificial sapient system should also need this. However, pattern recognition and statistical analysis are slightly different, and human pattern recognition and limited pattern recognition based on a subset of available data are also quite different. I don't have as many problems with the term machine learning, because the creation of a model does learn from its training set. If the set is faulty, it will learn the wrong thing and use that, just as you could teach someone that circles have straight edges, the bright thing in the sky is called a tree, and certain types of people have ingrained qualities that can be applied to any other person in that category, and they will act on those flawed notions.

AGM X3: Swoon at this rugged interloper mobe then throw it on the floor to impress your mates

doublelayer Silver badge

I agree completely. However, my points still stand about the processing differences between raspberry pi zero and any modern smartphone (if only making calls, this isn't a factor). Also, many of the touchscreens that work with the raspberry pi are less capable and more expensive than ones available on consumer devices. I am not familiar with all of the raspberry pi phone projects going on, but the one I did see simply recommended classes of parts to be purchased on eBay and cobbled together by the user. The software looked interesting, but the semifunctional build I saw was fragile and less like the typical rectangle phone factor and more akin to an octopus shape. Unfortunately, the economies of scale available to the mass manufacturers of phones are not as available to those of us who only want one or two of the components concerned.

doublelayer Silver badge

"Given that the electronics for that, I can get from a Raspberry Pi Zero, a camera module and a GSM hat, for way, way under £100 even for a single unit, I don't think it's much to ask."

I like raspberry pi as much as the next person, and prefer it to phones in many circumstances, but let's be realistic. Your three components are not enough to have a functional phone at all, let alone something comparable to a smartphone.

Let's start with the things you need to build a raspberry pi phone. You of course need the board, and the GSM module itself. You also need audio input and output devices that can be attached to the pi, probably via GPIO. Then, you need an interface in the form of a touchscreen, keyboard, or some buttons to select your number and place the call. If you didn't opt for the touchscreen, you'd also need an output system so you could see what you're doing, though I suppose you could have the output by voice only. You also need a battery, and although you could power it with an external battery, it would be much less convenient than a device with one in the case. That's quite a bit more than you originally planned.

Here are some differences between that and a modern smartphone. First, the wireless comms on that are serviceable but not great. You have WiFi, but 802.11n, not ac, and no support for 5 GHz networks. Your Bluetooth is limited in range. There is no NFC and no GPS. Second, you will not get some of the features that modern smartphones have (though often you don't need them). Fast charging, a front camera for videoconferencing, the various noise-reduction features people bring in, etc. Next, there is a difference in scale for the computing power involved. Smartphones have quad or octacore processors, and your pi has one. Phones have at least 2GB of memory, and some have 8, but your pi has 0.5. Finally, there is a difference between the hardware too. A phone's screen is much higher quality than the touchscreens available for the pi. They have a greater pixel density, helped by the fact that their GPUs are more modern than the pi's, and they have multitouch, which is not available on any of the screens I've seen from standard pi retailers.

I want a raspberry pi phone too. However, I don't want it for the hardware. What I'd like is for someone, and the raspberry pi people would probably do quite a good job, to make a phone that has the same style of hardware as normal phones do, but running the open and replaceable software that makes the pi so useful.

doublelayer Silver badge

Here are some use cases for a phone to be waterproof:

1. I pull it out to set a navigation app running. It's raining today, I get bumped on the walk, and my phone falls into a puddle.

2. I am trying to take a picture of my children who are swimming, something from a boat, etc. where I am outside the water but close to it. I get jostled and the phone falls in.

3. This one happened to me. I am going to check a neighbor's swimming pool because they are away and asked me to. I am not going to go in, but I make a wrong step.

4. I live in a flood zone, and my house has become flooded. The phone was on the bottom floor. More importantly, I might want a phone to inform emergency services in case the flooding is becoming a risk.

Some non-accidental situations now:

5. I enjoy going out into nature and swimming around lakes and rivers. I need a phone in case an emergency arises or just to have some of its features when I come out.

6. I like to use small boats, and could really use a phone in addition to the radio on the boat to contact people.

7. I need a phone for a child or someone else who may not be as careful as I am.

I'm not saying these apply to everyone. Only one ever happened to me, and I can say that my phone was not prepared for it. Still, these are pretty logical things for which waterproofing might be useful.

Oracle: Major ad scam 'DrainerBot' is rinsing Android users of their battery life and data

doublelayer Silver badge

Re: Hangon

They can. If they routinely monitor their bandwidth usage. If not, they will still see it. On their bill. With a request for overage charges right under it. You don't think the mobile companies are going to warn them of unusual and possibly risky activity on their device that would make the mobile network less efficient do you? They don't have the time for that, and it's definitely not because they like to dole out overage charges.

Samsung pulls sheets off costly phone-cum-fondleslab Galaxy Fold – and a hefty 5G monster

doublelayer Silver badge

Re: Looks pretty cool..

The specs are certainly nice, but also they are weird. I don't know what types of memory-hungry apps people are running such that running three of them at once is going to get a lot of benefits from 12 GB of memory. Did someone make a VM host for android that I haven't heard of? Meanwhile, I somehow doubt that the gigantic screen will last all that long on the battery provided. It's not for me, anyway, but I think these things may not be as useful as they sound.

Chrome ad, content blockers beg Google: Don't execute our code! Wait, no, do execute our code – just don't kill us!

doublelayer Silver badge

Watch out. At some point, they may just preload all the javascript for you and shove the whole page at you. No real difference, as the javascript does all the requesting rather than the HTML*, but now served from the same server, so a bit slower if that's possible.

*If you also block the javascript from loading remote resources, they can implement a proxy system so all javascript requests are sent through the server from which the page was retrieved and sent on. A bit of overhead for the small pages, but child's play for Google. And given their current use of javascript, they will probably not have too much trouble breaking things if you don't have javascript enabled.

U wot, m8? OMG SMS is back from dead

doublelayer Silver badge

Re: I use SMS...

There are usually usage charges for SMS unless you're on an already-too-expensive plan that makes them unlimited. When those charges exist, they are the ones that don't make any sense because they're orders of magnitude greater than they should be. It's nice that it just works, but most mobile providers figured that out and will charge you as much as they can, either by the message or to give you the ability to send maybe a couple megabytes each month (unlimited, though).

doublelayer Silver badge

Re: You Can Phone Me Or SMS me; Period

I sympathize with your complaint about Signal. However, there are two things to keep in mind. The first is that they don't send the list to the servers; they hash the numbers and send the hashes to the server. So they don't have information about your contact list other than the numbers included, and don't need to keep that either (I'm pretty sure they don't). The second thing is that, because they've decided to link Signal accounts to phone numbers, this functionality lets you use Signal for the real security and privacy benefits to find people and only ever use Signal to contact them. Usernames would work, too, but you'd have the same scenario as usual where you don't know a person's username and have a limited number of memorable ones.

On balance, I'd prefer that Signal just use usernames and we all learn to live with that, but the benefits of an encrypted message system that doesn't require a mobile connection at all times makes the hashing of phone numbers acceptable to me. Meanwhile, I do not want to use the other message apps, as they lack this benefit.

Secret mic in Nest gear wasn't supposed to be a secret, says Google, we just forgot to tell anyone

doublelayer Silver badge

Re: TL:DR version

It sounds more like

"We weren't caught. Sorry about that ... typo. Yeah, it was a typo."

Accused hacker Lauri Love loses legal bid to reclaim seized IT gear

doublelayer Silver badge

Re: Something not ringing true here ...


I suggested two reasons the drive could be encrypted in the middle of an access. They were these:

1. "I suppose one possibility is that the drive could not be read when powered down, and needed a machine to access it. That machine, in turn, could identify that a lot of data was being accessed rather than a standard use, and locked down."

For example, someone modified the drive, and it could not be read without a controller. It couldn't be imaged correctly without disassembly, but if you connected it to the controller, it would show a filesystem that could be read. However, the controller would be programmed to notice anomalous read patterns and lock itself down, blocking further access. This controller could be at various levels, including at the drive firmware level, in a separate hardware device connected to the drive, or in a computer that reads the drive (although the mechanics of getting a computer to do that and boot to it would be painful).

2. "Maybe they were able to get data from a running machine which timed out as well, denying further access to the drives."

For example, the computer was found running, with the drive accessible. They knew or expected that the drive was encrypted, so copied the files from the drive from the running machine. The machine noticed, timed out, or otherwise caused the drive to be locked before they could get all the data.

Was I really that unclear? Are either of these that unreasonable? I do not understand the confusion.

doublelayer Silver badge

Re: Something not ringing true here ...

I suppose one possibility is that the drive could not be read when powered down, and needed a machine to access it. That machine, in turn, could identify that a lot of data was being accessed rather than a standard use, and locked down. That's the most logical option I can think of right now. Maybe they were able to get data from a running machine which timed out as well, denying further access to the drives. Either way, this ambiguity doesn't seem very related to the reasons not to extradite.

Uptown func: Serverless types Nuweba trouser $4.8m as investors eye faster FaaS

doublelayer Silver badge

Re: Admins are increasingly looking to serverless computing

As a dev, I don't see my team advocating a switch either. At least on my team, we like having our code run on a system that we know about, rather than a system we don't know about that gets created and destroyed but we don't have any control over when or how. We also don't need a function layer that already needs an external layer to retrieve stuff from and store stuff in when we could just run our code on the one layer and forget about the second billing system. When we decide that's dead, I'll post again.

What did turbonerds do before the internet? 41 years ago, a load of BBS

doublelayer Silver badge

"I'm impressed. Do they have fibre and Gmail in the heavenly kingdom now?"

Is this a joke? The original quote reads "A distant relative of a friend who had recently died contacted me". The person who contacted them is "A distant relative of a friend", and the friend had recently died. The relative was alive at the time.

doublelayer Silver badge

Re: Booting

You can reduce the boot time of a raspberry pi by dropping things from the OS's autostart system, and it will work somewhat. You can also get shorter boot times on computers with slimmer sets of software. Sadly, that only reduces things to a smaller positive integer number of seconds. Why don't we build a firmware image for raspberry pis whose only purpose is to boot and give whatever capabilities it can in under a second? What do you think we can/should get it to do with that small an image?

Mini computer flingers go after a slice of the high street retail Pi

doublelayer Silver badge

Re: Mould breakers

Which is why I want to use a pi over a phone whenever feasible. However, the price of extra components and performance in portable scenarios make some projects that are pi-based less feasible.

doublelayer Silver badge

Re: Mould breakers

Pis are brilliant for tasks where they run headless, performing network tasks, serving as simple servers, and the like. They also do a wonderful job when running complex equipment (driving motors, wired into automation setups, etc.). They do an OK job as desktops. It's the remaining category where it can be hard to justify. I prefer to use them when I have the parts lying around, mostly because I can use all the tools Linux has to offer, write a program or an OS image as suits the project, and expand things whenever necessary by attaching other hardware or creating new interfaces.

However, if I was making a time lapse camera that uplinks via WiFi and I wanted multiples of them, I'd have to use phones for that. The first problem is price. A raspberry pi 0W costs $10, and the camera for it costs $20. This makes it look like the cost will be only $30, but this brings me to the second reason to choose phones. Raspberry pis don't work well with batteries. They just don't last long enough for something this large. With a phone, I could use the same power bank to keep the phone charged, and when the bank died the phone could continue its job for hours on its battery while sending me a message to swap out the batteries. The pi would only run on the battery unless you also purchase a secondary UPS board for it, $15-25. Even then, the board is more power hungry under many circumstances because it doesn't have the type of power-saving stuff in software that phones do.

doublelayer Silver badge

Re: I wonder what many people will think...

It's not that hard to set it up, especially if you buy one of their pre-burned SD cards as well, which will walk you through the setup. You don't have to be super technical to do that. Once it is installed, they start it up by default with a full GUI which is like other computers enough that you don't really have to know that much to use it. I don't think a suitably inclined person would have any problem setting it up even if they don't have much computing experience.

That said, I agree with your major point because there are so many users that won't bother going to the tiny effort involved, even though they'd learn some things and wind up with a useful system.

doublelayer Silver badge

Re: Mould breakers

I hope that this store provides two benefits. The first is almost certainly present, and that is that you don't have to pay for shipping. Usually, ordering parts to go along with the pi does not come with free shipping unless you are buying a bunch of things, and the shipping prices can be ridiculously high.

I also hope that this shop sells components to connect to the pi at less of a markup than online retailers tend to do. This is one of the major problems with the pi; the board itself is wonderfully priced, but all the things you connect to it are at significant markups. Components like tiny screens, communications chips, or even LEDs and buttons, jump an order of magnitude when someone has rearranged it to play well with the pi. This makes it difficult to justify a pi project with a medium amount of added hardware because it usually costs a lot more than an analogous hardware device.* Of course, sometimes I find a pi accessory that has not been hideously overpriced (at those times, I feel a strong urge to buy it whether I need it or not because I'm so glad to see that it exists). Hopefully, the shop will find some less costly components and sell them without too much of a markup.

*Take, for example, a pi project that uses a small touchscreen for display and control and also uses GPS. These functions could be accommodated by running the code on a cheap smartphone, which would probably cost $40-50 US. The pi costs $35, a touchscreen could run from $30-$50, and a GPS receiver is probably in the $40 range. I still favor the pi solution if you can do it, but I can't explain why it justifies the 2.5x price difference, especially as the phone has a better screen, battery, and a number of other hardware capabilities that haven't been added to this.

Blockchain is bullsh!t, prove me wrong meets 'chain gang fans at tech confab

doublelayer Silver badge

Re: Nor a good solution

I addressed most of those issues in my original post. I'll cover them again here and fill in some gaps.

"1. While the blockchain is secure, wallets are not. And in reality, you are at far higher risk of having bitcoins stolen than having your bank balance stolen."

True in some cases, false in others. Against your standard street criminal, the cryptography on mobile devices is a lot more of an impediment than typical antitheft systems on credit cards. Money can be stolen from online we-buy-the-crypto-for-you systems, but I'm not talking about those. I'm talking about the systems where you have your own wallet stored on your own devices.

"2. How is this more secure than Apple Pay, or a banking app on my phone?"

It isn't particularly, but that isn't supported in very many places because Apple, the bank, and the payment location all have to work together on the thing, subject to local laws, etc. In most cases, I'd rather use this, but it is worthwhile to consider that cryptocurrency processing is less centralized. If it had a value (see point 4 and the original post), payments would be more straightforward with a similar level of security, and it would be supportable in most locations. And you wouldn't have to have a specific device, accounts with any company, or credit system.

"3. You need to elaborate why using a bank to make payments is a bad thing, and using bitcoin mining companies to do it is better."

Wrong. I didn't say that. I said that banks have downsides. They include the problems of skimming (this happens more frequently in some places, and even if you can get your money back, it's not ideal to have it stolen in the first place). Crypto can deal with some of those in theory, and you would be doing it with your own wallet rather than an untrustworthy speculation system.

"4. Bitcoin performs a lot worse as a predictable store of value than almost all government issued currencies out there. To keep the value of a currency stable, you do need a central bank to control the supply, and bitcoin makes this impossible."

I specifically noted this. I said it doesn't work with the current use of cryptocurrency. However, supply is limited by the maths, and a central bank (Venezuela's, for example) can't devalue it on a whim. It isn't so necessary for us, but people who live in countries with less stable currencies might see this as a major benefit assuming we eventually create a cryptocurrency that gets used as a currency. I'm talking about the theory. The theory isn't working right now because people think that ridiculous volatility is a good investment system, but it has useful elements.

Once again, I don't trust cryptocurrency. I don't have any. I don't see it as necessary, and it doesn't hold value at this point. But it is unfair to deny that it does fix some problems that do exist, even if they aren't problems for us.

doublelayer Silver badge

I need some help

Can someone help me with this:

"It's almost like you need to decide if you're the pipes or the water," Rowley said. "If you're the pipes, then it's not important what you're called. If you're the water, then blockchain is the thing to highlight."

So if you're the pipes, it doesn't matter what you're called? But surely you're called "the pipes" and you need to distinguish it from "the hamsters", right? Or maybe you don't care because you can put things other than water through pipes, so the pipes don't care? But you can only put a few types of things through pipes and they need to be different types of pipes for each thing. And if you're the water, then you need people to know that because they would want water service, and that's the important element. But they would also need pipes to have water service, so they need to know both that you have pipes and that you're going to put water through them. If you have water but no pipes, it wouldn't be so helpful. If you're the pipe manufacturers, you need to know that you're using these for water, both so you can build the pipes right and so the people who are hiring you for pipes can have them connected to the water systems. Which means that the people concerned are really buying water, and the pipes are just a vehicle for that. So that means we're the water, or in this analogy, we are blockchain and need to make sure that blockchain is highlighted. But if we highlight the blockchain, we are telling the politicians that we're only talking about crypto. Wasn't the original argument that we should talk less just about blockchain and instead talk about the systems you can build with it? But in that case, isn't the blockchain the pipes, not the water? The water would be the data, and the system that integrates the blockchain would be ... the underground trenching or something?

Am I the only person for whom this quote doesn't make any sense?

doublelayer Silver badge

Re: Might be?

"How about journalism?"

That sounds wonderful! A full audit trail of how stories were written, by whom, with what modifications... That could be useful in a number of places. It would give academics a large dataset for valuable research. It would be great.

Unfortunately, it requires every person in the chain to a) record what they did on the blockchain, b) report what they did accurately, c) report all sources, even ones they don't feel proud to use or want to remain anonymous, d) explain any interference or get the interfering party to write their own blockchain entry, e) maintain the blockchain so it doesn't break, f) come up with a method of encoding all this information, for everything bigger than a tweet. So I would have to have a mechanism for citing your comment, a method for marking that I disagree because I think your theory isn't implementable, indicating that this article is how we met, citing everyone quoted in the article, the editor at The Register that looked over this article, etc. It isn't doable, especially as the thing it is designed to prevent is dishonesty or laziness on the part of the writers of this stuff. If they're dishonest or lazy, they surely aren't going to build blockchain entries to point that out.

doublelayer Silver badge

Re: Nor a good solution

It solves*1 the problems of "I want to carry money with me in such a way that it can't be robbed from me"*2, "I want to be able to send money without involving a bank or credit company"*3, and "I want a store of value that is difficult for some entity to devalue"*4.

*1: Solves the problem, problem is only solved with good implementation and good usage, which is not really there. However, it is capable of solving that problem if people started treating it as a currency instead of a high-risk investment opportunity.

*2: It can't be robbed from you: Without the encryption code for the device, the robber has only gotten your phone/computer. Your private key can and should be stored elsewhere, and you would still be able to retrieve the money. Cash would just be gone, and credit and debit cards could be used until you manage to cancel them.

*3: Pay without needing a bank: For example, when traveling in a country where skimming and fraud are common.

*4: Difficult to devalue: It is difficult for an entity to identify that you have it and decrease its value or steal it from you. This isn't a major concern in our countries, but could be a big deal in countries whose control of their monetary policy is inept. This would require its value to be stable, but unstable value isn't an intrinsic quality of cryptocurrency as a concept, but instead how it is run.

All this said, I am skeptical of most cryptocurrency ideas and very skeptical that there is any good use for the blockchain outside of that.

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019

doublelayer Silver badge

Re: I've got an idea!

Most phones have GLONASS readers in them anyway, and it works better for higher latitudes. So the odds are that anyone using a phone navigation system in Europe uses GLONASS at least some of the time.

doublelayer Silver badge

Re: Week count?

You get the locations of satellites with respect to one another, then calculate where the satellites are right now and use those two numbers to figure out where you are. If you think it's nineteen years ago, you may come up with a different answer to where the satellites are, and thus you would have the wrong answer to where you are as well.
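The 10-bit week counter from this thread's headline, worked through as an added example that is not part of the original comment: it shows how a receiver that assumes a fixed 1024-week era reports a date years in the past after the rollover, and how pinning the date to a known lower bound resolves the ambiguity. The function names and the `not_before` pivot (for instance a firmware build date) are assumptions of this example, and dates are on the GPS time scale with leap seconds ignored.

```python
from datetime import datetime, timedelta

# Start of GPS week 0 on the GPS time scale (no leap seconds applied).
GPS_EPOCH = datetime(1980, 1, 6)
WEEK_BITS = 10                      # width of the broadcast week field
WEEKS_PER_ERA = 1 << WEEK_BITS      # 1024 weeks, roughly 19.6 years
SECONDS_PER_WEEK = 7 * 24 * 3600


def full_week_of(when):
    """Number of whole weeks between the GPS epoch and `when`."""
    return (when - GPS_EPOCH).days // 7


def truncate_week(full_week):
    """What actually goes on the air: only the low 10 bits of the week."""
    return full_week % WEEKS_PER_ERA


def date_in_era(week10, tow, era):
    """Date a receiver reports if it assumes a fixed 1024-week era.

    era 0 starts in 1980, era 1 in 1999, era 2 in 2019.
    """
    _check_fields(week10, tow)
    return GPS_EPOCH + timedelta(weeks=era * WEEKS_PER_ERA + week10,
                                 seconds=tow)


def resolve_date(week10, tow, not_before):
    """Resolve the 10-bit week against a date known to be in the past.

    The earliest week that matches `week10` and is not before the pivot
    is chosen. This stays correct for 1024 weeks after `not_before`;
    beyond that the pivot itself has to be refreshed.
    """
    _check_fields(week10, tow)
    pivot_week = full_week_of(not_before)
    candidate = (pivot_week // WEEKS_PER_ERA) * WEEKS_PER_ERA + week10
    if candidate < pivot_week:
        candidate += WEEKS_PER_ERA
    return GPS_EPOCH + timedelta(weeks=candidate, seconds=tow)


def _check_fields(week10, tow):
    if not 0 <= week10 < WEEKS_PER_ERA:
        raise ValueError("week number does not fit in 10 bits")
    if not 0 <= tow < SECONDS_PER_WEEK:
        raise ValueError("time of week out of range")


if __name__ == "__main__":
    # Constructed sample: the first instant after the 2019 rollover.
    # On the GPS time scale that is 7 April 2019 00:00:00, which falls
    # late on 6 April 2019 in UTC because GPS time runs ahead of UTC.
    true_time = datetime(2019, 4, 7)
    week10 = truncate_week(full_week_of(true_time))
    print("broadcast week field:", week10)

    # Receiver with the 1999 era hard-coded: wrong by 1024 weeks.
    print("fixed era 1:        ", date_in_era(week10, 0, era=1))

    # Receiver that knows it was built no earlier than 1 January 2018.
    print("pivot on build date:", resolve_date(week10, 0,
                                               datetime(2018, 1, 1)))
```
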

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

doublelayer Silver badge


That was LM, not NTLM, although NTLM 1 worked similarly and was also bad. This is a newer NTLM that is much better for its time, but not good enough for 2019.

doublelayer Silver badge

Re: bad programmers

Usually, an attacker has more than a database session (if they do, it's unlikely they have one with rights to the password table anyway). If they have access to the disks or the shell, they simply take a copy of the files implementing the database and open them at their leisure. Your solution only helps if they are able to get a database session and nothing else, and a proper database for passwords shouldn't allow remote accesses anyway. It's a nice tweak, but probably won't solve much.

Return of the audio format wars and other money-making scams

doublelayer Silver badge

Re: ZpulNg

Complain about smishing if you like, as it really is just phishing over SMS, but spear phishing is a useful term. It is very different than standard phishing, directed at one victim rather than a broad sweep, and demonstrably effective as it has been used successfully by many perpetrators in the past few years. I think that large a movement, and one that has seen results, deserves an identifying word. Similarly, I do not have a problem with the creation of such words as "ransomware" and "cryptojacking", neither of which existed before they became major trends in malware production.

If you want a vision of the future, imagine not a boot stamping on a face, but keystroke logging on govt contractors' PCs

doublelayer Silver badge

Re: What muppet agrees to pay per hour?

It wouldn't take much effort to make it work; if you write something quickly, you can have a macro replayer retype it slowly and do whatever you please. If you have to have different documents up when the screenshot system works, you figure out the schedule, load up different-looking documents or old versions of whatever you have and have the program have a different one open each time the scheduled collection happens.

doublelayer Silver badge

Re: New Jersey? Relax ...

That takes too much intelligence. Your standard organized crime unit doesn't use their brains to get money, they use their ability to bring force to their victims and little else. Whenever they have some intelligence involved, it's usually a group of lawyers finding loopholes. What are they going to do, contract out the writing of the software?

The Lance Arm-strong of performance-enhanced CPUs: Armv8.1-M arch jams vector math into super-microcontrollers

doublelayer Silver badge

Re: next-gen 32-bit microcontrollers????????????

I think the most memory I've seen paired with one of these is 512k, and 32k is quite typical. Of course, they probably have SOCs with more memory somewhere if they're planning to do voice recognition on them, but that gives you a sense of the typical scale of the things. They run one program, connected to a few basic hardware devices, and nothing else.

Take your pick: Linux on Windows 10 hardware, or Windows 10 on Linux hardware

doublelayer Silver badge

"You'll always need a device specific kernel, or maybe you should steer clear of x86 specific images as well?"

Not so. An x86 image will be capable of running on any x86 processor, assuming you can get the firmware to find it and boot to it and the drivers are working. Sure, some x86 systems hide the required things to do that, but that's not many of them and you could simply not buy them. Also, some chips that are old enough won't run an x86-64 image either at all or without a 32-bit bootloader.

That's quite different from the ARM landscape, where nothing will boot at all unless someone has tailored a bootloader for the specific device running it and for the specific image being run. This is why it's hard to flash a custom ROM to an Android device* and why companies seeking a system that can't be reimaged are moving to it. For single-purpose devices, that's fine, but for computing, it has many limitations. I would want a device like this only if they had a universal firmware system that could boot anything that was written for the architecture. I'm not asking for universal drivers. I'm not asking for source available on every component. I'm asking only for the right to boot to any image I want; it's my responsibility to make sure it can boot.

*Installing a custom ROM on Android devices: You can't have an image for the version of ARM used by the chip, nor by the chip manufacturer and architecture, nor even for the specific chip. Your ROM must be recompiled for each device you want to install it on, with a lot of fiddling with it and it never working. That's why these alternate Androids only ever run on a few flagship phones.

Oh Snapd! Gimme-root-now security bug lets miscreants sock it to your Ubuntu boxes

doublelayer Silver badge

Re: Who the hell uses Linux


"For desktops and laptops use Windows unless you're a Mac fan in which case go ahead. Because you want proper device drivers, power management with working suspend and hibernate etc."

You know that Linux runs on a lot of machines, right? With all of those things working? That when it's not working, it's because some manufacturer didn't release proper drivers for the thing so they could be used? Your counter suggestion is to run the single monoculture desktop OS that doesn't have a perfect track record dealing with device drivers either? Well, I guess there's no arguing with that.

"For servers use FreeBSD or a Solaris or similar as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers. Also a robust filesystem for your data and there is ZFS. You don't need things like snapd. For some applications maybe even go IBM."

Well, that was a weird statement. Er...let me parse that a bit.

"For servers use FreeBSD"

Fine, but you know that a lot of the stuff above the BSD is the same stuff that is above the Linux. So there is not much difference in all the stuff running on top of the kernel and base.

"or a Solaris or similar"

Why? I know it still exists, but there are some reasons it doesn't have a bunch of market share anymore.

"as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers."

Oh, that's why. Again, Linux, BSDs, and Solaris all use pieces in common; the desktop environments are interchangeable. The major difference is the kernel, which in all cases is monolithic. It's just a different one for each case, but all were built from contributions of more than one team. None are particularly taped together, especially after the massive amounts of testing each has received while running a bunch of servers.

"Also a robust filesystem for your data and there is ZFS."

If you really want it, that runs on Linux too.

"You don't need things like snapd."

That's a bit abrupt to switch back to the point, but I'll point out that you don't have to use snapd, and it's more likely to be used on desktops than servers. It was originally built to run on phones, and it helps with applications that need custom library versions so you don't mess up your environment. Complain about it if you have a problem, but know what it is and more importantly what it isn't.

"For some applications maybe even go IBM."

And again I must ask why. You may have had a reason, but without telling us what it is, you seem to be making suggestions at random with the only point being "don't run Linux". Your basis for this as stated here is full of holes. Try something else.

Ivan to be left alone: Russia preps to turn its internet into an intranet if West opens cyber-fire

doublelayer Silver badge

Re: Can anyone bother to explain

Certainly. You can argue all you like that country X is being unfair to country Y, and I'm likely going to agree with you. That doesn't change the facts I mentioned. If any country tries to funnel all of its connections through a government-controlled system, they aren't doing it to deal with foreign interference because that wouldn't work.

Imagine what would happen if the Democratic Republic of A and the People's Republic of B did this. A is worried that B will attack them, so they funnel all their connections through one system so they can turn off their network at any time. B is also a country, with a lot of power, so if they are planning to attack A's systems, they will put a computer inside A that can be controlled by an agent of B. They could do this by:

1. Use an international phone line to control the system if the network gets cut.

2. Use a satellite connection that they can control to uplink data to the machine.

3. Use a radio transmission to control the system.

4. Put a spy in front of the computer to do the work for them.

5. Run a wire across the border and don't tell anyone (this works better if A and B share a border, and requires the machine to be close to the border).

6. Just use another method to take out whatever they want to take out.

You couldn't stop anyone that way. Sure, cutting off the network would prevent some international attacks from criminal groups that happen to use that way to get in. In the same way, cutting all the electrical lines and having people run their own generators if they really need electricity would protect them from a malicious party delivering a much higher than expected voltage to their building and frying things. However, cutting electricity is more likely to be a method of repression, and the same is true of cutting network.

doublelayer Silver badge

Re: Can anyone bother to explain

It's unreasonable because they're completely disingenuous. This isn't to protect sensitive systems from outside intrusion; if they're afraid about those, they'll have airgapped some and built special networks for the rest already. That's what you do if you don't want people to get into your systems--you disconnect *those* systems. This is so they can, at will, cut off access from general citizens to specific sites (all through the runet firewall) or everything if they're feeling paranoid. Essentially, they looked at China and said "if only we had been in power when things were being set up, we'd have a system like that. Let's try to build one now.", then emitted some garbage about how the terrible hackers need to be blocked from Russian network activity.

Ever used VFEmail? No? Well, chances are you never will now: Hackers wipe servers, backups in 'catastrophic' attack

doublelayer Silver badge

Re: Backups?

Yes, they should have. However, it doesn't sound as if they had terrible security elsewhere, as they commented that the VMs had different authentication and different setups, thus this attack couldn't be done by a single compromised set of credentials (hopefully). Still, if things are that large, they should have some place where email data was stored on offline and hopefully also offsite media.

It's OK, everyone – Congress's smart-cookie Republicans have the answer to America's net neutrality quandary

doublelayer Silver badge

Re: I've always wondered...

Emergency data isn't just "An emergency has occurred. Details here." They can include other information, for example communications from responders to a wildfire. That's voice because the people involved can't take the time to type out a message when they are both fighting the fire and looking out for a situation that means they have to get out of there. So there may be some need to put them on their own circuit that can't be restricted. It doesn't mean that other companies or users deserve that.

doublelayer Silver badge

Re: I've always wondered...

"[W]hat about cases where paid prioritization is in the consumer's best interests?"

And those would be? Paid prioritization always helps *some* consumers, that is the consumers whose data is being prioritized. It helps them, for now, before they are charged for that or the company on the other end raises its prices because they are being charged for it. In the meantime, it hurts everyone else. The only one it consistently helps is the ISP, which is going to make a bunch of money off the consumers or providers who have to pay for the capabilities they already have.

Your question is invalid. You can't just throw out a what-if that alleges something you haven't proven. You could ask "what about cases where paid prioritization prevents malware", "what about cases where paid prioritization makes the ISP improve the infrastructure", or "what about cases where paid prioritization causes world peace", but asking the question doesn't mean that there are such cases. If your view is that there are "cases where paid prioritization is in the consumer's best interests", you have to explain what those are. If you wanted to ask "Do cases exist where paid prioritization is in the consumer's best interests?", I would respond that I have not seen any thus far. If, as I assume from your question, you disagree, I'm happy to hear your suggested cases and we can discuss their merits or lack thereof.

Hold horror stories: Chief, we've got a f*cking idiot on line 1. Oh, you heard all that

doublelayer Silver badge

Sometimes, those questions reveal good answers. However, usually the answers are these:

"1) Why can't you put them through to support?"

I can. Support is backlogged. They'll be on hold with them. That's why they're ringing me, because they're angry about being on hold.

"2) Why is your support phone line so poor they can't even answer a phone, which is their one, primary and sole purpose?"

Either there are not enough support staff (not my responsibility if I'm answering another phone), some are sick, some other customer has a major problem and they're fixing it, it's a time of day where support has ended because we don't run 24 hour support but I'm working late, ...

"3) What do you expect users to do when they can't get through on the line they are supposed to? Write you a letter to solve their support problems?"

Per the answer to 1, I expect them to wait on hold. Then, perhaps, send a letter to the responsible party (i.e. the head of support or their superior) complaining about having to wait on hold. They should not complain about that to me, as that's not my job and I can't do anything about that.

"4) Why are your sales staff - when they get a call and can't get even through to support themselves - not able to have the most basic of support functions available to clear your sales lines for what THEY are intended for. Even if this is a limited checksheet, filing a ticket direct to support on the customer's behalf, etc.?"

Because sales is not support. You don't hire sales representatives for their ability to support customers, because that's not their job. If there is a convenient page that they can give you, that's always nice to have, but many users will either refuse to read it or have a problem that is more complex. In that case, it is not the job of sales to support the systems. I also don't expect that a customer that calls the HR department will get IT help.

By assaulting a sales office when support is bad, you are punishing the wrong people. The people responsible for the problem, assuming that there is a problem, are not the people answering the phones. Those people are trying to do their job, and you are preventing them from doing that without any good reason. As fun as your autodial story was in a BOFH way, it's not the right way to deal with the problem you faced.

doublelayer Silver badge

Re: Help desk

I suppose that's possible, as we don't know all the details. However, it sounds as if the original caller needed a problem solved by a higher level of support but the helpdesk operator believed that he could fix the problem himself and did not agree to escalate the call. Having had that happen before, I am willing to believe it could have happened this time. In that case, the operator refused to do as the customer asked but also could not fix the problem, stranding the person with the problem and wasting both of their time, and I can see anger after a long session of this as reasonable. It could be as you describe, but it is described as a perfectly possible situation.

Reliable system was so reliable, no one noticed its licence had expired... until it was too late

doublelayer Silver badge

I think the point of the original post was more "You can't rely on a specific piece of hardware running forever" rather than "All hardware has the same lifespan". In that sense, that is correct. Software and hardware never had a miraculous period where it would run forever. Some systems will run a very long time, while others would fail quickly.

Lovely website you got there. Would be a shame if we, er, someone were to sink it: Google warns EU link tax will magnify media monetary misery

doublelayer Silver badge

Re: I'm perfectly fine with minimal text and no images

You can use it fine with no images, sure, but minimal text? Usually, the main thing that helps me to decide whether the search worked is to read the summary text where my terms appeared. I can filter whether results are useful or just happen to mention my search term much more effectively with that than I can with the page title. I can also use that to identify pages that I've already effectively read, if the term was quoted in multiple places.

I also think it should not be possible to charge for linking to a page. That is antithetical to much of the web, and should remain so. I'm directing traffic to someone. If they want to make money on that, they should view me as a positive, whether I'm making money myself or simply thought they were a useful resource. I shouldn't have to pay for the privilege of telling someone they might find something else useful. I don't pay the newspapers if I suggest that someone goes and gets one to read a great article.

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

doublelayer Silver badge

Re: Great

"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

Thanks for the compliment.

"1st party phone is a Google pixel"

That involves paying Google a bunch of money, buying a hideously overpriced device, getting the wonderful extra Google spyware unless I flash it, in which case there is no support... No thanks.

"2nd party phone is a network SIM free phone"

Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

"There is clearly nothing wrong with Android if some models get these patches every month, and many do."

Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

4. There is no problem with Samsung Galaxy Note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.

doublelayer Silver badge

Re: Oh well

And, unfortunately, devices running on old security updates are very common. Again with the anecdotes, but a friend of mine has two tablets that she uses very frequently, both of which are still on version 4.3*. My only hope is that they are too old to run the newest malware. She is, at least, a sharp person who will probably spot most scams, but it is still unpleasant to think of those things online in 2019.

*Neither received a single update of any kind.

Apple puts bullet through 'Do Not Track', FaceTime snooping bug and iOS vulnerabilities

doublelayer Silver badge

The only site I've seen that does respect it is, in fact, adafruit. Nowhere else has ever warned me about this tracking, and of course many sites are known to completely ignore it. So you can pretty much assume the answer to what sites don't respect DNT is (*.* - *.adafruit.com). You will unfortunately have to be more active than that to stop tracking, and I'm glad that someone is killing the thing because checking that box probably provided some with a false sense of security about the whole business.

