* Posts by JohnFen

5648 publicly visible posts • joined 20 Feb 2015

What's the last piece of software you'd expect to spy on you? Maybe your enterprise security suite? Bad news

JohnFen

Re: My frikkin' LG dishwasher does this too

Why do you let it?

JohnFen

On the other hand, this is far from universal practice.

I've been working on enterprise security software for various companies for a long time now, and none of the companies I've worked for engages in any form of telemetry or phoning home for any reason. The security risk is too great. Instead, the standard practice has been to keep reasonably detailed logs on the customer's machines, and supply a utility that the customer can run to collect the data from the logs to supply to us when needed.

That way, the customer can review the data being sent, and must proactively engage in sending the data to us. This is an extremely important security measure, and I personally wouldn't trust any security software that does otherwise.

JohnFen

Re: Stop spying on me!

"For example, I read the register from my work desktop daily, or catch up on the news via typical news sites on slow days. I don't care if my employer sees that."

Fair enough. But you're still taking a risk -- it's awfully hard to predict what an employer may get upset about!

Personally, the less my employer knows about me outside of my work-related activities, the better.

JohnFen

Re: Stop spying on me!

"Right now we have ~28 years worth."

You have me beat! I've been keeping all my personal email for years, and recently decided to see how far back my archives go. I only have ~20 years of emails.

JohnFen

Re: Get on with it!

Not every developer. There are plenty who have more respect for their end users than that.

JohnFen

Re: Stop spying on me!

In the US, if you're using company equipment, then your employer can legally look at everything that you do on that equipment. This is also usually explicitly spelled out in your employment agreement.

This is why you should never use company equipment (including the company network and internet feed) for personal use or communications, ever. I use my smartphone (on my own data plan) when I have to do any personal stuff at work.

Trump continues on the warpath: Now US tariffs cover nearly everything arriving from China

JohnFen

Re: Transfer of technology

"they do have a right to profit from their intellectual property"

Of course. But they don't need action by the US government to protect their IP. They voluntarily do business with a nation knowing that doing so means it's likely their IP will be stolen. They could protect their IP by not doing that.

What they're really demanding is the use of US governmental power to force another nation to do business in a way that US corporations prefer. That's amazingly unethical and abusive.

JohnFen

"he's not too thrilled about warfare"

So he says, but a large amount of what he's been doing is resulting in an increased likelihood of war.

JohnFen

The only thing the tariffs accomplish

The only thing the tariffs accomplish (other than being a de facto tax increase for the nonwealthy) is to encourage the world to route around the US when it comes to trade. Trump's efforts can only lead to decreased US power and wealth, and increasing the poverty problem.

GoDaddy's daddy goes: Chief exec Scott Wagner steps down as hosting biz swings into the red

JohnFen

GoDaddy's losing money?

Good.

Lyft pulls its e-bike fleet from San Francisco Bay Area after exploding batteries make them the hottest seat in town

JohnFen

"if you really want to see property poorly maintained, make it the responsibility of the government."

That's not been my experience. From everything that I've seen during my life, the government and private owners are about equally good at this.

JohnFen

Re: "San Jose – the heart of Silicon Valley"

"You could NOT pay me enough money to live there again!"

Me too. I have to go to SV on a fairly regular basis, and every time I do I'm reminded of how utterly awful and depressing it is.

JohnFen

Re: I wish

The locks on these bikes are welded to the bikes themselves, so if someone really did break the lock it would be obvious.

JohnFen

I wish

In my city, a local company (not Lyft) has littered the streets with similar bicycles. They aren't exploding or anything -- but they are a hazard, and it's getting worse, as people just leave these things anywhere they want when they're done with them. This is causing increasing problems for everybody -- pedestrians, cars, and even other bicycles (disclaimer: I ride a bicycle as my primary transportation).

I dearly wish that this program simply stopped. It's making my city worse. Failing that, I wish that the city would start levying large fines on people who leave these scattered around (it is littering, after all!) -- it wouldn't be hard to find out who paid for the rental, after all.

If you could forget the $125 from Equifax and just take the free credit monitoring, that would be great – FTC

JohnFen

"Credit monitoring" is a largely worthless piece of BS that was invented early on when the first large leak of financial data happened. The purpose of it is to minimize the amount the company has to actually pony up, while at the same time attempting to make the affected people feel like "something has been done".

JohnFen

"FCC comes to mind also."

True, but at least the FCC has largely given up any real pretense that they're operating in the best interest of the citizenry. Their existence is now overtly to protect and enhance the profits of the major telecoms.

Omni(box)shambles? Google takes aim at worldwide web yet again

JohnFen

Re: www?

"That's why the convention was adopted, and the reasons for it haven't changed"

Yes, I understand why the convention was adopted. I just think that the reasoning for it is flawed -- it was adopted for convenience and expediency, not out of technical necessity.

"if you want to use a CDN or DDOS protection or a loadbalancer or any other enhancement by use of CNAME records"

This is a bit of a stronger argument, but the practice began before CDNs were a thing.

JohnFen

"Is the plan to remove ALL the descriptor or only default ones www & m?"

Only www and m for now -- but who knows what Google will decide is "worthless" in the future?

JohnFen

Re: www?

"By convention, www has always pointed to the host that serves the main website for a domain."

I remember when web sites first started coming into existence, and even then prepending the "www." was idiotic. There's no need for a special domain because there's already a special port. Many efforts have been made to get websites to stop doing that -- which is why so many will now respond to both "www.example.com" and "example.com".

We do need to just get everyone to stop using "www." for this purpose, but regardless of common usage, it remains a fact that "www.example.com" and "example.com" are two different URLs that don't necessarily resolve to the same web site. Hiding the "www" is a terrible UI decision because it means that the browser is lying to you by reporting you're at one URL when you're actually using a different one. Aside from increasing confusion, this can also be leveraged to engage in attacks.

JohnFen

Re: Damn, people

Good to know, thanks!

JohnFen

Re: I reckon the proper term is 'institutional stupidity'

This is correct. Thanks!

JohnFen

Re: I reckon the proper term is 'institutional stupidity'

"we're still using part of a file's name to indicate a file's type, on every single OS out there"

Not every OS. Filenames are not used by Linux to determine filetype.

JohnFen

Re: "Long ago, we chose to hide 'https://' [..] and simply show a security indicator"

Yes. Hiding the "https://" is just as bad -- arguably even worse -- as what Google is proposing to do.

JohnFen

Damn, people

"While the Chocolate Factory is still keen on axing "m." at some point, it is "www." that is for the chop now."

"Long ago, we chose to hide 'https://' for this reason, and simply show a security indicator (secure or not)."

Stop hiding information from us!

On the other hand, there is exactly zero chance that I would use Chrome, so that doesn't affect me. I've never used Vivaldi, but knowing that they're in on this "hide stuff from me" bandwagon means that I know I don't need to consider it, either.

Official: Microsoft will take an axe to Skype for Business Online. Teams is your new normal

JohnFen

Re: Yeah..

"So you cannot stop the spying now. Personal security is dead."

That's seriously overstating the case. It would be more accurate to say that it requires greater effort to maintain security than ever before -- but you can have a meaningful amount of security if you don't mind putting the constant work into it.

JohnFen

In all fairness

My employer has forced us all into the O365 dystopia, complete with requiring the use of Teams.

Lord, how I hate Teams. That said, I do hate it a little less than Skype for Business, so this is good? I guess?

Microsoft snubs Hololens loyalists by already ending feature updates – even though version 2 isn't out yet

JohnFen

I totally understand why Microsoft wants to do this. But that they are willing to do this on such an expensive piece of gear merely reinforces that you shouldn't spend a lot of money on gear that Microsoft is selling.

JohnFen

Re: Confused

This.

LTS is the compromise offered to those of us who can't stand rapid release. It's not a great compromise, but it's all we got. What it isn't is an indication of EOL.

JohnFen

Re: Confused

"That isn't abandoned or orphaned, that's a normal product life cycle."

It's the tail end of the normal software product lifecycle. But this is a piece of hardware -- this is effectively abandoning the hardware.

JohnFen

A great idea!

"You can pre-order a Hololens 2 for a market-busting $3,500"

I can spend $3,500 on a piece of kit that will end up abandoned like the Hololens 1? What a fantastic idea!!

Get ready for a literal waiting list for European IPv4 addresses. And no jumping the line

JohnFen

Re: We need a new approach

"If users start asking their ISPs for ipv6 en masse"

But why would they? The only thing the vast majority of users would care about is if they can get to the internet. They wouldn't notice whether or not they're using IPv6 to do so. There is no reason why most users would demand IPv6 specifically, they'll only demand that their internet connection works.

IPv6 is really only an issue of great importance to ISPs and users of numerous IP addresses.

JohnFen

Re: We need a new approach

Privacy addresses are a weak solution at best. They're better than nothing at all, of course, but not nearly as good as other solutions.

JohnFen

Re: We need a new approach

You are correct, and I never meant to imply otherwise. Here's why I need NAT regardless of IPv6 -- there is more than one box that I want to be able to contact from the internet, but I don't want the IP address of those boxen to be exposed to the internet (by "exposed", I mean both that it shouldn't be possible to contact it directly and that it shouldn't be possible for anyone outside my LAN to see that IP address is even in use). What I want is to have a single IP address that is used for incoming internet traffic, then my router directs it to wherever it needs to go.

NAT accomplishes this. I can also accomplish it with other router rules -- but in doing so, I've really just implemented a NAT via a different mechanism.

JohnFen

Re: Why didn't they follow the phone system?

That's essentially what IPv6 does.

JohnFen

Re: "And there are far easier ways to track you, such as browser cookies."

"Not all traffic is HTTP"

Indeed. In my network, most of the traffic is not HTTP(S).

JohnFen

Re: We need a new approach

"IPv6 is designed to be an individual public address per device"

Right, and that's what I need to work around.

JohnFen

Re: We need a new approach

"when NAT is not used it would be far easier to map an internal network by observing the packets addresses, and if addresses are not generated with a good random algorithm, and changed after some time, each device has an observable unique ID."

This is really my only problem with IPv6. When I shift my LAN to IPv6, I see a fair bit of work necessary (including making sure I have a working IPv6 NAT) to ensure that I can both have static IPv6 addresses on my machines and that those IPv6 addresses are not visible to the internet (not just that they aren't reachable from the internet). That's enough work that I will put off making that transition until I have no other choice.

Stones, meet glass house: Mind behind Windows 8 GUI disses Windows 10 over leak

JohnFen

Re: file search

Or the even more basic basics of making the search actually find stuff.

JohnFen

Re: Tuned Linux kernel integrated with Windows

The GPL is viral in the sense that if you modify GPL code, then the modified code must also be released under the GPL.

However, there is nothing about the GPL that says that the code that uses it must also be GPL'd. You can use a GPL'd library in your closed-source project, for instance, without having to put your entire project under GPL. The requirement is that any changes you make to the library itself are also GPL'd.

JohnFen

Re: Tuned Linux kernel integrated with Windows

"does that mean MS will now be Open Sourcing the rest of windows?"

The GPL doesn't require them to do that, so why would they?

JohnFen

Re: stop fucking around with the start menu

Microsoft has already totally ruined it, and I use a replacement instead. This means as far as I'm concerned, Microsoft can do anything they like to their version -- I won't be using it anyway.

OK, Google. We've got just the gesture for you: Hand-tracking Project Soli coming to Pixel 4

JohnFen

Re: For some reason, I'm remembering a scene

Yes, I remember when Samsung had (maybe they still have) the ability to detect gestures that you make near, but not touching, the screen. I tried it out for a week or so but ended up having to disable it because of all of the times it thought I was gesturing when really I was just moving my hand nearby.

JohnFen

I think the FCC is only going to be concerned about RFI, not health.

JohnFen

No

Wait, let me rephrase that. Hell no.

It's official: Deploying Facebook's 'Like' button on your website makes you a joint data slurper

JohnFen

Re: No f in button?

"Almost nothing on the modern Internet works without Javascript"

As someone who avoids letting Javascript run by default, I can say that this hasn't been my experience at all. There is a class of sites that require it, but fortunately they tend to be sites I don't care about anyway. The vast majority of the web I see runs just fine without JS.

Dutch cheesed off at Microsoft, call for Rexit from Office Online, Mobile apps over Redmond data slurping

JohnFen

That's fair

The spying nature of Microsoft products is one of the primary reasons why I avoid using Microsoft products.

If at first you don't succeed, Fold? Nope. Samsung redesigns bendy screen for fresh launch in September

JohnFen

Re: Dogfooding

"Maybe Samsung's engineers were also testing the phones, but they had internalised some preconceptions about how to treat them"

That's why, when it comes time for testing your product in real-world use, you don't have the engineers do it. You have someone who is approximately representative of your target market. In this case, I'd say that should be secretaries, cleaning staff, etc. Anybody who wasn't involved in the design or implementation.

And when you do so, you don't give them a list of cautions -- if you feel the need to provide usage instructions or warnings to prevent damage, then your product isn't ready for this level of testing yet.

JohnFen

Re: wants vs needs

I honestly never understood why some people (outside of collectors of rare things) consider owning something worth bragging about. All they did was buy a thing -- that's not exactly a huge accomplishment.

Now, if they were involved in the design or manufacturing, that would be something to brag about.

JohnFen

Re: To those who say "I don't watch 16:9 content"

That you may have wants/needs that aren't the same as what the mass market wants/needs in no way invalidates your opinion or means that you shouldn't express it.

JohnFen

Re: Another solution...

"running Windows mobile or Palm OS"

Those were far from the only choices. You could also get real handheld computers (not PDAs) as well.