Posts by Pascal Monett

Making things more complicated

Um, we're talking about billion-dollar behemoths that don't pay taxes.

Make their lives difficult, they'll just have to hire more lawyers.

It's not like they don't have the means to do so.

"Oracle lost 23 of 24 claims"

I'm glad you're happy about your success, but from where I sit, you've lost $90 million, you're banned from doing what you did and you're not getting any money back.

In short, you're lucky Oracle did lose those 23 claims, because if it hadn't, you'd be buried by now.

So that's how they do it

"In almost every ransomware attack we've looked at, the company was been compromised six to nine months before the attack was launched," he said, noting that allows the attacker to conduct reconnaissance.

When I read that line about how attackers start by deleting accessible backups I wondered how they could get to them. If, however, you infiltrate an organization and lay low for months while gathering data on the network, then you have all the time you need to discover network storage and passwords to access it.

Given that cities are not known for having bank-level network protection, I'm guessing that once in, there won't be much of a warning to IT admins that an enemy process is worming through their systems.

So, unc0ver is open-source ?

Interesting. So Apple should be all over that code to see what it's using and patch the holes. Apparently, Apple does not do that.

Now the question is : why on God's green Earth did Apple unfix a fix and re-allow jailbreaking ?

Another question : how long before a patch is published that re-applies the fix, thus locking the phone down again ?

Because Apple is aware of this, and they had the fix, so I really don't see that it is interesting to go and use the unfix to jailbreak the phone since it's likely going to be locked down again at the next patch release.

17.6 hours

Oh, I'm sure you can get that - if you throttle the CPU to 20% of its capacity and turn the screen brightness down to minimum, set the disk to sleep after one minute of inactivity and the screen to go blank likewise.

In other words, you'll get 17.6 hours of use if you make the i7 function like an anemic i3. Yay.

I'd like to see battery life expressed in real-life, pedal-to-the-metal situations. If you're a programmer, you're going to be taxing those 16GB of RAM and probably the disk as well. I want to know how long I will be able to work, not just look at a dimmed screen.

But that'll never happen. Nobody will like to publish those numbers, they're too weak.

"whether electronic counting is in fact the right approach"

Simple answer : it is not.

Use paper. That won't cost you £9M this time, and it won't cost you more next time. Better functionality ? It counted the votes last time, didn't it ? So what better functionality is worth double the price ? Is it more secure ? Somehow I doubt that that is what they have improved.

I want the code to be public and open, so that we can get eyeballs on it and ensure that it does what it says on the tin in the proper way. Until that happens, I won't trust it and neither should anyone else.

BOFH potential for sure

Personally I am content that he does not get to exercise that particular potential in a major IT outfit of any capacity.

I hate it when people think that they have the right to go and wreak havoc on someone else's computer and find that funny.

"protocols that were superseded more than a decade ago"

Um, just a thought : how come those protocols are available on The Cloud (TM) at all ?

Or did they create The Cloud (TM) by including every protocol that has been created in the past twenty-five years, regardless of whether or not it was secure ?

"There is a dark irony that this authoritarian surveillance tool is rarely seen outside of China"

Um, from what I've read, the UK is just as surveillance-camera bent as China, if not more so.

So the dark irony is that there still are people in the UK who consider that China is worse then them as far as camera surveillance is considered.

"the program is a mess but says the NSA should have the powers anyway"

Well of course, grant the NSA the power to ignore the Constitution and citizen's rights, because hey, they're doing it anyway so might as well make it official.

No way you're actually going to institute oversight, right ?

What ?

And where does this Ewari Ellis come out from ? What is the process that allowed the police to get their hands on him ? Why is there nothing about that guy before the last paragraphe of the article ?

We have an interesting read, somewhat copied rather directly from the affidavit, but then the journalist just took the rest of the day off and didn't finish the job.

This article is not finished. We need to know how the police was directed to Ewari Ellis and what he did to get this whole mess started in the first place.

So, waiting for the rest of the article.

"If a user downloads a toolbar or extension.."

Then the user is already making the first mistake. The only extensions you need are NoScript and uBlock Origin. No one needs a toolbar, they are all malware and have no other reason to exist than to hijack your browser for nefarious purposes.

The second mistake is not running a JS blocker.

The third mistake is not running an adblocker, or a browser that does not handle ads properly (like Brave).

Not very bright

He actually thought that living in Canada was going to shield him against the SEC ? What a moron.

Good read

But the very content of the article kind of contradicts it's starting premise. After having read the article, it is clear that you do not set a data strategy "by Friday". It seems to me that that is something that will take weeks to elaborate properly, with many a meeting along the way.

I don't think Goldman Sachs got their petabyte-sized data lake described and specced in one week.

But, apart from that, good read.

"we paused human review of audio more than a week ago"

Right, the time for all the fuss to die down, then they'll resume. Got it.

Proof of concept

To me, the fact that it is real time is less important than the fact that it is accurate.

I'm less hot on doctors being able to ask the machine what it is they're looking at. Replacing doctor's knowledge with a machine's knowledge just feels wrong to me somehow. If I am to be treated, I want to be treated by a doctor, not a guy who's googling the problem.

But of course it is

"Microsoft is keen that everyone recognizes this change for the wonderful opportunity it is"

Oh don't worry, we immediately recognize that this is an absolutely wonderful opportunity - for Microsoft.

For the rest of us, it's basically roll call. Who wants to pay for the rest of their lives to be able to use their data ?

Once again, Microsoft is the best argument for Open Software there is.

Viva LibreOffice !

I just love it

I just love when companies waste millions acquiring then selling a business, and then turn around and spend more millions, if not billions, re-acquiring the same fucking business.

Kind of demonstrates just how ignorant the CxO-level types actually are, despite all their qualifications and titles. They haven't a fucking clue, just like the rest of us.

Um, what about airbags ?

They might want to start thinking about putting giant airbags around the payload, no ?

"mobile versions will be easy to scale quickly"

I just love how something that doesn't exist today and hasn't been tried is already touted as being easy to implement and scale.

After all, it's trivial to create a National Identity database and let everyone and their dog consult it to verify a phone holder's identity, right ? Isn't there an app for that ? What could possibly go wrong ?

The only thing that surprises me in this report is that it's not from Gartner.

"make sure public access is severely restricted"

What I will never understand is how someone can set up an AWS account and not think of locking it down from public access.

You're putting data on the Internet, don't you realize that ? It doesn't matter what kind of data it is, lock it down tighter than a gnat's arse. If somebody with actual authority complains, you can always relax it a little in his favor.

Better safe than sorry, right ?

"immigration officials determined $1m would be necessary"

And there we go, minions in power disregard the law and set their own criteria.

That is exactly where the USA has gone wrong : letting minor government officials reign supreme without any recourse. That is exactly how a corrupt regime displays itself.

If the limit is $220 000, you little scribbler have no authority to decide that it is suddenly $1 million in a specific case.

But they did it, and nobody can complain about it.

And you still call yourself a democracy ?

"all the vulnerable drivers we discovered have been certified by Microsoft"

Well duh. Given how difficult it is for Microsoft to get its own code right, I wouldn't take any MS certification to mean vuln-free.

Certified by Microsoft simply means they ran it once on a machine and that machine didn't crash inside of 15 minutes.

Money spinner

The use of that term indicates to me that security is not the primary goal of all this hoopla. Indeed, if it's security that is the issue, then I think LetsEncrypt is doing it right : you got a cert valid for 90 days that can autorenew for free.

If LetsEncrypt can do that, then why can't DigiCert and the rest of them ? Because they're in it for the money, security is just the cow they milk.

So here's your solution, DigiCert : go for 90 days auto-renewable, and turn your hefty fee into a yearly subscription without changing the cost to companies. You get your money, web sites get their certs, companies do not pay more, everyone is happy.

Except your Board, of course, who would have wanted to charge the yearly subscription to the 90-day charge, but you can go screw yourselves.

AgeChecked

I checked out the site and, apart from blurb assuring how good they are, it is quite light on technical details.

From what I understand, you prove your identity to AgeChecked by " a range of options" (not telling, though), and then AgeChecked vouches for your ID and age to other sites who ask them - for a fee, of course.

The complete lack of technical details make this look like a racket to get money with minimal expense.

Security is hard

It's because of users. Always has been, always will be.

You can design the perfect security for a house, if the owner forgets to shut the door, it's screwed.

And if you mandate vise-level security, the user will just go somewhere else.

It is quite hopeless, but removing a valuable indicator just because 85% don't pay attention means that the 15% that do will have to do without.

That's sad.

Well, you're leaving

And you do have a thing against all those bloody immigrants, right ?

Well they're leaving too. You should be happy.

Ah, but you hadn't thought of that ? Well, looks like we're going to spend quite some time discovering all the things you hadn't thought of, as well as their consequences.