Posts by Donn Bly 478 publicly visible posts • joined 10 Jan 2008
If they are air-gapped, then someone needs physical access, and if they have physical access then no amount of security patches will make a difference, because, well, because it is Windows. That is why the most up-to-date security patches aren't a priority on those systems, touching them periodically to check logs and hardware health and apply any necessary updates at that time is generally sufficient.
I wouldn't go so far as the "sponsored article" trigger warning, but the rest of your points are valid.
The nice thing about air-gapped systems is that I don't have to worry very much about security updates. Updates on initial deployment, however, can be a pain.
I can't even do a manual install of an update on Windows 11 that was previously downloaded from the update catalog without the machine having a connection to the Internet. Even with Windows 10, I could do an offline install and then run a batch file that would install each of the updates to bring it current, all from a single USB without it requiring a network connection. Many locations I support have minimal Internet connections, and going cloud-based for everything is not always an option.
I support small businesses that are large enough or have software requirements that result in them having an on-premise file server, but for various reasons do NOT use Microsoft 365 or Entra.
Our process for these businesses is to take any hardware purchased or turned in during turnover and start with a fresh repartitioning, format, and operating system load of Win 11 Pro. These steps all take place offline. Then we disable automatic updates and put this known-clean system on a designated VLAN, load OEM drivers, an initial set of pre-downloaded Microsoft updates, and install our RMM application. Then we use the RMM to finish the updates, log system inventory, etc.
It then goes back on the shelf until needed, at which time I join it to the domain. All of the preceding steps take place at a location that is inaccessible to the domain controller, in fact, we often don't even know to which site or domain the machine will eventually be deployed. Of the machines that we DO know, we usually have no idea who the end user will be. It may be a new hire or be used to exchange existing equipment.
At no time during this process is a Microsoft account wanted or needed. If a user is using Microsoft 365, THEN a Microsoft account can be added.
Given these changes, what will be the "Microsoft recommended and supported" method of preparing these machines?
As someone who writes WordPress plugins, hosts websites (including some developed in WordPress), and manages WordPress sites hosted elsewhere, I have used the phrases "managed WordPress", "hosted WordPress", and "self-hosted WordPress" many times over the last 10+ years in bother verbal and written communications with my clients when referring to some of the work that I do. I don't claim to be original with them, but just giving examples of how others used the phrases in commerce long before the WordPress Foundation (which neither manages nor hosts websites for others) have been used in commerce.
If Mullenweg was successful in obtaining these trademarks, can you imagine how this would affect the rest of the industry in terms of other products if companies could start just sticking "managed" or "hosting" in front of their product and exclude all others from using the terms?
My preference is on the side of a hill at 100 yards as I sight in a new rifle. Although as an American I don't NEED an excuse for another rifle, I will take whatever excuse I can muster ;-) The hard drives just get the 3/8" drill bit in the drill press. Quick and easy.
This isn't an AI problem. Editors in news media have been creating "click-bait" headlines for shock value since long before the days of the Internet. How often have you picked up a newspaper or read an article from a mainstream news source where the headline contradicted the article that followed it? The only thing here is that computers are doing it faster, putting hard-working editors out of work.
Thieves, miscreants, and EVERYONE ELSE gets their loots mixed -- just like at your local bank.
If I deposit $1000 from selling a bike, and you later withdraw $500 to hit the casino, and some of the bills you withdrew came from my deposit, did the money you withdrew come from the sale of my bike or from the paycheck you deposited last week?
If you have made five $1000 deposits via check over the last month, and then later withdraw $100, which of the five deposits did that $100 come from? None of them? All of them? Since they were check deposits, the serial numbers of the $100 you withdrew would have absolutely no correlation to the source of the funds.
Mixing is a fact of life. Yes, it happens when criminals launder money -- but it also happens in legitimate transactions every day. So yes, it is the same.
It has been known for years that 90% of all US $20 bank notes were contaminated with measurable cocaine residue. A study published in Forensic Science found that 92% of $1 notes were contaminated. These are the small bills in your pocket, in the tills of every bank and cash register in the nation, not the $100 bills used in bulk to fund the large illegal transactions. We are talking about two completely different things.
You could say the same thing about your paycheck, as a portion of that money may have been used for a murder for hire at some point.
If you have a $20 bill in your pocket, there is a 90% chance that banknote is contaminated with cocaine from the drug trade.
If you have any currency, physical or virtual, then you have a mark on your back.
"WP Engine can and always has been able to access the WordPress software and plugins available on WordPress.org, as can anyone."
That is a very interesting claim, considering that this started with Automattic BLOCKING access. Everyone who has been following this fiasco knows that they are lying through their teeth. Not that they had a lot of credibility left, but they certainly lowered it even more.
When it comes to the ACF plugin, I don't think that "forked" is the right word to describe what they are doing. They made a copy, renamed it, and are apparently pushing the renamed version out to existing websites without the website owner's explicit consent under the guise of a "security fix" on an issue that has already been patched. To me it looks more like a Hijacking.
Yes, but just because Mullenweg says that WP Engine doesn't contribute doesn't make it true. If WP Engine didn't contribute to the community, then we wouldn't be talking about how WP Engine isn't going to be allowed to continue to sponsor community events such as WordCamp, how their employees and developers are no longer going to be allowed to participate in events or contribute code, or how a WordPress plugin developed and maintained by WP Engine is being forked by Automattic and renamed. Those are all contributions to the WordPress community, they just aren't direct contributions to Mullenweg's bank account.
The problem I see is that if existing licenses aren't transferrable, then anybody who has such a license and has developed products or intellectual property with it cannot put any kind of a value on that IP or product design, as it would go away in any sale or merger.
The second problem is that if ARM is trying to build a business model on non-transferrable licenses, then they really can't consider those licenses to have recurring revenue because all a licensee has to do to terminate is sell themselves to themselves.
There are ways to send SMS without revealing the number, but the recipient cannot reply to such a message. I used to get harassing text messages that were sent via an API that my cellular provider maintained and the messages all came through with a number of all zeros.
But to get a reply I can use an Email to SMS gateway, and if the recipient replies I get their reply back as an email message.
Those aren't my words, those are the words of the WordPress Foundation, one of their stated goals when Matt Mullenweg helped create it in 2009. The idea behind the foundation was that no one person or company should be able to control the direction or future of WordPress or any other project supported by the foundation. A year later he transferred the WordPress trademarks to the foundation. Now over a decade later and after receiving hundreds of thousands of hours of donated labor from community members that were integral to making the project a success, he apparently wants to walk that back.
There are a LOT of companies that have based their business model on producing products and services that run on top, under, or alongside WordPress. Good or bad, it is the most popular website framework with more than 40% of all websites on the Internet using it. Quite a few of those companies have "WP" in their company or product names, as it is not a trademarked term.
I'm wondering if "WP Beginner" is going to be the next company in Automattic's crosshairs -- or is he only going to go after the companies that compete with his hosting company?
It seems that Automattic is now offering WP Engine customers free migration services to migrate their websites to Mullenweg's hosting company. This entire dispute couldn't be about Automattic just trying to increase market share, could it? Sure is looking that way.
I wonder if those servers are being run for and by Automattic, or if they are run for and by the WordPress Foundation. If they are Automattic's then there is no issue with them blocking access, but if those servers are being run for the foundation, even if Automattic donates the hosting, then I see huge red flags with Automattic cutting off access to the customers of their competitors. Because that is what they did, they didn't just cut off WP Engine, they cut off every company that uses WP Engine for hosting even if those companies don't use WP Engine's management services.
Automattic is trying to frame this as some sort of trademark dispute, but we should note that the WordPress foundation owns the rights to the WordPress trademark, not Automattic. The WordPress Foundation has licensed the trademark to Automattic, but the trademark does not extend to the letters "WP". Neither the foundation nor Automattic have exclusive rights to "WP". That is why "WP Engine" or any other business name that contains those letters is not a trademark violation, whether related to WordPress or not.
But 8% of the GROSS TURNOVER? That is more than the net profit of many hosting companies. WP Engine is a hosting company, and they have built their business around hosting open-source applications, particularly WordPress, but Apache and Linux certainly make a bigger contribution to their bottom line in terms of dollars per line of code. Yet while WP Engine makes money from hosting WordPress websites, Automattic somehow feels that they are entitled to all of their profit from all lines of business?
This is nothing more than Automattic trying to weaponize open source to take out a competitor.
Will they try to take 8% of GoDaddy's profit next? Are they going to start demanding a percentage of all sales from WooCommerce sites like the credit card companies do?
And that term sheet -- they want to prevent someone from forking open source software? They want someone to agree to terms and conditions for branding for seven years when they haven't even defined what those future conditions would be? Nobody in their right mind would sign any sort of contract like that, and Automattic knows it. Mullenweg could be a poster child for "negotiating in bad faith".
Full disclosure - I am a developer who has developed WordPress plugins and themes for my clients to extend functionality to their unique needs. I don't use WP Engine (or Wordpress.com) for hosting.
This isn't about WP Engine being a leach, this is about WP Engine being competition for Automatic's Wordpress.com hosting
WP Engine doesn't really make money directly from WordPress per se - they make their money from people who use WordPress and pay WP Engine to host and help them with their WordPress sites. They are a great ambassador for WordPress, and contribute to WordPress by driving customers to WordPress and theme and plugin developers who have built businesses around WordPress, but Matt Mullenweg doesn't see it that way and in his short-sightedness he is trying to weaponize the open source to which thousands of others have contributed.
What this really means is that every plugin developer will need to set up mirrors and create alternate means for distribution, because we can no longer trust WordPress to have the best interests of the community. It isn't a big deal for me since I already have that infrastructure in place for updates to the plugins that I developed, but it will be for others.
But it also creates a business opportunity from anybody who wants to write a plugin to independently monitor the versions of other plugins and then proxy the updates. If I wasn't already over-committed on other projects, I might do that myself.
ok, I'll bite... I think that they wlll make a touch screen a requirement, and you have to slide the screen up with a multi-touch gesture and then tap a button in the middle of the screen.
I know, I shouldn't give them ideas, but that's about as accurate as any other prediction
I get why they expelled him. Private organizations can expel members who they feel violate their codes of conduct. But to bill Hussain £450K for an investigation that he did not likely request smacks of the type of fraud (inflated numbers) of which he was accused and convicted. If anything, it makes me wonder if Hussain's actions were more of the norm than the exception, and his only crime in their eyes was being caught.
It looks like the data brokers are trying to establish a loophole, all they have to do is make sure that some of the information is inaccurate and they can't be held accountable. Being able to identify data as belonging to a single user, and being able to prove that you are that single user, are two different things. If the user is unemployed, and the uuid that they are requesting to have removed is marked as a student or being employed, then the mismatch would "prove" that they AREN'T that particular user and thus wouldn't have the right to have that data removed - even if everything else matched.
I really do miss the days of untargeted advertising. When a web ad was a just digital billboard and it didn't matter which eyeballs saw it, and no data was collected other than the number of impressions on the page.
But I do have to shake my head, because we have one side of governments that want to eliminate anonymity and track every action on the web back to a specific user (for the children, for course), while the other side of the same governments simultaneously want all traffic to be anonymous. Of course, these are the same government that want "secure" encryption with a back door. In the mean time, I will just do my part to continue to feed bogus information to the algorithms so that the data brokers really DON'T know who I am.
Not sure what making it free does for us. I have already paid for it, but cannot download it to put it on my new laptop. In fact, I can't get to ANY of my entitlements. Even created a support case the first of the week and provided them with copies of the contract numbers and everything, but now when I try to log in to see the status of the case I just get an "error, please try again later".
Intuit is a predatory company, and I am not going to defend them per se. But EVERY tax return can be filed for free if you want to fill out and file the forms yourself, and $133 is much less than what a CPA would charge if they prepared the return. Someone has to pay for the knowledge and training that a tax preparer has if they want to use that preparer to file their taxes, and Warren complaining that companies charge for the service is a non-starter.
Charging after the fact while claiming to be free is a different issue, and some C-level execs seeing the inside of a prison cell for fraud is a reasonable expectation.
However the government created the US tax code, so it is the responsibility of the government to fix it so that there is no need for private enterprise to step in and fill the void. It is legislators like Elizabeth Warren who are the ones responsible for overseeing that. Intuit can charge because Warren and her ilk haven't done THEIR job, and then are blaming free enterprise for filling the void that they left. If legislators would do their job instead of passing the blame this would be a non-issue.
Rapid7 published the disclosure to hurt JetBrains and the users of their software. THAT action, by all definitions, is malicious. Also, as far as I am concerned, the guy who publishes your address on Craigslist with the note "come and get it while the owner is out of town, the key to the garage is in the lockbox, and the combination of the lockbox is "8675329" is just as culpable as the criminal that steals your stuff -- and that is basically what Rapid7 did.
Given the number of data breaches over the years, anybody who does NOT have a listing on "Have I Been Pwned" probably lacks sufficient experience for anything much more than an entry-level or low-level position. And since LinkedIn was compromised in 2012, that means that many (most) people with 12+ years of industry experience (pick any industry) will be on the list since Circa 2012 companies would mandate LinkedIn profiles even though the employees didn't want or use them.
I am surprised that the percentage of people with listings wasn't higher.
I didn't write the rules, I just have to play by them.
Besides, My company is not the only tenant. Why should my company, which does IT work, own the building and be a landlord to some other company? Plus, if I sell off the IT company and retire, I still have the buildings and the rental income from them - as I have more than one commercial building. Those buildings are my retirement fund, and to still generate passive income from them means that I don't need to draw as much from other investments when I retire.
Of course they do. A sizeable chuck of my income comes from rent of the building that my company rents from me. It is a very good way to structure the income (active vs passive) and if I wasn't paying myself then I would just have to be paying someone else.
That said, I work from home too, only going in to get the mail and do the small part of maintenance to the server room that can't be done remotely.
Our mail robot (circa early 1980's) followed a chemical trail in the carpet. We also used removable carpet squares. So to show displeasure with management, swapping the tile that had the "stop" signal from in front of the department secretary's desk and putting it just past the boss's door so that it would stop and block him in had been known to happen a time or two. For the more ambitious, swapping a line of carpet tiles so that it followed a route into someone's cubical and stop had also been known to happen.
Sure, you an cryptographically sign a watermark. All that would mean is that you could establish that the image was watermarked by a specific entity, at a specific time and place. Like an SSL Certificate, you would rely on the authority and reputation of the signer. But there isn't just one entity that would be doing the signing, or even dozens. Because of the proliferation of technology you have MILLIONS of potential generators, thus millions of potential signers. Relying on a cryptographically signed watermark would be like relying on a self-signed certificate - it would prove that it is watermarked but would NOT prove whether the source was legitimate, or whether the source was AI generated.
if you can inject a detectable watermark, then I can build something that would detect it. If I can detect it, then I can make subtle changes to the source to corrupt, obscure, or entirely remove that watermark to the point where it is not detectable. That completely negates the idea that an image without a watermark wasn't generated by AI. Even a visible watermark like you would have on the comp images from any stock photography outlet can be obscured so that you don't know the source of the image. Invisible watermarks are even easier.
Conversely, I can take an existing image and watermark it. As mentioned above, you have millions of potential generators and signers. My camera doesn't watermark the images, so the existence of a watermark or lack thereof on an image I publish does not in any way change the underlying fact as to whether or not my original photo was created by me. A watermark just attests to the claim of whomever is signing it.
Reminds me of the time when I was trying to explain the difference between mapped and physical drives, and how some things didn't work quite the same, to a client who thought that he knew more than the Novell consultant (me) he hired. So I typed "format f: /y" and pressed enter to demonstrate the point and he nearly had a heart attack. Nearly 30 years later, he is still a client.
From my understanding of the permission structure, access to Bluetooth and WiFi under Andriod version 8 thru 11 and is lumped into the location permission - something that was changed under Android 12 and later. Of course it should never have been put there in the first place, but that isn't the fault of the app developer. For these researchers to state that they have "no idea" why an app that has to use Bluetooth or WiFi to search for devices might request or require location permissions shows a lack of understanding profound enough that it undermines the credibility of the rest of their research.
But it couldn't handle the FIFO buffer of the 16550 UART unless you used a FOSSIL driver, and if you used a FOSSIL driver you could use BASIC, or Pascal, or C, or whatever you wanted.... Ah the amount of things that we went through in the old days - back then I ran a FidoNet Node, and I still shudder on how much I spent on hardware.
This kind of "feature" is when you use machine learning to analyze the actions of human drivers and emulate them. If they want to make the car behave more like a human driver, then it is going to mimic the bad behaviors as well as the good.
I am waiting for the "feature" when the car starts telling off any police officer that pulls it over that "I pay your salary with my taxes"
People and companies do it (settle without admitting liability) all of the time because it often costs more to prove that you are in the right than it is to defend yourself against the accusation.
Have you ever had a traffic ticket and entered into a ticket deferment program, even though you felt that you weren't guilty? I know that I have, because if you use the ticket deferment program you don't end up with points against your license AND you don't have to take days off of work, hire a lawyer, etc. It is cheaper to pay the ticket than it is to defend yourself against it.
On the civil side, you see it all of the time in copyright and trademark infringement cases. In employment law or consumer liability, it is often cheaper just to pay them to go away than it is to pay lawyers to fight it - because you have to pay your own legal fees even if you win.
I have been on the receiving side of this kind of thing too, where their lawyer walks in and asks "what will it take to make this go away, he has $50K in E & O insurance." I told my lawyer to take the money and walk away, because I was made whole even if they didn't admit that they did wrong.
4 Million sounds like a lot of money, but a lot of it depends on how much insurance they have.
From my research for a client, there is at least ONE country that has BOTH 120 and 240 and uses different plugs to differentiate.
It surprises me that it isn't more common, as having both 120 and 240 in the same room is quite common in about every residential kitchen and most laundry rooms in the USA and Canada. However, while we have both voltages the plugs for each are significantly different in design and not likely to be confused -- other than the NEMA 6-15 but that plug/outlet style is not common at all outside of industrial applications and I have NEVER seen one in a residence or office setting.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
