Microsoft: The Google Wannabe
Whether it comes to trying to track and data-mine everything you do with your computer, or working against your web freedom and privacy, Microsoft has become a big Google wannabe these days.
217 posts • joined 26 Jul 2007
As bad as it has been in recent years where giant social media platforms have become megaphones for all sorts of 100% false and manipulative garbage, the alternative of having corrupt politician-du-jour decide what stays or what goes is probably even worse.
I've watched this debate going on for decades now, and politicians didn't care all that much one way or the other until they discovered occasional restrictions on their own armies of disinfo bots and nonsense-posting political provocateurs.
If any changes are going to be made they need to be done cautiously and with due consideration from people who understand the big-picture cultural implications (and what is or is not feasible from a technical/platform standpoint), not idiotic self-serving politicians. At the very least, some sort of community standards board with a diverse membership should be involved in setting standards.
Far easier said than done.
Especially considering the fact that some degree of anonymity is still important for any sort of dissident. Nowadays you cannot even attend a political protest without being surveilled, face-recognition-matched, DNA-collected, GPS-tracked, etc., etc.
Unfortunately they are so emotionally invested in the illusion he represents that they are extremely fact-resistant and prone to impressively deeply-nested levels of rationalizations. So those numbers of "core" followers are not dropping as fast as you might think.
The so-called "independents" that voted for him, however, are declining noticeably lately.
There is no need to wonder; it's been obvious for a very long time.
You are missing a few other elements but the ones you did include are correct.
If there is one actual skill that this man possesses it is in finding and manipulating gullible, not particularly intelligent people to serve his personal interests.
He certainly hasn't the slightest concern for anyone's interests but his own.
Regarding your last paragraph, I simply want to know what entity I am dealing with.
If Google or Microsoft sees the need to create a slew of brand-new domains like awer9u8sdlfkjsdkfjhdf.com to serve web content, I view such a decision as inherently hostile, because they are a well-known organization that has no reason to do such a thing unless they're trying to hide something.
If I have a company name I can look up the company and decide whether their content has any use to me, is just useless/unneeded or is an actual potential threat.
So, e.g., if I find out that their business is "behavioural tracking", their code goes to the bitbucket. If I find out that they are providing something actually useful like a web chat client that the calling domain (a known and legitimate company that I have an existing business relationship with) uses for a legitimate purpose like customer support, then I might not send it to the bitbucket; I might enable it on a day I actually need to use their support chat. Etc.
I registered my first domain in 1998 as well and the information there is complete and correct as of this day.
Mind you, I don't put data in there that could directly endanger me or subject me to stalkers. Never had a single problem with it, maybe a dumb domain-switch solicitation mail or fax every once in a blue moon, that's about it.
I see basically ZERO reason for any legitimate business to hide behind a 100% redacted WHOIS record. If you are a legitimate business and not a scammer, you owe it to the public who may be roped into "doing business with you" simply because you're serving some dodgy JS on thousands of webpages that people encounter every day without any warning in advance that your lousy dodgy JS is going to be trying to get into their browser.
At the VERY least they should have their f'ing COMPANY NAME there. Would you buy stuff from an entity on Amazon that won't even tell you what the name of their company is or where they're based?? Would you buy a car or a pork loin from a reseller that won't even tell you who they are?? This is absurd.
For individuals of course it's different, if they don't have a business or mailing service address or a phone # that doesn't ring at their house or on their mobile then yes, I understand all that. I'm not talking about such people. I'm talking about companies who you are forced to "do business with" in the form of active online code, but which REFUSE TO IDENTIFY THEMSELVES.
As it stands today, the whole idea of WHOIS has been completely destroyed for all practical purposes. It seems that almost every new domain registered today is completely redacted by default.
I view this as just one example of how various parasitic entities have twisted the domain and IP address-space management bureaucracy in recent years towards their own profit interests and against the interests of the public at large.
Just like the subject of the article we are commenting upon.
What has happened to ICANN, IANA and the Internet Society over the last 10+ years is horrible.
Considering the fact that Google isn't particularly interested in making it easy for people to circumvent advertising and paywall tech, don't expect much help from them in Chrome/Chromium (and all its forks) either.
Yes, it should not be easy for websites to ascertain if someone is using incognito mode. Or any other privacy/security enhancing tactic if the user so chooses.
"Ask me every time" became ridiculous on the web like 15+ years ago.
Nowadays the best strategy is to use an extension that auto-deletes them, make the default "session only" and set the timeout after tab close to delete to ~60 seconds (in case you're doing an e-commerce transaction or some other page that pops a new window to enter credentials in and then redirects back to the original page afterwards to complete the transaction with cookies carrying the login status).
Then just add the few sites you do need persistent cookies on as necessary and that's that.
Of course, now that we have reasonably effective cookie management tools, site developers are moving onto other mechanisms that don't rely on them, like local storage/DOM storage and browser fingerprinting.
Goodness forbid you're using a mobile browser, the choices there are bleak.
Being able to initiate a password reset is not the same as revealing the password in plaintext on someone's monitor.
Initiating a password reset shouldn't be an inherent risk for an admin to use unless they control the account that the reset request is being sent to. (Or they are using an idiotically insecure channel like SMS to send the unencrypted password reset request)
On the other hand, if a user asks an admin to both reset a password and disable 2FA simultaneously, that should probably require A) some additional info from the user and B) supervisor approval of some kind before being allowed, and the account in question should probably be closely monitored for a while, too.
As for Twitter not being open, I think it's clear that they are not, despite their claims. If they were actually being open, they would have defined what this "small number" of admins actually means, what positions they held, and more details about how they were pwned.
People have had years to "wake up", yet they seem to be getting stupider and stupider about such things.
Education and aggressive policing of the massive online disinformation programs that are going on these days would be helpful.
As would actual criminal penalties against any business that causes damage to customers or the community, either willfully or unknowingly. If you own a building that flouts safety regulations and which blows up and injures people living next door, the same principle applies.
Unfortunately in the US, Profit is King, so there is rarely any political will to write and enforce such cyber-laws. Especially since technology-ignorant politicians can't even imagine what the potential problems are until they have already left a trail of destruction.
Not just one but apparently several Twitter employees were socially-engineered to share or compromise their admin credentials which have access to super high-profile accounts?
Is this some kind of bad joke?
Maybe it's karmic justice for being one of the top 3 enablers of the current POTUSCLOWN.
"When the only tool you have is a hammer, everything looks like a nail."
Give technocrats a problem, and they will propose a technology "solution" for the problem.
I suspect old-fashioned contact tracing is at least as efficacious, and I don't have to worry about incompetent/cavalier developers that make stuff that violates my privacy far more than necessary to accomplish the job. (E.g., anything with links to any Google framework is already highly suspect.)
The attackers apparently did 2 things on the targeted accounts with the admin creds they gained access to (apparently via social engineering), which are standard admin tasks:
1) Disabled 2FA if enabled
2) Reset the associated email account to an account under their control
Once they had control of the linked email accounts (and with 2FA disabled) they could send password reset requests and at that point they effectively owned the accounts.
None of that discounts the fact that Twitter is incompetent here - in fact I think they are grossly incompetent.
And this also highlights the folly of making access to a particular email address a critical part of any account's so-called "security".
It's not much better than your bank giving someone else access to your account if they are wearing the same brand of shoes you wear.
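The two posts above describe the same recovery-flow weakness from two sides: the admin-side rule that a combined "reset password + disable 2FA" request should need extra identity info, supervisor approval and follow-up monitoring, and the attacker-side sequence of disabling 2FA and re-pointing the linked e-mail so that a password reset lands in a mailbox the attacker controls. The code below is an added illustration written for this page, not the commenter's code and not anything Twitter runs; it shows a preventive check for the first rule and a detective check over a constructed admin audit log for the second. Every field name, action name, account id, admin id and log line is constructed for the example.

```python
"""Constructed example: gating and detecting risky account-recovery actions.

Two controls on an (assumed) admin console's recovery tooling:
  1. Preventive: a request that resets a password AND disables 2FA in one go
     must carry extra user verification and a supervisor approval, and the
     account goes on a watch list afterwards.
  2. Detective: over the admin audit log, flag any account where 2FA was
     disabled and the recovery e-mail was changed within a short window,
     the combination that hands the password-reset channel to whoever now
     reads that mailbox.
All action names, field names and log lines here are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Set

HIGH_RISK_COMBO = {"reset_password", "disable_2fa"}
TAKEOVER_COMBO = {"disable_2fa", "change_recovery_email"}


@dataclass
class RecoveryRequest:
    account: str
    actions: Set[str]
    identity_verified: bool = False              # extra info supplied by the user
    supervisor_approver: Optional[str] = None    # id of the approving supervisor


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)
    watch_account: bool = False


def evaluate_request(req: RecoveryRequest) -> Decision:
    """Preventive control: combined reset + 2FA-disable needs step-up.

    Any request that asks for the combination puts the account on watch,
    whether or not it is allowed, since the attempt itself is notable.
    """
    if not HIGH_RISK_COMBO.issubset(req.actions):
        return Decision(allowed=True)
    reasons = []
    if not req.identity_verified:
        reasons.append("additional identity verification required")
    if not req.supervisor_approver:
        reasons.append("supervisor approval required")
    return Decision(allowed=not reasons, reasons=reasons, watch_account=True)


def parse_audit_line(line: str) -> dict:
    """Parse the constructed 'timestamp|admin|account|action' log format."""
    ts, admin, account, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "admin": admin,
            "account": account, "action": action}


def detect_takeover_pattern(lines, window=timedelta(minutes=15)):
    """Detective control: per account, pair a 2FA-disable with a
    recovery-e-mail change that happened within `window`. One alert per
    account; each alert records the admins involved and the first timestamp."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_audit_line(line)
        if ev["action"] in TAKEOVER_COMBO:
            by_account[ev["account"]].append(ev)
    alerts = []
    for account, evs in sorted(by_account.items()):
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            # Only two action types are kept, so a different action = the partner.
            partner = next((e for e in evs[i + 1:]
                            if e["action"] != first["action"]
                            and e["ts"] - first["ts"] <= window), None)
            if partner is not None:
                alerts.append({"account": account,
                               "admins": sorted({first["admin"], partner["admin"]}),
                               "first_ts": first["ts"].isoformat()})
                break
    return alerts


# Constructed audit log: acct_1001 shows the takeover pattern; acct_2002 is a
# lone 2FA reset; acct_3003 has both actions but hours apart.
AUDIT_LOG = [
    "2020-01-01T20:01:10|admin_kim|acct_1001|disable_2fa",
    "2020-01-01T20:02:30|admin_kim|acct_1001|change_recovery_email",
    "2020-01-01T20:05:00|system|acct_1001|password_reset_sent",
    "2020-01-01T20:10:00|admin_lee|acct_2002|disable_2fa",
    "2020-01-01T21:30:00|admin_lee|acct_3003|change_recovery_email",
    "2020-01-02T09:00:00|admin_ray|acct_3003|disable_2fa",
]

if __name__ == "__main__":
    print(evaluate_request(RecoveryRequest("acct_1001", {"reset_password", "disable_2fa"})))
    for alert in detect_takeover_pattern(AUDIT_LOG):
        print("ALERT", alert)
```

The detective check deliberately keys on the two actions that hand over the reset channel rather than on the password reset itself, because the reset mail is the legitimate-looking final step; by the time it is sent, the earlier pair is what distinguishes a takeover from a routine support ticket.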
One WiFi privacy tool I use on my phone uses the GPS to ascertain if you are near a known network or not before it attempts to connect. (Rather than the usual practice of constantly broadcasting and looking for a known network)
Perhaps something like that could be applied to Bluetooth. (Of course, all the privacy-invasive things people like to use Bluetooth for - like retail BT beacons and such, would stop working. A feature, not a bug..)
Unfortunately Verizon's network, while probably the best run in the US, is rather unique.
So the majority of phones that work elsewhere won't be fully operable on Verizon's network. (Due to, among other things, its unique LTE spectrum and usage of IS-95/IS-2000 ["CDMA"] technology for fallback voice and SMS)
It doesn't look "right" because it's more or less just the top of the final launch stack, equivalent to the 2nd stage, a dummy crew module, and the Launch Abort System. (LAS - the little tower on the top, which is what they were primarily testing today)
This is what the completed launch vehicle will look like during the first stage of the launch:
@elDog - you beat me to it.
I thought the article was going to talk about the fact that Acronis and Kaspersky were going to do some kind of partnership or something.
Because Acronis was indeed founded by a bunch of Russian guys.
Lots of companies seem to move their official headquarters around to more geopolitically blasé locations to avoid cueing in the public about their national roots, particularly when that's a place that isn't very popular at the moment...
I've been using RSS for quite a few years and a "headline lister" sounds fairly pointless to me.
The whole reason I use RSS readers is to avoid all the garbage on the original webpages, and to reformat the pages into something that doesn't blind me. (I pretty much despise blinding white backgrounds on anything I have to read much of.)
I realize this may sound like some kind of declaration of war to those whose salaries depend on website advertising, but if I wanted to load all the scripts, images, tracking nonsense, ads and other junk just to read a couple of paragraphs for each article of interest I would just go to the original website and forget about RSS.
Re: Assange's "selectivity", of course it would never have occurred to any of his numerous bitter critics who made their mind up about him the moment they heard all that state propaganda about him and never bothered to look at the details... that he might actually be protecting Edward Snowden by not going full-tilt against Russia at the moment?
Or that Russia is one of the very very few countries in the world (2 or 3 at the most) which has the power and capabilities to a) keep Snowden away from US clutches, and b) provide some kind of platform to someone like Assange (e.g. via RT) who is persona non grata anywhere the US has significant influence? Does anyone in their right mind think that the BBC is going to provide Assange with a neutral platform from which to criticize western countries?
Most of the shrill critics from what I can tell basically decided whether they like him or not based on whether he leaked anything on their buddies recently and what their favorite politician tells them to think. The US Republicans hated him and Wikileaks with a passion for years and were incessantly braying for his head until Wikileaks released some damaging material on their political foes that ultimately helped them win the election, whereupon they all kissed and made up and got on the Wikileaks bandwagon. Pathetic.
This is the most ridiculous international legal case I have ever seen.
Sweden issues an international arrest warrant for a guy who had already been cleared to leave their country after they questioned him on Swedish soil the first time around. Then after he leaves the country they decide to re-open the matter - likely after back-channel pressure from one of those exclusive club-members with 5 eyes... The way they've been after him you'd think he blew up the Swedish parliament or something.
Assange and his legal assistants offered many many times over the years to speak to the Swedish prosecutors, but they refused to take a plane flight to the UK to do so and instead created this ridiculous circus where the cost for the UK to babysit him all this time has probably exceeded 1000 times what the cost of traveling to London would have been to interview the guy who they claim they "do not have physical access to". (Yeah, I suppose that's code for "physical access to kidnap him, chain him to a wall and send him for US-style "extraordinary rendition"" in one of those peachy "black sites" the US loves to use when they want to avoid the inconvenience of legal and publicly-known detention.)
The Swedes waited something like 5-6 years before they bothered to travel to the UK to interview him and then a few months later they drop the case.
It's ridiculous, it's absurd, he should be a free man.
It's trendy to bash antivirus (especially when you have your own axe to grind), but it reminds me of all the dimwits who breezily proclaimed on January 1, 2000 that the Y2K computer problem was obviously a big hoax because the world didn't come to an end that day. (Conveniently forgetting that the world had spent decades and billions of dollars/pounds updating everything precisely so that would NOT happen.)
Oftentimes when a security measure is this ubiquitous people in ivory towers who have enough advanced knowledge and skills that they don't personally need to rely upon such measures make dumb sweeping proclamations about everyone else.
I haven't used A/V on most of my personal boxes for decades (except Android where, e.g., the available web browsers are too unsophisticated to be capable of being configured securely and Google has a lousy track record of letting malware/spyware into its app store), but I would never dream of advising one of my clients to do the same.
I sympathize with both parties. A company in IBM's position can absolutely have a legitimate concern that keeping the worst parts (e.g. exploit code) offline during the initial disclosure will prevent some of their customers from being exploited. Perhaps after some nominal timeframe they can "un-embargo" it.
And while full disclosure is a nice philosophical goal, I've seen more than my fair share of "security researchers" over the years who seem more determined to make a name for themselves by releasing documentation and tools to facilitate widespread malicious behavior via copycats than they truly seem interested in improving the security of the digital world.
I don't know what category Maurizio Agazzini comes under. But likewise, not every company that thinks in the way IBM is here is automatically some cartoonish caricature of the sleazy, profit-hungry monster that only cares about their bonuses and golden-parachutes.
Given that OVH is one of the very largest hosting providers in the world (especially free or cheap hosting, thus they have more than their share of miscreants as customers), and given that Level3 operates one of the very largest "Tier one" transit networks in the world - statistical probability suggests that yes, it was probably a coincidence.
I'd say there's a good chance I started soldering electronic things together before you were born, given the demographics of this website.
So yeah, I'm a total beginner at this stuff.
The statistical risk of damage to a $10 surface-mount component when attempting to de-solder it from a circuit board is exactly the same whether it's one of a dozen junk phones you are casually tinkering with in your garage or a key piece of potential evidence in a massive and highly time-sensitive international terrorism investigation where failure is not an option. (Which for some reason you have also been asked to perform in that garage lab of yours)
But the stakes in the latter are about 1,000,000 times higher. Which is why you don't send such high-value evidence to tinkerers to play around on in their garage lab for 6 months. And the price of such an operation varies accordingly.
Actual high-security/low-production devices such as those used in top-secret roles, e.g. military and by national-security officials, often have just such countermeasures.
But it would be corporate suicide for a company to build a product that sells at the scale of hundreds of millions per year, which is essentially 100% un-repairable.
Especially since the vast majority of end-users don't give a rat's behind about security and privacy anyway. (If they did, companies like Facebook wouldn't exist)
Re: "Not so amateur"
What you offer as 'proof' says that he's an academic, not a professional forensic technician.
As I wrote previously, the constraints of an actual, high-profile forensic investigation of a very high-profile, high-value piece of evidence are vastly different than what a guy tinkering in his home lab (while probably destroying many phones in the process) is under. It has nothing to do with his smarts or abilities; it has everything to do with A) being able to guarantee success within a certain timeframe, and B) being able to guarantee that even if he doesn't succeed, he doesn't destroy the evidence in the process.
For every Skorobogatov that proudly announces he's come up with a successful hack, there are probably at least 100 people that tried and failed. Which one of those 100 should the FBI have hired instead of Cellebrite or whoever they did hire? John McAfee? :D
And how much was it worth it for them to have an answer in March, rather than waiting 6 months for the tinkerer to come up with a successful hack?
Skorobogatov claims it took him 4 months, but it's nearly 10 months since the FBI got their hands on Farook's iPhone.
Except the little fact that the article author claims that the FBI overpaid by "$999,900" - valuing the amateur hacker's work at exactly $100. (In fact, valuing their labor at "zero", and only accounting for their out of pocket cost for hardware. Which is uhh, rather sensationalist.)
All that said: I'm no apologist for the FBI, or Comey in particular who I think is a lying/deceptive piece of sh.... But the premise of the article doesn't "prove" that the FBI overpaid "$999,900". (See my previous comment)
They probably overpaid, and overpaid by a lot, and trumped-up the figure to make headlines. But they could not have done it in a proper way for $100, either.
It's also telling that we never heard a peep from the FBI later about what they had actually found on the device - which likely corroborates the opinion of various people who said prior to the hack being announced that it was highly unlikely that there was anything of value on the phone anyway. (It was his work phone, he already destroyed his personal phone.)
You can't compare the work of some amateur that values their time and expertise at 'zero' - and who spends months working on the hack, along with probably destroying dozens of phones in the process, to an actual forensic investigation of a highly valuable piece of evidence.
When you desolder the chip that holds all the memory of the device from the board, there is a huge risk that you damage the chip beyond repair and then everything that might have been on it is lost, whether or not you eventually figure out how to extract data from similar chips.
For a certain class of person, the only possible explanation for a person who has revealed widespread injustices, lies and governmental abuses and thus rattled feathers in high-places (and is therefore on the run from governments determined to punish him for that) is that he is a self-aggrandizing attention seeker.
I think such pre-determined conclusions say more about their worldview than his.
Thank goodness for so many of those "attention-seekers" over the millennia that had the perspicacity and conviction to force society to make important changes that ultimately became the human race's heroes.
But no, in this case, we keep hearing instead that he's just an "attention seeker".
If so, that's an attention-seeker we could use more of.
Actually the Swedish allegations have always been weak and questionable, and the Swedes already had a chance to question him about the allegations, which they did, and they cleared him to leave the country.
Sorry but for those who have actually reviewed the actual history in detail and who don't have some kind of in-built bias against the guy, the whole matter stinks to high heaven.
"...any links to actual evidence that Yelp offers such quids pro quo?"
Yes, they do. But here's how they do it:
At the top of every review today, Yelp now proudly states:
"Your trust is our top concern, so businesses can't pay to alter or remove their reviews. Learn more."
No, they don't technically "remove" negative reviews, they hide them. Which is the go-to tactic these days for online "review pages": the vast majority of people do not have the motivation or drive to seek out anything but the stuff right at the top of any page they are viewing. If a company like Amazon or Google Play systematically put the positive reviews of a product or service right at the top, 99% of people will never read anything but those positive reviews.
So they hide the ones their advertised businesses don't like. Take a look here: http://imgur.com/a/qaEjB
That's an example from today, using a desktop browser. Note how they hide the bad reviews and call them "Not Recommended", at the very bottom of the page (there are 20 reviews per page) in small, faint grey text with a tiny dropdown button. And I'm not sure that "unhide" feature is even available to people using a mobile to view reviews. (Probably the majority of Yelp users these days)
Sleazy, absolutely. Pity it's not thought of as illegal here in Capitalism Central.
I remember the days when Yelp was much more useful. Now you have to be very careful to not get misled by the reviews.
If the "per capita" absolute amount of dollars/pounds/etc paid in income tax annually by a billionaire is higher than what a dishwasher at a fish and chips shop pays annually, is that supposed to be some kind of shocking and satisfying revelation of fairness?
As Warren Buffett (considered to be one of the most highly respected US investors and one of the wealthiest in the world) has pointed out on numerous occasions, there is something very wrong with the fact that his personal tax rate is far lower than his personal secretary's.
In short: the wealthy have the attitude and the means to find ways to escape the kind of taxation rates that most of the populace pay. That generally comes down to political power and the resources that capital allows them to expend on the matter.
In the case of companies like Apple and Google, most of what they have been doing with tax-jurisdiction shopping is actually legal in the USA. It only became a hot-button issue after western countries were financially crippled post-2008 and looking for scapegoats.
The way I see it there are 2 major issues: the laws that allowed such practices to flourish in the first place (tell the politicians and banksters to solve those - and good luck with that), and the fact that globalized tech companies like Apple and Google which deal heavily in digital 'intellectual property' make it quite trivial to move capital around, since most of their assets are ephemeral and not physical. (In addition to the IP assets, the vast majority of their manufacturing is outsourced to other entities)
The EU apparently wants to retroactively penalize Apple and make them a high-profile media pariah, but if it was such a big issue going back 10 years in their own backyard, the EU should have dealt with it themselves 10 years ago by making sure member states like Ireland could not grant companies like Apple these low or zero-tax incentives. Instead of waiting 10 years and then trying to make a media circus out of it to deflect attention from their own failings.
Biting the hand that feeds IT © 1998–2020