* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Today the web was broken by countless hacked devices – your 60-second summary

Charles 9

Except there would be collateral damage. Those targets also have LEGITIMATE business via the web. You'd be doing the DDoS's job for them using that, and the way the IoT botnet works, they use the same legitimate requests we do, so they're camouflaged as well. As for the ISPs, they don't see a lot of traffic individually, and the amount they emit wouldn't probably surpass traffic from a home server running, say, a home camera feed.

Charles 9

Re: Standards Bodies need notice

"'We can't stop them all so we might as well do nothing.'"

In this case, it's accurate. It's not worth swatting one angry bee because there are a million more after you. You really DO need an "all or nothing" solution to it or the ones that slip by kill you.

Problem is, sovereignty gets in the way. How can you regulate devices when they can just be shipped direct from companies who don't care?

Flash reaches the enterprise tipping point

Charles 9

You're missing the point in 2014 when the graph turns downward. That's about the tipping point.

NSA, GCHQ and even Donald Trump are all after your data

Charles 9

How do you get stuff delivered to you if you lie about your credit card info OR your delivery address? And don't say you buy exclusively brick-and-mortar because more and more things can ONLY be shipped these days.

Charles 9

"Agreed - but you don't have to make it easy for them on day one. If they have to start initiating the surveillance when they get power then they don't have any prior accumulated data. People then also have a chance to try to avoid the new surveillance."

Problem is they're patient. Whether it's on day one or day one million, they can get to you eventually. Since they can play the long game (or cheat), you have to wonder if it's really worth it in the end.

Charles 9

"Then embiggen it: write a script which scrapes random texts off the internet, and sends them (via email/Facebook/Twitter/whatever) to random accounts which you have set up for this purpose. The spooks will be drowning in so much noise that they'll never be able to figure out which messages are real."

Or they learn how to sift out the chaff and figure out from other clues which messages are real and which are not (say, only pay attention to messages with common typos or ones that get germane replies). Don't underestimate the power of a State with a lot of resources and the motivation to de-anonymize you.

Charles 9

Problem is, human ingenuity ensures ANYTHING can be abused, meaning there's no escape.

Charles 9

Re: No hiding place

Anyplace remote enough to have no connections, wired or not, would still be within view of a satellite or spy plane.

Charles 9

Re: Minimise your exposure

But what if you're BUYING something? By law, that requires real details to verify your transaction and/or get your delivery.

Dirty COW explained: Get a moooo-ve on and patch Linux root hole

Charles 9

Re: There will always be another bug..

"The solution is obvious. Avoid unnecessary complexity, like UEFI."

And if the complexity is NECESSARY? Say for legal reasons (say, being REQUIRED to be able to upgrade the system in case the baseline has an exploit in it)?

Charles 9

Re: There will always be another bug..

"We need to make manufacturers responsible for any actions of their devices that were not explicitly advertised to the users. Then the manufacturers will start paying attention!"

But what happens when the manufacturers hide behind sovereignty? And lots of things are imported direct to the buyer these days? How will you stem that without seriously hurting the economy?

Charles 9

Re: There will always be another bug..

"This is why IMO the constant warnings about the "Internet of Things" are spot on. If you want to be secure, only an air gap will truly prevent us ingenious, morally-questionable humans from finding another way around the next patch."

Which is next to useless for something you HAVE to network. So how do you secure something that MUST be networked? And no, Joe Public WILL NOT accept, "You can't" for an answer. They want an answer, toot sweet.

Charles 9

Re: Root all the android things

And then all the root-aware apps stop functioning, or have you forgotten that's a rising concern in Android apps these days?

Charles 9

"How can you get the job done when someone has robbed all your tools ?"

With your hands. At least the shed means you can stay out of the rain, which means you can STILL get the job done. Besides, in the digital world, you can't rip silicon out of its housing without taking the entire CPU away, so bad analogy.

Interesting you bring up the 8080 because that clearly demonstrates the mindset back then, and the mindset today (because no one's been able to create something secure-first that can still do the job): the job comes first, security second. If you're in a situation where security is so critical that the world can depend on it (like the US military), then a whole other mindset is needed which is generally incompatible with deadlines.

Charles 9

"Truth is no software will be relatively secure until processors and hardware subsystems are re-designed from the ground up with security coming first in the mind of the architects. It's an afterthought to performance and convenience."

For good reason. What good is security if you don't get the bloody job done? A fortress is no good without a way in or out, for example.

Charles 9

Re: The very definition of technical debt

The problem with formal proofs is that they can ONLY apply in a very narrow set of circumstances. seL4, for example, is ONLY formally proven when no DMA is allowed. But the real world intrudes, and secure code is next to useless if it doesn't let you get the bloody job done, and in the real world, performance matters.

IOW, the worlds where Linux is used are too mercurial for a set of formal parameters to be constructed. Thus, formally proving Linux under all its real-world use cases is likely infeasible.

Basic income after automation? That’s not how capitalism works

Charles 9

Re: Negative interest rates? That's not how capitalism works.

Either storage or spoilage, as now you have a surplus.

Charles 9

Re: Slight problem

"the logical conclusion of this is two very rich people owning half the factories each and only having each other to sell to."

You say that as if it's a bad thing, but perhaps these two (or say, four or five) may well be content with the walled garden if the proles are kept out. Or they could just fight winner takes all, after which no competition means the winner no longer has to share or divvy.

Charles 9

Re: automation has always been difficult

"When lots of jobs go and there is not enough to go around society will have decide how to progress, it is helpful to have looked at possible choices ahead of time and discussed how they could be implemented rather than sticking your head in the sand and saying that the current capitalist system is perfect and nothing will change is at best a waste of time at worst a distraction."

The reason everyone's sticking their heads in the sand is because all the analyses point to an unpleasant fact (unpleasant because it will involve people dying, which automatically means it could be THEM): the planet is overpopulated, and the problem will only get worse as more people get hopelessly idled. Soon you're going to have a Cold Equations situation where, no matter how you slice it, there won't be enough to go around; people will have to go, and that never sits well, especially when they're voters.

Or to put it another way: Ten people stranded in the middle of an arid, barren desert, and there's only one bottle of water. Solve.

Charles 9

Re: Errrm

"Shirley you're joking. 'Electrolux is the fourth largest household appliance company worldwide based on its sales in 2013.'"

No, because I'm speaking from an American perspective, and over here the dominant names in vacuum cleaning are Hoover, Eureka, and Oreck. Except for the last who tends to cater to the hospitality industry (who can in turn pay the money and apply the pressure), those names aren't really associated with machines that last for generations. Finding either Kirby or Electrolux anywhere in America tends to call for specialty shops that can be difficult to locate. Trust me; I looked.

Charles 9

"When the state retirement age is heading ever upwards towards 70 it's very difficult to take the 'automation' argument seriously at all. When it gets down below 50 there may be a case."

But doesn't that in turn put a burden on the rest of society? When people live longer without working, they tend to end up taking away more than they put in while they were working, which is actually one counterargument to a robust healthcare system that doesn't raise the retirement age to compensate.

Japan's really feeling the pinch now as their population distribution skews heavily towards the elderly. Many other first-world countries are starting to feel this pinch as well (the US gave some concrete examples; e.g. Social Security was once fed by 20+ workers per recipient. Now it's just 2).

Charles 9

Re: Reality is never simple, but I'll take a stab at it...

As I recall, mortality isn't one of the Sins. They were Pride, Greed, Lust, Envy, Gluttony, Wrath, and Sloth.

Charles 9

Re: Errrm

"What happened to pride in the work and quality? My parents bought products, they were expensive, but they lasted decades. Today, the products are either cheap and fall apart after a couple of uses or they are expensive and last a few years."

How many people know the names Electrolux and Kirby? Not many these days, and they were as you described: companies that made expensive vacuum cleaners that lasted for years and years. But then that was their problem. Once customers got their vacuum cleaners, they never came back because they never needed another.

There's your answer. "One and done" isn't financially sound because ANY business in the world will have running costs. Thus, one key goal of any business is to have repeat business.

Charles 9

Re: Errrm

"The author isn't attempting to say that capitalism is forever and UBI won't work because capitalism is a natural law. She is saying that capitalism does not work, and we can't simply 'patch' it with UBI to make it keep working like it used to. It's a broken model, and the groups latching on to UBI as a kind of panacea for the many problems that emerge from it are barking up the wrong tree, because it'll maybe tide things over for a few decades before the fundamental contradictions cause it to collapse again."

But then that evokes a paraphrase. "Capitalism is the worst system out there...except for everything else." Meaning that if the best option we have for society is hopelessly broken, we're basically sunk. You say people are essentially needy. I say people are needy AND fighting with the neighbors. Many say economics isn't necessarily a zero-sum game. I say it DOES at times, and it's at THOSE times when things get ugly. When there's no external crisis or issue (like a war) to force us together, we start to turn inward and compete with the neighbors. It's instinct: humans I feel are most fundamentally social only in a tribal sense. We form immediate attachments to family and perhaps one level up, but when it comes to the neighbors we tend to be more mercurial.

Anyway, the discussion leads to what I feel is a fundamental human trait: humans will cheat if they can get away with it. And that affects any and all economic systems humans can devise. Some human somewhere WILL (not MAY) find a way to game the system...ANY system. And since it's practically instinctive in the human condition, I don't think it's possible to fix it (because there are those who have the will AND the means to actively prevent it because they benefit from it) without creating a better human, and as the saying goes, "Nice guys finish last."

Puppet shows its hand: All your software is belong to us

Charles 9

Re: In the future code is going to be managed and deployed by other code

And as I recall, true AI, as in software that can manage and improve itself unprompted, is one of those "it's always 20 years in the future" things.

Charles 9
Joke

Re: In the future code is going to be managed and deployed by other code

Pardon me, but if their goal is to develop code that manages code, then who develops the code that manages their code that manages the original code, and so on down? And if you develop code that can manage itself (which I don't think you can because of limitations of scope), then you can collapse the whole system back down to the original system and simply let it manage itself with none of the middlemen.

IoT botnet swells

Charles 9

Re: Govts needs to get a grip on it and now

"Amazon and eBay can be fined if they don't do something about it as they have offices in the UK,"

And how soon would those office CLOSE if the law gets too close?

That's the thing with international companies; they can play sovereignty against you.

Charles 9

Re: Great. Just great.

"Who owns Amazon, Facebook, Google, eBay, Maplin etc?"

People who could easily end up in someplace like Antigua with no extradition agreements.

"Where are the regulatory offices?"

Where could the corporate headquarters be moved so that these offices can't reach them?

Charles 9

Re: Ebay

How when virtual identities are so cheap (and real ones not much more expensive)?

Charles 9

Re: Govts needs to get a grip on it and now

They'll reply with lawyers and claims of fraud. Next.

Charles 9

Re: Great. Just great.

How are you gonna make China care when (1) they don't care what happens to the West and (2) they have nukes?

This speech recognition code is 'just as good' as a pro transcriber

Charles 9

Re: Dodgy numbers?

What about live transcribing of a live event, like the closed captioning you see during sports events?

Charles 9

Re: Forward planning: that will greatly help ..

Then I wish them luck trying to interpret when I call out LCEDIV4A8EPTBK.

Charles 9

Re: @ Black Rat

Oh? How about "Recognize speech that I want to wreck a nice beach."?

Charles 9

Re: The real test will be captioning YouTube videos

Given the errors I see in those efforts, don't bet the house on that statement.

It's finally happened: Hackers are coming for home routers en masse

Charles 9

Re: I think security-by-obscurity is only a problem if it applies to many items which...

But considering where these things could be installed (as in out of the way), there are many instances where external access is a PREREQUISITE because physical access may not be possible. But then, why is it that the device can't differentiate between the internal and external ports and simply not allow ANY remote access (at some hardware level) from the external port?

Charles 9

Re: Time to research alternatives

Ever heard of "Tivoization"? Providing the source code is next to useless if the device demands a signature to go along with it, which ONLY the manufacturer can provide.

Charles 9

Re: Time to research alternatives

"None of this is difficult, but it does require a basic set of background research and knowledge on what you are doing, but I assume that's not an issue for the majority of the readers here !"

But what about the average Joe out there who expects a turnkey solution?

Whinge on: T-Mobile US docked $48m for limiting 'unlimited' data plans

Charles 9

Re: Wrong!

Heck, if I wanted to demand one thing from Congress, it would be a law that required that ANY interaction with the general public be required to be solely and completely truthful just like at a trial. That includes any statements before a TV camera, any ads, whatever.

Charles 9

Re: Really??

You will find that it's not much better anywhere else. Just earlier today I saw an ad for I think AT&T that said data rates can be limited after, say, 22GB. Couldn't stomach the monthly rate for that plan, however.

That said, this marks something I thought I'd never see out of the FCC: them forcing providers offering "unlimited" service to take the word literally.

Robot cars probably won't happen, sniffs US transport chief

Charles 9

Re: FTFY

But some drivers seem to be able to anticipate disaster before it occurs by intuitively identifying clues based on instinct. This is something that pretty much can't be taught...because we don't ourselves know how we come about knowing it. It just clicks and you react...reflexively. The higher brain doesn't even get involved.

Charles 9

Re: Hart

"That's what testing is for. Is an Apollo Program analogy too much of a cliché here?"

Testing couldn't account for Apollo 13. It was only quick HUMAN thinking that saved the astronauts on that mission. And it's hard to test something for which the parameters aren't completely knowable: thus what happened with Apollo 1.

You work so hard on coding improvements... and it's all undone by a buggy component

Charles 9

Re: Another closed source shill?

Wasn't Thompson's 1984 paper retorted by David Wheeler in 2005 ("Countering Trusting Trust through Diverse Double-Compiling"), demonstrating a cross-compiling method by which you can detect a bad compiler?

SHA3-256 is quantum-proof, should last billions of years

Charles 9

Re: Hash functions

Every time someone brings up that XKCD, I have to bring up two possibilities: the masochist and the scaredycat. Masochists would welcome the wrench, scaredycats would faint just at the sight of it.

Freeze on refrigerants heats up search for replacements

Charles 9

Re: why refrigerants ?

Actually, most heat pumps still need refrigerants. It's just they're designed to work in either direction: transferring heat outside in the summer (acting like an A/C) and inside in the winter (acting like a heater). You still need a means to transfer the thermal energy from place to place, and that's where the refrigerants come in.

Also consider that a car engine itself gets pretty hot, even in the winter. That's why many car heating systems simply pass air around the engine before sending it into the cabin (and thus why the heat doesn't really work in a car until after the engine warms up, unlike the A/C which can usually get to work within a few seconds of the car cranking up).

This also poses a problem for the Peltier cooler since the hot and cold sources change from season to season.

Charles 9

I wonder if part of the problem is that the very properties that make a substance a good refrigerant also make it a greenhouse gas?

As for propane, what about at the point of a leak, which would not only be more concentrated but also likely to trigger static sparks? IINM, this caused a massive fire involving lots of cylinders one day.

Apple's car is driving nowhere

Charles 9

Re: Trains, planes and ships

That's assuming the train has the capability to stop, but the thing about trains (especially freight trains) is that they're very, VERY HEAVY. And all that weight translates to A LOT of inertia. So the train may be able to see an object coming up ahead, but it may well lack the sheer physical strength to come to a stop before impact, and while it can be just problematic when a train rams a cow or a transfer truck, it can get pretty tragic if the object is large enough to cause a derailment or, worse, shouldn't be contacted at all (like a propane truck stuck at a crossing--when a train rammed it, it literally exploded). And some scenarios you pretty much CAN'T plan for due to their sheer spontaneity (like an earthquake).

Basically, the problem set of trains doesn't overlap well with the problem set of cars.

Charles 9

Re: Trains, planes and ships

So what happens if there's a loose car on the tracks? Or a large tree? Or a cow (remember why old trains had "cow catchers")? Or there's a bridge kink ahead (REAL train disaster occurred because a rail bridge was dislodged by a ship but only kinked the rail rather than broke it, keeping the electrical connection live so the train had no clue what was ahead).

Charles 9

But performance can also mean acceleration, and being able to get up to speed in a reasonable amount of time (or even quicker in an emergency) would be a good selling point for just about ANY car buyer.

Audit sees VeraCrypt kill critical password recovery, cipher flaws

Charles 9

Re: I'll be sticking with TrueCrypt..

I switched from TC to VC, and I don't feel silly. For the most part, it's improved on TC and dealt with a few problems that turned. Since I don't use the more esoteric functions, I haven't had much to worry about at this point.