Posts by Invidious Aardvark

112 publicly visible posts • joined 3 Feb 2011


The Epic vs Apple trial is wrapping up, but the battle has just begun

Invidious Aardvark

Re: "Apple’s ironclad control of the iOS platform"

So who gets the other 90%? After all, Epic are also just selling “the same bytes over and over again” so they’re also only entitled to 5% because you think them getting 70% is egregious too, right?

I mean, their platform is done and dusted - they make their money selling cosmetics and other in-game tat to their playerbase. They’ve made the money they invested in the game many times over already, same as Apple have with the iPlatform.

It’s going to take something more than your gut feeling that Apple charges too much to make me feel sympathy for either side in this case. Epic could quite easily have just gone “Sorry people, Apple charges too much so we’re dropping support for the iDevice market”. That would have earned my respect and may even have caused some pain to Apple. Instead, they pulled an Apple and went to court.

A pox on both their houses.

Take a Big Blue cheque and go: IBM settles 281 UK age discrim cases

Invidious Aardvark

Re: bright graduates picking other employers instead of bringing their smarts under Big Blue's roof

Some people like the blood of Christ for the eucharist, the more hardcore prefer the Holy Spirit...

Microsoft sees sense, will give Office 365 admins veto rights on self-service Power tools

Invidious Aardvark

It's a start...

But how about making it opt IN, since the current status quo is that no one can self serve. That way IT admins are consciously opting in for a service they require, rather than having to jump through some hoops to opt out of a facility they currently do not have and do not want.

Plus, what happens when MS decide that other products should be self-serve enabled? Based on this announcement I assume that IT admins will need to play whack-a-mole every time MS decide to enable self serve on a new product.

Brexit: Digital border possible for Irish backstop woes, UK MPs told

Invidious Aardvark

Re: 41 good, 44 bad?

I'm heavily remain but what does this have to do with the point to which you're apparently responding? Quoting a figure that is essentially the outstanding amount that the UK committed to pay in the current budget does not actually address the point that was being made about being a significant net contributor.

You appear to be (willfully?) ignoring the fact that the UK does indeed contribute more than it receives so I will simply quote the same website back at you:

"The UK pays more into the EU budget than it gets back.

In 2017 the UK government paid £13 billion to the EU budget, and EU spending on the UK was forecast to be £4 billion. So the UK’s ‘net contribution’ was estimated at nearly £9 billion."


You may also be interested in https://www.bbc.com/news/uk-politics-48256318 which states "Germany, with a net contribution of €12.8bn, was the largest contributor, followed by the UK, with €7.43bn (£6.55bn)."

Firefox armagg-add-on: Lapsed security cert kills all browser extensions, from website password managers to ad blockers

Invidious Aardvark

Re: Hmm... nothing here

They pushed out a temporary fix via their "Studies" feature. It's possible that you've not locked that side of things down and thus received the fixes before you could notice that anything was wrong?

There was a bit of a kerfuffle about their suggested short term fix amongst people who have deliberately turned all these features off. Essentially, they were saying that either none of our ad and script blocking add-ons would work OR we could turn on "Send technical and interaction data to Mozilla" then enable Mozilla studies in order to get that crop of fixes (plus whatever other "Studies" they felt like).

I used the short term fix of loading addons in debug mode (about:debugging -> Load Temporary Addon) every time I started up FF. A bit more work but it avoided any Mozilla slurpage.

Oz digital health agency tightens medical record access as watchdog warns of crim honeypot

Invidious Aardvark

So if I understand these tough new powers, the CEO now has the power to close the stable door a mere 5 days after the horse, loaded down with all that data, has bolted.

If he feels like it.

After he's notified the offending party that he's about to do so.

Needless to say I have opted out rather than participate in this game of health data breach roulette.

I'm anti-Google, please elect me: Senate hopeful rides tech backlash

Invidious Aardvark

"My Office will not stand by and let private consumer information be jeopardized by industry giants, especially to pad their profits."

"Unless I get my cut of those profits." he added under his breath.

You're decorating it wrong: Apple HomePod gives wood ring of death

Invidious Aardvark

Re: Lace Doily

Due to issues with the new HomePod Base leaving unsightly stains on organic surfaces, Apple is now proud to announce the new HomePod Base Base for $300. The new HomePod Base Base, designed in California (*1) and made from 100% recycled iPods, is guaranteed to leave no marks on any approved surface (*2) and comes with a lifetime guarantee (*4).

(*1) Manufactured in China.

(*2) Currently only the HomePod Base Base iTable has been approved. This product may leave marks on any unapproved surface (*3).

(*3) Currently only the Apple HomeFloor iFloor has been approved. HomeFloor iFloor is only compatible with any Apple iHouse approved building materials. Enquire at your local Genius bar for information on these products.

(*4) Adult mayfly lifetime.

While Western Union wired customers' money, hackers transferred their personal deets

Invidious Aardvark

"We promptly moved our external secure storage to a different vendor's system."

I hope they bothered to check the new vendor out, assured themselves that they could provide an actually secure system (rather than what they already had which, presumably, was sold as "external secure storage"), and set the new system up correctly so that it actually is secure this time. Otherwise they've just moved the same data to a different target and they'll be recycling this press release in a few months and promptly moving their external insecure storage again.

Firefox to warn users who visit p0wned sites

Invidious Aardvark

UI for alerts already exists?

I thought FF (and all browsers) already had a UI for alerts about this sort of thing:

1) Launch browser

2) Type something like "www.theregister.co.uk" or "data breach <company name>" into the URL/search bar.

3) Click on links that mention data breaches, etc.

White House staffers jabbed with probe over private email use

Invidious Aardvark

Re: Hope springs eternal

'Why do I get the impression that "government business" as a term is being stretched way out, to cover ordinary personal emails by a lot of Trump staffers?'

Based on your posting history, I'd hazard a guess that it's because you can only see out of your right eye.

If I understand your argument correctly, they can't be doing anything wrong because:

1) They're not Clinton.

2) They'd have to be stupid and they're not because...reasons, foremost of which is that they're not base, weak, stupid left-wing people, oh no! They're noble, strong, intelligent right-wing people!

From what I can tell, based on the various reports I've read, Kushner's admitted that some emails have been to personal accounts but he's forwarded any government business to his official account so he's presumably in the clear and the investigation will be concluded swiftly.

However, given that this has happened at all (official business to private email), especially after the Clinton debacle, then it seems sensible to have a review to check that rules are being obeyed and also to remind people that it's probably better not to allow this to occur in the first place. That is what is now happening.

Oh, and your final paragraph is a colossal straw man. The issue is not about the sending of classified information. It's about the use of private email for official government business and how that may conflict with the Presidential Records Act and the Federal Records Act if they don't ensure those emails also get sent to an official account so that they can be preserved.

Tick-tick... boom: Germany gives social media giants 24 hours to tear down hate speech

Invidious Aardvark

Re: Disconnect Germany?

Whose existing laws should be enforced? Thailand lèse majesté laws? N. Korea's speech laws (whatever they may be)? If Germany gets to say "not these sorts of posts" then everyone else does too. The US version of free speech may allow for unpalatable things to be said but that's a much better system than anywhere else I can think of. Once you start censoring based on one country's laws, where do you stop?

What is illegal? Where does that line get drawn and by whom? Is a post by someone in the USA regarding the holocaust liable to be taken down by a German user's request? Whose laws apply to that post? The post is perfectly legal in the USA so why does German law apply?

The internet is harder to legislate for precisely because it doesn't respect the old territorial boundaries. Until every country gets together and sorts out an agreed framework on how laws should be applied to the WWW (fat chance) you're left with attempting to apply local laws to content from other countries, which is just never going to be practicable.

Then there's the problem of whether something is, actually, illegal. Ultimately the legality or otherwise of a post should be decided by a court of law, not by a social media company employee.

The open source community is nasty and that's just the docs

Invidious Aardvark

Re: "they're both absolutely unacceptable"

@Oh Homer

You'd be assuming incorrectly, but nice try at going "Well what would you know, you don't even work in the industry...".

I have heard of NDAs, I've even signed them from time to time; they've not prevented me reporting any abuse. NDAs generally relate to products, projects, etc. that partners and clients would like to maintain some secrecy/control over. They don't, in my experience, relate to things like "we get to abuse you but you don't get to report it". If you're talking about confidentiality clauses in settlements then the relevance of my working background is questionable at best, since such clauses are not industry specific.

I have not tolerated abuse nor resigned myself to being abused. When I have spotted abuse, I have reported it. Thankfully it's been a pretty rare occurrence for me; perhaps I've just been lucky with the places I've worked.

As for "Asking a forum regular on El Reg how he could possibly know about what happens at software companies is a bit obtuse, isn't it, given that probably 99% of the readership works in tech?"

I'm not asking how you know, I'm asking for proof of what you're saying WRT open source being magically better than proprietary software for handling abuse. From what I can see, it's basically "because OSS!" Given that I too work in software and have not seen much of this dark, murky underworld you talk of over the past 15 years or so I'm slightly dubious.

Given our experiences apparently differ, I don't think that asking for some sort of *proof* of your assertions is that much to ask for. Or do I just accept that, as a forum regular, whatever you say is true simply because you said it? (I should point out too that I've been reading el reg since around 2001 so I'm hardly a stranger either.)

Invidious Aardvark

Re: Meanwhile...

Neither, they're both absolutely unacceptable. If that's the best defence you can come up with then you're not painting a very pretty picture of either OSS or proprietary software.

I'd also query whether this does happen and is never published in this murky underworld you're talking about. I'm not sure what would prevent me from going public with emails and PMs if a company tried this on me? I'm also pretty sure any company that ignored personal abuse of their employees by other employees would be open to legal action.

So please, do tell me more about this hidden abuse in this dark underworld that you know about.

What should password managers not do? Leak your passwords? What a great idea, LastPass

Invidious Aardvark

How is having all my unknown-to-me passwords exfiltrated from my password manager "way better" than having my known-to-me passwords guessed/hijacked? They both seem about equivalent to me (though they'd have a hard time getting someone to enter all the passwords that they re-use in a single attack, so perhaps it's marginally worse to use LastPass?).

Disney sued in race row: Axed IT workers claim jobs went to H-1B hires

Invidious Aardvark

Re: Disney is despicable

Morally wrong I can agree with, but that is beside the point. Morality and legality don't necessarily go hand in hand.

Illegal? I'm not so sure. Claiming it's racism to hire someone cheaper who happens to be Indian sounds like racism to me. I'd be more impressed if they'd framed their argument on competency or some factor related to the actual job, rather than the race of the people doing the job.

I'm also not sure that it's un-American. I was under the impression that the American Way was to make lots of money and screw anyone who gets in your way. That whole "business has a duty to make money for shareholders" thing surely means that bringing in foreign nationals who'll work harder, longer, and for less money than the equivalent American workers is a good thing and very American indeed. I'd guess whoever suggested the scheme got a nice fat bonus for suggesting this. After all, so the theory goes, the people who were made redundant should just have worked harder/been smarter, then they'd have been higher up the corporate ladder and thus likely to be let go and replaced by cheap workers. That's how the American Dream works, isn't it?

'Google tax' already being avoided, says Australian Tax Office

Invidious Aardvark

Re: Smack them with an "enhanced" GST

"I think he was suggesting that the tax be levied against corporate revenue as opposed to standard corporate taxation on profits."

Attempting to tax revenue would be a fantastic way of ensuring that no-one wants to do business with Australia. We're a tiny tiny tiny market in the global scheme of things and it would be suicide for any government to even float the idea.

Invidious Aardvark

Re: Smack them with an "enhanced" GST

GST is effectively a consumer tax, so you're proposing to 'hurt' the multi-nationals by making Australians pay more taxes on the goods that multi-nationals sell here? Apart from increasing the price of their goods, the blame for which the companies will place on the government, what exactly are you hoping to achieve by this? The multi-nationals will make the same number of sales and the same profit as now, unless there happens to be someone selling equivalent products more cheaply (which seems unlikely for most products because the competitors for a given category of goods are usually other multi-nationals running the same schemes so they'll all be subject to your enhanced tax).

Your solution makes consumers pay more tax without hurting the multi-nationals one iota.

Ireland taxman: Apple got NO favours from us, at all, at all

Invidious Aardvark

He's pointing out that, if they've paid €50 tax per €1M profit, this means that for each €1M of profit only €400 was declared as Irish profit (since 50 is 12.5% of 400). Hence the question about the remaining €999,600.

So it's not a magic 400, I think you just don't understand numbers...

Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

Invidious Aardvark

Yo dawg, we heard you like to steal polos so we put a packet of polos in the polo so you can steal a polo while you steal a polo.

You really do want to use biometrics for payments, beam banks

Invidious Aardvark

“Unlike a PIN which is entered either correctly or incorrectly, biometrics are not a binary measurement but are based on the probability of a match.”

Am I the only person somewhat disturbed by the fact that he appears to be advocating a form of 'authorisation' that boils down to "you sort of, maybe, could be almost right-ish" rather than "Yes, that is the correct answer to the question I asked"?

I'm really not sure that talking up an authorisation method as being good because it isn't binary is a good idea. Authorisation should be certain, not fuzzy, otherwise it's a bit like having a PIN and the system saying "Well you got 5 of the 6 numbers correct so go on then, take some money!".

Bill Gates cooks up poultry recipe for Africans' paltry existence

Invidious Aardvark

Re: Automatic Updates.

"Turkeys on the left of me,

Chickens on the right

Here I am, duck in the middle with you"

FBI says NY judge went too far in ruling the FBI went too far in forcing Apple to unlock iPhone

Invidious Aardvark

"How is this any different from a warrant for telephone records or financial records where the telephone company or accountant are not complicit - nor alleged to be complicit - in any alleged wrong doing or financial malfeasance ?"

You're seriously asking how a warrant for records that a company does possess is different from a warrant for records that a company does not possess and that is designed to force them, against their will, to create something that they do not want to create in order to access data they do not own?

Even with Turnbull's NBN, Australian ISPs are getting faster

Invidious Aardvark

Re: October sure was a funny month...

Be fair now. You can't expect Simon to proof read everything when he's doing his monthly advertisement for Netflix down under and slyly hinting that Telstra has lower speeds because Foxtel. Do you know how long it takes to look up different ways of saying the same thing every month?

Australia's marriage equality vote should take place online

Invidious Aardvark

Online voting should happen when online voting can be trusted

I wouldn't want to vote for my government online since I see no reason to trust that it is secure, auditable, and anonymous (that anonymity is damned important). Why the hell would I let the government marketing weasels "start the ball rolling" with a "successful test of the eVoting platform" on this (or any other) issue?

Also, what about the luddites without an online presence? Or those who don't want to be signed up to a central government system that monitors their voting habits?

Prove to me that online voting is not subject to trust and security concerns before you try to push it onto us as an efficient, cost-effective means of voting.

Australia to conduct national cyber-security review

Invidious Aardvark

Sounds suspiciously like the government wants to make some 'evidence based' policies and has asked some nice people to manufacture the evidence for them so they can pass said policies.

Hacker dodges FOUR HUNDRED YEARS in cooler for SCANNING sites

Invidious Aardvark

Re: potentially 440 Years? for that?

I'm afraid you're reading the headline and assuming it's true.

1) This is not just for scanning sites - 14000 brute force attempts to guess passwords is not 'scanning'. If the headline doesn't match the actual story, that should be a small clue about the integrity of the story and/or headline.

2) Most journalists have almost no clue how the courts work, but do know that inflated numbers draw people in, so they find the maximum sentence for each offence and add them all up, conveniently forgetting that sentences can run concurrently rather than consecutively and that judges have discretion when sentencing (most of the time, though there are some minimum terms that must be applied to some crimes in some states, etc.).

Annus HORRIBILIS for TLS! ALL the bigguns now officially pwned in 2014

Invidious Aardvark

Re: So...

S-channel is a security library. Windows versions are kernel rewrites and UI updates (appallingly ham-fisted ones in the case of W8). Why would a kernel rewrite require you to re-write all the supporting libraries?

Google's 'Right to be forgotten' roadshow is just a 'distraction' – EU digital rights group

Invidious Aardvark

Re: Don't do shit that gets you in a database... and ...

So, in a case of mistaken identity, you get arrested for something that you didn't do (let's say kidnapping children, because we all love to think of the children). You're innocent but children went missing so your name is everywhere because the media loves a good story. You're released without charge but, deary me, your name is now associated with kidnapping children whenever we search for you. Sure there'll be links to you being released without charge, but they're waaay down that search listing because that's not really very interesting compared to you being a child abductor so ranking algorithms will do their thing on the original story. Result 1 in every search: OmgTheyLetMePostInTheUK arrested for child abduction.

But that's ok, because we have a right to know about your "mis-doings". I mean, if you didn't do things that got your name into the news or into a database, then you wouldn't have had to worry about having your name show up in a google search. It's that simple.

I should point out that I'm against making google or any search engine filter out results - I think that's better tackled by the websites hosting the content - but your contention that because someone was caught up in something automatically means that they did it and it should be linked to them forever is somewhat facile.

Offshore metadata storage fine by me, says Malcolm Turnbull

Invidious Aardvark

No compelling argument?

How about some vague hope that they can be held accountable for its security and preventing various three letter agencies (let's just call them the USA) from grabbing all the data, without a warrant, because it's held by a company whose cleaner's sister's ex-boyfriend's dog's fleas once set foot on USA soil?

Big Retail's Apple Pay killer CurrentC HACKED, tester info nicked

Invidious Aardvark

Re: There's that throwaway line again

Indeed, it's amazing how many companies will tell you how seriously they take the security of your information after it's been compromised. I expect they'll be "putting procedures in place to ensure that this can never happen again".

Funnily enough, I expect companies that do take the security of my information seriously to have procedures in place already so that such breaches don't actually occur...

Naked and afraid: that's how Telstra's Wi-Fi security makes you feel

Invidious Aardvark

Make your mind up

"..., because HTTPS will encrypt all the traffic between web browser and server. Someone will still be able to snoop on all your metadata..."

"Ironically, the Junkee.com essay penned by Australian Greens Senator Scott Ludlam, in which he makes a stirring call to #StopDataRetention, was transmitted in the clear. The site Ludlam used to publish his views on security has taken no steps to protect its users from metadata gathering."

If HTTPS won't prevent metadata gathering why point out that Junkee.com is using HTTP?

FTDI yanks chip-bricking driver from Windows Update, vows to fight on

Invidious Aardvark

Re: My goodness!

I've not been downvoting your comments, though I've just downvoted your whining about being downvoted.

This isn't Facebook, The Reg has managed to do what Zuck's mighty engineers can't do and have both "like" and "dislike" buttons. People disagree with you sometimes and they let you know.

Complaining like a child when people disagree with you makes you look like, well, a child complaining that people are disagreeing with them. Also, calling people who disagree with your comments "corporate shills" is heading down the road to Eadon-ville...

Invidious Aardvark

Re: Freetard redux?

Good luck proving the deliberately. They wrote a driver that works on their chips.

Some other people made chips that do what the FTDI chips do and decided to use FTDI's VID/PID to avoid writing their own driver. Unfortunately, they don't react the same way to FTDI's driver as FTDI's chips do, resulting in their PID being set to 0.

Cue management saying "We didn't pick this up in our testing, but then we wouldn't because we only tested with our chips..." or "We accidentally left in some test code when shipping the new drivers, normal QA didn't pick this issue up because..." etc.

Brits: Google, can you scrape 60k pages from web, pleeease

Invidious Aardvark

Re: Other search engines?


So you seem to be saying that matters of public record should not be publicly available? Or they should be findable but not searchable? How is this in any way logical?

@Tom 38

We're debating the merits of the system and who should be responsible for the data in question. You appear to be suggesting that irrelevant data should be available on the web but not searchable. If it is irrelevant, ask to have it removed from the web and it will, you know, fall off the search database too.

There's also the question of how deeply they have to filter their results. For example, can they link to an index page that links to the article? It may have links to other relevant (and unfiltered) articles too.

The implementation seems to be clumsy and removal of the data from the offending site seems more logical than asking that a link to that site be removed from search results. Removal at source, use of robots.txt, etc. would seem to be more logical than asking the search providers to judge whether a request is valid then remove those links from their index (or, more likely, hide it from users in certain countries).

Invidious Aardvark

Re: Other search engines? @Raumkraut

Er no they don't. Really, they don't. The people who are maintaining the sites where the articles reside bear the responsibility to keep those articles accurate and relevant.

A search engine (the clue as to what it does is in the name) should search all the articles it knows about and return results, preferably ranking these results based on their level of match to the search term.

If someone has an issue with something in an article on the web they should get the article corrected at source or taken down if necessary. That way the correct/relevant information is available to everyone, regardless of which search engine they use.

'Cops and public bodies BUNGLE snooping powers by spying on 3,000 law-abiding Brits'

Invidious Aardvark

Re: Ask?????

without first seeking consent

I'd rather they actually obtained consent from a judge. RIPA seems to require them only to ask a senior police officer for consent, which is not really the level of checks and balances I'd expect when they're going to be rifling through people's communications records.

Cops apologise for leaving EXPLOSIVES in suitcase at airport

Invidious Aardvark

And how lax was security at the airport that they stored and then redistributed an unattended bag to a random member of the public without checking it first? It's almost like all those "unattended bags will be destroyed" warnings are nothing more than security theatre...

Apple, FBI: YES we're, er, looking into the NAKED CELEBRITY PICS. Aren't you?

Invidious Aardvark

Re: If you don't want any naked pix

Not wishing to pop your anti-Apple bubble, but you do actually need to set that sync up. I know, because I have such a device and have not configured the sync process. In fact, I checked all the settings and they were off by default so I didn't have to opt out either.

More facts, less mindless bleating please.

iCloud fiasco: 100 FAMOUS WOMEN exposed NUDE online

Invidious Aardvark

From what I can tell it is opt-in. You have to enter your iCloud credentials in the settings section then configure it to sync your photos, then go to the photos/camera app settings and select the option to upload your photos to iCloud as well.

This shows me you should probably investigate what you're talking about rather than making assumptions. Using the famous man-in-the-pub-said ("As several above have said...") as a source doesn't make what they said facts; a little research (it's really not that hard - try Apple's website) goes a long way.

US govt watchdog slams NSA snooping as illegal, useless against terrorism

Invidious Aardvark

Re: Martin Gregorie Anon Cluetard Boston Marathon Bombing

If it's aimed at tracking groups, surely they know who these groups are? If so, then how about they get a warrant and target their snooping. If not, then how the hell do they "prevent" and "disrupt" these groups' communications by monitoring everyone? How much noise are they collecting? How the hell do they work out which pattern of calls is me calling my friend with a joke and him sharing it with his friends and me calling my terrorist contacts to get them to call their bomb-making buddies and arrange a car bombing spree?

UK plods cuff another bloke in Twitter violence threat probe

Invidious Aardvark

You're effectively asking an ISP to breach their contract to an end user based on Twitter's request because someone reported to Twitter that they received a tweet they didn't like.

I think you'll find that the "over-stretched police force" would still need to be involved, given that you don't usually punish someone for something unless you can prove they did it. Something to do with the rule of law and due process.

Windows kernel bug-squish, IE update star in July Patch Tuesday

Invidious Aardvark

Re: To summarize....

If you watch Adult Video rather than playing with the real thing you're less likely to get a virus?

A backdoor into Skype for the Feds? You're joking...

Invidious Aardvark

Re: JimmyPage : they can suspect all they want

So they can look at the random data generated by Truecrypt to fill the empty space when the volume was created and tell the difference between that and the random-looking data generated by encrypting a file and writing it amongst that random data?

That's one hell of an expert you have there.

With respect, that sounds like a piece of Star Trek "insert technical stuff here" script. You've used a technical phrase and followed it with your required conclusion but it is, in non-geek parlance, utter bollocks.

Australia to reveal tech giants' tax tricks

Invidious Aardvark

Re: One can only presume...

Your argument is so flawed it's hardly worth rebutting, but here goes:

1) It's not currently illegal to avoid taxes in the ways that many companies do.

2) Making it illegal at some future point in time does not make it illegal now. You can claim it does as much as you want, but it simply doesn't (short of an ex post facto law, which is thankfully not possible in some countries and is normally frowned upon because it requires some really special powers to know whether you're currently breaking a yet-to-be-created law).

"Why are these companies not being brought to book ?"

In most countries you don't bring people to book for not breaking the law.

In your road speed limit analogy, no one is saying that you could now argue that there used to be no speed limit but now there is, so I'll ignore the limit. What they are saying is that currently there is no speed limit. Introducing a speed limit does not make past driving at above the now legal limit magically illegal, but it does make continued driving at such speeds illegal.

Arguing what they are doing now is legal is not "dodging and fudging the issue". If it's not illegal, it's legal. End of story. Anything else leads to chaos.


Music resale service ReDigi loses copyright fight with Capitol Records

Invidious Aardvark

Re: I am going to take an unpopular side here.

I'm confused. You seem to be saying that I can purchase a CD and resell that but I can't do the same with digital downloads because I might keep a copy somewhere. Has it occurred to you that I can rip the CD then resell it? Or do you trust me not to do this, in which case why can't you trust me to delete any copies I have made of my digital downloads when I resell them?

Facebook to filter angry comments in site tweak

Invidious Aardvark

Re: Good or bad comments.

No, your 1st amendment rights are not being curtailed - the right to free speech does not mean you can freely write whatever you want wherever you want and that no one can prevent you from doing so. It merely gives you the right to say what you wish (within certain limits).

A rating system, whereby negative comments are relegated to a less visible area of the comment stream, does not prevent you from saying what you wish to say. Next you'll be telling me that, because older comments are less visible on comment streams that are ordered by date, with the newer comments shown more prominently, this is also curtailing your right to free speech because you commented first and now people have to scroll all the way down to see what you said.

In fact, as I understand it, freedom of speech provisions in the first amendment extend solely to what the government can't do to curtail your speech. Facebook is not government so they can, in fact, do what they wish with the comments. If you don't like that, don't use Facebook.

Retailer challenges Visa penalty fees in data security dust-up

Invidious Aardvark

DNA or HTTP headers are not "data relative to those accounts". HTTP headers may be classified as data relative to the processing of the transaction, but the "accounts" in question are the VISA card details.

I think you'll find that "data relative to those accounts" is legal speak for card number, CVC, expiry date, etc. - the data required to actually perform a transaction against the card in question. Section 18 of their complaint effectively lays out what this data is (the mag stripe data). They claim that such data may be retained unencrypted for the duration of the authorisation; this may be true, but my understanding (having had to do this kind of thing) is that you may briefly store such data in memory (pretty much unavoidable given that computers are involved), but it is preferable that this be done encrypted until such time as the unencrypted data is required, i.e. you decrypt just as you're generating the request and sending it to the bank. Logging any of it, unencrypted, is a no-no.

Section 54 of the complaint states that the log files would have been overwritten before they could have been exfiltrated, so no "data relative to those accounts" could have been compromised via the logs. This kind of suggests that some account data was being logged - why would you bother mentioning that you were storing data unrelated to the complaint in a log file in a motion to have your money returned? The only useful data in this context is card numbers, expiry dates, etc. I may be reading between the lines, but it seems a reasonable assumption to me.

Invidious Aardvark

Part of their defence (from the linked Wired article) appears to be that because of regular server reboots the card numbers in their server log files would have been overwritten before the hackers got to it (though what a packet sniffer is doing reading log files is not stated). Persisting unencrypted card data to log files is very much a PCI DSS violation and shows a level of incompetence I can't begin to understand.

All that being said, if VISA can't prove that any fraud was carried out using the cards that may have been compromised during the breach then they really shouldn't be gathering fines. I know that absence of evidence of fraud isn't evidence of absence, but legally it almost certainly is so the fines levied sound to be in serious danger of being overturned, assuming that the rules outlined in the Wired article are those that should apply in this scenario (more than 10,000 cards breached, PCI violation leading to the breach, more fraud than normal occurred on the cards in question).
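An added example, not part of the posts above and not code from the retailer or VISA: one way to keep unencrypted card numbers out of server log files is a logging filter that masks Luhn-valid numbers before any handler writes them. The names `mask_pans` and `PanMaskingFilter`, the 13-19 digit pattern and the first-six/last-four truncation are choices made for this example.

```python
import logging
import re

# Candidate card numbers: 13-19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> str:
    """Mask Luhn-valid card numbers, keeping only the first six and last four digits."""
    def _mask(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)   # order ids, timestamps etc. are left alone
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
    return PAN_CANDIDATE.sub(_mask, text)


class PanMaskingFilter(logging.Filter):
    """Rewrites each record so the formatted message never carries a full card number."""
    def filter(self, record: logging.LogRecord) -> bool:
        # Merge msg and args first, so numbers passed as arguments are masked too.
        record.msg = mask_pans(record.getMessage())
        record.args = None
        return True


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.addFilter(PanMaskingFilter())   # attach to the handler, not only one logger
    log = logging.getLogger("payments")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample line using a well-known test card number.
    log.info("authorising card %s exp=12/25", "4111 1111 1111 1111")
```

Masking at the log boundary is a backstop: the code path that handles the authorisation should still avoid passing card data to the logger at all.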

Google to pay laughably minuscule fine over Wi-Fi slurp across US

Invidious Aardvark

Re: ... and yet...

"I don't think google are getting off too lightly here"

Fine for breaking the law: $7m

Performance bonuses for last year:

Eric Schmidt: $6m

David Drummond (their head legal person): $3m

Patrick Pichette (CFO): $2.8m

Nikesh Arora (CBO): $2.8m

Yeah, that fine is really going to hurt them...