Posts by AlexV 64 publicly visible posts • joined 19 Sep 2009
There is no security risk in accepting cookies. You may prefer to be anonymous and not to receive personalised advertising, and if you care about privacy at all you probably don't want advertising companies knowing which sites you visit. But it's not a security risk.
As many people have pointed out, it's twitters platform and if they don't want you on it because you don't play by their rules then they are entirely within their rights to kick you off.
The problem here is that Twitter, a private company, has been handed effective control of a global infrastructure that should raise so many red flags that no company or organisation should rely on them for anything more than free advertising.
Instead we need an infrastructure like web, or email, where anyone can put up a server and anyone else can choose to either listen or not listen. The government would then have its own server under its own control where the president can post whatever he likes, and it's up to you as an individual, or your chosen trusted service provider, whether they federate (listen to) the government server or not.
I *think* Mastodon is in this model...
So according to Google the threshold is 4MB traffic, 15/30s CPU, or 60sCPU total?
Which means, lets be generous, that an ad that weighs in at 2MB, and consumes 10s of CPU every 30s for 3 minutes is just fine? Because to me, that seems quite high. I would regard about 10KB, 1s CPU total to be a reasonable limit for what an ad should be allowed to consume, unless I explicitly interact with it.
I'm really unsure as to what the point of this is. If you have a 1 year cert, and it's stolen or compromised or something in such a way that it can't be immediately revoked or fixed, then that's on average around 6 months worth of un-fixable vulnerability. Which, you would think, would be plenty. It doesn't really matter whether the vulnerability would stick around for another 12 months after the initial 6 or not, if it isn't fixed within days then it's already too late.
If you do have a mechanism which can immediately revoke or fix the problematic certificate, then it *also* doesn't matter if it was a 1 year or a 100 year certificate, it's dead now and no longer a problem.
Depends what you are looking for from a backup. For myself, I would like to keep a fairly long backup history, but not actually store a duplicate of each identical backed up file at every single history point if it hasn't changed. So I want to be able to look at (and restore from) the full state as backed up at any given date, but without duplicating a full backup's worth of storage for every date.
That said, it's probably worth keeping two full copies of any file, just in case one gets damaged, but that should be transparent to me, I don't need to see that.
Speaking of damage, I want to regularly verify integrity to ensure that the backed up files have not been damaged. I also want to verify that none of the live files have been damaged, but that's harder to do. An alert for any file which is not identical to the backed up version, but whose modification timestamp has not changed, would suffice.
It is also important that the backed up files may not be modified once written, in case any ransomware attempts to encrypt them too.
The backup must run without interrupting usage; it must be able to back up files that are open. VSS is the usual solution here.
Backup software is hard.
Seems pretty clear people can't, or won't generate a secure password. To be fair, it is actually now quite hard to generate a secure password - it's a skill that can be taught, but not something obvious.
So stop asking them to do so! Don't let them create a password, just generate one and assign it to them. Ideally a modern 4-word style password rather than a random character one, but either is better than asking the user to perform a task they are so clearly not able competently fulfil.
If they complain that their password is not memorable, then you can point them at a password manager. Or if all else fails, tell them to write it on a bit of paper and keep it in their wallet - lets face it, if your adversary is of the level to be sending round actual people to snoop inside your wallet then you have bigger problems.
Multiprocess Firefox splits into two processes, one Chrome (User Interface) process and one Content (Web pages) process. Further down the line, there may be multiple content processes.
Extensions run in the Chrome process, but can also provide additional code to be run in the Content process. They do not get their own separate process.
Mozilla started by enabling Multiprocess automatically only for users without extensions. Then users with known-good extensions. The news now is that it's going to be automatically enabling it for users without known-bad extensions.
Yes, it's a good browser. Plus, add-ons, which is even better. I would think it would require all those permissions to provide the web APIs to allow access to them. Firefox itself probably doesn't care about your GPS location (for example), but provides it as an API so that web pages like mapping services can access it. People like having web pages that run like apps. Almost as much as they like apps that run like web pages. Firefox would always ask you before granting permission for any site to use those APIs.
Would make for a great photo frame. Slow 2s refresh is no problem at all. Low DPI not great, but not awful. It would be nice if it could be made solar, so it just charges itself up from ambient light until it has enough power to switch to the next photo, then goes dormant until it's gathered enough charge again.
Yes, paying ransomware is bad for society in general, and you might not even get your data back, but ignoring all of that there's still the fact that your computer has been compromised by bad guys. If you pay them, it's been compromised by bad guys who know you have the means and willingness to give them money.
That is not your computer any more. Whether you get the data back from it or not, you can't trust anything on it.
Time to wipe down to bare metal. If you have the skills, you could try and first determine how it was compromised to avoid future repeats, but the thing's good for nothing else before it's been cleansed with fire.
Sure, you want security if your VPN is for connecting to your corporate network and accessing sensitive data. For a large number of VPN users, though, the only consideration is the IP address you appear to be coming from, whether for bypassing geolocation and content blocking, or for anonymity and privacy from those who consider a list of IP addresses a juicy set of targets for threatening letters demanding money.
For these use cases, security of the connection is barely relevant. Certainly far less important than location, speed, cost, and security (or preferably absence of) any logging or customer data.
They do exist: <http://www.poshmobile.com/catalogue/micro-x-s240/> Can be tricky to obtain, though. Had to get mine from the US through eBay.
Of course, it depends how small you want it. Plenty more choices if you'll settle for something slightly larger. Sadly they are usually coupled with low-end specs, but what can you do.
If the OS held me as the highest authority on what may or may not be done on my own device, as it damn well should.
*I* get to say what is installed, uninstalled, backed up, copied or modified. *I* can grant or deny an app whatever permissions I deem appropriate, and whatever knowledge of those permissions I choose. Do you have permissions to access SMS, or do I just have no messages, and messages you send have no effect? That's my decision.
I think the best use-case for colour e-paper would be digital photo frames that don't need to be plugged in. That's the main obstacle to photo frames at the moment; you want to have them in places that are on display, often far from any power supply, and certainly not with a wire trailing from them. Even more so when you have more than one of them, as is the usual case for traditional frames.
An e-paper display would be ideal - you don't want to refresh the image frequently. Perhaps as little as once an hour or so would be sufficient, and probably only during certain parts of the day (no point refreshing multiple times if no-one is around). With that sort of power draw you might even be able to scavenge the power from WiFi, or if not at least make it practical to run for months off batteries.
Reading the first few posts, I figure I might as well provide some balance from the other side of the opinions. I still use Firefox, because it's simply better.
I don't like the Australis UI changes though; the Firefox UI was better than the Chrome UI, moving it in the Chrome direction did not improve anything. However, being Firefox, there's an add-in available for customising the UI back to the way I liked it (Classic Theme Restorer). That more or less sums up the advantages of Firefox for me, addins to make it do whatever you want it to do, in the way you want it to. Other browser's more limited extensions systems are not in the same league, and the browsers themselves try to force you to accept the way that they think is best to work.
I'd suggest you take another look at KeePass. It meets your requirements, and if you use it's AutoType functionality instead of a browser add-in you'll probably be much happier with it. It's a conceptual shift from the browser(add-in) requesting data from the database to instead having KeePass itself typing the data into the form as if by keystrokes. You as the user have to initiate the action with a system-wide hotkey, the browser can't just fetch what it wants out of the database when it wants it.
I would, however, recommend installing the WebAutoType KeePass plugin (disclosure: I maintain it) so that KeePass can find entries matching agains the URL of the page you are looking at, not just the title.
The problem is with a system where you can't know for sure whether something is legal or not until (well) after you've done it, and it's legality will depend on opinion. They could have made the decision instead that yes, what they are doing is not illegal according to the exact specifications of the law as written, but we'd quite like it to be illegal anyway - but for that we need to go through the full process of amending the law *as written*. If the ammendation were accepted, then the new law would be available for anyone to read and know in advance if what they wanted to do was legal or not.
That's what I see as the problem. Aereo were technically correct, which is the best kind of correct.
I want a phone that's small enough to go in the same pocket as a wallet, like the old feature phones, with a screen that's big enough for comfortable browsing and video watching.
This means that the screen has to be much bigger than the phone is. Any technologies allowing this welcome, whether that be displays flexible enough to roll up tightly, laser projection directly into the eyeballs or whatever.
Probably going to need better batteries too, now that I think of it...
No, the problem is C. In a reasonable language, declaring an array of byte data[P] would result in an *empty* array of bytes. Not data hoovered out of whatever unrelated (and potentially sensitive) crap is sitting in memory at the time. Similarly, copying 64k bytes of data from an array that's 2 bytes long would result in an exception, preferably at compile-time (but at worst, at runtime). Not an apparantly succesfull copy with 2 bytes from the array and the remainder from unallocated memory.
Writing in any language, you could have a bug where you crash out with malformed input with mis-matching lengths. The bug isn't the big deal, the big deal is that as a result of the bug C behaves in a completely unacceptable way.
You're *still* trying to use a smartphone, just a really crappy one. Without a smartphone means you use your phone for voice and text messages.
No email. No browsing. No social media. No synching, although a one-off transfer of contact phone numbers onto the phone is allowable.
Of course you still need a laptop or computer for doing all of that, the point of not using a smartphone isn't that you don't use the internet, it's that you don't use your *phone* for doing so.
So your computer has been shown to be compromised and your solution is to demonstrate to the people who now own it that you have the means and willingness to pay up on demand?
Nope. That computer is toast. Wipe it to the metal and re-image it as if it was new. If you've lost data that wasn't backed up, then it might prove sufficient motivation to actually set up a backup system now...
It occurs to me that I may have come across slightly negative in my posts on this thread. For balance, then, here are some more positive assertions that still square with my arguments above. In my opinion:
* You exist. By any sensible definition, you are a thinking, concious, sapient being.
* Your choices and actions matter - to you, and to others who in turn matter to you.
* You will not be forced into an unwelcome future by some ineffable force of destiny. (By society, your parents, and peers - now there's a different matter!)
* No-one knows for sure what the future holds. Enjoy the surprises!
(not)Spartacus,
At the point the picnic happens, it can no longer be changed? What is special about that point? At time t, the picnic happens. At time t-1, the picnic will happen in 1. At time t+1 the picnic happened 1 ago. Your point of observation moved from t-1, when you did not know for sure if it would happen or not, to t, when you were enjoying a nice hamper of goodies on the grass, to t+1, when you know it happened. What changes is your knowledge about the event, not the event itself.
This is true whether or not, at t-1, your final decision on whether or not to have the picnic rested on a dice roll or on working through a algorithmic set of calculations.
To be clear, I'm not asserting that we don't have free will. I'm saying that, trying to think it through, the concept doesn't appear to mean anything...
If you think the future can be 'changed', what is it being changed from? Something is going to happen at 10:00am tomorrow. You don't know what it is for sure. No-one knows for sure what it is. It may even be fundamentally physically impossible to know for sure, even granted perfect knowledge of the entire state of the universe at this snapshot moment in time.
But just because it is unknown, doesn't mean that it can change. To change, there must be at least two states, and it must at one time be in one state, and at another time be in another state. The thing we are talking about is just one single instant in time, specifically 10:00am tomorrow. It can't change because there is only one state, and no time elapsed. There may be many possibilities for what might happen, but only one will turn out to have been the one that actually does.
The picnic is planned for tomorrow. It may or may not happen, you may change your mind several times. It hasn't been decided for you; you are the one deciding. There is, however, only one final decision that you will make about it. Any decision you make before then isn't the final one, by definition. The question you seem to be asking is, can you change what your final decision will be? Again, the problem here is 'change' it from what? From what you, or anyone else, thought it probably would be, before you made it? Sure, of course, but that's not changing it from what it actually will be.
For your final point, is the brain following a pattern, or are we actually thinking? What would you consider to be the distinction?
The point, however, is more fundamental than this. It doesn't matter how the brain works in practice, or whether it can be, even in principle, actually predicted or not.
Why does whether it is predictable or not make any difference as to whether it is 'free will'? What is the difference between thinking we are deciding things, and actually deciding them?
Without a workable definition of what you mean 'will' to be 'free' of or from, there's very little that can meaningfully be discussed about it. You can start from the other side, what would non-free will be? If all you can say is that non-free will is that where by you could not have made any other decision, then the question becomes, under what circumstances? There is the decision that you actually made, that can clearly not be changed.
If circumstances had been different, could you have made a different decision? I think that's trivially obviously true. If I decide to have a picnic, if circumstances were different and it was raining, could I have decided not to have a picnic? Or if my state of mind was different and I just didn't feel like one? I don't think anyone would argue otherwise. If circumstances including state of mind were identical, could I still have had some random probability of swinging either way? Possibly, though untestably - but would having some random element to your decisions outside of your awareness or control make you *more* 'free'?
There is no special time dependence about this either. The decision that you did make can't be changed. No more so can the decision that you will make. Tomorrow, you will decide either to go on a picnic, or not. You may change your mind several times before then, and it may be impossible to know in advance which way you will decide, but there is only one true answer to what the decision you make will be - even if no-one knows what it is.
This gets a bit squidgy if you believe in multiple worlds/timestreams such that you believe that you will, in fact, make both decisions. I think under those circumstances you need to have a bit of a think about identity and what you consider to be *you*. If both the picnic-goer and the non-picnic-goer are both *you*, then that opens a whole great big can of worms that I don't even want to touch here. At a bare minimum, you should live your life in a constant state of abject terror because something extremely horrible is guaranteed to happen to at least one of 'you' very shortly, even if the overwhelming majority of 'you' are in happier timelines.
"Free will" is rather poorly defined. In this article, it seems to be predicated on unpredictability. It's unclear why being unpredictable is any useful indicator of will, free or otherwise. An unstable double pendulum is unpredictable, but that doesn't make it have free will by any useful definition.
In a word, yes. That's one part of what the Open Connect system offers (follow the link from the article). The other is to offer free peering at a common exchange.
It all gets a bit complicated with transit fees and a raging argument between Netflix and ISPs like Comcast and Time Warner, but the basic argument is that the ISPs think that Netflix are using their capacity to deliver to users and should pay for that (and so are unwilling to sign up for OpenConnect as that would result in Netflix not having to pay them any transit at all). Netflix is more of the opinion that it is the ISPs users who are requesting Netflix data, and Netflix are doing the ISPs a favour by making it available at all - they certainly see no reason why they should have pay the ISPs extra for data which the ISPs paying customers are already paying for.
As another home user, I run a similar setup: disk images of the OS drive, and file copies for data run periodically.
However, having been stung by data becoming corrupted without my knowledge, and then naturally having this corrupted data being itself backed up, I had to come up with something a bit stronger.
My current data backup system, lashed together by scripts, is:
1) Copy all files to be backed up to the backup disk (a USB attached hard disk) into a Mirror folder. I use FreeFileSync for this so I can set up inclusion and exclusion rules, and it can use VSS to copy files that are in use.
2) Create a text file containing the ACLS of all the backed up files, in that Mirror folder (optional, but in my case, some of the ACL permissions are important and would be a pain to reconstruct). Couldn't find a decent tool for this, had to write one.
3) Create a checksum file containing the checksums of everything in the Mirror folder (md5deep can do this)
4) Create a new timestamped history folder. For every file in Mirror, check the previous history folder (created last time the backup was run) for the same file. If the same file, with the same modified date, exists there, then create a hardlink to it in the new history folder. If the file isn't there, or has a different modified date, copy the file from Mirror into the new history folder. (A tool called ln <http://schinagl.priv.at/nt/ln/ln.html> can do this in Delorean Copy mode)
5) Check the checksums file against the files in the new history folder. Any mismatches indicate that a file has changed content without changing modified date, and therefore an indication of possible corruption. This is reported, then there are three copies to check by hand - the one in the history folder from previous backups, the one in the mirror folder from the current backup, and the one on the live installation that was backed up. At least one of them is probably corrupted, but it should be possible to find and restore one that isn't.
Before doing any restore, the checksums can again be verified to guard against the backed up data having become corrupted since it was backed up (only the current versions of backed up data are verified as part of the normal backup procedure).
Of course, the disadvantage of this is that it is slow, as it always has to copy all the data. However, if you don't actually copy the data, and only assume that it's still the same because it isn't supposed to have been modified, how would you know?
I have, every so often, looked to see if I could find backup software that would do the job in a less home-brew fashion, but nothing I've found yet can do the job.
This vulnerability, unless I'm missing something, could only leak passwords that had actually been used. With physical access to the machine (and privileges sufficient to do stuff like memory dumping of the process), that's plenty to be able to get the used passwords regardless. Unused passwords may remain encrypted, but in order for LastPass to actually fill in the form, the password must be given to IE in plaintext, and it remains right there in the web in plaintext before submission. Injecting a malicious extension could read it out of the DOM, or a man in the middle proxy locally installed could read it off the wire (remember, we have full local privileges so can easily mark an MITM SSL certificate as trusted).
Even with no privileges, you could do it (as a first stab, just paste javascript into the address bar to read it out of the DOM and pop it up in a message box), although doing it undetectably would probably be trickier.
As Ben has pointed out, if they have physical access to a machine and privileges sufficient to interact with your browser, it's game over, any password you use, and any unencrypted data can be regarded as compromised.
Get yourself a domain name (there are some really cheap ones around, if you don't care what the tld is), set it up so that anything@example.com gets forwarded to your real address. Then, whenever a website wants your email address, you give it their name: theregister@example.com for example.
If they are well behaved and send you only emails you want, or honour unsubscribe requests for those you don't, all fine. If they prove rogue, blacklist that "to" address and never be troubled by them again.
I find it more convenient than having to create an address before using it (like trashmail) or having to visit a site to pick up mail sent to it (like mailinator), but that's because the vast majority use-case is non-spammy. If it was mostly spammy, or I needed an address to use with someone already known to be spammy, then I'd use mailinator.
Don't really care what they call it, as long as they call it *something*. At the moment, they haven't got a name for it, just a bunch of descriptions. "Modern apps", "Windows 8 apps", "Windows store apps", etc. Those aren't names. Call it "Squareo" or "Touchblox" or whatever you like, we'll get used to it as long as they don't keep changing it.
Using 8.5:
I hate that, in a text box Ctrl+A doesn't select all, it inserts a pointless special character.
I hate that, if I view details of an email address, I can select the text, but I can't copy it.
I hate that pop up dialogs (like Find, various option, etc) aren't actually windows, but just drawn to overlay the main window. So can't be moved out of it. And the close button doesn't work on them.
I hate that you can't drag and drop things in and out of trash and sent, because they are 'special'
I hate the fact that you don't check for mail, you "replicate your database", and that doing it every 5 minutes is considered quite often enough. Like it's 1997 and we're using POP over dialup.
I hate that every so often, it will declare that it "Can't create file" when trying to copy text from an email. Then refuse to open any other emails until you restart.
I hate that rules aren't editable. Or duplicable. Or work properly, half the time. I shouldn't have to write an agent to do simple tasks.
I hate so much more about this pile of junk I just do not have time to write about.
Most of all I DO NOT WANT a cross-platform replicating database application platform that can (barely) be coerced into providing basic email-like functionality. I want a proper email client, designed for Windows, using Windows controls and affordances, following Windows UI standards. If you're writing client software in Java, you're just off to a bad start already.
It's certainly a great step forward (well, backwards, technically, but you know what I mean) to have a start menu that doesn't fill the full screen just to launch a program, but is there any chance we can fix metro apps to not be full screen too?
I don't see why it shouldn't be possible to create something whereby metro apps launch inside draggable resizeable windows, so that they play nicely with a desktop OS rather than a tablet one. Metro apps must be able to display at different sizes (due to different screen resolutions), and if you have multiple monitors then you can display them on just one of those, so there can't be a technical limitation in having both a metro app and normal windows programs displayed at the same time.
As far as I can tell, the 7.7 is better than this one - higher resolution, thinner, lighter, barely any larger (197x133 compared to 194x122), faster CPU, more battery, better screen tech.
Unless this one is a *lot* cheaper than the 7.7, I can't see any good reason for it to exist.
I can understand why you might want to keep savings in gold rather than sterling. I can even appreciate the reasoning that now is the right time to make that investment.
I find it a bit more of a stretch to believe that the best way to do so is to buy small pieces of actual gold and, what, hide them under the mattress? When you need the cash, send them to Cash for Gold or similar? Gold would have to go up in value quite a bit for that not to be a loss.
Unless you're convinced of an impending financial apocalypse, if you want to invest in gold, invest in a gold-backed financial instrument (ETFs, ETNs, etc.), and not in a novelty gold souvenir dispenser.
I'd ask for my money back, if I were the customer. Netragard were specifically told what they wanted tested, and it wasn't social engineering or physical access attacks - they wanted to know how well their network would stand up against external attack. Netragard completely failed to do this.
Or maybe we don't have the full story, maybe they did test it, found no vulnerabilities, and decided to go off-mission and get some publicity for a clever stunt anyway. Either way, they'd not be getting my business again.
Why would I want my voip software running in a web browser? I want my voip software to run at startup and always run in the background, but popup and notify me when it needs my attention - which is almost the exact opposite of what I want my web browser to do.
No longer ad-supported, and free? I understood the old model of free with ads, or pay to remove them, but if it's free without ads, then how are they financing it? It's not an open source project as far as I can tell either.
It makes me nervous. I'm not paying, so I must be the product not the customer - but who is the customer and what are they buying?
Global menus are very silly indeed. If you're only dealing with one window at a time (like on a netbook), have it maximized. No need for a global menu, the window menu is already the only one you see, and is at the top of the screen.
If you have a decent sized screen, and showing multiple non-maximized windows, why would you want to move the mouse away from the window you are interacting with in order to get at its menu? Even worse, if the window isn't active, you can't even see the menu, and to click on it you have to go first to the window, then back out to the menu bar. Madness.
I wouldn't expect any other part of the application UI to change dependent on which the active window was, I don't see what makes menus so special. If you're going that way, why not the close/min/max buttons too? Or the toolbar? Or tabs?
I've grown quite attached to my Waveceptor. Solar powered and radio synching means it never needs batteries and never needs setting. If you left it in a drawer for years, then when you took it out it would charge itself back up and set itself to the correct time, with the hands whirling round to get there :-)
I'd prefer it to be a bit thinner, although if 6mm is considered thin now, I guess there's not much chance of that!
Firefox Mobile 4.0b2 loads in about 4s on my android device.
Firefox 4.0b6 loads in slightly under 1s on my desktop. (not properly benchmarked, just stopwatch from when I hit the shortcut icon)
So, not faster than desktop for me. Not fast enough to be a viable replacement for the android browser yet, unless you've the memory spare to leave the thing running in the background.
Quite possibly faster than older versions of Firefox on the Desktop, particularly if it's a version prior to them fixing the 'scan all files in the temp folder on startup' bug, and you've got a typically far-from-empty temp folder.
Got any links or names for better Android tablets? Serious question - I fully intend to buy a 7" tablet, and if there is something better than the Galaxy Tab around, please do point me in the right direction!
I'm not interested in something not quite as good but cheaper (Viewsonic), or not quite as good but bigger (iPad) - 7" is the size and more importantly weight-class I want, and I'm looking for the best, not the cheapest.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
