* Posts by pmb00cs

65 posts • joined 18 Aug 2011


So you really didn't touch the settings at all, huh? Well, this print-out from my secret backup says otherwise

pmb00cs

Re: Ah, customers.

The best response I have found to an unreasonable "just do what I say" type order from an unknowing boss, or higher-up, is "Can I have that in writing please?" Either they suddenly start listening to why that order is a bad idea, or you have a paper trail to point to when it does go wrong.

Never underestimate the power of properly applied bureaucracy.

Node.js creator delivers Deno 1.0, a new runtime that fixes 'design mistakes in Node'

pmb00cs

Re: Wonder how long it will take…

The software written now, regardless of language used, is not old and tested. All programming languages have their merits, and their flaws.

A skilled artisan with a chisel can make a great chair, where an idiot with a power saw can make one that's crap. That doesn't mean the power saw is crap, or that the chisel is great.

pmb00cs

Re: Wonder how long it will take…

Firstly, C does have a steeper learning curve than JavaScript, it's a lower level language and so you need a better understanding of how a computer functions in order to make use of it. Also I was replying to a point about how that steeper learning curve specifically reduced the dross written in C.

The only reason there is more written in C is entirely down to the age of the language. It's been around longer than I have.

I'm not saying either C or JavaScript are or are not crap. I'm saying that the comparison based on the steepness of the learning curve is an unhelpful one, and has no real merit.

There are lots of people who would argue the merits of JavaScript, personally I'd suggest that crap or not it's here to stay, and getting grumpy with that fact isn't going to change anything. I don't particularly like JavaScript, but that doesn't mean it can not be used by skilled people to make useful software.

pmb00cs

Re: Wonder how long it will take…

You still get crap written in C. The idea that a steep learning curve automatically filters out idiots is not supported by the evidence.

Yes it is easier to learn JavaScript, and so lots of idiots learnt it, and then wrote terrible JavaScript. But when people gave up on C because it was too hard to learn not all of them were idiots, and not everyone who persevered was not an idiot. So fewer idiots learnt C, but so did fewer people who are competent. There's less crap written in C because there's less written in C, relative to its age anyway. C has the advantage of age, but crap doesn't age well. Old C that's still around makes C look better not because it is, but because time has filtered out the crap.

It's like furniture, you see 100+ year old chairs and say "They don't make chairs like that any more, modern chairs are crap" and mostly modern chairs are crap, but mostly 100+ years ago chairs were crap too, but the crap didn't survive 100+ years to be held up as an example.

Proof-of-concept open-source app can cut'n'paste from reality straight into Photoshop using a neural network

pmb00cs

Re: OK, I'll bite.

It's open source, and the code is linked to in the article. You know you could always raise a pull request to allow it to support your image editor of choice if it doesn't already.

IBM age discrimination lawsuit suddenly ends, suggests Big Blue was willing to pay to avoid discovery process

pmb00cs

Re: Not "risky"

It would appear IBM's lawyers agree with you.

AI startup accuses Facebook of stealing code designed to speed up machine learning models on ordinary CPUs

pmb00cs

Re: "nifty software tricks to achieve similar speeds on CPUs"

I've worked on rack-mount servers with up to 8 CPUs. Larger kit has always been capable of having many CPUs, and IBM's mainframe systems have used proprietary interconnects to solve the scaling issues inherent in many-CPU systems for as long as I have worked in IT.

Google's second stab at preserving both privacy and ad revenue draws fire

pmb00cs

Why not target the ads based upon the site they're appearing on?

I don't get the "people prefer targeted ads" schtick, what with the targeting being so rubbish (as already mentioned). But why do we need to target the user directly? We know they are interested in the topics of the page they are viewing (or at least they should be), so why can't the ad be based on that? It worked in print and broadcast advertising for decades.

Linux in 2020: 27.8 million lines of code in the kernel, 1.3 million in systemd

pmb00cs

Re: "Everybody who has ever worked at that level in the operating system ..."

Preaching to the choir there.

I'm no fan of systemd, and am well aware of its many, many flaws. Not least of all, the most important aspect of server startup isn't speed (which systemd isn't actually all that good at, despite being one of its early selling points); it's stable, repeatable, consistent, debuggable startup, which systemd does not do.

But denying its advantages is also not helpful.

pmb00cs

"Everybody who has ever worked at that level in the operating system ..."

Yes, but for everybody that has to actually use Linux in the real world systemd is often worse than what came before it.

As an experienced Linux SysAdmin I've had to come to terms with the fact that systemd is here to stay, and have had to learn to use it, and it does have some very good attributes. But it also has its flaws, and often those flaws are ignored by its proponents, homed being a prime example. It solves a problem with security, and portability, of home directories. But it also breaks SSH keys, and rather than acknowledge and accept this state, and offer any concessions or workarounds, the answer is "well don't use it then", ignoring the fact that systemd is being deliberately developed in a way that makes it difficult to not use. New features are added, and tied closely to systemd, then downstream products are encouraged to use these features, making it difficult to use alternatives.

I want to be happy using systemd, I like the ease of creating new services over having to write init scripts (which can sometimes be tricky), and holding onto the past is often counter-productive. But I run Linux servers, and systemd isn't appreciably faster than sysvinit for booting, and parallel service startup creates problems that never existed in the slower sequential startup of sysvinit.

This would be easier to take if there was any indication that the developers or proponents of systemd gave a shit about these issues, but hey, if it solves problems it has to be good right?

Dell slathers on factor XPS 13 to reveal new shiny with... ooh... a 0.1 inch bigger screen

pmb00cs

Re: @pmb00cs - That price..?

The OP got upset about price, complaining about the fact that a laptop with Linux pre-installed cost more than a laptop with Windows pre-installed, despite the "MS idiot tax".

So yes I am aware that FOSS isn't about paying for software. I'm also aware, as was the point of my reply, that not all costs are monetary.

pmb00cs

Re: That price..?

Possibly because the "MS idiot tax" includes significant development of tools that make supporting it (from a device manufacturer point of view at least) easier, whereas Linux has a less polished volume licensing and support solution. Meaning Dell must expend engineering effort to be able to fully support Linux on its products.

Free Software does not mean that it has no costs associated with it, just that the software itself is Free (and there are some debates as to whether "Free" should be "free as in beer" or "free as in speech", but that is a whole other can of worms).

As someone who works with Linux, I'm not so blinkered by ideology to be unable to accept that sometimes you have to pay for "Free Software" somehow.

Doogee Wowser: The S40's a terrible smartphone, but a passable projectile

pmb00cs

Re: There was a time....

I don't think anyone ever dared ask why the kitchen. We all just assumed because that's where the hob was to heat everything up to the required temperature.

pmb00cs

Re: There was a time....

Yes. I know. That was explained in the same speech. From the front of the classroom. Along with the explanation as to why TNT and not TNB is used as an explosive, what with TNB being basically impossible to make. DNB also goes boom, but is less powerful and less clean as an explosive than TNT. The methyl group on the toluene lowers the energy needed to add the third nitrate group to the benzene ring to the point that you can do so without it going boom first.

She was also quite a good chemistry teacher.

pmb00cs

Re: There was a time....

Scariest teacher I ever had was a quiet, kind, unassuming A-Level Chemistry teacher. She never threw anything at any of us. She did however explain, in painful detail, as if from personal experience, why it is much easier to make nitroglycerine than TNT, and not just because Toluene is toxic, and hard to come by, and that the former can easily be made in most kitchens if you know what you are doing.

Astroboffins peeved as SpaceX's Starlink sats block meteor spotting – and could make us miss a killer asteroid

pmb00cs

Re: How many such exposures are going to be messed up like that?

They don't use photographic plates, they use CMOS (and other related) electronic sensors. But that doesn't change the physics of how focusing optics function. Over-exposure will bleed out into neighbouring pixels. Preventing that takes more than clever post-processing. There's a reason DSLR cameras still have physical shutters. Too much light for the exposure still ruins the exposure. Especially on exposures measured in minutes.

pmb00cs

Re: "Accurate [..] predictions are essential for understanding the hazard they pose to spacecraft"

Yes, the total percentage of the sky covered by these satellites will be quite small.

But what portion of the light entering ground based telescopes will be reflections off these satellites?

Simplifying matters somewhat, we want to look at incredibly distant stars, which means exposure times suitable for very little light, and then a whacking great reflection from a Starlink satellite streaks across your image. Well bugger, we'll just have to try that again!! How many such exposures are going to be messed up like that?

pmb00cs

Re: "Accurate [..] predictions are essential for understanding the hazard they pose to spacecraft"

Also, 'autonomously manoeuvring' supposes that the satellites never suffer a failure of their control systems, or their manoeuvring systems. Space is big, but orbital velocities are also big, and cross-orbital collisions impart enough energy to really mess things up. One of these satellites fails to the point it doesn't avoid another one crossing its path and *BOOM* that's an awful lot of unpredictable, high velocity, difficult to track debris that is going to start upsetting anything else on that approximate orbital level, like the rest of the constellation.

I believe a man much smarter than I once described such a possibility. Kessler syndrome https://en.wikipedia.org/wiki/Kessler_syndrome

UK political parties fall over themselves to win tech contractor vote by pledging to review IR35

pmb00cs

Re: More nonsense

"Roll all NI into income tax and charge it on everything."

That's another strike against IR35 in my mind. Contractors have to pay Employer's NI contributions, employees don't. After a finding of being inside IR35 not only does the contractor's tax bill go up (a lot), their NI bill doesn't go down (unless they can find some of the ways to reduce Employer's NI contributions; it's a complicated area, and one of the reasons I'm not a contractor, but essentially they'd need to limit their income).

pmb00cs

Re: More nonsense

Not all employers like hiring staff proper, and will insist that potential recruits are "contractors". IR35 is sold as stripping these "contractors" of several tax dodges they could take to reduce their tax burden. As it stands for doing this it is probably quite effective. However for those (often underpaid) "contractors" it is very hard to get the employer to treat them fairly, and give them the benefits they rightly deserve, and HMRC don't give a toss about that, so IR35 isn't written to enforce that the person paying taxes is automatically, under employment law, an employee proper. As such the people it rightly targets cannot afford the consequences of the law.

On top of this, as written, IR35 impacts on contractors who knowingly, and by choice, are in positions where they don't get employee benefits, and for various reasons are happy to take that risk. As such these people often get paid a higher fee. That higher fee then under IR35 attracts higher tax rates. It is worth noting that a large number of cases that fall into this bracket have been found, in court, to not actually constitute hidden employment, and so IR35 shouldn't apply. But fighting this is expensive, particularly given cuts to legal aid.

The solution to my mind would be to change IR35 so that the tax burden is there, but the employer owes the hidden employee all the benefits they have previously denied them, and that hidden employee is automatically granted employee status. But the issue is more complex than a simple solution like this can fully cover, so there needs to be significant work put into dealing with it, and I'm sure there are edge cases that would need handling with more nuance.

We are absolutely, definitively, completely and utterly out of IPv4 addresses, warns RIPE

pmb00cs

Re: "What's wrong with a /64 prefix?"

I'm not suggesting that ISPs shouldn't be offering /56 allocations, my issue is with the implication that getting a /64 is somehow problematic compared to the status quo of IPv4 that exists for most users.

Anything you can do on a domestic ISP connection with a single IPv4 address you can do with an IPv6 /64 allocation, and the latter case is, in my opinion, vastly superior to the former.

pmb00cs

Re: "What's wrong with a /64 prefix?"

Yes, the default behaviour using SLAAC is to use the MAC address (plus 16 other bits) to form the host address, but there are privacy concerns with that: a device can be tracked across networks that way. However SLAAC isn't the only way to issue IPv6 addresses, and not all of them are tied to a 64-bit host address. So the argument against giving a /64 to a standard ISP connection of "but you can't do a non-standard network partition without also using a non-standard IP address assignment scheme" strikes me as poor. Most users are not going to subnet their network, and frankly those that are probably don't want to advertise their unique device identifiers to the internet. If for some reason you absolutely cannot have a shorter than 64-bit host address, and you need to subnet your network, you can subnet on link-local addresses, and do some form of NAT (Oh I know, NAT is evil, but it is a possibility).

Also a /64 for a single connection is still, even if I accept that subnetting becomes impossible on that network, significantly better than what most of us find ourselves with on IPv4, a single IP address, and NAT, and in some cases that single IP address is non-routable as the connection is behind CGNAT.

PS: Yes I do know that IPv6 specifies giving multiple IP addresses to individual network interfaces, such that a laptop could have many IPv6 addresses, some for WiFi, some for cabled Ethernet, some for Bluetooth, etc. Even if you do take your /64 and sub-split it into 4 billion /96 subnets, using for example DHCPv6, each of those has 4 billion addresses going spare.

So I ask again, what are you planning to do that a /64 is insufficient for your needs?

pmb00cs

Re: Vicious Circle

"but you may get only a /64 prefix"

What's wrong with a /64 prefix?

How many devices/subnets are you planning to set up that a /64 is insufficient for your needs?

"(which makes using VLANs an issue)"

How exactly? VLAN tags are entirely different to subnet masks. Also once you have a prefix you are free to split that prefix however you see fit: 2 subnets with /65 prefixes? Or 4 billion subnets with /96 prefixes?

GitLab mulls ban on hiring Chinese and Russian support staff because 'security'

pmb00cs

Re: Who to use ?

I wrote a guide on how to do just that with Gitea, on Debian.

https://craig.stewart.zone/guides/building-a-git-repo/

Here we go again: US govt tells Facebook to kill end-to-end encryption for the sake of the children

pmb00cs

Re: Watch your back

I also use Signal and think it works well.

*whistles innocently*

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

pmb00cs

Re: Please explain?

By blocking HTTPS wholesale. You appear to be assuming that isn't a valid network configuration. Believe it or not many large corporate networks do so, and use web proxies to allow connection to websites (including HTTPS sites, some with MitM corporate certs, some not) and those proxies whitelist access based upon the domain you try to connect to, and route that traffic for you.

pmb00cs

Re: Please explain?

DoH is designed to fix a very narrow problem for web users who might be getting their traffic snooped on (note that it only works for pure web traffic). That problem is that the domains they look up through DNS are typically in plain text, so the snooper knows what they are (ignoring for now the fact SNI headers are not yet encrypted). DoH protects that information. So in that very narrow use case DoH is an improvement.

DoT also solves that problem, and doesn't tie the hiding of DNS traffic to web traffic, but its detractors argue it can be blocked more easily.

pmb00cs

Re: Please explain?

True, it's harder to block DNS lookups that use DoH, but it's not impossible, and there exist valid reasons for wanting to control the DNS information available on a network.

Similarly there are valid reasons for wanting to bypass those controls.

My issue with DoH is that it is only a valid solution to a very narrow subset of the issues affecting DNS that also affect the web. DoT isn't that much better on its own, but it at least acknowledges the internet is more than just the web. DoH is also skirting into the realm of "technical solution to non-technical problem", and that never really works.

pmb00cs

Re: Please explain?

Whatever their motivations, the fact of the matter is that they are making "the web" more secure at the expense of "the internet" that carries it. DoH is not the correct solution for anything other than the web, although in that narrow context it is an improvement, but for everything else that uses the internet DoT and/or DNSSEC provide better solutions.

pmb00cs

Re: Please explain?

As already pointed out this (DoH) is every bit as bad as DNS over HTTP over TLS.

There is a competing standard, DoT, which is running DNS over TLS, skipping the whole HTTP thing. But for some reason Google and Mozilla (organisations that deal primarily on the web, and in web technologies) don't appear to recognise that the internet is more than just the web, and so everything needs to be http(s) for them.

Police costs for Gatwick drone fiasco double to nearly £900k – and still no one's been charged

pmb00cs

What really happened

Passenger 1: Is that a drone?

Passenger 2: Don't be daft, it's a gull.

Nearby

bystander 1: did they see a drone?

bystander 2: well they said drone.

bystander 3: what about a drone?

bystander 4: did someone see a drone?

....

bystander 96: drone you say?

and so

guard 1: there's lots of talk of a drone going on over there, what do you think we should do?

guard 2: report a drone sighting, the brass will deal with it!

You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

pmb00cs

Re: What about other applications?

Because banking and voting are two entirely different problem spaces.

With banking the bank needs to know that *I* allowed the transaction, and they know who *I* am. So as long as they can reconcile the details of the person authorising the payments with my identity all is good. It's a problem that requires two parties who know each other to be able to authenticate intention through a third party.

With voting the entire population needs to know how many people within the population voted for each candidate without knowing who each specific person voted for. So we need to validate numbers without recourse to validating identity after the fact. Although you need to identify yourself in the polling booth this is only to prove you have a right to vote, and haven't already done so. Once you get your ballot your identity becomes meaningless.

Put another way, with banking I don't give a fuck if you trust that I paid the shop or not, as long as my bank does. With voting I care deeply that we all agree on the results, but don't know who we each voted for.

Get ready for a literal waiting list for European IPv4 addresses. And no jumping the line

pmb00cs

Re: Seriously, whats wrong with IPV6 ?

What's wrong with a home network getting a /64?

Hell what's wrong with a data centre getting a /64?

A /64 IPv6 network can contain an entire IPv4 internet's worth of subnets the size of the entire IPv4 internet. What on earth are you planning to do that needs more IP addresses than that on a single connection?

IPv6 addresses are 128 bits long. A /64 assigns only half that to the network, the remaining 64 bits are free for the host addresses. Compare that to IPv4 addresses which are only 32 bits long.
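
The arithmetic in the /64 posts above, worked through in code. This is an added example, not part of any of the original comments: it counts the subnets and addresses a /64 yields, builds the EUI-64 host part that SLAAC derives from a MAC address (the cross-network tracking concern raised earlier), shows that the MAC can be read straight back out of such an address, and contrasts it with a randomly generated interface identifier. The prefix comes from the RFC 3849 documentation range and the MAC address is constructed; neither belongs to a real network.

```python
import ipaddress
import secrets
from typing import List, Optional

DOC_PREFIX = "2001:db8:1234:5678::/64"   # constructed: RFC 3849 documentation prefix
SAMPLE_MAC = "00:11:22:33:44:55"         # constructed: not a real device


def subnet_count(prefix_len: int, new_prefix_len: int) -> int:
    """How many new_prefix_len subnets fit inside one prefix_len network."""
    if not 0 <= prefix_len <= new_prefix_len <= 128:
        raise ValueError("need 0 <= prefix_len <= new_prefix_len <= 128")
    return 1 << (new_prefix_len - prefix_len)


def addresses_per_prefix(prefix_len: int) -> int:
    """Addresses available inside one prefix of the given length."""
    return 1 << (128 - prefix_len)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291, Appendix A):
    split the 48-bit MAC, insert ff:fe in the middle, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a host would self-configure from a /64 prefix and its MAC."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 (64-bit interface identifier)")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_address(addr) -> Optional[str]:
    """Recover the MAC from an EUI-64 derived address, or None when the host
    part lacks the ff:fe marker. The identifier follows the device from
    network to network, which is exactly the tracking concern."""
    iid = int(ipaddress.IPv6Address(addr)).to_bytes(16, "big")[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


def privacy_address(prefix: str) -> ipaddress.IPv6Address:
    """Random 64-bit interface identifier in the spirit of RFC 4941 temporary
    addresses: nothing in the host part is derived from hardware."""
    net = ipaddress.IPv6Network(prefix)
    iid = int.from_bytes(secrets.token_bytes(8), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def split_prefix(prefix: str, new_prefix_len: int, limit: int = 3) -> List[str]:
    """First `limit` subnets of `prefix` at the new length (the generator is
    lazy, so asking a /64 for /96s does not enumerate all four billion)."""
    net = ipaddress.IPv6Network(prefix)
    out: List[str] = []
    for i, sub in enumerate(net.subnets(new_prefix=new_prefix_len)):
        if i >= limit:
            break
        out.append(str(sub))
    return out


if __name__ == "__main__":
    print("/96 subnets in a /64:", subnet_count(64, 96))
    print("addresses in each /96:", addresses_per_prefix(96))
    print("first /96s:", split_prefix(DOC_PREFIX, 96))
    slaac = slaac_address(DOC_PREFIX, SAMPLE_MAC)
    print("EUI-64 address:", slaac, "-> MAC", mac_from_address(slaac))
    print("privacy address:", privacy_address(DOC_PREFIX))
```

The two numbers printed first are both 2^32, which is the "an IPv4 internet's worth of subnets, each the size of the IPv4 internet" claim made in the comment; the MAC round-trip is why a network with privacy extensions (or DHCPv6-assigned identifiers) is preferable to plain EUI-64 SLAAC.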

$30/month email upstart Superhuman brought low with a blast of privacy Kryptonite

pmb00cs

What we need now ....

I've seen in the comments a few possible responses to this sort of behaviour:

- Spam people who send emails with tracking pixels

- block images from loading (what I actually do)

But what I reckon is needed is a server that can have the tracking pixels' URLs loaded into it, so that it can send requests over Tor (or some other anonymising network) for them every few minutes. Make the tracking data useless by filling it with junk data.

Comms room, comms room, comms room is on fire – we don't need no water, let the engineer burn

pmb00cs

Re: Leap Out And Let It Burn

Save the heroics for people who are trained and equipped to deal with burning stuff on a large scale. Unless you're a fireman, that isn't you, Mister I-Did-The-Annual-Fire-Safety-Training-Course. Blundering into a burning data centre with the wrong extinguisher is going to earn you a roasting and two lungs full of Halon/FM200.

I've done multiple Fire Warden type courses, two of which were the full-blown two-day, let's-start-a-fire-and-practise-putting-it-out-safely-on-day-two courses. In both of those (one back when I was in Scouts, many years ago) we didn't get to play with fire extinguishers, but that didn't really matter, because the subject of the courses was basically "here are the types of extinguisher, and the types of fire they may slow down slightly, pray to whatever God you hold dear that you never need them, and if there is fire raise the alarm and get the fuck out".

My Grandfather was a firefighter with the RAF, my Mother learned from him what to do in a house fire, and she taught me. It really isn't complicated (although I am fortunate enough to not know how difficult it can be first hand), know your routes out, the main route, the secondary route when the main route is blocked, and the "oh fuck" route when all else fails.

BT to axe 90% of its UK real estate, retain circa 30 sites

pmb00cs

Re: What are the odds ...

Given the roof in the artist's impression looks a lot like the roof of the BT call centre in Doncaster (a glorified warehouse, with desks and telephones) I can well imagine this isn't far from the truth.

Alas that building was not easy to have a telephone conversation in, the noise reverberated awfully, and they had to hang material from the roof to help attenuate the noise levels (which didn't help that much).

Yes the new offices will look a lot like that. Nondescript warehouse with office furniture crammed in. The people who imagine these "workspaces" have clearly never had to work in anything like them.

Cloudflare gives websites their marching orders to hasten page rendering automatically

pmb00cs

Re: Why does it have to be https ?

In theory, your site over unencrypted HTTP could be altered by a MitM attacker, causing your viewers' browsers to load resources that you did not expect them to load. Those resources could include malware, or ads for companies you don't like, or don't wish to be associated with your site. The very content of the page could be altered to say things you find abhorrent.

In practice, you probably don't if your site has no javascript, or paid advertising. The risks are mostly to your viewers, not to you anyway.

That said, the costs these days of enabling SSL for a small site are minimal, and I don't just mean that Let's Encrypt offer free certificates, but modern processors (Atom processors included) often contain hardware acceleration for many of the cryptographic functions used by SSL, and if you take the time to set up an ACME client your certificate can be renewed automatically with no further effort on your part.

Facebook is not going to Like this: Brit watchdog proposes crackdown on hoovering up kids' info

pmb00cs

There are online identity verification services that can offer various levels of assurance as to a user's identity. These can be paired with more in-depth document matching services, for users whose identity is harder to verify automatically. The former are widely available and reasonably priced (for services that actually make money by charging some, or all, of their customers for their products). The latter are somewhat more expensive.

It's not like there aren't already regulated industries trading over the internet that have strict requirements on knowing who they are dealing with.

No fax given: Blighty's health service bods told to ban snail mail, too

pmb00cs

Re: Hancock's half hour

Email can be made to be secure, but not within the control of the sender, and at the cost of reliable delivery.

You can enforce transport encryption, but then what happens when none of the receiving servers for a domain support it? Don't send to that domain?

Assume they do, your email is securely transferred to the next hop. Now you have to trust that infrastructure is secure, there could be a dozen more hops, and you have no control over the security practices of any of them.

If everyone secures their email infrastructure then everything is coming up roses. But it's 2019 and my ISP doesn't even offer TLS on IMAP or POP3 ports for email collection. What hope do the rest of us have that the SMTP transport across the internet both supports TLS, and has it enforced?

Or do you mean end-to-end encryption like PGP or S/MIME? Because they require everyone to have keys, and know how to communicate them.

One click and you're out: UK makes it an offence to view terrorist propaganda even once

pmb00cs

"likely to be useful to a person committing or preparing an act of terrorism"

Generally useful to "a person committing or preparing an act of terrorism"? Could be anything!

Or more specifically around the actual terrorism? A-level chemistry would certainly fall under that category, I bet a number of other subjects too, electronics, mathematics, physics, biology, and those are just the ones that could be considered dangerous at high school level that I can think of off the top of my head. So much for the government wanting to recruit teachers, they apparently want to lock a fair chunk of them up.

Should the super-rich pay 70% tax rate above $10m? Here's Michael Dell's hot take for Davos

pmb00cs

Having been rather unfortunately afflicted with a condition that I could not afford to get treated privately, and that at times put my life at imminent risk, I cannot sing the praises of the NHS enough. My condition was not nearly as bad as cancer, and yet I was treated promptly enough once diagnosed, and when my health deteriorated due to the condition to the point that I was in need of emergency treatment it was freely, and immediately, available.

I am not now burdened with a crushing debt, and I did not need to be vastly wealthy to be seen. How is the NHS not a great thing that the UK should be rightly proud of?

The only problem with the NHS, and one that is outside of its control, is that successive governments have been desperately trying to kill it in favour of a system of health insurance and private medical care more akin to the rather dysfunctional system the US seems to be obsessed with keeping.

Open-source devs: Wget off your bloated festive behinds and patch this user cred-blabbing bug

pmb00cs

Re: From where

It's not just command line usage of wget; wget can be used as a library for other programs to fetch files off the internet. If the resource being fetched is behind a login, the details needed to authenticate access to that resource need to be passed to the wget process somehow. That can be done by prepending the domain with "user:pw" in the URL or by including auth tokens in the query string at the end of the URL. Both of these could be considered sensitive data that should probably not be arbitrarily stored on disk unprotected. So any program, or script, that relies on wget could be affected by this bug.

It is worth noting that Chromium is also affected by a very similar bug, and that is not an easy program to use on the command line.
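
The two ways of carrying credentials in a URL that the comment describes, "user:pw@" before the host and an auth token in the query string, are the same two things a fetching script should strip before any URL reaches a log file or on-disk state. The following is an added example, not code from the original comment or from wget itself: it flags both forms, scrubs them from a URL, and scrubs every URL found in a line of tool output. The list of sensitive parameter-name fragments and the sample log line are constructed for the example.

```python
import re
from typing import List
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed list of name fragments that mark a query parameter as a credential.
SENSITIVE_HINTS = ("token", "key", "secret", "password", "passwd", "auth", "sig", "session")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")

# Constructed wget-style progress line carrying both forms of credential.
SAMPLE_LOG_LINE = (
    "--2018-12-27 10:00:01--  "
    "https://alice:s3cret@example.com/files/report.pdf?download=1&api_token=abc123"
)


def _is_sensitive(param_name: str) -> bool:
    lowered = param_name.lower()
    return any(hint in lowered for hint in SENSITIVE_HINTS)


def _host_port(parts) -> str:
    """Rebuild the netloc without the user:password@ portion."""
    host = parts.hostname or ""
    if ":" in host:                 # IPv6 literal keeps its brackets
        host = f"[{host}]"
    if parts.port is not None:
        host = f"{host}:{parts.port}"
    return host


def find_credentials(url: str) -> List[str]:
    """Report where a URL carries credentials: 'userinfo' and/or 'query:<name>'."""
    parts = urlsplit(url)
    findings: List[str] = []
    if parts.username is not None or parts.password is not None:
        findings.append("userinfo")
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if _is_sensitive(name):
            findings.append(f"query:{name}")
    return findings


def scrub_url(url: str) -> str:
    """Drop userinfo and replace sensitive query values with REDACTED."""
    parts = urlsplit(url)
    query = urlencode(
        [(name, "REDACTED" if _is_sensitive(name) else value)
         for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    )
    return urlunsplit((parts.scheme, _host_port(parts), parts.path, query, parts.fragment))


def scrub_log_line(line: str) -> str:
    """Scrub every URL in one line of tool output before it is written anywhere."""
    return URL_RE.sub(lambda m: scrub_url(m.group(0)), line)


if __name__ == "__main__":
    url = "https://alice:s3cret@example.com/files/report.pdf?download=1&api_token=abc123"
    print("findings:", find_credentials(url))
    print("scrubbed:", scrub_url(url))
    print("log line:", scrub_log_line(SAMPLE_LOG_LINE))
```

A script that wraps a downloader should run its command lines and the downloader's output through something like `scrub_log_line` before logging; the query-name heuristic is deliberately broad, since a false redaction in a log costs nothing while a leaked token does.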

It's been a week since engineers approved a new DNS encryption standard and everyone is still yelling

pmb00cs

Re: Cat herding

The Web isn't the only use of DNS though. Any service that needs to resolve a hostname to find which IP address to connect to, or what domain a connecting IP belongs to (assuming PTR records are appropriately updated), relies on DNS. The assumption that "The Web" == "The internet" needs to die.

Yes "The Web" is an important service that many people use day in day out, but it is only one of many services that run over the internet.

Take my advice: The only safe ID is a fake ID

pmb00cs

Re: Silly first name.

Stuart is an English name, derived from the French name Steuart, which is derived from the Scottish, and correctly spelt, name Stewart.

All because of Mary Queen of Scots.

Tired sysadmin plugged cable into wrong port, unleashed a 'virus'

pmb00cs

Odd Network issues

Once worked at a place that had an interesting, and difficult to diagnose, network problem. The network kept going down, and it looked like a routing loop, but would recover on its own sporadically. Turns out that when you use virtualisation on Windows 10, and team two network interfaces together, it helpfully uses spanning tree protocol to prevent routing loops. Unfortunately it uses a very low ID for this, so in this case it became the root of the tree: every time the dev plugged his laptop in to the wired network it became the root of the tree, and sent traffic out over the wireless link (that didn't support spanning tree) which was then passed back to the wired network. And when he left his desk for a meeting and unplugged his laptop everything recovered. Took hours of my colleagues running around trying to figure out what was going on to get to the bottom of that one (and we all learned the importance of telling your network switches which ports were allowed to use spanning tree protocol, and which switches were authorised to be part of the tree). I dodged a bullet by having that morning off.
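
The root-election behaviour in that story, and the fix the author alludes to, modelled in a small simulation. This is an added example and not part of the original comment: STP picks as root the bridge with the lowest bridge ID (priority first, MAC as the tiebreak), so any device on an access port that advertises a lower ID than the core wins the election. Root guard on the access port is the switch feature that ignores such a superior BPDU and puts the port into a root-inconsistent state. The simulation only propagates "who I believe the root is" across links and does not compute path costs or port roles; the bridge names, priorities, MACs and port names are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True, order=True)
class BridgeId:
    """STP bridge ID: compared as (priority, mac); the lowest wins."""
    priority: int
    mac: str


@dataclass
class Bridge:
    name: str
    bridge_id: BridgeId
    # Ports on which a superior BPDU is ignored (root guard enabled).
    root_guard_ports: FrozenSet[str] = frozenset()


# (bridge_a, port_a, bridge_b, port_b): one physical link between two ports.
Link = Tuple[str, str, str, str]


def run_election(bridges: Dict[str, Bridge], links: List[Link]):
    """Propagate root claims across links until nothing changes.

    Returns the bridge ID each bridge believes is root, plus the set of
    (bridge, port) pairs root guard pushed into the root-inconsistent state."""
    believed = {name: b.bridge_id for name, b in bridges.items()}
    inconsistent: Set[Tuple[str, str]] = set()
    changed = True
    while changed:
        changed = False
        for a, port_a, b, port_b in links:
            for receiver, port, sender in ((a, port_a, b), (b, port_b, a)):
                # A neighbour claiming a lower root ID sends a superior BPDU.
                if believed[sender] < believed[receiver]:
                    if port in bridges[receiver].root_guard_ports:
                        inconsistent.add((receiver, port))   # guard: ignore it
                    else:
                        believed[receiver] = believed[sender]
                        changed = True
    return believed, inconsistent


def build_network(guard_access_port: bool):
    """Constructed topology: core switch, access switch, and an end host on an
    access port that speaks STP with a lower priority than the core."""
    bridges = {
        "core1": Bridge("core1", BridgeId(4096, "00:00:00:00:00:01")),
        "access1": Bridge(
            "access1", BridgeId(32768, "00:00:00:00:00:02"),
            frozenset({"Gi0/5"}) if guard_access_port else frozenset(),
        ),
        "laptop": Bridge("laptop", BridgeId(0, "00:00:00:00:00:03")),
    }
    links: List[Link] = [
        ("core1", "Gi1/1", "access1", "Gi0/24"),
        ("access1", "Gi0/5", "laptop", "eth0"),
    ]
    return bridges, links


def election_summary(guard_access_port: bool):
    """Root each bridge ends up believing in (by name), and guarded ports tripped."""
    bridges, links = build_network(guard_access_port)
    believed, inconsistent = run_election(bridges, links)
    by_id = {b.bridge_id: name for name, b in bridges.items()}
    return {name: by_id[bid] for name, bid in believed.items()}, sorted(inconsistent)


if __name__ == "__main__":
    for guard in (False, True):
        roots, tripped = election_summary(guard)
        print(f"root guard on access port: {guard}")
        print("  believed root:", roots)
        print("  root-inconsistent ports:", tripped)
```

Without the guard every switch, the core included, converges on the laptop as root, which is the story's symptom; with the guard the core stays root and the offending port is the one flagged, which is the sort of evidence that would have shortened that morning's hunt. BPDU guard (shutting the port on any BPDU at all) is the stricter sibling for ports that should never see a bridge.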

S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats

pmb00cs

Damp Squib

The attempt by the authors to hype up this "vulnerability" for exposure is both obvious, and irritating. There are now going to be articles in the mainstream press "encrypted emails are insecure" for a week or so. Any one following reasonable practice with email security is simply not at risk due to this, despite the "turn off all encryption and uninstall the plugins" message that this was first reported with. All that is required to not be at risk from the "vulnerabilities" as described is to not automatically fetch remote content. An option that has been in email clients for ages, and has been good security practice for almost as long. That other vulnerabilities may exist for the second of the two attacks, which only allows the exfiltration of some of the plain text, rather than all of it for the first vulnerability, and is more technically involved than the first vulnerability, is something that is of minor concern, and should be patched against, but turning off html rendering (which has also been good security practice for ages) closes both holes completely.

Yes some of the vulnerable software has default settings that put the users at risk, reading the paper that is 13 of the 48 clients listed as tested, and 10 of those have the option to turn it off.

This is meh at worst for those who need the extra protection of encrypted e-mail, frankly.
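The two client settings this post leans on, as an added example that is not part of the comment or of any mail client's code: a standard-library Python check over a constructed MIME message that shows what "do not fetch remote content" blocks when HTML is rendered, and what "do not render HTML" does instead. The sample message, the placeholder hostnames and the list of tag/attribute pairs that trigger a fetch are assumptions made for the example.

```python
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs that make an HTML-rendering client fetch a URL on display.
# Assumed list for the example; real clients block a longer set.
REMOTE_LOADING_ATTRS = {
    ("img", "src"), ("link", "href"), ("iframe", "src"), ("script", "src"),
    ("video", "src"), ("audio", "src"), ("source", "src"), ("object", "data"),
}


class RemoteRefFinder(HTMLParser):
    """Collects every attribute value that would trigger an outbound fetch."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            scheme = urlsplit(value.strip()).scheme.lower()
            if (tag, name) in REMOTE_LOADING_ATTRS and scheme in ("http", "https"):
                self.remote_refs.append((tag, value))
            elif name == "style" and "url(" in value and "http" in value:
                # CSS background images are fetched too, not just <img> tags.
                self.remote_refs.append((tag, value))


def find_remote_refs(html: str) -> list:
    """Return (tag, value) pairs in the HTML that would cause a network request."""
    finder = RemoteRefFinder()
    finder.feed(html)
    finder.close()
    return finder.remote_refs


def choose_display(msg: EmailMessage, render_html: bool, load_remote: bool) -> dict:
    """Apply the two client settings and report what would be shown and blocked.

    render_html=False: show the text/plain alternative, nothing is fetched.
    load_remote=False: render HTML but refuse every remote reference.
    """
    plain = msg.get_body(preferencelist=("plain",))
    html_part = msg.get_body(preferencelist=("html",))
    if not render_html or html_part is None:
        return {"shown": "text/plain" if plain is not None else "none", "blocked": []}
    refs = find_remote_refs(html_part.get_content())
    return {"shown": "text/html", "blocked": [] if load_remote else refs}


# Constructed sample: a multipart/alternative mail whose HTML part carries a
# tracking pixel and a CSS background image. The hostnames are placeholders.
RAW_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Hello, this is the plain text version.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Hello</p>
<img src="https://tracker.example.invalid/pixel.gif?id=123" width="1" height="1">
<div style="background:url(https://tracker.example.invalid/bg.png)"></div>
</body></html>
--b1--
"""


def load_sample() -> EmailMessage:
    """Parse the constructed message with the modern email policy."""
    return email.message_from_string(RAW_MESSAGE, policy=policy.default)


if __name__ == "__main__":
    msg = load_sample()
    print("plain text only:", choose_display(msg, render_html=False, load_remote=False))
    print("HTML, no remote:", choose_display(msg, render_html=True, load_remote=False))
    print("HTML, remote on:", choose_display(msg, render_html=True, load_remote=True))
```

The point the check makes concrete is the one in the post: with remote loading off, the two references are reported rather than fetched, so nothing leaves the client; with HTML rendering off, the HTML part is never parsed at all, which is why that setting closes the whole class regardless of how the HTML is constructed.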

You're a govt official. You accidentally slap personal info on the web. Quick, blame a kid!

pmb00cs

Re: Unisys screwed up

"A better example might be that the library have a shelf with free give-away books, and have put some that they don't want to give away there by mistake.

Now you are meant to come in at the front door and ask the librarian for a book on her list - and then she gives it to you from that shelf. You can't ask for the mistaken books, because they are not on her list. But one night a kid outside the library opens the window next to the shelf and takes a whole armful of books, including some which weren't on the librarian's list..."

Given he could just run GET requests if there was an access control system (which none of the information I have read suggests there was) it was more like the library putting that shelf outside the front door, clearly labelled to say the books are free, with a sign inside the library telling people they need to ask the librarian which books they can take, and a teenager, having never been in the library, but seeing the shelf labelled as a "free books" shelf, helps himself to some books from that shelf, not knowing there is a process to take the books, or that some of the books might not be free.

I'm not saying it isn't a crime, but it ought not be, and the library management should be sacked for gross incompetence.

Maverick internet cop Chrome 64 breaks rules to thwart malvert scum

pmb00cs

Re: Legal liability?

Sounds great, but also complicates the matter, and allows both to wring their hands while blaming the other.

No, as far as the end user is concerned the website should be held solely liable.

If the website then wants to sue the ad platform as per their mutual contract, that is a matter for the owners of the website. And if the ad platform wants to sue the next party down the chain ... etc.

pmb00cs

Legal liability?

This is why websites should be held legally liable for the third party content they choose to include on their pages. The excuse "oh but it was a third party advert that screwed you over" should simply not be tolerated. Whilst the websites can claim that their active inclusion of untrusted third party content isn't their responsibility there is no incentive to clean up the cesspit that is the online advertising market.

Once a couple of good lawsuits bring down a few major websites caught including dodgy ads there will be calls to do something about the dodgy ads that the ad brokers simply will not be able to ignore. Websites will start using ad platforms that offer financial guarantees, and/or indemnity against lawsuits. This will force the ad platforms to vet the ads they include or face bankruptcy when a dodgy ad hits the wrong person.

Rolls-Royce, Airbus, Siemens tease electric flight engine project

pmb00cs

Re: Elementary dear readers

Indeed. All the comments of "but efficiency" or "battery weight": why are we not happy with a technical demonstrator/research test-bed being used to move the state of the art forward? It's not like any of the partners in this process are saying that they are going to start mass producing this configuration for commercial operations. It is an attempt to develop the technology, and demonstrate its feasibility.

Biting the hand that feeds IT © 1998–2020