Posts by hayzoos 375 publicly visible posts • joined 2 Jul 2014
Most distros offer a bootable live CD/USB package. Very good for a trial run to see if there are any hardware issues. Many of those also provide an install option from the live version.
Since you have stated that Windows is just being a VM host for your setup, the live option is a very good next step for you. If you do not like it you can just reboot.
I think you are closer to Linux only than you give yourself credit for. I had to find alternatives for a couple of Windows apps before I could fully switch to Linux.
An informal survey of my important bookmarked sites has google in various hostnames on over 90% of them. I use a handful of tools manage third party content on sites I visit. I have seen functionality of sites requiring more and more of Google hosts' content. Google has a multitude of products/services for the website operator to integrate.
P.S. also present on www.irs.gov
I guess that I am less impatient than you. The local sewage authority offers a 5% discount if an account is paid a year in advance. This is available any time but rate increases (far and few) make the account credit diminish faster but the discount is given up front. Once a relative decided they were going to help financially by paying for a year of my sewage bill anonymously. I noticed the credit right away, but continued to pay my regular amount waiting for the correction of the assumed error. It was well over two years before my wife had found out somehow and confirmed that it was not an error. I then allowed the credit balance to do it's thing. Of course, during that "year" of credit balance a rare rate increase took effect. Since rate increases have happened only a couple of times in the 25 years I have lived here, it seems they may be on a decade cycle.
Is weak 2FA even worth the cons? Lost access to email or phone is a problem. I work in areas without cell services and cannot login when 2FA is only SMS. Implementations are shit. 30 second lifetime of the 2FA code, usually expired by the time it is received. SMS nor email is supposed to be instantaneous nor even quick. Recovery methods that completely circumvent any protection the 2FA provides.
email is not as insecure as it used to be as generally since connections between clients and servers and server to server tend to be encrypted and additional hops on relays to get from domain to domain are nearly non-existent. SMS on the other hand is relatively immature and has not implemented much in the way of security.
I have researched the server side of TOTP and there is not that much more work to implement support for an authenticator app if email or SMS delivery of the TOTP has been implemented. Good enough is not good enough and far better does not require far more effort. Even then, poor implementation could still negate the whole.
I prefer U2F but {whiny voice}"that is just too hard"
If systemd were just an init system, it would not be so reviled. It is the fact that systemd has taken over so much more that it is avoided by so many. It has not only taken over various means of functionality, but also ways of doing things. It is doing things in a more "MS Windows-like" way both in a technical sense and conceptually. It has managed to become a dependency in more than one area of functionality.
A Linux OS can be 100% systemd free. A Linux OS can be full on systemd. There is a third wide ranging systemd variety of Linux OS, less than full systemd in order to deal with dependencies. Because MX Linux does not use systemd init, it falls into the third category, barely. MX Linux is a systemd Linux OS on all other counts, and that matters more than systemd just not being the active init.
I do not think there is any Linux OS which cannot have systemd added 100% with relative ease. On the other hand taking a systemd Linux and removing systemd ranges from not to hard to nearly impossible. The systemd cancer is beginning to take hold even in Windows through WSL. There are efforts to emulate systemd through compatibility deamons on BSDs to allow some Linux origin software to run.
It is the dependencies on systemd which are making matters worse. I have been able to overcome some of the supposed dependencies by manually installing a "service". But other dependencies are far greater and would require a rip and replace of a major part of a package and possibly easier to rewrite the whole package. Software dependency on systemd has to be considered part of the cancer.
There should be an organized effort to make software and Linux "systemd not required"
You do not need an account to download the Linux kernel. The Linux kernel is copyrighted (held by numerous contributors). It's components are generally licensed under GPL2 or a compatible license. You cannot simply download it and do with it as you please, you must follow the license. Copyright laws are what make the licenses' restrictions legally binding. It is protected without a login. And it is publicly accessible.
What you are proposing is that things that need to be protected can only be by restricting access from the public. I want to share some of my creative works publicly, with limits. Copyright and other IP laws allow me to do so and place those limits.
Being publicly visible and being in the public domain are entirely two different things.
I generally agree with WEI being a bad idea. A very bad idea.
I do disagree with the concept that anything posted to the web is public information and anyone can do anything they wish with it. IP/Copyright laws are to allow one to make their content publicly releasable and retain control of the use of said content.
Going to extremes such as "information just wants to be free" or "DVD regions" just sets up a situation where compromise cannot be achieved.
Do not forget that open source relies on copyright in order to be free.
I dabbled with many an OS over the years (too many since 1978). Windows brought in the living money so that is where I spent most of that time. On my personal machines I also used Windows out of bad habit. I did try others from time to time to break the habit, but never happened across Slackware, Slax and Porteus were close. At one point I had committed myself to use Linux starting dual boot with Mandrake from CDs I purchased. That was the dial-up era and CDs via post was faster than downloading. I gave up again when my ISP refused to disclose configuration changes they had made to their pppd to support Windows connections.
When Slackware 15.0 release was announced, I made the jump. Prior to that I went to Mint when Windows 7 went EOL. I was not aware of systemd. Too much of Mint just wasn't right because of systemd when i was poking around under the hood. Slackware is much closer to the *nix I had used before. systemd may not be installed, but it leaves its mark through other softwares' phantom systemd dependencies. It does use elogind from systemd. It could be changed to be more pure non-systemd, but it is systemd-free enough for me. You can even install systemd if you like, Slackware is that flexible.
I have been installing Slackware 15.0-64 from the "live" version. I am comfortable enough with it for the friends and family installs.
May the Slack be with you.
Only two separate networks? I knew of at least nine and I was not privy to how many there were, even though I was part of the security department. On top of that, I am speaking of separate hardware networks. Many of these other networks were operating in separate TEMPEST approved spaces. That's when air gap meant absolutely no connection. Even back then there was talk of allowing other networks at the desks on separate machines. The beginning of the long slippery slope.
The only significant Linux variant is systemd and it is a moving target kinda like Windows in a lot of ways. GNU/Linux without systemd requirements can be a single target for a develpoer. Targeting non-systemd GNU/Linux should also work on a systemd GNU/Linux until it diverges too far (not if, but when). Granted, there are different package systems but there are also for Windows (I supported Windows from v3.0 to reluctantly current.) There is not that much difference in the package systems, I know this because I have manually extracted from .debs and .rpms to install software on my machine when a slackbuild does not exist. I have even installed supposed systemd required software without systemd, it only looks for systemd indicators or uses systemd service system (aka daemons outside of systemd). Vast amounts of Windows software also erroneously claims the need for "admin rights" but in reality does not. Developer laziness is a major factor in all of this.
I can take an application's binaries compiled on my system, for my system (Slackware 15.0) and install it on a systemd Mint installation, provided I compile with the same kernel version and compatible library versions.
Windows application binaries have a somewhat smaller target of kernel versions and library versions but it is still a factor. Lazy developers had coded windows version checks for NT based Windows to halt on "Windows 9"x systems originally meaning Windows 95, 98, and ME. This was a major factor in Windows jumping from version 8 to 10 and skipping 9,
I also use Slackware. Wayland is present but an option that I periodically evaluate. I have not yet been sold. I have not yet been completely turned off.
On systemd, it may not be present, but it has left it's mark. In order to provide a reasonable selection of tools, it has implemented workarounds to appease various packages. I have successfully installed packages which supposedly require systemd, but only require "infrastructure" of systemd. Lest us not forget that Slackware uses elogind as a workaround for hard-coding for systemd dependencies.
"Maintaining sysvinit would be less effort than dealing with systemd related problems by many, many orders of magnitude." -volkerdi 08-16-2012, 04:42 PM post #164 to thread Slackware and systemd on linusquestions.org
I have tried Wayland and will try it again. I have also performed some research. Is seems to me that the biggest difference is that Wayland does not do network display. At this point in time, that will not stop me from using it. But, I have in the past used X network display capabilities. So, I have hesitance to using a display technology lacking the network capability as efficient as X has achieved.
On the other hand, X development is lagging. I am not looking for the new shiny. I am concerned about security. I am concerned about keeping up with display hardware.
Change happens naturally, you have to live with it. Change for change sake as said is useless. There is also change for monetary sake. If the change is only for the monetary benefit of the driver of change, then that is even worse than change for change sake.
A "single site search" is relevant in that the query information is already known to be associated with the particular client. It is only known to a different site in a search for third party sites when the client follows the provided links and it is included in the referrer.
I am viewing the process from a step before the form being filled and returned to the server. I am viewing it from the blank form being presented to the browser. A search provider for third party sites concerned with privacy should really not set up the browser to fail.
The browser does not decide to use a GET method for the search form. The server provides the form with the GET method. The server is where it is known that third party links will be provided. So, yes a POST method search form is what the server needs to provide to the browser. GET and POST are not seamlessly interchangeable so the browser cannot just simply use POST instead, the server has to be prepared for a POST and the best way is to present a POST method at the time of form delivery to the client.
The browser can alter the referrer prior to making the request to the third party server.
Google search is using the GET method knowing full well that most links provided to the query will be third party and will result in a referrer with the query embedded. Leaving it up to the browser entirely to prevent the query from being seen by the link destination server.
The second part is the browser does have a role. It is permitted to change the referrer. There are rules it is supposed to follow and ones it should. Implementing those rules pertaining to sensitivity of information is challenging for the browser. The only way to be sure is to always strip the query portion from the referrer if the link is going to a different server or domain.
As far as I know, Google is still the search leader and now the browser leader.
Google is not the only search provider guilty of setting up the search result to include the query so a referrer with the query will be presented to a third party. Nor is Google the only browser provider guilty of sending the search query off to a third party by design.
Times have changed and it has been realised that more information is sensitive than previously thought. Google would prefer that we keep doing things the old way as long as possible.
The difference is your example is a single site search. The search string is already known by the server where the links take it. Also, your example is a URL, which differs from a referrer string.
In the case of a Google search, the destination site when following a link is not (usually) google.com, but a site which matched the search. That site only gets the search string if provided by the referrer string.
There are two points where the referrer string is controlled. First, the referring server generates the string. Second, the browser can modify the string before presenting it to the destination server.
Google is now frequently representing both the search server and the browser. Most people just accept the defaults which will result in the search terms being in the referrer string.
Now, for the $32 million dollar question. My top of the head math tells me the estimated individual share is optimistic by maybe an order of magnitude. Seventy or so cents seems more like it unless there are far fewer Google users than I am thinking.
The copying or emulation of complex systems goes far and wide. non-exhaustive list: automobiles, "smart" products, IOT products, websites, "customer" "support", tax systems, non-smart electronically controlled devices, soft-touch on/off switches, healthcare systems.
Some of the problem comes from intelligent people egotistically showing their cleverness. The less intelligent are the copiers of the complex.
This is a far cry from the cleverness of simplicity. Instead of creating a Rube Goldberg contraption, create a system to produce a result with the least resource consumption. This concept used to be the gold standard. What happened?
I think your assessment is somewhat accurate. But, a lot of this also comes from lack of experience. The trend is to dump the experienced and hire the fresh out of university or tech school lower cost bright youngun's. So I think it is an industry wide problem. Azure is the canary in the mine though.
Experienced similar telecom shenanigans multiple times in multiple jobs. First job out of university I managed to work my way up to Head of IT (only 25 people in corp office, single step up from bottom rung). This set me up to oversee the tech aspects of the office move 40 miles from the then current location. This involved seven phone/fax/modem lines, and a small capacity DID trunk line. Bell of PA which was becoming Bell Atlantic - PA which later became Verizon - PA all formerly known as Ma Bell under AT&T said they could only provide four POTS lines and the DID trunk line with a 2 week delay for the additional three POTS lines. I had to do some quick learning of the advanced configuration of the Merlin Legend phone system and came up with a workable solution. No more dedicated lines! All incoming would be on the DID trunk and outgoing from a shared pool of POTS lines whose use I could configure in the system far more simple actually. It turns out the existing configuration was advanced and complex because it grew ad-hoc from two POTS lines phone and fax with published numbers and rollover and dedicated modem and all going away because those numbers could not follow our move. But the DID trunk numbers could because they were regional and the move was within the region.
A number of years later I was with another company a hundred or so miles away. We were a private payphone (as a service) company as opposed to phone company payphones. We were servicing one of our rapidly expanding convenience store customer's new locations in the same area of my previous job's office. We were required to provide four payphones each requiring a POTS line. The store itself required about 8 lines. We had our order of four lines in and confirmed to be live no less than ten days before store opening. Then the customer put their order in with Verizon - PA which did not have eight available lines. Verizon gave them two lines from our order, without notice. Our crew was there to install and connect the payphones ten days before opening. They called me because there were only two lines with our name on them. I called Verizon and this is when I found out what had happened. We were obligated under contract to have four working payphones five days prior to opening. That requirement was reduce to two in this situation. Funny thing though, somehow, without us pressuring them, Verizon came through with our two additional lines six days prior. I think somebody with our customer knew somebody at Verizon who could make it happen.
Not enough lines, happened many times. Now no new ones going in, you have to wait for Widow Smith's line to become available.
Excellent idea, but the warning lights have been designed to overcome that mole whack. Observe when you turn the key to the "run" position, the lights will illuminate for a set duration then go out. Then as you start the vehicle they may illuminate again briefly and go out. This is describing "normal" operation when all monitored systems are within operating parameters. If any system is outside of "normal" operating parameters the lights will not go out.
I feel like a combination of Mr. Spock and Mr. Scott in describing this behavior.
Of course you can do as I and ignore (sort of) the light and it will eventually burn out (incandescent) and the inspection mechanic never notices the light does not illuminate initially as it should. I do know the cause and it involves a discontinued part only used on the 1996 model year F-150 inline 6 cylinder, AKA sort of rare even for scrapyard parts.
You should have the right to repair anything you own. You may DIY or hire whomever you wish to do so, be it the OEM or the local Mr.Fixit. There should be simple language stating any shenanigans by OEMs in design or process to inhibit this is illegal. Anything less smells of kowtowing to special interests.
The microswitches are the weakest link. The only reason I have needed feet/pads is because the do double duty as screw covers. If I did not disturb them to access the screws to rejuvenate the microswitches, I think they would last far longer.
The switches may be rated at 5v but most of the mice I see use a single AA battery = 1.5V - even worse for keeping the contacts clean.
My system identifies files by a signature string ("magic bytes" to some). Is this why I get complaints when I send a file without the "standard" "dot" followed by letters at the end?
Seriously, this is not a new invention. It would save many from inadvertently performing some unintended action.
Translation: remotely exploitable
EUFI - Extensible Unified Firmware Interface
Made to be bloatable, changeable, upgradeable; and easily through the installed OS. What could possibly go wrong?
I am not sure, but maybe even secure boot can be disabled through the installed OS (with local admin privileges of course) which when combining a local privilege escalation and a remote code execution, you have remote secure boot disable. TADA like magic!
But just wait, When TPM v.{whatever Win 11 requires} becomes the standard, the secure boot will benefit from the TPM security. Except when those vulnerabilities reveal remote TPM tampering has become a reality. YAY progress!
I am reminded of my company's final Y2K meeting. All manner of suggestions were being made as to how to approach the "event". One in particular was a shutdown everything just in case all hell broke loose, then restart after everything blew over. I played devil's advocate and asked how many of the machines had ever been shut down, would they properly restart? That idea was scrapped, but it did trigger a to do list item to verify that in the event an unplanned shutdown occurred, that machines could reliably restart.
Have an upvote for expressing your opinion.
I can tolerate a lot of music and other stuff. My own musical taste probably elicits a similar response from many a folk.
As such, I do no subscribe to the theory of hate a favored song after using it as an alarm/ringtone/notification sound.
I have used AC/DC's Hell's Bells as an alarm, through an approx. 1.21GW sound system turned up to 11. Pink Floyd's Time has served the purpose as well. Many a good wake up tune out there and I was doing it long before the smartphone.
I do agree with using a personally annoying song to motivate oneself to arise with vigor and purpose.
Thanks for giving your benchmark details. I am compiling on an 8-core 16-thread Ryzen, 64Gb, 1Tb NVME SSD. So you caused me to RTFM. And I found that I had misunderstood the default make behavior is a single job thread. A small tweak to my command line and now the kernel compiles in about 22 minutes. I am using Slackware's huge kernel config as a base so I know it has alot of extra baggage which I should be able to toss with no ill effect. I am a little out of the loop for compiling. It was the 386->Pentium era when I was last routinely compiling anything large, so a 2-hour kernel compile did not seem all that bad to me.
I have it compiling now. I see it has a few AMD and DRM tweaks I would like to try out. I am glad I took the time to perfect building a kernel image I can just copy to /boot/efi/EFI/BOOT/BOOTX64.EFI not need any command line params and let the UEFI firmware boot that by default. I really need to config out features and modules I will never use so the build time will be shorter. Just under two hours is not bad, but I know it can be shorter.
While at college, I wrote a program to help students retrieve their username. At the time, many students did not have to use the VAX computer system except to check exam results or such. Many forgot their username which seemed very cryptic. I suspected it was based on the student ID. After some reverse engineering, I proved my theory. A relatively simple mathematical manipulation and number/letter substitution with a few logical rules converted the student's ID number into their username. I loaded it onto the three PCs in the lab and posted a sign indicating it's presence by the name of username.bat Considering it may take a day or so if the service desk was queried, this was well received by the forgetful students. Not so much by the VAX admins. The program prompted the student for their ID and returned their username for the VAX. I do not know exactly why the VAX admins despised it, there were a few possible reasons. But the student ID was the student's Social Security Number. It seems many think the SSN needs to be kept secret.
TLDR: SSNs are only an identifier, not an authenticator and use without an authenticator is rampant. That is what needs fixed.
SSNs should not be retired. They can only be used as an identifier. As such, their security requirements would be at the same level as a name - minimal. A separate matter is when multiple identifiers for an individual are combined, the security requirements of the combined set should be additive at minimum. When multiple records are combined, security requirements multiply. Simple math really.
What is lacking in the use of SSNs is authentication. In cases of identity theft (fraud against creditors) the creditor accepts a set of information, performs minimal authentication if that is what you would call it. They do make sure the new account given SSN and name combination is assigned an interest rate or security deposit commensurate with the credit rating assigned the combination by the credit bureaus. They may not be bothered if the mailing or physical address given matches the record. They will make efforts to obtain an email address and mobile number for notifications, alerts, marketing, flogging the new dataset to the highest bidder.
Imagine setting up an online account where some form of credit is given. You provide info similar to above. Upon return to the account from an "unknown device" you are not asked for a password or a code sent via SMS or to insert a U2F key device. Upon submitting your username (SSN) you are presented with a Welcome, <FIRSTNAME> <LASTNAME> message, you have 1 million currency unit credits to spend. If this is not <FIRSTNAME> <LASTNAME>, then please log out. This is nearly the same level of authentication granted in instances of identity theft (fraud against creditors).
To top it off, the creditors are permitted to hold the individual authentically described by the SSN and name combination liable for whatever credit was granted and used without properly authenticating the initial individual presenting said information fraudulently. This is how fraud against creditors becomes identity theft. The identity theft victim is given the legal ability to jump through hoops bound with copious red tape to deny such liability. Seeing money to be made the Identity Theft and Credit Monitoring industry has arisen.
I am afraid of LLM (AI). I know better than to blindly trust output from LLM (AI). What I fear is LLM (AI) being pressed into use in things that directly affect me. Healthcare AI! - no need for healthcare organizations to employ expensive doctors! - profit and bonuses abound. AI says you pay this price because . . . it said so and we get more money. Sorry your insurance is marked for non-renewal, AI said you cannot have this job. AI said you cannot have a loan. Blah, Blah, AI, Blah, Blah.
Not hardware vs. software, but network vs, hosts. In a previous job I was on the desktop team dispatched by the helldesk. There was also a network team. When our diagnostics exhausted any problems with the user's computer, we called the network team. Some of their member's standard test was ping. Their answer was it answers ping, not a network problem, click. Fortunately for the user's some of us on the desktop team knew a bit about networking and called their bluff.
The small company I work for outsources their payroll to PayrollTime.com which uses Patriot Software and they use SVB. Fortunately, each client or partner of Patriot Software has a separate account with SVB. Direct deposit is mandatory because of this arrangement. SVB has not been consistent with their direct deposit orders for my bank to extend early direct deposit to my account a feature many banks are offering ( I realize that now ). My company is handling this as well as can be expected for a small company. Most of the employees work in the field, each received a personal phone call to inform them of the situation. The situation is an expectation that the pay will process Monday, but a check was offered if needed. I declined the check today because resolving the difference if deposit goes though would be a nuisance. I'm more pessimistic and do not expect Monday processing, but I'll be patient, I have enough liquidity to be so.
I will be making a stink Monday afternoon if no deposit is made or no check is available. Technically, the company has not met payroll.
I will also be voicing my opinion concerning using a company which is a rebranded online payroll (cloud) using a rather generic name of PayrollTime.com. Nearly the epitome of a shady operation.
If PayrollTime.com has more than the $250,000 deposited with SVB, then they had better make good on the payrolls first before making themselves whole.The payrolls are not their money. Should those shenanigans occur, I will be seeking a lawyer. Of course my employer would be one of the defendants, but they are ultimately responsible to make payroll. I will not tolerate passing the buck(s) in a game of pay keepaway and liability avoidance.
Spoofing a number is literally a feature. The true originating number is not always transmitted by each switching office on the way to the destination. It really is not much different than email on that aspect.
The originating carrier does know the true number. The terminating carrier chooses whether accept the call without a number. Blame all around.
As per the article, I say better than status quo. Elon Musk is trying to run his car company like a software company, ignore all liability, fingers in the ears, na na na I can't hear you. Something needs done since so much is becoming dependent on software. It is a realization of "the computer said so" does not mean it must be. There is the danger of implementation by committee of luddites.
So, considering that the mass ejection produced more movement than expected, maybe we need to be careful how much mass from Earth we eject out beyond Earth's orbit.
Title: Just popped into my head. Searched it before posting and found it was the B side to "Point me at the Sky" strange coincidence.
Icon: Visual of mass ejection. Okay, mass conversion as well.
I believe putting the source in pseudocode is all that would be required. Then you must arrange for it to be printed on t-shirts. Politicians' heads may rapidly expand beyond the cranium's ability to hold grey matter. Please do not mistake that statement as a suggestion of the presence of grey matter.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2023
