Re: Surely...
But his solution would just suck.
- ah yes, that's where I left my coat.
2545 publicly visible posts • joined 7 May 2012
Did the crime rate increase or did the reported crime rate increase.
Because I am quite confident that knowing the whole thing is on camera, when an overreach inevitably occurs, the appropriate investigation occurs*. I wonder out loud whether in the old days the junior gets taken aside for a quiet word about not being allowed to tase someone just cause they made some snide comment under their breath now gets officially recognised as a crime.
*not counting the well publicised exceptions that led to various riots.
If your hypothesis is right* then someone at a vulture desk will owe MS an apology for the title of this article. It would in that case be Asus causes some of its motherboards to crash** after faulty UEFI implementation.
* I have nothing to add on that point.
** Brick is the wrong verb here.
> What needs to happen is browsers need to start a connection to a server with only TLS 1.5 (assume a time traveler with from 2020), then when that fails, drop back to 1.4 and so on until it can talk
Sorry Tim. That can't work. Or more specifically, it can't prevent a downgrade attack.
Alice sends Bob a TLS 1.5 handshake.
Trudy intercepts that handshake and responds to Alice with a wtf response. Alice can't yet verify that this isn't actually from Bob.
Alice then tries with 1.4. Trudy responds the same way.
And so on....
Eventually Alice tries the only-just-better-than-ROT13 version thinking Bob can't do anything better. Trudy lets it through and can then observe or fiddle with the stream.
So independent researchers discover and report to the government a vulnerability allowing it to be patched rather than exploited. Instead of a thank you, they get the book thrown at them.
Do pray tell, what exactly do you think that the next researcher will do if they discover a vulnerability? Certainly they wouldn't setup some hidden tor service where for some infinitesimal small portion of bitcoin you can load credit on the card, making a wad of cash whilst the authorities pay big bucks to try to reverse engineer the hack.
Security research can be a murky area. By not selling their exploits on the underground marketplaces, they are already giving up a lot of money. Sometimes they will overstep the mark even if their intentions are good. I make no judgement about whether they overstepped here, but the government needs to catch half a clue here, figure out what they are trying to achieve and determine whether their decision to prosecute advances that goal.
Upon sober reflection, they should realise they have scored a spectacular goal, just for the wrong team
> However, there’s no direct information in the spec sheets to say drives are warrantied for data written. In fact, terms such as “designed for” are used more often, so where do we stand with the warranty?
In Australia, it's actually pretty simple.
https://www.accc.gov.au/consumers/consumer-rights-guarantees/consumer-guarantees
Companies can include or exclude whatever they want; it doesn't reduce makes no your rights under consumer law. Unless that writes/year is clearly stipulated in the box, visible before you make the purchase, they can't enforce it (won't stop them trying of course). They don't even provide an easy way to measure how much has been written, so it would be difficult to say the least for them to enforce even if they suspected you were "naughty".
It's doubling of powers though. Just going from 8 to 9 would increase it by 36 fold. Not sure what I'm missing here but there should be about 2.8 trillion combinations of 8 character lower alpha + digit
= (26 + 10) ^ 8
Just going to 9 characters gives you 101 quadrillion possibilities, which grabbing my not really Bill Gates hat ought to be enough for anyone.
I don't follow what they are running out of because these are already big numbers. [citation needed]. My suspicion is that they are concatenating more info into those identifiers (first x characters means y, etc) but that's just a guess.
When you have kids, you learn to stop asking how object 1 with no worldly reason to be anywhere near object 2 finds itself inside the said object 2.
The instances of said interactions between unrelated entities tend to happen during the times when the said kids are being "a bit too quiet".
You can install fiddler on your PC then proxy your phone via that PC and fiddler will intercept the traffic for you.
Then you can see if they are encrypting the traffic itself. It is quite an eye opening* thing to observe and works for all apps. You can even mitm** yourself if they aren't pinning the certificates and inspect what they are encrypting. That can also reveal privacy breaches.
* not in a good way
** android will warn you that others can observe if you install the fake root certificate to permit this.
Correct, but this article doesn't even follow the threat model like a bank does.
1. The ATM and cash is insured, so any loss is not paid directly by the bank.
2. Insurance is a cost of business that is passed onto their customers as part of the fees.
3. Unless specific banks are more vulnerable than others, the insurance premiums will rise uniformly across all banks to cover it, that number gets crunched through Excel (or worse) and everyone's account fees or ATM fees or whatever raise by a few dollars over the year.
Sure. It was self evidently a bit too subtle a joke for a few folk here who probably thought that I was advocating against ad blockers.
The point was that they could make the process of presenting the question to probe (all that they are required to do) just as annoying as the ads themselves. Point 2 was that such an experience wouldn't be noticeably worse than what one is subjected to without an ad block installed. Ergo, the only folk who would actually suffer would be those used to an ad free experience.
Maybe they can ask the user's permission on a panel that obscures the contents. It could ask as an automatically playing video that can't be skipped, tripling the page load time. This has two advantages.
1. It would suitably annoy those running ad blockers whilst complying with the law.
2. Those not running ad blockers would be able to tell the difference from their usual experience of websites.
You could nearly mount that argument if the failure was caused by a tsunami hitting their data centre. The script was run by them for them with no customer benefit. They did it in a prod environment without any fallback plan and without giving notice to their customers. Inadequate precautions were taken. Blame is the right response here.
> You convert this to heat, and transfer it to motion
All of the useful work performed by an ICE occurs because of the expansion of the exhaust gases after combustion.
The fact that an engine feels hot while running [citation needed] proves that the energy in the fuel is being converted into heat. If all the energy was converted into motion, it would feel no warmer than a metal street lamp post. Furthermore, it would be silent because the sound waves from the combustion is wasted energy.
But the vast majority of the energy in your fuel tank leaves out the exhaust pipe at a few hundred degrees. If you want efficiency, it's going to have an electric motor, not an ICE.
A bowed head isn't going to fix it. A fine isn't going to fix it either as fines are just considered a cost of business and will be passed onto consumers in one way or another. But what will change behaviour is penalising their future scores. Cheat by 10% and be penalised by 20%. Cheat with a million cars, have the 20% penalty against 2 million. 4 models caught, penalise 8. Done it for 2 years, penalise for 4.
At the end of the day, they are stealing customers off their competition, so this approach would give that competition a leg up and create a strong disincentive to cheat.
> crime victims and surviving family members have rights, too – namely, the right to have cases solved with the strongest evidence available.
Surely the strongest available evidence for orders of magnitude more crimes is kept from victims by the right to remain silent. Admissible evidence laws for many more. Should those be repealed while you are at it?
> I kept going back for a time, but eventually they lacked anything that I found interesting
That is freaking ridiculous. Entirely true, but freaking ridiculous.
The opportunities for aspiring geeks today are massive. From Arduino to drones, mesh WiFi devices, NFC activated automation and other IoT Pfaff, even computer controlled Christmas lights would have been a natural fit for their former self.
There was never a need for them to sell TVs. Their stores could only physically fit 2 or 3 options for each size. Go in looking for say a 40" and you would get a choice between a who knows what home brand with crap refresh rate and colour reproduction for cheap or some 4K 3D smart panel with a curve for about 8x the price. With only so much room in most their stores it was always going to struggle against good guys, JB or Harvey on selection.
Dick Smith of 25+ years ago was a very different store to that which finally closed down.
There was a time before they became a JB HiFi hardly normal wannabe when their catalogue looked more like jaycar's. Their sales staff would ask about your project and be able to suggest the part combination to solve your problem. The latter day "tech-sperts" could tell you which lightening or micro USB cable plugs into your phone. It really was a shell of its former self.
The way that I am reading this, it would also outlaw the only recommended way of storing password information; a 1 way password hash. These by definition (AND GOAL) cannot be reversed* to the original content even if you know the hash and the specific algorithm(s) applied.
* and before someone points out rainbow tables, these are simply cached brute force attacks.
That 'D' in ACID compliant for a start. Right now you can't flag a transaction as committed until the writes have hit the spinning rust or SSD, or at least until sufficient data has been written to a log somewhere to allow the data to be reconstructed in the event of a power failure. This makes that latency several orders of magnitude faster, which in turn reduces the duration of locks and the throughput boost that would provide.
I'm looking forward to it.
Not only that but anywhere that allegedly provides a USB socket for "free charging" (cafe / airport lounge / hotel conference room / etc) could just start firing commands down the line whenever it sees a new device and pwn a not insignificant percentage of phones.
As a side note, it is interesting how perspective of threats have changed over the last decade or two. In the late 90s, the ability to make a call or send a text when the device was locked would have been the story, and access to the internal storage would have rated meh.
Another side note, it would be interesting to know whether the same tricks could be used to sideload some malicious apk. If so, this could get really nasty.
> It also means the whole world will be using the same, open source rendering engine, good for users, good for developers.
No. It creates a monoculture. I am not saying that there is anything horrendously wrong with chromium. There are certainly worse baselines that could have been chosen. I am saying that we already have a product with the specs they are proposing, that that product has around 50% market share depending on who's asking, that there is nothing so horrendous about it that will see a significant portion of that 50% jump ship so why bother. If the best defence is that monocultures rule, then mount an argument that there should only be one c compiler / one desktop environment / distro / in fact, one uber OS / and while we are at it, browser.
> Nuclear power is safe and if designed right, does have minimal waste, much less than coal or gas power
.... much less radioactive waste than coal power (on a per MW/hr basis).
TFTFY
Note: possibly also applies to gas but I don't know those numbers.
I guess coming out the top of a smokestack over time rather than leaving it in the bottom of a lap pool makes it OK?
I guess you are lucky enough to live in a free country. Yes a lot of those good points mitigate many threat models, but a big part of this is a march towards government intrusion (even in free countries) and intrusion above and beyond the level warranted by the alleged crimes of people.
It isn't going to leak so much to Eastern European mobs but firstly to other agencies. In the now famous iPhone debacle, there was a second request for the same assistance in NY for cracking some alleged drug lord's iPhone. Fair call, he sounds like a Bad Guy™. But sooner or later it becomes routine in all investigations. Next thing you know, a fishing expedition is launched whenever someone forgets to return a DVD.
Assuming that our friendly TLAs hadn't already cracked it and were just trying to set a legal precedent (that is a pretty big assumption there), if you can control the parts that retrieve and act upon the device key (ie not containing secure enclave) it is possible to pull the device key. Once you have that, brute force of any short password or PIN can be done for a few bucks of Amazon time.