* Posts by doublelayer

560 posts • joined 22 Feb 2018


Blockchain is bullsh!t, prove me wrong meets 'chain gang fans at tech confab


Re: Nor a good solution

I addressed most of those issues in my original post. I'll cover them again here and fill in some gaps.

"1. While the blockchain is secure, wallets are not. And in reality, you are at far higher risk of having bitcoins stolen than having your bank balance stolen."

True in some cases, false in others. Against your standard street criminal, the cryptography on mobile devices is a lot more of an impediment than typical antitheft systems on credit cards. Money can be stolen from online we-buy-the-crypto-for-you systems, but I'm not talking about those. I'm talking about the systems where you have your own wallet stored on your own devices.

"2. How is this more secure than Apple Pay, or a banking app on my phone?"

It isn't particularly, but that isn't supported in very many places because Apple, the bank, and the payment location all have to work together on the thing, subject to local laws, etc. In most cases, I'd rather use this, but it is worthwhile to consider that cryptocurrency processing is less centralized. If it had a value (see point 4 and the original post), payments would be more straightforward with a similar level of security, and it would be supportable in most locations. And you wouldn't have to have a specific device, accounts with any company, or credit system.

"3. You need to elaborate why using a bank to make payments is a bad thing, and using bitcoin mining companies to do it is better."

Wrong. I didn't say that. I said that banks have downsides. They include the problems of skimming (this happens more frequently in some places, and even if you can get your money back, it's not ideal to have it stolen in the first place). Crypto can deal with some of those in theory, and you would be doing it with your own wallet rather than an untrustworthy speculation system.

"4. Bitcoin performs a lot worse as a predictable store of value than almost all government issued currencies out there. To keep the value of a currency stable, you do need a central bank to control the supply, and bitcoin makes this impossible."

I specifically noted this. I said it doesn't work with the current use of cryptocurrency. However, supply is limited by the maths, and a central bank (Venezuela's, for example) can't devalue it on a whim. It isn't so necessary for us, but people who live in countries with less stable currencies might see this as a major benefit assuming we eventually create a cryptocurrency that gets used as a currency. I'm talking about the theory. The theory isn't working right now because people think that ridiculous volatility is a good investment system, but it has useful elements.

Once again, I don't trust cryptocurrency. I don't have any. I don't see it as necessary, and it doesn't hold value at this point. But it is unfair to deny that it does fix some problems that do exist, even if they aren't problems for us.


I need some help

Can someone help me with this:

"It's almost like you need to decide if you're the pipes or the water," Rowley said. "If you're the pipes, then it's not important what you're called. If you're the water, then blockchain is the thing to highlight."

So if you're the pipes, it doesn't matter what you're called? But surely you're called "the pipes" and you need to distinguish it from "the hamsters", right? Or maybe you don't care because you can put things other than water through pipes, so the pipes don't care? But you can only put a few types of things through pipes and they need to be different types of pipes for each thing. And if you're the water, then you need people to know that because they would want water service, and that's the important element. But they would also need pipes to have water service, so they need to know both that you have pipes and that you're going to put water through them. If you have water but no pipes, it wouldn't be so helpful. If you're the pipe manufacturers, you need to know that you're using these for water, both so you can build the pipes right and so the people who are hiring you for pipes can have them connected to the water systems. Which means that the people concerned are really buying water, and the pipes are just a vehicle for that. So that means we're the water, or in this analogy, we are blockchain and need to make sure that blockchain is highlighted. But if we highlight the blockchain, we are telling the politicians that we're only talking about crypto. Wasn't the original argument that we should talk less just about blockchain and instead talk about the systems you can build with it? But in that case, isn't the blockchain the pipes, not the water? The water would be the data, and the system that integrates the blockchain would be ... the underground trenching or something?

Am I the only person for whom this quote doesn't make any sense.


Re: Might be?

"How about journalism?"

That sounds wonderful! A full audit trail of how stories were written, by whom, with what modifications... That could be useful in a number of places. It would give academics a large dataset for valuable research. It would be great.

Unfortunately, it requires every person in the chain to a) record what they did on the blockchain, b) report what they did accurately, c) report all sources, even ones they don't feel proud to use or want to remain anonymous, d) explain any interference or get the interfering party to write their own blockchain entry, e) maintain the blockchain so it doesn't break, f) come up with a method of encoding all this information, for everything bigger than a tweet. So I would have to have a mechanism for citing your comment, a method for marking that I disagree because I think your theory isn't implementable, indicating that this article is how we met, citing everyone quoted in the article, the editor at The Register that looked over this article, etc. It isn't doable, especially as the thing it is designed prevent is dishonesty or laziness on the part of the writers of this stuff. If they're dishonest or lazy, they surely aren't going to build blockchain entries to point that out.


Re: Nor a good solution

It solves*1 the problems of "I want to carry money with me in such a way that it can't be robbed from me"*2, "I want to be able to send money without involving a bank or credit company"*3, and "I want a store of value that is difficult for some entity to devalue"*4.

*1: Solves the problem, problem is only solved with good implementation and good usage, which is not really there. However, it is capable of solving that problem if people started treating it as a currency instead of a high-risk investment opportunity.

*2: It can't be robbed from you: Without the encryption code for the device, the robber has only gotten your phone/computer. Your private key can and should be stored elsewhere, and you would still be able to retrieve the money. Cash would just be gone, and credit and debit cards could be used until you manage to cancel them.

*3: Pay without needing a bank: For example, when traveling in a country where skimming and fraud are common.

*4: Difficult to devalue: It is difficult for an entity to identify that you have it and decrease its value or steal it from you. This isn't a major concern in our countries, but could be a big deal in countries whose control of their monetary policy is inept. This would require its value to be stable, but unstable value isn't an intrinsic quality of cryptocurrency as a concept, but instead how it is run.

All this said, I am skeptical of most cryptocurrency ideas and very skeptical that there is any good use for the blockchain outside of that.

Fun fact: GPS uses 10 bits to store the week. That means it runs out... oh heck – April 6, 2019


Re: I've got an idea!

Most phones have GLONASS readers in them anyway, and it works better for higher latitudes. So the odds are that anyone using a phone navigation system in Europe uses GLONASS at least some of the time.


Re: Week count?

You get the locations of satellites with respect to one another, then calculate where the satellites are right now and use those two numbers to figure out where you are. If you think it's nineteen years ago, you may come up with a different answer to where the satellites are, and thus you would have the wrong answer to where you are as well.

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs



That was LM, not NTLM, although NTLM 1 worked similarly and was also bad. This is a newer NTLM that is much better for its time, but not good enough for 2019.


Re: bad programmers

Usually, an attacker has more than a database session (if they do, it's unlikely they have one with rights to the password table anyway). If they have access to the disks or the shell, they simply take a copy of the files implementing the database and open them at their leisure. Your solution only helps if they are able to get a database session and nothing else, and a proper database for passwords shouldn't allow remote accesses anyway. It's a nice tweak, but probably won't solve much.

Return of the audio format wars and other money-making scams


Re: ZpulNg

Complain about smishing if you like, as it really is just phishing over SMS, but spear phishing is a useful term. It is very different than standard phishing, directed at one victim rather than a broad sweep, and demonstrably effective as it has been used successfully by many perpetrators in the past few years. I think that large a movement, and one that has seen results, deserves an identifying word. Similarly, I do not have a problem with the creation of such words as "ransomware" and "cryptojacking", neither of which existed before they became major trends in malware production.

If you want a vision of the future, imagine not a boot stamping on a face, but keystroke logging on govt contractors' PCs


Re: What muppet agrees to pay per hour?

It wouldn't take much effort to make it work; if you write something quickly, you can have a macro replayer retype it slowly and do whatever you please. If you have to have different documents up when the screenshot system works, you figure out the schedule, load up different-looking documents or old versions of whatever you have and have the program have a different one open each time the scheduled collection happens.


Re: New Jersey? Relax ...

That takes too much intelligence. Your standard organized crime unit doesn't use their brains to get money, they use their ability to bring force to their victims and little else. Whenever they have some intelligence involved, it's usually a group of lawyers finding loopholes. What are they going to do, contract out the writing of the software?

The Lance Arm-strong of performance-enhanced CPUs: Armv8.1-M arch jams vector math into super-microcontrollers


Re: next-gen 32-bit microcontrollers????????????

I think the most memory I've seen paired with one of these is 512k, and 32k is quite typical. Of course, they probably have SOCs with more memory somewhere if they're planning to do voice recognition on them, but that gives you a sense of the typical scale of the things. They run one program, connected to a few basic hardware devices, and nothing else.

Take your pick: Linux on Windows 10 hardware, or Windows 10 on Linux hardware


"You'll always need a device specific kernel, or maybe you should steer clear of x86 specific images as well?"

Not so. An x86 image will be capable of running on any x86 processor, assuming you can get the firmware to find it and boot to it and the drivers are working. Sure, some x86 systems hide the required things to do that, but that's not many of them and you could simply not buy them. Also, some chips that are old enough won't run a x86-64 image either at all or without a 32-bit bootloader.

That's quite different from the ARM landscape, where nothing will boot at all unless someone has tailored a bootloader for the specific device running it and for the specific image being run. This is why it's hard to flash a custom ROM to an android device* and why companies seeking a system that can't be reimaged are moving to it. For single-purpose devices, that's fine, but for computing, it has many limitations. I would want a device like this only if they had a universal firmware system that could boot anything that was written for the architecture. I'm not asking for universal drivers. I'm not asking for source available on every component. I'm asking only for the right to boot to any image I want; it's my responsibility to make sure it can boot.

*Installing a custom ROM on android devices: You can't have an image for the version of ARM used by the chip, nor by the chip manufacturer and architecture, nor even for the specific chip. Your ROM must be recompiled for each device you want to install it on, with a lot of fiddling with it and it never working. That's why these alternate androids only ever run on a few flagship phones.

Oh Snapd! Gimme-root-now security bug lets miscreants sock it to your Ubuntu boxes


Re: Who the hell uses Linux


"For desktops and laptops use Windows unless you're a Mac fan in which case go ahead. Because you want proper device drivers, power management with working suspend and hibernate etc."

You know that Linux runs on a lot of machines, right? With all of those things working? That when it's not working, it's because some manufacturer didn't release proper drivers for the thing so they could be used? Your counter suggestion is to run the single monoculture desktop OS that doesn't have a perfect track record dealing with device drivers either? Well, I guess there's no arguing with that.

"For servers use FreeBSD or a Solaris or similar as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers. Also a robust filesystem for your data and there is ZFS. You don't need things like snapd . For some applications maybe even go IBM."

Well, that was a weird statement. Er...let me parse that a bit.

"For servers use FreeBSD"

Fine, but you know that a lot of the stuff above the BSD is the same stuff that is above the Linux. So there is not much difference in all the stuff running on top of the kernel and base.

"or a Solaris or similar"

Why? I know it still exists, but there are some reasons it doesn't have a bunch of market share anymore.

"as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers."

Oh, that's why. Again, Linux, BSDs, and Solaris all use pieces in common; the desktop environments are interchangeable. The major difference is the kernel, which in all cases is monolithic. It's just a different one for each case, but all were built from contributions of more than one team. None are particularly taped together, especially after the massive amounts of testing each has received while running a bunch of servers.

"Also a robust filesystem for your data and there is ZFS."

If you really want it, that runs on Linux too.

"You don't need things like snapd ."

That's a bit abrupt to switch back to the point, but I'll point out that you don't have to use snapd, and it's more likely to be used on desktops than servers. It was originally built to run on phones, and it helps with applications that need custom library versions so you don't mess up your environment. Complain about it if you have a problem, but know what it is and more importantly what it isn't.

"For some applications maybe even go IBM."

And again I must ask why. You may have had a reason, but without telling us what it is, you seem to be making suggestions at random with the only point being "don't run Linux". Your basis for this as stated here is full of holes. Try something else.

Ivan to be left alone: Russia preps to turn its internet into an intranet if West opens cyber-fire


Re: Can anyone bother to explain

Certainly. You can argue all you like that country X is being unfair to country Y, and I'm likely going to agree with you. That doesn't change the facts I mentioned. If any country tries to funnel all of its connections through a government-controlled system, they aren't doing it to deal with foreign interference because that wouldn't work.

Imagine what would happen if the Democratic Republic of A and the People's Republic of B did this. A is worried that B will attack them, so they funnel all their connections through one system so they can turn off their network at any time. B is also a country, with a lot of power, so if they are planning to attack A's systems, they will put a computer inside A that can be controlled by an agent of B. They could do this by:

1. Use an international phone line to control the system if the network gets cut.

2. Use a satellite connection that they can control to uplink data to the machine.

3. Use a radio transmission to control the system.

4. Put a spy in front of the computer to do the work for them.

5. Run a wire across the border and don't tell anyone (this works better if A and B share a border, and requires the machine to be close to the border).

6. Just use another method to take out whatever they want to take out.

You couldn't stop anyone that way. Sure, cutting off the network would prevent some international attacks from criminal groups that happen to use that way to get in. In the same way, cutting all the electrical lines and having people run their own generators if they really need electricity would protect them from a malicious party delivering a much higher than expected voltage to their building and frying things. However, cutting electricity is more likely to be a method of repression, and the same is true of cutting network.


Re: Can anyone bother to explain

It's unreasonable because they're completely disingenuous. This isn't to protect sensitive systems from outside intrusion; if they're afraid about those, they'll have airgapped some and built special networks for the rest already. That's what you do if you don't want people to get into your systems--you disconnect *those* systems. This is so they can, at will, cut off access from general citizens to specific sites (all through the runet firewall) or everything if they're feeling paranoid. Essentially, they looked at China and said "if only we had been in power when things were being set up, we'd have a system like that. Let's try to build one now.", then emitted some garbage about how the terrible hackers need to be blocked from Russian network activity.

Ever used VFEmail? No? Well, chances are you never will now: Hackers wipe servers, backups in 'catastrophic' attack


Re: Backups?

Yes, they should have. However, it doesn't sound as if they had terrible security elsewhere, as they commented that the VMs had different authentication and different setups, thus this attack couldn't be done by a single compromised set of credentials (hopefully). Still, if things are that large, they should have some place where email data was stored on offline and hopefully also offsite media.

It's OK, everyone – Congress's smart-cookie Republicans have the answer to America's net neutrality quandary


Re: I've always wondered...

Emergency data isn't just "An emergency has occurred. Details here." They can include other information, for example communications from responders to a wildfire. That's voice because the people involved can't take the time to type out a message when they are both fighting the fire and looking out for a situation that means they have to get out of there. So there may be some need to put them on their own circuit that can't be restricted. It doesn't mean that other companies or users deserve that.


Re: I've always wondered...

"[W]hat about cases where paid prioritization is in the consumer's best interests?"

And those would be? Paid prioritization always helps *some* consumers, that is the consumers whose data is being prioritized. It helps them, for now, before they are charged for that or the company on the other end raises its prices because they are being charged for it. In the meantime, it hurts everyone else. The only one it consistently helps is the ISP, which is going to make a bunch of money off the consumers or providers who have to pay for the capabilities they already have.

Your question is invalid. You can't just through out a what if that alleges something you haven't proven. You could ask "what about cases where paid prioritization prevents malware", "what about cases where paid prioritization makes the ISP improve the infrastructure", or "what about cases where paid prioritization causes world peace", but asking the question doesn't mean that there are such cases. If your view is that there are "cases where paid prioritization is in the consumer's best interests", you have to explain what those are. If you wanted to ask "Do cases exist where paid prioritization is in the consumer's best interests?", I would respond that I have not seen any thus far. If, as I assume from your question, you disagree, I'm happy to hear your suggested cases and we can discuss their merits or lack thereof.

Hold horror stories: Chief, we've got a f*cking idiot on line 1. Oh, you heard all that


Sometimes, those questions reveal good answers. However, usually the answers are these:

"1) Why can't you put them through to support?"

I can. Support is backlogged. They'll be on hold with them. That's why they're ringing me, because they're angry about being on hold.

"2) Why is your support phone line so poor they can't even answer a phone, which is their one, primary and sole purpose?"

Either there are not enough support staff (not my responsibility if I'm answering another phone), some are sick, some other customer has a major problem and they're fixing it, it's a time of day where support has ended because we don't run 24 hour support but I'm working late, ...

"3) What do you expect users to do when they can't get through on the line they are supposed to? Write you a letter to solve their support problems?"

Per the answer to 1, I expect them to wait on hold. Then, perhaps, send a letter to the responsible party (I.E. the head of support or their superior) complaining about having to wait on hold. They should not complain about that to me, as that's not my job and I can't do anything about that.

"4) Why are your sales staff - when they get a call and can't get even through to support themselves - not able to have the most basic of support functions available to clear your sales lines for what THEY are intended for. Even if this is a limited checksheet, filing a ticket direct to support on the customer's behalf, etc.?"

Because sales is not support. You don't hire sales representatives for their ability to support customers, because that's not their job. If there is a convenient page that they can give you, that's always nice to have, but many users will either refuse to read it or have a problem that is more complex. In that case, it is not the job of sales to support the systems. I also don't expect that a customer that calls the HR department will get IT help.

By assaulting a sales office when support is bad, you are punishing the wrong people. The people responsible for the problem, assuming that there is a problem, are not the people answering the phones. Those people are trying to do their job, and you are preventing them from doing that without any good reason. As fun as your autodial story was in a BOFH way, it's not the right way to deal with the problem you faced.


Re: Help desk

I suppose that's possible, as we don't know all the details. However, it sounds as if the original caller needed a problem solved by a higher level of support but the helpdesk operator believed that he could fix the problem himself and did not agree to escalate the call. Having had that happen before, I am willing to believe it could have happened this time. In that case, the operator refused to do as the customer asked but also could not fix the problem, stranding the person with the problem and wasting both of their time, and I can see anger after a long session of this as reasonable. It could be as you describe, but it is described as a perfectly possible situation.

Mini computer flingers go after a slice of the high street retail Pi


Re: Mould breakers

Pis are brilliant for tasks where they run headless, performing network tasks, serving as simple servers, and the like. They also do a wonderful job when running complex equipment (driving motors, wired into automation setups, etc.). They do an OK job as desktops. It's the remaining category where it can be hard to justify. I prefer to use them when I have the parts lying around, mostly because I can use all the tools Linux has to offer, write a program or an OS image as suits the project, and expand things whenever necessary by attaching other hardware or creating new interfaces.

However, if I was making a time lapse camera that uplinks via WiFi and I wanted multiples of them, I'd have to use phones for that. The first problem is price. A raspberry pi 0W costs $10, and the camera for it costs $20. This makes it look like the cost will be only $30, but this brings me to the second reason to choose phones. Raspberry pis don't work well with batteries. They just don't last long enough for something this large. With a phone, I could use the same power bank to keep the phone charged, and when the bank died the phone could continue its job for hours on its battery while sending me a message to swap out the batteries. The pi would only run on the battery unless you also purchase a secondary UPS board for it, $15-25. Even then, the board is more power hungry under many circumstances because it doesn't have the type of power-saving stuff in software that phones do.


Re: I wonder what many people will think...

It's not that hard to set it up, especially if you buy one of their pre-burned SD cards as well, which will walk you through the setup. You don't have to be super technical to do that. Once it is installed, they start it up by default with a full GUI which is like other computers enough that you don't really have to know that much to use it. I don't think a suitably inclined person would have any problem setting it up even if they don't have much computing experience.

That said, I agree with your major point because there are so many users that won't bother going to the tiny effort involved, even though they'd learn some things and wind up with a useful system.


Re: Mould breakers

I hope that this store provides two benefits. The first is almost certainly present, and that is that you don't have to pay for shipping. Usually, ordering parts to go along with the pi does not come with free shipping unless you are buying a bunch of things, and the shipping prices can be ridiculously high.

I also hope that this shop sells components to connect to the pi at less of a markup than online retailers tend to do. This is one of the major problems with the pi; the board itself is wonderfully priced, but all the things you connect to it are at significant markups. Components like tiny screens, communications chips, or even LEDs and buttons, jump an order of magnitude when someone has rearranged it to play well with the pi. This makes it difficult to justify a pi project with a medium amount of added hardware because it usually costs a lot more than an analogous hardware device.* Of course, sometimes I find a pi accessory that has not been hideously overpriced (at those times, I feel a strong urge to buy it whether I need it or not because I'm so glad to see that it exists). Hopefully, the shop will find some less costly components and sell them without too much of a markup.

*Take, for example, a pi project that uses a small touchscreen for display and control and also uses GPS. These functions could be accommodated by running the code on a cheap smartphone, which would probably cost $40-50 US. The pi costs $35, a touchscreen could run from $30-$50, and a GPS receiver is probably in the $40 range. I still favor the pi solution if you can do it, but I can't explain why it justifies the 2.5x price difference, especially as the phone has a better screen, battery, and a number of other hardware capabilities that haven't been added to this.

Reliable system was so reliable, no one noticed its licence had expired... until it was too late


I think the point of the original post was more "You can't rely on a specific piece of hardware running forever" rather than "All hardware has the same lifespan". In that sense, that is correct. Software and hardware never had a miraculous period where it would run forever. Some systems will run a very long time, while others would fail quickly.

Lovely website you got there. Would be a shame if we, er, someone were to sink it: Google warns EU link tax will magnify media monetary misery


Re: I'm perfectly fine with minimal text and no images

You can use it fine with no images, sure, but minimal text? Usually, the main thing that helps me to decide whether the search worked is to read the summary text where my terms appeared. I can filter whether results are useful or just happen to mention my search term much more effectively with that than I can with the page title. I can also use that to identify pages that I've already effectively read, if the term was quoted in multiple places.

I also think it should not be possible to charge for linking to a page. That is antithetical to much of the web, and should remain so. I'm directing traffic to someone. If they want to make money on that, they should view me as a positive, whether I'm making money myself or simply thought they were a useful resource. I shouldn't have to pay for the privilege of telling someone they might find something else useful. I don't pay the newspapers if I suggest that someone goes and gets one to read a great article.

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can


Re: Great

"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

Thanks for the compliment.

"1st party phone is a Google pixel"

That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.

"2nd party phone is a network SIM free phone"

Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

"There is clearly nothing wrong with Android if some models get these patches every month, and many do."

Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.


Re: Oh well

And, unfortunately, devices running on old security updates are very common. Again with the anecdotes, but a friend of mine has two tablets that she uses very frequently, both of which are still on version 4.3*. My only hope is that they are too old to run the newest malware. She is, at least, a sharp person who will probably spot most scams, but it is still unpleasant to think of those things online in 2019.

*Neither received a single update of any kind.

Apple puts bullet through 'Do Not Track', FaceTime snooping bug and iOS vulnerabilities


The only site I've seen that does respect it is, in fact, adafruit. Nowhere else has ever warned me about this tracking, and of course many sites are known to completely ignore it. So you can pretty much assume the answer to what sites don't respect DNT is (*.* - *.adafruit.com). You will unfortunately have to be more active than that to stop tracking, and I'm glad that someone is killing the thing because checking that box probably provided some with a false sense of security about the whole business.

Almost £5k for a deskslab: Microsoft's Surface Studio 2 hits UK


Re: And we thought that Apple stuff was expensive tat

It doesn't compare well in price to Apple's iMac 5k; that starts lower in specs but also much lower in price. Then again, I suppose there must be people who want a 28 inch touchscreen for some reason, and Apple doesn't have that. I'm sure people have a reason. I don't know what it is, but it will come to me, maybe.

In the general scheme of things, both of these machines are much more expensive than will be needed by pretty much everybody. They price themselves out of consumer range, don't include enough processing power to run all the games that serious gamers want to play, and are too screen focused for the massive data processing people. I can see something like this being used by serious graphics users, but that's not a big market, and plenty of them have been satisfied with less.

Website programming? Pffft, so 2011. Python's main squeeze is now data science, apparently


Re: Re Good job Python isn't a syntax Nazi.

I agree, but sometimes you don't have that authority. I recently had to work with code where the writer (I don't know what is wrong with them, but something clearly is) had mixed tabs and spaces with *every* number of indenting spaces from 1 to 17 and several lines indented at random numbers above 17. This was C code, and the indentation didn't match up all that well with the brackets. Thankfully, this code was put under my branch, so I was able to thoroughly reindent the thing. However, I wouldn't mind something external preventing them from doing that to the code in the first place.

Crypto exchange in court: It owes $190m to netizens after founder 'dies without telling anyone vault passwords'


Re: Crypto-busting test case

"If an encrypted computer (I'm going to assume that means "encrypted data on the hard drive" in this case) is a ["]problem with a solution["][my statement], what is the point of encrypting any computer...?"

The point is to prevent data being stolen with a machine. If you were to rob me in the street today, you'd get my computer, but not the data on it. You could try some passwords, but it wouldn't get you in, and the security of my data would be intact. That's because it's not worth a ton of money to you. $190 million in bitcoin, on the contrary, is worth quite a bit to people, including to the people who run this company who could face some negligence cases if they don't get access to the thing. That makes it possible to invest some more resources into brute forcing passwords. For example, if the encryption is done using bitlocker on Windows, the passwords aren't super-secure*. It would be possible to brute force the possibilities of the default code if you had the inclination. For $190 million, the inclination is there more than for the random files I happen to have, and it is thus more likely to be attempted by this company than it is by a street thief who already has the main source of value, the hardware of my laptop.

*The default password for bitlocker is a 6-digit numeric pin. This machine could use a different system and/or a more secure password. This system could in fact not be encrypted at all. However, automatically typing in all combinations of digits is doable if you are willing to spend a couple of weeks on it, and other methods of trying to crack the password are doable too.


Re: Crypto-busting test case

From the sound of it, the people attempting to regain access aren't that good at it. I don't know the details, but it sounds as if they think they have access to a computer with the data on it. I'm assuming the computer is encrypted, but even so, that is a problem with a solution. They were also the people who let a store of value be set up in such a way that only one person could access it, which doesn't say much for their common sense.


Re: Bullshit

On the topic of faking one's death, if this happened, he could probably transfer the funds out somewhat easily by sending them to an exchange and getting a different currency. He'd lose a bunch of it, but you can lose a lot of $137 million and still be fine. In the meantime, while someone could detect that the money was taken, they wouldn't know how to find the thief.

Two things don't make sense here:

1. That the company would be so large and store all the passwords and other critical data in one brain and one computer.

2. That the company would put all the cold storage cryptocurrency in one wallet. That's just asking for someone to get in and take it. If you store a medium amount in each of four hundred wallets, an intrusion can be detected before you lose too much.

I would expect any crypto company to do both of these things. The fact that they have not makes them incompetent, whether these actions were done out of negligence or malice (I think it more likely to be the former).

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt


Re: This is really tight

There could be a lot of benefits in having publicity. Don't publicize the errors much, just say that they were fixed, and the person reporting them got $large_amount_of_money from you. That attracts others to try to find vulnerabilities in your system so they can get $large_amount_of_money too. Not that you always pay them a large amount--that depends on the scale of the bugs they found for you--but if the bugs were indeed critical, they deserve it and you can use it.


Re: A little shortsighted

A completely accurate analogy is hard, but it is something like if a mechanic approached me and informed me that my car had a serious fault with it, and explaining why. Depending on the details, I might not care that much or I might be very interested in the risks. In the latter case, I'd be grateful that I was able to avoid the negatives and I would offer said mechanic some recompense for the useful service they provided. In the other case, I'd not do very much. However, it sounds as if the bugs found were considered very important, so a shirt, which is the equivalent of a thanks from me, seems less than justified..


Really? A shirt?

Here's a question for you. Have you ever been excited or even generally pleased about a free shirt from a company or event? For me, they've ranged from "Well, now I have another shirt" down to "Well, now I have another thing to wear if I decide to paint". That's without considering the possibility that I might not want someone else's logo displayed on my person. Of the many really cheap things you can make a bunch of and give to people, most are more generally useful.

Oh, and the bug finders don't need more shirts, people. I thought you could figure that one out. They've saved you the time and money it would cost to find the bug yourself or to deal with whatever problem would occur if someone else found it and sold it on the dark web. Show them some respect by giving them a small amount of that.

Boffin suggests Trappist monk approach for Spectre-Meltdown-grade processor flaws, other security holes: Don't say anything public – zip it


Re: An open letter

I'm aware of that, and perhaps my joke is not the style of rebuttal you would submit to the professor personally. That doesn't change the fact that he is wrong. It doesn't change all of the reports made to all of the companies that never did anything (for an example, see the tracking watches that have been known to be insecure for a year but are still insecure, about which multiple articles have been posted here in the past week). He seems to think that negligence doesn't exist. Either the company fixes their thing or they calculate that it is not important enough and are fixing something more important. That's not true; companies sometimes choose not to fix anything because they are spending all their time on the next product. That is a problem, it happens too often, and something needs to be done about it. Disclosure is a way to get something done, and if this professor refuses to acknowledge that the problem exists, he can't help to fix it. So I would argue that my comments, informal and inappropriate in tone as they would be if I submitted it as an official rebuttal, are still accurate.


An open letter

I'd like to write an open letter to people who think this professor's approach is the right one.

Dear members of the computing community:

You're wrong. No, really. Completely wrong. I don't know what leap of logic you took, but while there might have been logic when you went up, there is none where you came down. You clearly need to be let in on a few facts of how security vulnerabilities work.

When a researcher finds a vulnerability, they identify it with enough precision, and report it. They could release it publicly, but few do. Usually only if it's a thing that will never be fixed. But they usually don't both because it's a bad idea and because they might get paid for their hard work. So they report it to a company, who hopefully does its homework and figures out how bad a problem this is and how they're going to fix it.

You see that "hopefully"? That's because some times they DON'T. They leave their product vulnerable, keeping the customers at risk, completely ignoring the researcher, and making a mockery of security. And that, my friends in the audience, is not a very nice thing. So sometimes, a bug has to be disclosed so the company will get up and actually do something, or at least they can be held responsible for their negligence. Do you know the word negligence? Do you know that it happens sometimes?

Now, let us surmise that a company has proceeded with our hopefully and fixed their bug. Yay, the patch is released. The vulnerability is gone. Yeah... Do you remember that whole wannacry thing? It was kind of a big deal back in May of 2017, when a lot of things suddenly started breaking? That bug was patched in March, and a lot of people didn't have it. Maybe that is because a lot of people are lazy and incompetent. Actually it definitely was. But another set were unaware how critical the patch was. That's what publicity does. It informs the IT literate that they need to get fixing, and it alerts those who are not IT literate to find someone who is IT literate to fix their stuff because it can be broken. This, in turn, results in less broken stuff.

You can disclose improperly or in a counterproductive way. No contest. So what? You can also drive in an improper way, too, but we don't ban driving because we're better off being able to get places quickly. Having something that can be done improperly isn't fixed by never doing that thing again. It is fixed by finding the ways to do it improperly, and not doing those. If it's critical enough, it's done by putting incentives in place not to do it improperly.

Welcome back to logic. Let me help you up. Now, if you'd like to start researching again, that's fine, but maybe run your output past us next time. After all, you seem to have been doing it improperly, and we don't want anyone hearing about it and deciding there will be no more research.

Sysadmin's three-line 'annoyance-buster' busts painstakingly crafted, crucial policy


Re: Putting dates in names

Perhaps I should clarify my statement. Neither mv nor cp complain about copying a file over another one *by default*, which is how everyone runs them. Since these tools don't do a lot of, to me, more obvious things without my having to tell them with switches, I would think that -i should be on by default. So much did I think this that I assumed that it was.


Re: Putting dates in names

No, don't put dates in names. That just makes the names harder to understand. If the files are called "system_restart" and "system_test_dr_capability", they are less likely to be run by accident than if they're called "20170204_ada_lovelace_at_company_dot_com_fixes20160419_system_test_dr_capability".

The latter approach not only makes long names that are hard to remember, but it can also result in multiple versions of the file that may or may not do the same thing.

Put instructions at the top of any file that can handle them, and of course test before you push things into production. Also, if you can, don't use a system that cheerfully replaces one config with another config without asking; if they had gotten a single confirmation box or terminal warning*, this would have been detected before it caused a problem.

*As it turns out, neither mv nor cp complains about copying a file over another one. I thought they did. Time to become more nervous.


Re: Behind a locked door...

You don't even have to introduce a negative. Make the documentation very verbose, include something in it approximately 68% of the way through, and watch people lose their mind when they try to find it. Otherwise known as the irritating API reference technique, where you know there should be a function that does what you want, and it's in this category, but this category includes thirty APIs, each of which implement 60 functions. And the search box only searches API names, but not functions. They're watching me to see how long I search, aren't they?

Windows Defender update: So secure, it wouldn't let Secure-Boot Windows PCs, er, boot


What are the symptoms

What exactly happens when the machines don't boot? Usually, the machine has to do something to indicate the reason it isn't doing anything. The reason I ask is that a machine over here recently installed an update, though we don't know which update, and refuses to work normally; it boots to windows in a way but sits on a page showing only the time and date, refuses to show the login screen, and ignores input. This could be described as not booting into windows. If people here have experienced this bug, is this how it manifests? An internet search suggests that a bug like the one we're seeing has been around for a while, but I don't know exactly what this machine got hit with as no others are doing this.

Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more


Re: SS7 hacked?

"One suspects that it's [phone hacking] easier and more lucrative now that everyone and everything is cloudy."

Easier, maybe. More lucrative, no. In general, all the things that used to be expensive are cheap now. People don't need to hack for cheap calls over long distances, because that is included. The only types of attack that are prevalent on the network are pretending to be someone else and intercepting others' messages. Given how little attention is paid to all those scammers spoofing caller ID, it is clear that the only type of hacking that is getting dealt with is message interception, which isn't that big. The attackers have to use this in combination with other things, usually social engineering, so most try the easier method of social engineering everything from the victim, rather than social engineering some things and accessing the phone system for the rest.

Want a bit of privacy? Got a USB stick? Welcome to TAILS 3.12


Re: An ARM version might be more useful...

Maybe, but you would need to connect it to an HDMI screen and USB input devices. That doesn't make it less disposable because you could keep those parts even if you were paranoid enough to destroy the pi (you don't need to), but it would be clunky. Unfortunately, there isn't a convenient system for using a pi portably. As much as I like it, battery performance isn't great and there isn't much hardware that can be carried without trailing wires behind you. For portable usage, the easiest solution is probably still the old-fashioned laptop.


Re: An ARM version might be more useful...

Other than raspberry pis, what are you going to run the ARM version on? We have ARM servers (I'm pretty sure it's not those), and most other ARM devices won't boot normal Linux, let alone one built for a much different purpose. This is a desktop OS, and we don't have many ARM desktops.

Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power


Re: "but it also treats mobile users like adults capable of making their own decisions"

You want more selfishness? Fine. I don't want people to give up all their information because it gives companies that seek to violate my privacy more ammunition with which to attack me. Either they will have better systems for gathering and using information I don't want them to have, or they'll have collected a bunch of my information from other people I've met. Does that logic work for you?

On the topic of saving people from themselves, that doesn't need to apply to everyone. I think most would agree it applies to children. Adults can walk into dangerous situations if they want, but if I see a child doing that, I'm going to stop them and explain why that is a bad idea unless someone else is already doing so, even if they're not my child. The app concerned here targeted older children, giving them a relatively substantial amount of money for a person in middle school while taking a bunch of information, probably without explaining exactly what information and what they were going to do with it. Am I allowed to save them from themselves?

Techie finds himself telling caller there is no safe depth of water for operating computers


Re: Ex designer of military kit

Disclaimer: I have never used military equipment. I'm not stating things, I am asking them.

All those requirements about what the machine must withstand make a lot of sense for why the prices are higher. However, I have a couple of questions. First, do they require that a device be capable of use in all of those situations simultaneously? For example, I would have assumed that machines intended to be installed in airplanes would be distinct from other classes of devices, as a ground or tank based machine would not need to sustain the G forces, the weird acceleration, or the recoil of firing plane-mounted guns. Second, do military computers really have the same specifications of top of the line machines? I don't know about the military models, but every time I have looked at or been requested to find computers for difficult environmental conditions, the options have been the following:

1. Machines with very old specs, usually something designed for windows XP or some old version of android.

2. Devices with somewhat modern specs, but with little access to the system. You stick with the OS installed on it and just write your application over that. This can be problematic when the device is running some restrictive OS like android (there are many of those).

3. Devices that seem to have a modern processor, but are very heavy, power intensive, and run very hot. These would often be unacceptable for military use per the specifications above because they use fans to dissipate the heat and, as far as I'm concerned, seem to be of somewhat dubious build quality.

I would assume that most military machines are running a slower system that is capable of running the program required, but does not have a ton of extra speed or graphics capability. From the original post, the machines described were sufficiently behind the machines of the time in terms of computing capability. From your experience, is most military hardware more advanced or more restrictively specced than I had assumed?

Texas lawyer suing Apple over FaceTime bug claims it was used to snoop on a meeting


Re: Can he actually provide proof that the Facetime bug actually caused him a problem?

If the bug was used, it can be proven. When the call comes in, the phone will ring normally, bringing this to the attention of the person in the meeting. The records will show if someone grouped themselves into the call. Whether you can prove harm can be tricky, but it wouldn't be hard to prove that the bug was used, and having that happen in a private deposition would probably be enough reason to say there was some negative outcome for you. If they did their research, they can probably prove fault by Apple. If they only have some evidence that someone listened in some way, they probably won't.

PSA: Disable FaceTime. Miscreants can snoop on your iPhone, Mac mic before you pick up call


Re: Bug?

Given that the phone is ringing, it's not that useful to a spy system, as you would only get thirty seconds of data before they answer or hang up on you. It is still a major problem, but it is a very small and mostly useless backdoor if you were in an actively malicious mood.


Biting the hand that feeds IT © 1998–2019