Posts by Bill Stewart 70 publicly visible posts • joined 6 May 2009
A few years ago, to do my taxes, I had to
- Download Turbotax
- Get new toner cartridges for my printer
- Hack into the State of California tax board's website to get a form
"Hacking" into the website meant "changing the URL in my browser to use the correct year for the form instead of the incorrect one in the link on the tax bureau's website,
but was equally evil and criminal.
My father-in-law once had a lifetime subscription to a financial newsletter whose author was very explicit that it was for his lifetime, not yours. Eventually the author got cured of whatever cancer he had, so his lifetime was suddenly looking like it would be much longer than he'd anticipated, but he did keep writing it for a while after that.
I eventually bit the bullet and imported everything from Eudora into Thunderbird, but I still preferred Eudora.
My mom might still be using Eudora 1.4 on her Mac (it's one of the G3 all-in-one slab versions, that she bought after the graphics card on her Performa 630 died.) She doesn't use it a lot (her vision hasn't been very good this century, and she doesn't see well enough to use mouse-driven things), so it's usually my sister reading it to her, and my sister might be doing that in Gmail (which she switched to after her dial-up provider suddenly stopped doing business. My siblings had been trying to get her to upgrade to broadband for a while, so they could use the Internet when visiting, but when all you're doing is a few dozen emails a week, dialup is just fine.)
The shell checked whether your mailbox file (/usr/spool/mail/yourname or whatever it was named in that version) had a last-written time that was later than when it had last told you you had mail.
How the mail got delivered to the mailbox file varied a lot, e.g. was it from somebody else on the your machine (and therefore immediate), or was it from some other machine (depended on the network connection - was it uucp dialup? Did your machine poll them or did they push to you? That could vary a lot; if you were in Australia it might be one phone call a day to pick up everything from your US office.
You have mail
$
Hah - I should try that, not for nefarious reasons, but because I've got a WWVB clock that has trouble getting signal in my house unless I stick it in an upper window. (At the moment, this means retrieving it from behind a dresser, because the cat also likes that window and knocked the clock off the windowsill.)
Nominet could set up .eu.uk in a hurry, to give UK companies that used to be .eu a transition location, in case the similar .co.uk name is already taken. They could either be nice and do it free for a short time, or charge a nominal ten pounds a year or a soak-the-businesses few hundred pounds. And they could either be precise and let you register if you show your .eu registration and UK address, or sloppy and just zone-transfer the whole .eu to start off, not worrying if you're really a UK company.
(Or whoever owns .eu.co.uk could do that, if they wanted.)
IPV6 Address Privacy has become supported in several popular OS's - instead of using a constant IPv6 address based on the MAC address of the interface or some other constant IP address, computers pick a different address per connection for outbound connections like web browsing. Obviously the /64 for the network segment doesn't change (so your /64, /56, /48, whatever your ISP assigns is more easily trackable than a dynamic IP might be), but the individual computer isn't tracked (which is especially important for portable computers that would otherwise have the same lower 64 bits at the coffee shop or office as they do at home.)
I don't know if cellphones do this or not, but I assume cellphones generally leak identification all over the place.
Moore's Law was originally about the specific technical details and specific time units, but we keep it around because it tells us things we like to hear, and because the economic principal is still sound - there's enough market demand to keep manufacturing improvement and research going so that computers keep getting exponentially better performance, or at least price/performance.
The VAX I used 30 years ago had 50x the RAM of the PDP I used a few years before it, and about every 2 years we could afford double the RAM, so by now $50K that got us 4M RAM will get you 1 million times as much (~$50/4G, and it's >100x faster) and the 1GB of disk was four washing machines for maybe $150K, vs 1TB for $50 now, or 128GB of flash that's generally faster than the RAM on the VAX was.
And the Cray-1 Supercomputer back then? Cell phones have been faster for a long time.
Bob announces that he will hack back against anybody who attacks him.
So Mallory impersonates Alice and attacks Bob. Doesn't need to be a big or effective attack.
Bob detects the attack and launches a hack-back against Alice.
Alice's network is now trashed, and Bob claims he was retaliating legally.
Congress seems to be a bunch of Chaos Monkeys.
Sorry, one guy who misses something is not much different from one guy being on vacation, or out sick. One manager saying "we can't do the update this week, because X" might have the ability to delay it, but if your system doesn't keep track of that PENDING SECURITY-CRITICAL UPDATE WHEN YOU'RE A FINANCIAL COMPANY, your system is broken by design.
Hey, cattle investors think a cow is a $1000 depreciable asset, and if it costs $200 in vet bills to avoid shooting it and selling the carcass for $100 in pet food instead of getting a bigger sale of beef or 5-N years of milk, they'll generally pay for it. Chicken farm investors might not think the labor's worth it, because a chicken's more like a $5 depreciable asset and the vet still charges per visit, so it may be cheaper to dispose of one chicken than risk the whole herd getting sick.
Assange's excuse for "why I shouldn't be extradited to Sweden to answer rape charges" has always been "the US will kidnap me if I walk out the door". If he's willing to risk being extradited to the US to answer charges that haven't been filed, he should be willing to risk being extradited to Sweden.
I don't think we'll see his lying ass leave the embassy unless Trump grants him asylum for services rendered.
Not just VPN - you want a DNS provider who isn't your ISP. Your browser doesn't actually ask your ISP for a URL, it asks to set up a connection to an IP address (though your ISP might snoop any unencrypted packets to see what else it can find, and for SSL that might leak the domain name), and it gets the IP address by asking a DNS provider for it (which typically defaults to your ISP's caching DNS server.) By doing DNS lookups somewhere else, you can reduce the amount of data your ISP collects. This doesn't always keep the snoopers from seeing it (e.g. anycast-based DNS servers like Google's 8.8.8.8 will typically connect you to their nearest server, which will typically be in your country), but it does increase the work they need to do, and you can further separate the queries in time by caching DNS results in your computer.
Way too many apps seem to want GPS when WiFi accuracy or Where-was-I-last or Pick-from-a-list accuracy are good enough. (And even if I weren't a geek, battery life means I usually have it turned off.)
I'm more likely to use Yelp to ask about a restaurant near some specific city (e.g. home, or where I'm going later today) than near where I am now, but even if I'm not doing that, whatever level of location resolution it gets should be good enough.
I'm more likely to use weather for a specific location (home or work) than "here" - I can see if it's currently raining outside, and don't need 10-meter resolution to tell the temperature when it's actually using readings from the nearby airport anyway.
He's not just trying to get attention - he's trying to monetize it (and/or stifle further work in the field, which is sort of monetization-equivalent for intelligence agencies.) Choice of UK venue means:
- First-to-file, not first-to-invent, so he doesn't need as much real documentation to show he was the real inventor
- Libel laws that make it easy to sue anyone who calls him an impostor - especially since it's really hard for a defendant to prove that Wright's not Satoshi, unless the defendant is the real Satoshi and is willing to come out of hiding, which is unlikely, while it's easy for Wright to prove that calling him an impostor is causing him real monetary damage by blocking "his" patents.
- It's not the US, so it's harder for someone like Nick Szabo to fight the patent by proving that the claims are equivalent to previously published work, or for a libel defendant to hire Nick, though Adam Back and a few other Bitcoin experts are UK-based.
NIST knew that if they wanted anybody to trust their replacement crypto, they'd have to run an open international competition for it, with all the design rationales published, not just hand us a shiny updated version of the Clipper Chip or something. And yes, AES is Rijndael, from Belgium. And OpenSSH is managed by a Dutch/SouthAfrican who lives in Canada, and OpenSSL by a New Zealander. Shamir of RSA is an Israeli.
"A cryptographer, a Eurocrat, and a normal person walk into a bar. What do they order?" Three Belgian beers, and maybe some Club Mate' if it's available. (Cryptography seems to be one of the Belgian national sports these days.) But it's not just the Belgians and the Dutch and the New Zealanders and the Israelis and Canadians and the Russian Mafia writing computer security software - lots of other places do it too. And while a lot of the Cypherpunks group activities were in Silicon Valley and Berkeley in the 1990s, it's not like everybody attending were Yankees; we had Canadians and Russians and Dutch, and there was a lot of academic work back and forth between US and European and Aussie and NZ universities.
Faraday cages block electromagnetic signals; if I'm reading this article correctly, they're using audio to measure changing workloads.
Paul Kocher's been doing various differential power and timing analysis things for years, all of which have told us that we need to do calculations in ways that take the same amount of work regardless of the keys, which means undoing some of the optimization methods for long-number arithmetic and such.
A few years back Californians got to vote on the early version of High Speed Rail funding. We were asked to approve $10B in bonds to fund a $30B rail project (SF-LA and beyond to SD and SAC), with the rest of the funding being magic money that would appear from the sky, and $55/ticket SF-LA, cheaper than Southwest Air on sale. Immediately after it was approved they said "Oh, ooops, we'll have to pay interest on bonds! Ok, it's $40B." After a while it was "$70-80B, $110/ticket", and recently it's "Oh, apparently ridership will depend on ticket price, who could have guessed that? So maybe we'll need to subsidize it more to get ridership up!"
They have no idea whether the data has been stolen - most ransomware follows the "take the money and run" strategy, because it's easy, but once the Bad Guys have access to your system, there's no reason they can't send the interesting data to some server they control, either before encryption or along with the keys. The risk to the Bad Guys of doing that is they're more likely to get caught, especially if the victims hire a security expert to help them through the process (especially before paying any ransom); the benefit is that sometimes the data is worth a lot, and the Bad Guys know the victims weren't running a competent enough shop to stop them before they got infected.
They appear to be mixing up using electronics to disable the car dangerously when somebody else is driving (which might count as attempted or actual murder, things that are already illegal and very serious)
with using the electronics to vandalize or steal a car (which are also already illegal, but are much less serious crimes.) Maybe life in prison is justified for wrecking a moving car; hot-wiring a car to steal it doesn't have any justification for more serious penalties than any other method of stealing a car.
This didn't start with the San Bernardino shooting - the FBI's been running court cases for a year or more trying to force Apple to do the same thing in drug cases. If they succeed, they'll end up with a tool that lets them inspect anybody's iPhone, without needing warrants, as long as they've got the phone.
And cops have been getting away with confiscating smartphones from people they stop, also often without warrants, and they've especially been doing this in protest arrests, though at least they're starting to get some pushback from judges.
My Samsung Galaxy S4 mini is running 4.4.2 (which was an upgrade that got installed shortly after I got the phone), and as far as I can tell Samsung's abandoned it since then. (My Coby tablet running 4.0.4 was abandoned about the time they put it in the box, but I'd expected better from Samsung than from a noname.)
I've never been a fan of the Nexus phones, but they seem to be the only way to always get the latest Android version your hardware's capable of supporting - are there any other manufacturers who do that?
Most Cisco equipment used to have a default password of "cisco123", before they started all the mergers and acquisitions and decided that they should be able to handle longer than 8-character passwords. A password of "password" suggests an acquired product (like their Sourcefire products which have a default password of "Sourcefire") or else a new standard for factory passwords.
It's probably been 3-4 weeks since my last BSOD on Win7-64, which usually happens when Firefox is burning about 3GB of RAM and there's lots of flash going on. It's been longer than that since I had a legible BSOD, because these usually end up squished and warped in the top 1/3 or so of my screen, but I've had them this year as well.
Hardware's a year-old HP 8-core laptop with 8GB of RAM.
How do we get them to understand? You won't really, but if you want to start
- Give them the data they're asking for. On paper. Bring in the first wheelbarrow load and let them know how many seconds it's for, and ask where they want the next 32767 batches delivered.
- Give them the data they're looking for, for a narrow slice of IP addresses that includes theirs, in a nice spreadsheet that tracks what they're doing, or mixes up what they're doing with what their neighbors are doing.
- Many years ago, when a right-wing US judge was being nominated for the Supreme Court, somebody looked up his video rental records, and provided it to Congress. It was boring and entirely non-scandalous, and Congress quickly passed a law providing privacy protections for video rental records. You need to let them know you can do the same for them.
Who uses small machines these days? Other than the Raspberry Pi hobbyists, it's people using virtual machines. I'd really rather not have to burn 8GB of disk on a vanilla Ubuntu for each VM, on a server where I'm using a large pile of them, and I'd rather not use as much RAM as Ubuntu needs if I'm running a Linux VM on my Windows desktop.
The "USA Freedom Act" was a compromise between pro-privacy people who wanted to control the NSA's spying and the pro-spying Congress members - but it was written before the court decision that invalidated most of the NSA's bulk collection, and before the Senate decided not to renew Part 215 of the "USA Patriot Act", so by the time it was passed, it ended up authorizing some data collection that was no longer allowed by earlier laws (which it had been trying to restrict) and got almost nothing in return.
That's correct. US law says that census records are sealed for 75 years (length of time might have been different back then), and only summary information is available before that, not individual records, but the Army used them anyway to find the names and addresses of Japanese-sounding people in the US and put them in the relocation camps.
Even for non-illegal uses of census records, there's also the problem of 75-year-old records revealing your mother's maiden name, and for supposedly summary-only data revealing that the number of people in your census tract with a husband of Mexican origin, wife Guatemalan, and three kids is exactly 1, and the US census forms obsess about detail for anybody Hispanic, unlike those of us with Anglo or Celtic origin.
IE's purpose wasn't to achieve dominance over the browser market - it was to prevent the browser from displacing the operating system as the important user interface, by preventing compatibility and cross-platform development. Dan Farmer's SATAN network security analysis program had demonstrated that browsers were a good enough user interface for most applications, Netscape and various Unix versions (including Linux and BSD) were free or near-free, and AOL could have swamped the market by porting their application to Linux and handing out free coasters to everybody. What IE needed to do was to get a large enough chunk of the corporate browser space to prevent everybody from moving over.
And they succeeded. Microsoft's still around.
I clicked on the up-arrow to vote on one of the comments in this thread, and Firefox crashed. Not the first crash of the day, either. I'm running on Win7-64 with 8GB or RAM, so FF is no longer running out of RAM the way it did when I only had 4GB, and it's a recent version of FF.
On the other hand, unlike IE, when FF does crash, it's really pretty good about remembering where it was; IE usually loses the whole session.
It's able to grab whatever 64KB off the heap is near the object it's supposed to be able to ask for, so that can include memory from live or dead objects, because C doesn't stop you from shooting yourself in the foot by running off the end of an array.
The reason the memory of the dead objects wasn't zeroed on release is that, by default, OpenSSL keeps its own pool of memory and doesn't bother using malloc() very often (because on some systems, that might be slow, which would make managers sad), so OpenSSL doesn't call free() when it's done with those objects, and therefore if you've got a malloc()/free() system that has extra protection, like zeroing stuff or putting guard pages after chunks of memory to keep you from running off the ends, it doesn't waste time doing that.
So yeah, modern Linuxes give you lots of cool tools, but they're not compiled in by default.
C is still my favorite programming language after all these decades, but most people really shouldn't be allowed to use it, certainly not without extensive oversight of anything security-critical.
What do you mean by "no Internet connectivity"? The pricing says you get 1TB of transfer a month. The description of the applications look like you're connecting over the Internet. Do you mean that you don't get a static IP address, or that you don't get IPv6, or that you only get IPv6, not IPv4, or don't get a DNS name for free, or what?
"Getting drunk without beer" is called "smoking a joint". Sometimes that's what you want, or you might want something else in that space that's a bit more controllable.
Dr. Nutt is trying to do social engineering on UK drugs policy. He's the guy who got fired from his job as medical advisor on drugs policy for saying that drugs policy ought to be guided by science and medicine rather than by the political correctness of the drug prohibition police. And good for him.
Of course alcohol free beer is not real beer; it's the stuff you drink when you don't want alcohol but still want something cold that's vaguely beer-flavored instead of cola-flavored.
And Budweiser isn't made for a UK climate. If you're in the US Midwest, where the stuff is made, and a summer day is 95F outside (35C or so), and 95% humidity, and you've been out mowing the grass or doing other hot work, when you come inside you're not going to drink Real Ale. You want something much lighter and colder than that, and a very cold Budweiser is absolutely perfect, followed by another very cold Budweiser.
Here in San Francisco? Real Ale is just the right thing.
I accidentally triggered one of these many years ago. Somebody sent a CraigShergold-gram to the building list (about 5000 people) one Friday afternoon, and I thought for a moment about whether I should send a "Please don't reply, especially to the entire list, here's the explanation" reply on not. This was back in the days when most of our mail was on departmental Vaxes, and some of it was on a big Unix-like mainframe system, some running SMTP but some running UUCP, and there wasn't a snopes.com to point people to, just alt.folklore.urban on Usenet.
I decided that it was probably better to send it than not, and of course I started getting bouncegrams from people on vacation, etc. About half an hour later, a friend called, asking if I'd meant to send five copies of the mail, spaced five minutes apart. "Umm. no..." "Thought not, enjoy the rest of the afternoon cleaning things up." Apparently the mainframe in the basement had forwarded out the message to everybody, decided that something hadn't worked, and re-queued it to try again later. I went down to the basement where the building sysadmins lived, apologized, and we spent a couple of hours trying to find the problem and clean up the mess (simply stopping the mail server and clearing out its queue wasn't close to good enough.) Never did find out what was wrong, and of course my bouncegrams were starting to include "Can't deliver message; mailbox full" as various departmental Vax disks filled up. And Monday morning we started with a couple rounds of "Stop sending me this junk at work" "Get me off this mailing list" "Don't send that to the entire list, dummy, just the sender (sent to the entire list, of course)", but none of them broke the mail relay this time.
For about four years, Airship Ventures ran a Zeppelin in the San Francisco Bay Area and occasionally took it on the road around the US. It was built in Germany, and while it was a lot smaller than the Hindenburg, it was a real dirigible. It used helium, and held a dozen passengers. It was based out of the old Moffett Field blimp hangers in Silicon Valley, and ran tours, usually flying at 500-1000 feet for an hour or two, and it was an amazing ride. It was also used for some local scientific research. In spite of the economic decline, there were still enough people to keep a Zeppelin flying around, though the 10x rise in the price of helium finally killed them.
I don't use Facebook very often, but when I do, it's only on a virtual machine, with a dedicated copy of the browser, and I don't use that VM for anything else. And all that game stuff is turned off.
I started doing that when the LA Times in my main browser session started showing me "see what news articles your Facebook friends are reading today!"
I haven't looked at an iPhone 1 in a long time, but I'd be surprised it had a dual plug as shown in the diagram. I've had Nokia phones that had separate jacks for the audio headset and the telephony headset-with-mike, but that's two separate interfaces, not a dual plug. (Also being Nokia, you tended to need a really _special_ snowflake of a connector to do anything at all with it, because the standard connectors everybody else used didn't break often enough or cost as much.)
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
