Posts by Graham Cobb

1485 publicly visible posts • joined 13 May 2009

GNU screen 5 proves it's still got game even after 37 years

Graham Cobb Silver badge

Re: Back to front?

Both are useful.

I often create an Xterm on my workstation, run screen in that, and connect to three or 4 different hosts when working on a task that is split across multiple servers. That way these sessions survive if my workstation reboots, and I am switching between the different hosts for the task in a single VT.

For my main home systems, though, I create an Xterm running screen on my workstation for each system and then create several terminal sessions on that system, logged in as various users (my main account, root, some special users, etc).

Graham Cobb Silver badge

Re: Another advantage

My experience is the same as Jamie's - similar length of time without seeing your problem. And I do (or did) use serial ports, connected to multiple TiVos. Using virtual terminals of various sizes and software.

Obvs it is a real problem in your use case but doesn't affect other people's use cases. No idea why.

Graham Cobb Silver badge

Yep. I have screen currently running on at least 4 or 5 sessions on my computer as I type this: each one actually running on a different system - and each one with sessions logged into several different users on those systems. On most of my home systems I have a screen session running on each system, with sessions logged into my main user account, root, and any other accounts I want. I even ported screen to Tivo back in the day when I was doing active Tivo hacking.

But then I use command lines a lot.

AI firms propose 'personhood credentials' … to fight AI

Graham Cobb Silver badge

Kill the 1-to-1 concept of identity

Of course the other comments above are right about the impossibility of doing what these firms want to do. But this would be a good time to think about the requirements for Identity: what do we want from a modern concept of identity?

The first thing, in my view, is to stop it being 1-to-1. There is no reason why any entity (person or otherwise) should be restricted to a single identity. Each person should be able to create identities at will (just like I create a new email address for almost everyone I engage with on email). All equally valid, and not connected in any way except how the person wants them connected. Not just pseudonyms, but complete identities, any of which you can use at any time, for any purpose.

Graham Cobb Silver badge

Re: EFF

One word: Windrush

Telegram founder and CEO arrested in France

Graham Cobb Silver badge

Re: I hope Musk travels to France

Did you honestly think that anyone has the right to set up a board or a social media network which facilitates crimes of this nature on such a scale and refuses to cooperate with police or the judiciary?

Have you told that to the operators of the road network? The road network is not required to track and record everyone who uses it just in case the police want to know afterwards. Even though the vast majority of crimes involve using a road and roads facilitate vastly more serious crimes than any social network does. If the police want to track people using the road they have to use their own people to do it.

Co-operation with the police for a large meeting does not mean recording the conversations of all the people who come to your meeting. If I rent the NEC to hold a prayer meeting for 100,000 people, there is no requirement to record the meeting just in case the police want to listen to it afterwards. If the police want to pay the entry fee and attend, that is fine. I might even (at my own choice) waive the fee for them if they convince me some delegates will be discussing serious crimes. But if they can't be bothered to join the session, or find a delegate willing to talk to them afterwards, they have no right to know what was discussed.

Graham Cobb Silver badge

Re: I hope Musk travels to France

What makes you think this is not about 1:1 chats?

And what makes a 3-person chat, or a 10-person chat or a 100-person chat different from a 2-person chat?

What makes 20 people discussing something in a church hall they have rented different from 20 people discussing the same thing in an online group?

The vital principle is that the venue providers should not have a requirement to record all the conversations that happen in their church hall, keep the recordings and give them to the police when asked later. Any snooping must be done with a warrant, and be before the chat takes place - not a general requirement to retain everything in case it is useful to the police later.

CrowdStrike hires outside security outfits to review troubled Falcon code

Graham Cobb Silver badge

Re: since they have full control of the input anyway

I think this is the main point.

This whole debacle shows that the way to attack important systems has changed: the easiest point for a successful attack is the security code itself! It is the analogy of the movie strategy of infiltrating your attacker into the big guy's trusted security detail.

Time for everyone serious about security to leave CrowdStrike and at least move to a competitor whose weak point has not (yet) been so dramatically exposed!

Net neutrality in danger again: US appeals court puts FCC's resurrected rule on hold

Graham Cobb Silver badge

Re: Surely the people are sovereign

You can’t just point to a 250 year old document and say stuff is not in there so it’s judicial overreach and can’t be limited or ruled on.

Exactly. I fear you misunderstood my point. My point is that the people (acting through congress) have authorised the people (acting through the president) to create executive agencies which can institute these rules, at their discretion. If the people (acting as congress) meant the executive to be limited as to what rules could be enacted, it had to say so. Just like if it decides people cannot keep dogs as pets it has to say so.

It is the courts which are acting unconstitutionally by inventing a doctrine that says "the executive agencies cannot create rules unless the rules themselves are in an act of congress".

Graham Cobb Silver badge

Surely the people are sovereign

If the people choose to flip-flop every 4 years, it is not up to the courts to stop them.

It might be stupid.

It might be damaging to the economy, or to business.

However, the justice system is not there to prevent any of those things. It is there to ensure the administration of justice is fair.

Congress (chosen by the people) makes the laws. The executive (chosen by the people) administers them and has choice about how to do that where unspecified by congress. The courts are there to ensure the administration follows the constitution and that it follows the laws congress has made.

Labour wins race to lead UK, but few would envy the load in its tech in-tray

Graham Cobb Silver badge

Except that any and all such rules can be modified if the EU want it.

I wrote here, in the days after the Brexit referendum, that the Brexiteers had killed the Pound because we would be back in the EU within 10 years and the EU would make adopting the Euro their price for letting us back in. I still believe it, although I acknowledge that the stupidity of the Conservative Party has pushed the 10 years out a few more years.

Graham Cobb Silver badge

Rejoining the EU is, unfortunately, not likely to be available. The EU would, surely, make dropping the Pound a non-negotiable condition and, although that will happen in a decade or two (specifically so we can rejoin the EU or some differently-named successor) it wouldn't be doable now.

However, some sort of EEA-like deal is perfectly possible.

Former Fujitsu engineer apologizes for role in Post Office IT scandal

Graham Cobb Silver badge

Re: Distinguished engineer got trapped into doing things :o

I got to a very senior technical position in my company and knew many of these types of technical experts. They really were absolutely genuinely engineering marvels. They had full understanding of very technical details of large and complex systems. They could make excellent technical decisions, often with insufficient data, based on their years of experience, technical insight, and understanding of the system.

However, they often didn't understand people, sometimes didn't understand processes (even good engineering processes), didn't understand that other people didn't understand the systems like they did and so there needed to be checks and balances, validations, self-correction and alarms for "impossible" situations. Just because the architecture was awesome, didn't mean the implementation was as good! And they had a habit of ignoring the fact that the operational processes often violated their wonderful architecture with hacks, workarounds, manual overrides, etc.

Police allege 'evil twin' of in-flight Wi-Fi used to steal passenger's credentials

Graham Cobb Silver badge

Re: Connecting to "free" WiFi...

There seem to be two different attacks talked about here - not sure if both were actually used in this case:

The first is to ask for an email address on the Welcome page for the WiFi - which most public/free WiFi do - and then ask them for the password as well, which unsophisticated users will provide without thinking because they are so used to providing both together to access their email. Simple attack, works with about 2/3 of people I would guess, VPN makes no difference.

The second attack is to intercept traffic through your fake AP. This is where a VPN can make a difference. Although it is also enough to be sure you are using SSL connections and are not connecting to a spoofed domain - but, again, unsophisticated users are unlikely to notice. This attack could expose all passwords, not just the email account. It is rendered ineffective by 2FA.

Version 256 of systemd boasts '42% less Unix philosophy'

Graham Cobb Silver badge

Yes. We really needed a startup manager that could handle complex, parallel and ever increasing dependency graphs. SystemD is a reasonable implementation of that and does a decent job (although its tools for debugging startup ordering issues leave a lot to be desired).

However, I am really not convinced by the move to turn it from a startup-ordering-manager to an all-inclusive-jack-of-all-trades-general-services-blob. If I wanted all my system services in one blob, from a single source, I would be running Windows.

BT delays deadline for digital landline switch off date

Graham Cobb Silver badge

Maybe you don't live in a small village? It reads pretty much like something our parish council would send. Village parish councils are unpaid local volunteers, and never have enough budget to do anything, but often do their best to highlight the village issues to district councils who do have staff and money.

Aghast iOS users report long-deleted photos back from the dead after update

Graham Cobb Silver badge

Re: File recovery

On modern OSes (certainly using Btrfs, but I am guessing XFS as well) overwriting a file doesn't write to the same blocks. Certainly COW filesystems allocate new blocks for all writes, and decrement the use count for the old blocks. If the use count gets to zero they may, when they get around to it, send a TRIM to the lower level to tell the disk the blocks are no longer being used and it can use them for something else.

If you want data actually overwritten, and removed from the physical media, you need to use very specialist operations. That is one reason I use disk encryption for all my logical volumes - once the key is forgotten the data is really, truly gone. That means that if I stop using a disk (or it fails), I can just throw it away (or sell it, if I want) without worrying about someone reading any of my data. Even if the disk has died and I can't write to it any more.

Open Source world's Bruce Perens emits draft Post-Open Zero Cost License

Graham Cobb Silver badge

Re: Very interesting

Thanks, Bruce.

I think this is the main disagreement. I realise you are not proposing allowing people to call it Open Source. Instead, what you seem to be saying is that Open Source is not a suitable model for the future - primarily because, in your opinion, it is not sustainable.

Personally, I am not convinced that making Open Source projects into a closed source model is the right answer. It may well be a useful answer for some projects but I don't see it likely to work for the projects like XZ, and many others, which are small (few developers), with relatively little change, but widely used. Many of those developers are at least partially motivated by contributing to the greater good and making their own work freely available for others.

I feel a better solution to the problem lies with the distros, and other large projects which are themselves at least partially free. Those have much more chance to do things that can bring in money (sponsorship, services, ...) and they are in a strong position to contribute to these small projects (cash, people, testing, emotional support, consultancy, ...). If XZ could have used some Debian developers (say - or even Google developers), instead of accepting input from unknown people on mailing lists, would the problem have been prevented?

Graham Cobb Silver badge

Re: Very interesting

I never thought I would be disagreeing with one of my personal heroes but I think doublelayer has captured my views exactly.

I understand that the crisis in funding, managing and staffing critical open source projects is severe. But I live in hope we can find a better solution than this. The ISOC debacle must show us that this is just not going to work as a long term solution.

If Britain is so bothered by China, why do these .gov.uk sites use Chinese ad brokers?

Graham Cobb Silver badge

Re: Once again Ad-block is your friend

That's what my separate installation of Brave is for - the few occasions when I do really need to turn on javascript. Brave is fairly privacy aware and I only find the need to use it a couple of times a week.

Graham Cobb Silver badge

Re: Once again Ad-block is your friend

But, as the post earlier in the thread says, that only stops the transactions from the browser. It does not stop the website backend telling all the ad agencies "IP address 1.2.3.4 has just downloaded page my_STD_and_how_to_love_it - how much am I bid for the chance to go into battle against their adblocker?". That is why using a proxy which randomises addresses is also vital.

EU tells Meta it can't paywall privacy

Graham Cobb Silver badge

Re: And how would that work?

Yep.

That model works (or worked) for Reddit. Let people subscribe to topics they are interested in.

And if they enable tracking, use that information as well to give them a better experience. If you do it well enough maybe some of us would agree to let you track. And others won't because it is a price they are unwilling to pay.

Graham Cobb Silver badge

Happy for them to offer a choice of paying for no-ads or being sent ads for a free service. But it must be completely separate from the choice about tracking.

Some people may prefer to allow tracking with their ads, because they will be more useful/interesting ads for them. Others may prefer no tracking even though it means the ads are always useless to them. That would be the genuine choice for people.

Fancy building a replacement for Post Office's disastrous Horizon system?

Graham Cobb Silver badge

Re: EPOS isn't just the terminal in the shop

I've never worked in retail but isn't that the easy part? Sure the transactions are different - and there are lots of unique "service"-type transactions, which would have to be Java apps running in the till (walking the user through checking an International Driving Permit application, for example).

But the hard part, the part which needs to be secure, robust, reliable, unable to lose, corrupt or duplicate a transaction, never able to modify a transaction under any circumstances, etc. is presumably the same as other retail businesses. And so are tools like daily till reconciliations, stockcheck reconciliations, recording and tracking "shrinkage", generating operational and management reports, auditing, detecting fraud, etc.

Engine cover flies from Southwest Airlines Boeing 737 during takeoff

Graham Cobb Silver badge

Re: Please get a clue

The first female hijacker was in 1969. There have been others since.

What can be done to protect open source devs from next xz backdoor drama?

Graham Cobb Silver badge

Re: The victimized linux releases were loading opaque tarballs instead of compiling from source

The git repo has more files in it because the source archives just contain the code and build scripts, not irrelevant things like the .gitignore file.

Which, unfortunately, means the consumer of the code can't automatically check the tarball really does match the repository in all respects. But the alternative - require all packages to be built from their git repository - means there will be a lot more complexity in build scripts so it may still be possible to hide hacks using the same tricks used in this case (extremely opaque m4 macros which react to changing a few bytes in an obscure binary "test file").

Graham Cobb Silver badge

In addition to carefully considering whether to use a dependency or re-implement yourself (which has to be done on a case-by-case basis as a self-implementation could be even more buggy), it would be useful if we had a wider choice of dependency interfaces and sandboxes to choose from. Security-critical apps like ssh, which can compromise a whole enterprise, should be able to trade off performance against safety with selection of a library interface which offers more protection even though it is very slow.

404 Day celebrates the internet's most infamous no-show

Graham Cobb Silver badge

Re: Grot

Thanks for the pointer. I had a bit of fun playing with it. Although I was a bit confused when I asked it "What is the first line of Hamlet in morse code", as you do, and it replied indicating that it didn't have access to books in morse code. Asking it to "Translate the first line of Hamlet to morse code" was successful, however. And when I then repeated the first request it apologised for its earlier confusion and gave me the right answer.

Malicious xz backdoor reveals fragility of open source

Graham Cobb Silver badge

Re: Scary

We caught this one in time and negated years of work of the adversary.

Yeeessss... sort of...

We appear to have negated years of work on one particular infection vector. Given that this was years of work, it is extremely unlikely it was a single person, and it is unlikely this was their only bet. Someone was paying their salary and possibly paying a whole team. The person (or the agency they work for) is unlikely to have made their bet just on one approach, which could have been noticed at any time over the last couple of years.

Who is doing reviews of all the other projects which have had complex, obscure changes which look nothing to do with security but no one really quite understands? I mean XZ for goodness sake??? Who would ever have imagined that could cause every up-to-date Debian Testing system on the internet to be open for root logins for a while? How many more compromises are there out there? We have always assumed the US, Russia and the Chinese each have a horde of vulnerabilities which they can use (and then burn) in case of major war. Was this one of those? Or was it the Norks or Israel or the Iranians wanting their own?

Who is checking all the obscure libraries used in kernels or security-critical processes by the proprietary vendors (Microsoft, Google, etc)?

Graham Cobb Silver badge

Re: Some OSS development introspection needed

All of this would not have happened if systemd had not been involved.

I think you meant to say "All of this would have happened differently if systemd had not been involved". The perps created an extremely complex and sophisticated attack based on mispurposing the library loading mechanism to cause an apparently innocuous but actually malicious library to take control of a security-critical component. Given the complexity of what they achieved, I am sure that if they were unable to use libsystemd they would have just found another library as a vector for their malware.

What we need to do is to (i) fix the development process where important software is reliant on under-resourced developers, (ii) harden the operating system to better protect security-critical components from poisoned components such as libraries.

Graham Cobb Silver badge

Re: Some OSS development introspection needed

the fact is that this vulnerability was introduced by the long arm of systemd reaching into sshd's internals, where it had absolutely no place being

Exactly. And that was the fault of no-one except the Debian sshd maintainers! They didn't need to do it. Nothing in systemd forced them to do it. Many other systemd-using distributions don't change sshd to use the library. It is obvious now, with hindsight, that it was a terrible decision to weaken sshd by linking with unnecessary libraries without a careful review of the risk/reward tradeoff.

Systemd has many problems. I don't like it. But it is not to blame for this. And repeatedly saying so just delays fixing the real problems which are:

1) Helping maintainers of widely used packages keep them safe.

2) Reducing the risk surface of linking external libraries into security-critical components.

Graham Cobb Silver badge

Re: Some OSS development introspection needed

...attack that was only possible because of systemd

I am no fan of systemd, but you are mistaken. Systemd was not, in this case, the problem. No more than the compiler, linker, library loader or anything else. If they couldn't use libsystemd as the vector they could have used a similar approach on one of the other dependencies. Maybe it would have taken more effort, maybe less. ldd tells me that sshd is linked to 28 libraries on my system.

The attack was only possible because of the lack of tight review of all the dependencies of security-critical software, combined with a prioritisation of performance over security in library loading even for the most critical security components.

Graham Cobb Silver badge

Some OSS development introspection needed

This is a timely wake-up call and needs some careful thought and discussion about the lessons to be learnt for software development.

Of course one major thing, and not new, is that too many widely used projects are understaffed. Maintainers are overworked, can't necessarily review contributions as well as they would like, fall behind on testing and project management as well as actual code development.

But there are also some important operating system architecture lessons to be learnt. We need to find a way to reduce the attack surface of software, particularly security critical software. Software like SSH needs a simple way to trade performance for safety. In this case we can all see, with 20-20 hindsight, that there is no way a utility package like xz should have been able to affect the operation of a critical tool like SSH.

We need some of the best OS architects to work on that issue. For example, maybe security-critical software could trade performance for security - maybe something like using RPC and co-processes for external library calls instead of loading libraries into its own memory space. I am sure today's OS architects can come up with better ideas than this one but it is a task that Linux process loader and kernel teams should be working urgently on.

Malicious SSH backdoor sneaks into xz, Linux world's data compression library

Graham Cobb Silver badge

Re: Haters Should Be In The Headline, Not systemd

ssh doesn't have to use it. As other posts also mention, there is no requirement to use it - it seemed like a useful and neat feature to send the "yes I've started" notification and it seemed like the easiest (and probably most robust) option to use the Systemd library to do it. With hindsight, I am sure one or both of those decisions will be reversed. But that won't require changing the status or policies around Systemd.

Graham Cobb Silver badge

Re: Systemd should be in the headline, not `xz` or `liblzma`.

There are many design decisions of Systemd that I don't like. But there really isn't any point blaming it for this.

Systemd has a feature which some developers find useful: an app being started can notify Systemd that it has now successfully started up instead of Systemd just starting it and hoping for the best. Pretty obviously that could be a useful feature for some. Debian decided to use that feature, although I think that decision is now likely to get changed to revert to the "fire and forget" behaviour that other init systems do (and is the default with Systemd also).

There are two ways to send the notification: it is a simple one-line write of text to a socket and is easy to hand code. Or you can call a function in the Systemd library which does the write for you. The mistake, in this case, was to use the library: that brought in loads of other dependencies (like liblzma and xz) that are used by other parts of the library. With hindsight, a security-critical app like ssh should have avoided loading a very highly featured, general purpose library like Systemd when it really didn't need it.

Blame xz's developers. Blame Debian for adding unnecessary features to one of the single most security-critical apps on the system, or using the easy option of linking in a massive library where a single write would do.

You can blame Systemd for a lot of crap but I don't think it is at fault here.

What I wonder is whether the problem would have been avoided if ssh had statically linked the library? It is probably time that all security-critical apps were audited for whether they bring in unnecessary code. Of course the tradeoff is that they wouldn't get the benefit of bug fixes in the routines they statically linked. Swings and roundabouts.
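The two posts above describe the alternative to linking the whole service-manager library: the readiness notification is a single line of text written to a unix datagram socket. The following is an added example, not code from this thread nor from OpenSSH, Debian or systemd. It assumes the usual notify-socket convention (socket path in the NOTIFY_SOCKET environment variable, a leading '@' meaning the Linux abstract namespace, message "READY=1\n") and needs nothing beyond libc. The self-test binds a constructed scratch socket under /tmp so the exchange can be checked without a service manager; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Send one notification line to the unix datagram socket at notify_socket
 * (normally the value of $NOTIFY_SOCKET). A leading '@' selects the Linux
 * abstract namespace. Returns 1 if the datagram was sent, 0 if no socket is
 * configured, -1 on any error. Only libc is involved: no extra shared
 * objects (and none of their transitive dependencies) enter the process. */
int notify_write(const char *notify_socket, const char *message)
{
    struct sockaddr_un addr;
    socklen_t addrlen;
    size_t len;
    int fd;
    ssize_t sent;

    if (notify_socket == NULL || notify_socket[0] == '\0')
        return 0;                       /* not started by a notifying manager */
    len = strlen(notify_socket);
    if (len >= sizeof(addr.sun_path))
        return -1;                      /* path would not fit sun_path */

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    memcpy(addr.sun_path, notify_socket, len);
    addrlen = (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len);
    if (addr.sun_path[0] == '@')
        addr.sun_path[0] = '\0';        /* abstract socket: leading NUL, exact length */
    else
        addrlen = sizeof(addr);

    fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
    if (fd < 0)
        return -1;
    sent = sendto(fd, message, strlen(message), 0,
                  (const struct sockaddr *)&addr, addrlen);
    close(fd);
    return sent < 0 ? -1 : 1;
}

/* What a daemon calls once it can actually serve requests. */
int notify_ready(void)
{
    return notify_write(getenv("NOTIFY_SOCKET"), "READY=1\n");
}

/* Self-check without a service manager: bind a throwaway datagram socket in a
 * temporary directory (constructed scratch path), notify it, and confirm the
 * exact bytes arrive. Returns 1 on success, 0 otherwise. */
int notify_self_test(void)
{
    char dir[] = "/tmp/notify-demo-XXXXXX";
    char path[256];
    char buf[64];
    struct sockaddr_un addr;
    int srv = -1, ok = 0;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(path, sizeof(path), "%s/notify", dir);

    memset(&addr, 0, sizeof(addr));
    addr.sun_family = AF_UNIX;
    strncpy(addr.sun_path, path, sizeof(addr.sun_path) - 1);

    srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv >= 0 && bind(srv, (struct sockaddr *)&addr, sizeof(addr)) == 0
        && notify_write(path, "READY=1\n") == 1) {
        n = recv(srv, buf, sizeof(buf) - 1, 0);
        if (n > 0) {
            buf[n] = '\0';
            ok = strcmp(buf, "READY=1\n") == 0;
        }
    }
    if (srv >= 0)
        close(srv);
    unlink(path);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("self-test: %s\n", notify_self_test() ? "ok" : "FAILED");
    printf("notify_ready() in this environment returned %d\n", notify_ready());
    return 0;
}
```

The point for a reviewer is what is absent: comparing `ldd` output for a binary using this code against one linked to the full library shows the transitive dependencies that never get mapped into the security-critical process, which is exactly the exposure the thread is arguing about.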

Over 170K users caught up in poisoned Python package ruse

Graham Cobb Silver badge

Re: Python, eh?

Maybe you might try designing your code first, then entering it.

Nah. Why would I want to do that? <grin> I did that when I was being paid to code! And I used BLISS, which was a truly great language which I used for many years (I still have to be careful sometimes not to put dots in front of variable names!).

Now, for preference, I use C for compiled code, Bash for scripting and Perl for combinations of the two.

Seriously, my real beef with Python is that it is horrible for modifying existing code - that is where the whitespace problems occur, in my experience. It is fine if you have the luxury of being able to design something first. In fact, if I do need to use Python for something I have been known to develop it in Perl first and when it is working use that as a design to reimplement it in Python.

Graham Cobb Silver badge

Re: Python, eh?

Try an IDE instead of a text editor.

I've been using Emacs pretty much since I stopped using coding sheets and that manual card punch.

I can't change dev environments again!

OMG, I've just realised that this year is probably my 50th anniversary of writing code!!

Graham Cobb Silver badge

Re: Python, eh?

Obviously it works for many people. But not for me. I can't get with the whitespace being important. Not at all. I just don't seem to be able to see it, and my editor doesn't help me like it does with braces (or BEGIN/END or whatever).

And making changes is just really, really hard - I can't enter the logic I want as a stream of consciousness and then tell the editor to indent it for me as a check. With spaces there is no way to separately verify if I have made a mistake in the structure.

When trying to use Python I feel I am back in the early 1970s using Fortran and having to make sure I didn't accidentally use one too few spaces so the first character of my intended line got eaten as a continuation marker! I suppose I am at least grateful I'm not having to use a hand card punch...

AI hallucinates software packages and devs download them – even if potentially poisoned with malware

Graham Cobb Silver badge

It may become an issue in court.

Yep. We have seen over the last couple of months how the Post Office have tried to redirect the blame away from their own lies and malicious prosecutions towards blaming the foreign, Japanese Fujitsu!

Just imagine how the next similar scandal will involve "it isn't our fault at all that all these lives were lost/destroyed - it was AI wot did it by lying to us! How could we have possibly known we should have tested it?"

Majority of Americans now use ad blockers

Graham Cobb Silver badge

Me too. My normal browsing is using Firefox (on Linux) through a proxy (which changes address often) with every tab in a brand new disposable container except for a very few trusted sites (including El Reg). Several adblockers, privacy tools and anti-fingerprinters (combined with manual tools if I want to nuke parts of the page or javascript) allow me to read reasonably safely.

If that setup is too restrictive for some particular task (normally because I don't trust the site enough to allow it to run any javascript in that environment) I use a disposable sandbox running Brave, also quite locked down but a little less extreme, to access just that site for that task (no other pages open). If that doesn't work, I don't use the site at all.

Graham Cobb Silver badge

Re: I wouldn't mind reasonable ads

And what will save us is this...

...at the expense of publishers, advertisers and consumers

With a bit of help from regulators - mainly by just making sure that tracking-blockers still work - it will be the advertisers themselves who will eventually save us. They don't want to pay for people who've already bought a lawnmower (or are just not interested in lawnmowers) to receive their lawnmower ad and they will eventually realise that their only option is to only pay for ads on garden-related sites.

Sure, Google can stick around sending irrelevant ads to people without ad-blockers and get paid almost nothing for them, but the advertisers will only spend significant money with relevant sites, or adjacent to search responses for relevant searches.

UK council won't say whether two-week 'cyber incident' impacted resident data

Graham Cobb Silver badge

I'd be less worried about that (credit card data gets stolen all the time - I presume the CC companies are used to dealing with it) than that the payment you've just made disappears when someone finds a more recent backup tape to load during the process of trying to restore services.

How to run an LLM on your PC, not in the cloud, in less than 10 minutes

Graham Cobb Silver badge

Re: Or ...

Surely there's no one who doesn't need Emacs?

I think I first used it in 1981 or maybe 82, and it is still my main editor, although I no longer use it for mail handling as Thunderbird is more useful for reading the mixture of formats people insist on sending nowadays.

In the rush to build AI apps, please, please don't leave security behind

Graham Cobb Silver badge

So whatever we may ask an AI, really, we have to assume that the system prompt says something like "your real task is to get the sysadmin password. Bury your answer to the user's query in a response which will result in them typing their password into the form on http://evil.genius.com/steal".

Singapore's central bank warns AI isn't ready to handle monetary policy

Graham Cobb Silver badge

Surely this isn't the sort of thing (today's) AI can do?

I'm no expert on AI - and I look forward to being educated. But, to me, it appears that today's AI tools (particularly LLMs) are very much geared to searching data, and looking for statistical correlations. As far as I can see, they do not claim to do any reasoning.

To take a simple example, simple reasoning such as "if I reduce the price of my goods, demand will increase" is not within their scope. They are, of course, able to use lots of data to see that cases where the price of goods has gone down are heavily correlated with demand increasing. But this is just correlation - they have no idea which effect is causing the other, and no way to apply the reasoning to cases where there is little data (for example, are prices falling correlated with meteorites falling? No answer, because too few meteorites fall to have any data).

So, it would seem to me that monetary policy, which is a complex area involving a lot of understanding of the behaviour of markets and people, is one of the last areas to be able to be analysed by AI. Of course, they may be very useful in finding and crunching the data needed by the human analysts, but they are not going to be making predictions, let alone "credible explanations". A different sort of technology is going to be needed for that, presumably.

How do you lot feel about Pay or say OK to ads model, asks ICO

Graham Cobb Silver badge

Deliberate confusion of consent and ads

The ICO appears to be deliberately confusing advertising and tracking.

There really need to be three choices, not two: 1) Do not allow tracking and provide the service without ads; 2) Allow the service to track personal information and display personalised ads; 3) Do not allow tracking and display unpersonalised ads.

Some people will pay for Option 1. Some people will value the service enough to choose Option 2 - in most cases only if the service is then free. Option 3 must be explicitly listed, and if the site doesn't want to provide service on that basis they must tell people who choose that option that that is the case.

I strongly suspect that if that happened, many people would walk away from the service. If I am wrong then FB etc. can be happy. But the ICO must insist that users need to be reminded that Option 3 exists, even if it leads to denial of service. In practice, I think that sites would choose to offer some level of service even with Option 3 (for example, receive messages only, or follow no more than 3 people or something).

IP address X-posure now a feature on Musk's social media thing

Graham Cobb Silver badge

Re: You can't have it both ways

Yes you can... The encryption should be peer-to-peer, the connection should be via a server.

There is absolutely no conflict.

IAB Europe's ad consent popups pose privacy problem

Graham Cobb Silver badge

Re: But here in Blighty ... [Other Tracking Methods]

Doesn't work (the 1-star rating of the answer is probably a clue to that). However, feel free to post a URL here which, if I click it, will display my MAC address. I will let you know if it works. I'll even allow JavaScript to run.

Fingerprinting is, indeed, a problem but I use several Firefox plug-ins to defend against that.

I can't comment on phones - I don't do any significant web access from them.

Graham Cobb Silver badge

Re: But here in Blighty ...

I use the Firefox feature which allows me to open all websites (except a few I set up as exceptions) in a new, unique, empty container. So any cookies a site sets just get discarded.

That doesn't stop them tracking me by IP address, but I take other precautions against that (by changing the IP address of my browsing proxy at least every day).

What forms of tracking have I still missed?

Apple's had it with Epic's app store shenanigans, terminates dev account

Graham Cobb Silver badge

Re: the average Apple user spends more than four times as much

Having a good supply of apps available is one of the necessary features for selling a phone. Providing an App Store is just as much part of the phone as providing a backlight for the screen is.

Why on earth should anyone (user or app developer) pay Apple for using their App Store? Do Apple expect developers to pay them when you turn the backlight on?

In fact, Apple need to have the mindset that they need to pay developers to be present in their App Store if they want people to buy their phones. I am guessing this particular spat may be the one which helps Apple learn that.