* Posts by Justin Pasher

155 publicly visible posts • joined 13 Aug 2008


Exchange Online blocked from sending email to AOL and Yahoo

Justin Pasher

Enforcing DMARC

Absolutely. AOL/Yahoo[1] and Google[2] both made announcements about stricter DMARC validation, which requires either SPF or DKIM alignment. SPF alignment can be tricky if you don't have control over the envelope sender (the "internal" address usually used for bounce backs). DKIM alignment requires the signing domain to match the From header. The article itself mentions that someone fixed their problem by setting up proper DKIM signing. It's very unlikely to be IP address based, even though there are miscreants that use Microsoft email services.

All that being said, Yahoo has always been a joke for email deliverability. Their solution to reducing spam is basically "accept fewer emails." If you are a bulk sender (and sometimes not), they will randomly start throttling you and return a generic "deferred due to user complains" message, which is completely bogus. Anyone that has a Yahoo email address should not expect reliable email delivery.

[1] https://blog.postmaster.yahooinc.com/post/730172167494483968/more-secure-less-spam

[2] https://blog.google/products/gmail/gmail-security-authentication-spam-protection/

ChatGPT's odds of getting code questions correct are worse than a coin flip

Justin Pasher

Useful as a guide, not the end-all-be-all

I've typically gone to ChatGPT for some more obscure technical problems that I struggle finding meaningful answers to on Google (nowadays, it seems like Google gives a few pages of mostly unique answers, then it just starts repeating itself). I've asked things like how a particular daemon config needs to be written to accomplish X when the documentation doesn't give you enough details or maybe just a real quick script that I don't feel like writing, like a batch file to loop through a list of subdirectories and create a separate ZIP file of each one (I do more bash, not batch).

In most cases, I'd say the answer ChatGPT provides is at least mostly correct. Usually at a minimum, it leads me in the right direction to solving the problem. I think therein lies the difficulty it will have at being the big job replacement tool for many technical-type roles. If you don't understand the nuances of the concept you are dealing with, you probably can't figure out how to fix little things that are wrong. Your best bet is just asking again and seeing it can fix it. However, that often leads you down a rabbit hole of frustration.

For example, I was asking questions about using some PowerShell commands to do something. It kept giving me commands (which were valid) with parameters that were not. I had to keep correcting it by saying, "Command X doesn't support the Y parameter". It would apologize, then continue to give answers that simply did not work. I had similar results when asking it how to do some routing/firewall config for a switch. It kept giving me directives that didn't exist for my model or firmware version, even when I told it what I had.

That's why I see ChatGPT as simply another helpful tool, but not something that you should expect will give you exactly what you want or need.

Google changes email authentication after spoof shows a bad delivery for UPS

Justin Pasher

Bug/Vulnerability or just bad implementation?

Maybe it's because the article is referencing two different analyses on the issue, but I'm trying to understand why they are calling this a "bug" or "vulnerability" in SPF.

"Too many lookups" is something that has been known about for ages (although most companies probably have no clue when it's happening). The results of the lookup is "Permanent error". I would venture to say you should have a policy to reject email on both fail and permerror SPF lookups, so it would never be delivered. Otherwise, how will someone know their SPF is borked if people treat it like "dunno". Unfortunately, the RFC just leaves the choice up to the receiving end. Barring a complete block, you should at LEAST have increased scrutiny on the email (i.e. don't allow the email to pass DMARC or BIMI in order to call attention to the issue). However, that doesn't seem to be the case for the ups.com email.

In the ups.com email, the headers show SPF passed because Microsoft's servers were authorized to send on their behalf according to the ups.com SPF (they have since changed their SPF). DKIM alignment failed, since it was signed by onmicrosoft.com, but SPF alignment succeeded, thus passing DMARC (a requirement for BIMI). This still isn't a "bug" in SPF; it's doing exactly what it intended: say these servers (e.g. Microsoft) are allowed to send email purported to be from ups.com. The more interesting part is why Microsoft decided to relay an email FROM a "ups.com" address when the SPF check failed (and no DKIM signature). This touches on the problem of SPF as a whole (it breaks relaying). I believe Google only allows relaying FROM domains that you can prove you have some control over.

Ultimately this sounds more like an implementation flaw, not an SPF bug. BIMI is intentionally supposed to be hard to spoof, which is why you need to have everything set up the "proper" way. Requiring DKIM alignment is better in the long run anyway, since that is really hard to spoof.

Twitch bans AI-generated Seinfeld show for making transphobic jokes

Justin Pasher

Is the intelligence really artificial?

I'm kind of curious. As AI develops more and more, it seems like this content moderation and intervention ends up being used more and more often when things deemed inappropriate in some circles are generated. With people getting involved on that level, how artificially intelligent can AI actually be when it's being coaxed by humans? If we tell the AI "You can't say that", it slowly starts becoming more of a filtered model of reality, which will basically make it biased one way or another.

Windows Subsystem for Android declared ready for prime time

Justin Pasher

Re: WSA or ASW?

It's a little awkward reading altogether, but it makes more sense to read it like

Windows "Subsystem for Android"

as opposed to

"Windows Subsystem" for Android

As others have pointed out, they did the same for Windows "Subsystem for Linux"

Reverse DNS queries may reveal too much, computer scientists argue

Justin Pasher

Well, duh!

To mitigate these risks, the researchers argue that DHCP client-provided information, such as device names, should not be mapped to publicly accessible PTR records.

I started thinking this right when the article mentioned a reverse name of toms-iphone12.example.edu. What admin in his or her right mind would map a CLIENT-provided hostname to a PUBLIC DNS PTR record on a DYNAMICALLY assigned IP address? Did it really take some overly complicated study to come to this conclusion? In >99% of the cases, rDNS PTR records should be statically assigned, and they don't need to be changed unless there is some structured process (i.e. manual admin intervention or a form someone has to fill out).

Honestly, I think the more interesting threat would be from INSIDE the network when using NAT. If you are dynamically assigning private IP addresses with dynamic hostname updates and allowing rDNS queries from within, you could potentially cause a lot more damage, since you are already inside the LAN. If some admins are unwise enough to allow public PTR records to get updated, I'd be willing to bet there are some that don't provide some sort of client isolation on the LAN side, which means if someone comes on with an unprotected device without a firewall (hey, like a phone), it's game on.

US accident investigators want alcohol breathalyzers in all new vehicles

Justin Pasher

Convenient timing

I'm surprised no one has mentioned HR 3684 (i.e. the "Infrastructure Investment and Jobs Act" that was passed last year in the US).

The NTSB has no teeth itself. They can only make recommendations to other organizations like the NHTSA, which is what they are doing. I'm sure there's no coincidence with the fact that HR 3684 has a clause saying the exact same thing needs to be done, written in law. Sure the intentions are good (stopping a drunk driver from driving a vehicle), but do you really thing the rollout of such a system is going to work well enough to not cause problems?

From HR 3684, Sec 24220

(a) FINDINGS. Congress finds that -

(5) to ensure the prevention of alcohol-impaired driving fatalities, advanced drunk and impaired driving prevention technology must be standard equipment in all new passenger motor vehicles.


Subject to subsection (e) and not later than 3 years after the date of enactment of this Act, the Secretary shall issue a final rule prescribing a Federal motor vehicle safety standard under section 30111 of title 49, United States Code, that requires passenger motor vehicles manufactured after the effective date of that standard to be equipped with advanced drunk and impaired driving prevention technology

Disentangling the Debian derivatives: Which should you use?

Justin Pasher

Re: Devuan

"Having looked at many of these shell scripts, one thing I would never describe them as is "simple". A systemd unit file, OTOH, is something I worked out how to do simply by looking at one at changing 2 lines."

I've been dealing with programming for over 25 years, so I will give it to you that "simple" is a very subjective term. By simple, I'm referring more to the idea that I can add a few echo statements or run the script in debug mode to trace what's going on. systemd is a black box. It will fail to start processes, yet report that everything is fine. You are then stuck trying to trace what's happening on your own. To use your engine analogy, it can be like trying to diagnose a modern engine that's giving error codes without an OBD reader.

"So you're taking a system, trying to remove certain parts of it and replace them with other parts under a different system, and then complaining it's complicated?"

My big rub with systemd is the NIH syndrome it suffers from. Tools already exist for a lot of functionality that systemd just tries to duplicate. Sometimes it (thinks it) adds a few useful things, but other times there's no reason for it to exist. Many of these tools are supposed to be optional (i.e. "extra"), so removing them should not affect any functionality. That's why I don't equate it to making the system more complicated. However, systemd often blurs the line between modular and dependent components.

"As someone who tries not to look at the engine unless it stops working..."

Based on that, I'm assuming you are more of a desktop user. In general, I wouldn't say Debian is geared toward desktop users, although I used it in a desktop setting. It's shines more n server environments, and people that run servers typically do look a lot more at the engine.

Justin Pasher

Re: Devuan

"You try really excluding systemd from a Debian installation and you'll find ... not a lot of packages that will install."

I guess my definition of "a lot" is very different.

First and foremost, I'm not a systemd fan. That's why I try to get rid of it. I've used it, and when it works properly, it's not that bad. When it doesn't work, that's when it's a royal pain. Things that were once simple to debug become ten times harder because you're not just fighting a simple shell script.

If I am pretty much forced to use systemd (like in Ubuntu Server), I'll disable as many of the "extra" services as possible, like timesyncd or resolved, and use other programs meant for that sort of thing. I still use rsyslog over journald as the primary means of logging.

For my experience with servers, I've been able to run Debian under sysvinit for many years with services like Apache, nginx, Varnish, PHP, Postgres, MariaDB, memcached, node.js, Docker, and all sorts of other very commonly used setups. I'd say those systems are doing "reasonably much".

Is it easier to just run Devuan instead? Probably. I've never tried, so I can't give a first-hand account. I don't know how easy it is to drop in a package built for Debian (most probably work, but I'm sure some don't). If I had to offer up a concern, it would be wondering how long the Devuan guys will continue to make releases. I don't know what sort of financial backing they have to keep them going, so they may fizzle out or they may continue to be a strong systemd-free alternative.

Justin Pasher

Re: Devuan

"I have a sneaking suspicion you are doing the latter."

Nope. No systemd init on the system. The OS is installed normally, then systemd is swapped out with sysvinit. When I say sysvinit, of course I'm only referring to the init system; that's all sysvinit is.

apt-get install sysvinit-core

-- reboot

apt-get purge systemd

Then block the systemd-sysv package from getting installed via apt_preferences(5). Keep in mind that the systemd package is different. While I normally don't have that one installed either, it is sometimes possible to install it without worrying about switching your init system. They've broken apart the systemd functionality quite a bit in an attempt to make running sysvinit easier.

Is every single package in Debian still installable? Of course not (unfortunately). That's why I said some onus is on the package maintainers, and some just want to force systemd for no truly valid reason (see Ondřej Surý, the maintainer of the PHP package and bugs like 952895 or 959174). What ends up happening is someone comes along and extracts systemd-specific functionality into its own non-systemd module, like elogind or systemd-standalone-tmpfiles. Other times you have to get creative yourself to get around it. It's definitely not geared toward the novice Linux user.

Is the situation pretty or ideal? Absolutely not (that's why things like Devuan exist). However, it doesn't mean you can't do it in Debian. I was not on board with their decision to switch to systemd, hence the reason I try to stay away from it.

Justin Pasher

Re: Devuan

By all means use Devuan. I'm not saying you can't and shouldn't. Just stop selling the lies that you can't use the OS with sysvinit.

I've been running sysvinit versions of Debian on servers since Jessie, and I've been able to get by just fine. Maybe I should clarify that this is largely on the SERVER side (although I've done it on some desktops as well). It is perfectly possible to make it work, so I really don't understand all the down votes, unless it's simple due to people going by what they've heard and not what they've experienced.

Justin Pasher

Re: Devuan

Not to discredit the work on Devuan (which I have not personally used), I wish people would stop acting like you can't change the init system in Debian. While you do not have the choice during the installer, you most certainly can (even in the latest stable release, Bullseye) change to sysvinit after the install.

Granted, there are some packages that truly just cannot be installed without systemd, but that's largely to blame on the individual package maintainers, not on Debian itself. They've actually done a surprisingly good job with keeping sysvinit compatibility for most things. It's mainly some of the graphical desktop related programs that are more problematic.

Sage accused of strong-arming customers into subscriptions

Justin Pasher

Nice try

At first I was thinking Sage had a little bit of a point. When you build software, you build it to the specs available at the time. You can't plan for future unknown obsolescence. A perpetual license doesn't mean perpetual updates.

I remember at a former job, a web site was built for a customer around 2002. They took credit cards, and they were not encrypted in the database. They later came back around 2015 demanding (on some level) that we "fix" the code to be PCI compliant, for free. It was originally a one time purchase to build a web site at a time where PCI compliance wasn't even a thing.

BUT... Then I saw Sage's response to reasonable questions about the software. This is obviously an excuse to get people to move to a subscription. They act like their hands are tied, but they're only in the situation because they planned extremely poorly. I guarantee they are running an off-the-shell SSL/TLS library for the application, and if that application doesn't support TLS 1.2, that library is severely outdated. However, the article states other non-license functionality uses 1.2, so that can't be true.

Although they (probably) don't need to follow PCI recommendations on the desktop side, PCI 3.1 (2015) said stop using TLS 1.0. For software released in 2018 to only support 1.0 and 1.1 is just extremely poor design. IEFT first recommended you stop using 1.0 and 1.1 in June 2018 (RFC 8996). That was early enough in the release cycle for them to provide an eventual patch to the software to support 1.2, so their excuse doesn't hold water. A 2020 software release has no excuse.

Intel’s CEO shouldn’t be surprised America can’t get CHIPS Act together

Justin Pasher

True Colors

The CEO and other industry leaders have rightfully pointed out multiple times that too much of the world's semiconductor manufacturing output is concentrated in Asia now and that the US would be wise to build fabs to create a more balanced global supply chain.

He acknowledges that too much manufacturing dependency is concentrated in Asia (which is correct) and then says it would be wise for the US to build fabs. But of course he doesn't mean INTEL should foot the bill for that. They only feel compelled to help if the taxpayers give them a bunch of money to accomplish that. It just shows that they don't really care about getting more local manufacturing; they just do what best supports their bottom line. Granted, this is the nature of capitalism, but please don't try to act like you're some white knight trying to save the country and economy in an altruistic way.

Debian 11 formally debuts and hits the Bullseye

Justin Pasher

Re: Debian ships sysv init, it's not enabled by default

While I haven't had a chance to look at Bullseye yet, given that it just came out, I assume that the normal Debian installer still doesn't give a choice of the initial init system and forces systemd. However, since they are now saying they have better support for sysvinit (yay!), I imagine the same steps I've been following since Jessie will apply.

After initial boot:

apt-get install sysvinit-core


apt-get purge systemd

Create /etc/apt/preferences.d/systemd-blacklist to keep systemd init away:

Package: systemd-sysv

Pin: release o=Debian

Pin-Priority: -1

US govt proposes elephant showers for every American after Prez Trump says trickles dampen his haircare routine

Justin Pasher

Re: Wrong lightbulbs...

I've had the opposite experience with LEDs.

The two big ideas behind LEDs are that they use less energy and they last longer, so less waste. The energy savings is hard to refute, as they definitely use much less than traditional incandescents (not taking into consideration any manufacturing differences that might require different levels of "energy" to produce them). The lifespan thing... well... I hope you don't have fader switches. For non-fader switches, they seem to have very few problems. However, you put them on a fader, and it seems to dramatically shorten their lifespan.

By my estimate, over the past 3-4 years, we've had at least 5-6 LED bulbs die that are on faders. They don't completely die like traditional bulbs. They start having flickering issues and sometimes will randomly cut off then back on. If you're smart enough, you keep the original box and receipt, and the manufacturer will usually replace them without problems (they typically come with a five year warranty).

The biggest problem with the push to more efficient bulbs was that it was so aggressive. Halogen weren't really any better (and often times a shorter life span), CFLs just plain suck, and LEDs have had a lot of teething issues. Technology STILL hasn't caught up to it (as exhibited by my experience). I remember the earlier days of LEDs where they wouldn't work at ALL on a fader. As they progressed, you then had issues where only certain faders were "compatible" (I think an analog vs digital thing). So in addition to getting new bulbs (which were closer to $7-$10 each at the time), you also needed to replace all of your fader switches.

If your broadband bill is too high consider moving to Idaho, they get the internet for free

Justin Pasher

"You can't really support two competing sewage treatment plants because how are you going to route the waste to the one you choose without a whole separate network of pipes? Likewise with water, electricity, or gas."

In Texas, they deregulated electricity almost 20 years ago. It caused a bunch of competing "providers" to fight each other to give the best rates. The electricity itself is provided by the local TDU (Transmission and Delivery Utility), which is kind of like the government. They charge a very stable base rate, and the providers will usually pass that through plus a few extra cents for kWh to keep their business going. Ultimately, the provider just handles the "paperwork" side of things. If you have any trouble with the electricity, you contact your TDU.

All of this is not available for everyone (such as more rural areas), but it did greatly increase competition for many.

Behold… a WinRAR security bug that's older than your child's favorite YouTuber. And yes, you should patch this hole

Justin Pasher

Ahhh memories

Talk about a blast from the past. Back in the days of BBSes and early file sharing where myriad archive formats fought for your attention: ACE, ARC, ARJ, ZOO. I remember ACE was popular among a *ahem* certain means of sharing software.

That being said, it's a little harsh to call it a WinRAR bug, since they were just using the library file to support the format. At any rate, removing support just helps put another nail in the coffin of a relatively unknown format that really has no purpose anymore.

Doom: The FPS that wowed players, gummed up servers, and enraged admins

Justin Pasher

Re: 386DX

Not true. I ran it on an AST brand 386SX/25 with 4 MB of RAM. Yes, I had to shrink the game play window down about half way, but it was still playable (definitely not 30 fps, but playable). I do remember having to reboot with a clean AUTOEXEC.BAT and CONFIG.SYS to free up enough memory to play, though.

Open Internet lovin' Comcast: Buy our TV service – or no faster broadband for you!

Justin Pasher

Just trying to ruffle feathers?

"Comcast says customers who pay for 60Mbps will get upgraded to up to 150Mbps, while those on 150Mbps will move to 250Mbps and those on 250Mbps will get boosted to either 400Mbps or 1Gbps service"

The articles tries to make it sound like they're not letting people get faster broadband speeds, but it seems like that only means the 400Mbps or 1Gbps speeds, since the above states people can already get 60, 150, or 250 Mbps without TV service. The linked articles says people can't get a FREE upgrade to the next speed levels (60 to 150, 150 to 250, 250 to 400/1000), but that's very different than not letting people get faster internet. They give you the upgraded speed for free because you are giving them more money for the TV service. It's just like the "double play" or "triple play" style packages they've been offering for years.

I don't know if/where you can pay to get 400Mbps or 1Gbps without TV service, but we're really not at the point today where a connection faster than 250Mbps is really beneficial, unless you're downloading a bunch of stuff from a bunch of different places simultaneously, which is not the typical usage pattern.

libcurl has had auth leak bug since 'the first commit we recorded'

Justin Pasher

Re: There's always something nowadays

Backported indeed.


Firefox bookmark saving add-on gives users that sync-ing feeling

Justin Pasher

Re: FF native sync

The big thing missing from the Firefox native sync capability that I get from Xmarks is profiles. I have a Work profile and a Home profile, and I can select which bookmarks appears in each profile. There are some bookmarks I want to see at home and at work, and there are some that I just want at work or just at home. If I used the same FF sync profile at both locations, they'd always be completely identical.

I originally started out with Delicious and moved over to Xmarks about a year or two ago when the Delicious add-on stopped working properly. The ability to use tags on the bookmarks is a key thing for me, and with the TagSieve add-on plus Xmarks sync, I can get the Delicious functionality back. However, the latest version of the Xmarks plugins doesn't properly sync tags anymore, and the export option from the Xmarks web site doesn't export the bookmarks with the tags either. I had to restore bookmarks from a FF backup and disable the sync to avoid losing all of my tags. I've already reported the bug (and they've confirmed), but who know when it will get fixed.

I've yet to find a good, free option to get the same functionality and integration (even self-hosted would work).

San Franciscans unite to smite alt-right with minefield of doggy shite

Justin Pasher

Re: Fines?

"I fully support your right to free speech, so long as you also accept my right to throw sh*t at you..."

Actually, that would probably be considered assault, so not actually a right you are granted.

Hey America! Your internet is going to be so much better this January

Justin Pasher

Re: The answer should be Yes and Yes

"No, no. broadband is cable/coax delivered internet. DSL is phone-based internet. And FiOS is fiber optics."

Now you're just playing a game of semantics. By this statement, you are saying a DSL and FiOS connection should not be called a broadband internet connection. Now I no longer have broadband service, along with millions of others! We need more competition, stat!

The Atari retro games box is real… sort of

Justin Pasher

Re: PC technology?

That's what I see in my mind. A redesign of the original housing with a RPi inside. Done.

You've got HDMI, four USB, and it runs an emulator. The original Atari 2600 hardware is so old, computers from 20 years ago could emulate the games at full speed with no problem.

Debian 9 feels like home with security upgrades and a flaming vulpine warming your toes

Justin Pasher

Re: libsystemd0

Are you sure that matters?

I haven't had a chance to test an upgrade yet, but all of my machines are set up using SysV (package sysvinit-core). They also all have libsystemd0 already installed. I know the key package to avoid in Debian Jessie was systemd-sysv. Perhaps it changed in Stretch? I'm hoping not.

Qubes kicks Xen while it's down after finding 'fatal, reliably exploitable' bug

Justin Pasher

Re: 64-bit

I think it's just more of a terminology semantics issue. I'm sure he just means 64-bit systems running on hardware utilizing the x86-based instruction set (versus ARM, MIPS, etc). Sure "amd64" or "x86_64" would be more correct, but I think most would understand what he means.

Tesla hit by class action sueball over autopilot software updates

Justin Pasher

Pay to play

So Telsa has brought the DLC world of gaming to cars? Before we know it, you'll be able to buy the "shell" of a car for next to nothing, but spend $30k in DLC to add functionality like braking, top speed unlock, multiple radio stations, etc.

BOAR-ZILLA stalks Fukushima's dead zone

Justin Pasher

Re: Mutant daisies

I guess you forgot the Joke Alert icon...


Google gets smooth early Android releases. OEMs are struggling

Justin Pasher

Re: Awww.... come on !

"The whole point is that Google are showing that it's entirely possible to bring updates out, consistently, and frequently."

I don't quite see why people miss the big reason why non-Google phones have a longer delivery cycle. Have you ever used a Google phone versus another manufacturer like Samsung? If you have, you'd notice the obvious difference. Samsung has put a lot of work into making their interface consistent across all of their devices via the TouchWiz interface. If you compare the S4 through the S7, you'll notice that all of them operate very similarly (interface-wise). Google simply takes what they've created as stock and slaps it on the phone. When a new release comes out, they can easily deploy it because everything in the release is basically exactly what goes on the phone. Samsung has to update, tweak, and compatibility test all of the customizations they have made to integrate them into the new release. If Samsung ran stock, I'm sure major updates would be released a lot faster. If you look at the security point releases for the S7, Samsung actually keeps pace quite well.

You also have the issue with carrier tie-in. It's why the Samsung on AT&T can receive the update on a different timeline than the exact same Samsung on Verizon. Each carrier will want their own control over how things are built to make sure their own cruft gets included.

Open source Roundcube webmail can be attacked ... by sending it an e-mail

Justin Pasher

Bad, but not critical (for some)

The article misses an important note about the security hole.

"[It's] only relevant to Roundcube installations not having an SMTP server configured for mail delivery"

If you've set it up to use an SMTP server (even just localhost), it doesn't use the mail() command to send the email. See the $config['smtp_server'] variable in config/config.inc.php to check.

Decade-old SSH vuln exploited by IoT botnet armies to hose servers

Justin Pasher


From my reading of the articles (and my own testing), the issue at hand is that many default SSH daemon configurations for IoT devices leave TCP forwarding enabled by default (AllowTcpForwarding). This basically means "open proxy for people that can authenticate".

Once a user authenticates (be it via password or public keys), even if they don't have a valid shell defined for their account, they can still do port forwarding. Since many IoT devices are going to be using default username/password combinations, if someone can access the SSH daemon on that device, they can use it has a proxy. If they don't have the credentials or the public key (when using key based authentication), they can't do anything, even if AllowTcpForwarding is enabled.

Moral of the story: don't allow unprotected SSH to an IoT device (or really any device) and make sure it's not using default or common credentials for access. Also, if you don't need it, turn AllowTcpForwarding off.

Yelp wins fight to remain morally bankrupt

Justin Pasher

Re: @Phil W

To me, it looks like Yelp wants to have its cake and eat it to. They argue that they are immune because they do not control the content of the site, yet they are pursuing someone with a bad review to get a commitment to buying advertising ... to alter the content on the site.

Not quite racketeering, since I'm sure they don't try to sell advertising just to people with low review scores. Sounds a lot more like just simple (possibly indirect) blackmail.

Come in HTTP, your time is up: Google Chrome to shame leaky non-HTTPS sites from January

Justin Pasher

Re: Dumb idea IMO..

The one-IP-address-per-site thing is very rarely an issue nowadays. Just use shared IP addresses and SNI. Unless you're trying to support IE on Windows XP, you'll rarely find a case where anything remotely modern doesn't support it.

Pains us to run an Apple article without the words 'fined', 'guilty' or 'on fire' in it, but here we are

Justin Pasher

Don't get out much?

"An ancient, single-purpose analog connector doesn't make sense because that space is at a premium"

I guess he thinks only headphones plug into a 3.5mm port. Good thing they broke away from compatibility to save a little space. I'm sure many wouldn't mind a phone that's a few millimeters thicker in order to keep the port.

Life imitates satire: Facebook touts zlib killer just like Silicon Valley's Pied Piper

Justin Pasher

Apples and oranges

It's a little unfair to compare a multi-core capable zstd to single-core zlib. Try comparing it to something like pigz and then see how much improvement there is. It looks like the compression ratio is pretty negligible, which the compression/decompression speed is a big difference (but that's where multi-core capabilities would be expected to shine).

Facebook to forcefeed you web ads, whether you like it or not: Ad blocker? Get the Zuck out!

Justin Pasher


The thinking behind the move, says Facebook, is to eliminate complaints that folks have had about irrelevant or irritating ads

... so, all ads then?

Windows Server-as-a-service: Microsoft lays out Server 2016's future

Justin Pasher


I don't think it works that way (at least for W2K16 Standard). According to the FAQ:

The Standard Edition of Windows Server 2016 and System Center 2016 will license up to 2 VMs or 2 Hyper-V containers when all of the physical cores on the server are licensed.


Standard Edition provides rights for up to two virtual OSEs when all physical cores on a server are licensed.

It means even if you have a single Windows guest VM that is only assigned one processor with one core, you still have to fully license the physical server it's running on. That's how the current Windows 2012 license works (but since it's processor based, it's more straightforward).

You Acer holes! PC maker leaks payment cards in e-store hack

Justin Pasher

Re: Storing CC security verification codes

Per PCI DSS section 3.2.2:

Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.

This goes all the way back to PCI DSS 1.2 (2008). But hey, we like to treat them more like "guidelines" than rules.

Hack probing poodle sacrifice cuffed for public crap

Justin Pasher

It's Friday

Hey, Smokey back here taking a s***!

Linux greybeards release beta of systemd-free Debian fork

Justin Pasher

Re: bsd and systemd

I have bsdutils installed on a Debian Jessie system running sysvinit. The package depends on libsystemd0, not the full systemd init system. In fact, running sysvinit is officially support in Debian Jessie. You just have to do some work yourself.


Whether this will still be the case when Debian Stretch becomes stable next year is anybody's guess.

Verizon peeps gobbled by Frontier enter week two of crap internet

Justin Pasher

@CommodorePet: Re: Guess I'm a lucky one

The little bit I've used WMC, it's not that it's bad, it's just not as good as MythTV. The scheduling capabilities of MythTV completely blow other DVRs out of the water. Recording specific titles, time slots, previously recorded detection, automatic commercial flagging, etc. Then you have the Power Search feature where you can build an SQL query to choose the programs to record.

Since Microsoft has officially discontinued WMC on Windows 10 (and thus will stop supporting it on Windows 7 when its support ends in 2020), the options are getting scarce. Silicon Dust (makes of the HDHR) are working on HDHomeRune DVR as an alternative to WMC, but they've been working on it for almost a year and it still lacks a lot of features (and doesn't support "Copy Once" channels yet). It looks promising, but who knows when it will be finished, and I still won't be able to stream to my MythTV box.

Justin Pasher

Guess I'm a lucky one

I live in the Dallas, TX area and so far I haven't had any problems with my internet connection (my IP address even stayed the same). The traceroute does show it taking a path through the Frontier network now, so maybe they've only changed things a few hops upstream. However, I have heard a few people in the same general area that have been having problems (e.g. someone paying for 75/75 service and now only getting like 16/12 on a speedtest). I tested mine last night and was still getting the 50/50 service to which I'm subscribed. They did break reverse DNS though (at least for my IP address), which can cause delays on SSH connections that try to perform reverse DNS lookups (i.e. the default config).

My biggest worry is if/when they are going to start implementing "Copy Once" DRM on the channel lineup. Verizon only use "Copy Once" DRM for premium channels (along with some Fox channels starting last year), and "Copy Freely" for everything else. From what I've read, Frontier typically encrypts everything but local OTA channels. I have a CableCard with an HDHomerun and MythTV, and if they start doing that, it practically becomes useless and I'd have to resort to WMC (ewww).

I generally haven't have any problems with Verizon over the years except for the occasional billing snafu when I make plan changes or some idiots cutting a cable outside.

How NoSQL graph databases still usurp relational dynasties

Justin Pasher

Graphing nodes

The ltree module in Postgres (which has been around for over 10 years) pretty much does what you are talking about (finding node siblings, parents, children, etc). How well it does as massive scale, I couldn't say (I've only used it at relatively small scale).

The bill for Home Depot after its sales registers were hacked: $19.5m

Justin Pasher


Hmmm... I wonder why they had the breach in the first place...


Microsoft traps and tortures poor little AI in soulless Minecraft world

Justin Pasher

The real problem

"We need to solve the unsupervised learning problem before we can even think of getting to true AI," wrote LeCun, "and that's just an obstacle we know about. What about all the ones we don't know about?"

And THAT'S why AI is so incredibly difficult to master. Think about how a baby learns. Sure there is some trial an error (the same as what they are doing with Minecraft), but think about how much of that learning is because they are being taught or guided by someone who already knows how to do something. If the Minecraft world was the real world, it wouldn't work at all. You can't just keep jumping into lava pits or drowning in water, learn from it, and just start over and try again. Sure you can build this "database of knowledge" over time and use that as a starting point for the real world, but like LeCun says, what about the things you've never encountered?

The complexity of the human mind and its ability to reason and rationalize things is so much greater than any existing computer, it's almost hard to fathom. Computers can only do what they are told to do. Considering they've been around for less than a century while humans have been around for much longer, the ability to essentially create a human analogue in intelligence is mind-numbingly difficult (at least to make it even at a fraction of the level of the real thing).

HTTPS DROWN flaw: Security bods' hearts sink as tatty protocols wash away web crypto

Justin Pasher

@wolfetone Re: Is SSLv2 still supported in OpenSSL?

Actually it depends. The Debian binaries removed the SSLv2 protocol from OpenSSL back in 1.0.0c-2 (i.e. post-squeeze, pre-wheezy).


Competition? No way! AT&T says it will sue to keep Google Fiber out of Louisville, Kentucky

Justin Pasher

Pole dancing

So who owns the poles? Did AT&T pay to install them or was it paid for by the city. If AT&T paid for them, I can see their argument (to an extent). If the city paid for them, why does AT&T think they have the ultimate authority over them (barring any other agreements from when the poles were first installed).

Now I do see how the authority given to the third parties in regards to putting up their lines can be a little concerning, especially since AT&T is the ones that have to "pay" for any outages.

Google calls out Comodo's Chromodo Chrome-knockoff as insecure crapware

Justin Pasher

Trust is gone

If you've got Comodo's browser installed on your machine or using certificates issued by them on your server, get rid of it.


Dev to Mozilla: Please dump ancient Windows install processes

Justin Pasher

Re: wrong problem to be solving.

Just grab the specific version you want directly from the "FTP" site.