I am the Lorax
I am the Lorax. I speak for the trees, for the trees have no tongues. I am asking you sir at the top of my lungs. Oh, please do not run Ethernet cable through another one.
49 publicly visible posts • joined 21 Dec 2015
So there will be a blockchain record associated with a billing identifier for both the supplicant and access point provider? This sounds like an excellent resource to mine if I wanted to track the whereabouts of people. It is inevitable that a deanonymization attack will be developed to unmask the identity of the provers and supplicants.
What is mind boggling is they had no disaster recovery (DR) site for such an important system. Everywhere I've worked there was some kind of DR system that could be brought up in an hour or less. Those DR sites have async database replication from the production site so that only a few minutes at most of transactions are lost. After the malpractice of failing to provide a DR system, the people involved are promoted? If I had any Southwest stock, I would unload it before the next disaster strikes.
It's the Dilbert Principle. Promote incompetent employees to minimize their impact on productivity.
The standard will need to convincingly show that data recovery is impossible, or it would take orders of magnitude more time and money to recover the data than its highest possible value to an adversary. For highly sensitive data, the gold standard is complete high temperature incineration. For more mundane sensitive data such as PII and payment data micro shredding is considered sufficient. Whatever standard is adopted would have to demonstrate that it is at least as good as micro shredding the drives. Nobody wants to be "that poor sod" who leaked data on a massive scale because they didn't dispose of it properly.
Assuming these coding assistants mature and provide actionable advice without ethical quandaries*, it represents an opportunity to reimagine how programming is taught. The instruction could focus more on choosing which suggested solution has the best tradeoff for the problem at hand. Things like how to evaluate O(1) vs O(N) vs O(N²) complexity in suggested code would be appropriate to teach in beginner classes. Topics that used to be considered graduate level or at least Junior / Senior level undergrad could move down the stack to more basic and intermediate level instruction. I believe a focus in this direction would be far more profitable than trying to maintain the status quo by sniffing out "cheaters".
* Yeah, I know huge assumption. This technology is too useful to be abandoned. I think it is a "when" question not an "if" question.
Dobbs vs Jackson goes much farther than just the issue of abortion. That decision puts a question mark on the entire concept of privacy as a constitutional guarantee. I know, some may be quick to point out the fourth amendment: protection against unreasonable search and seizure. But what does that mean when privacy protections are eviscerated? A woman leaves a state that restricts travel for abortions pregnant and returns without a baby and not pregnant? What is to prevent that from being probable cause to trawl through her data? With the legality of birth control in question at the federal level, what is to stop a state from declaring that a controlled substance? What is to prevent mass surveillance of the movement of women for compliance with these rules? Won't someone think of the unborn children?
Now more than ever strong encryption is necessary to protect the privacy of the US citizens from what I fear is becoming a minority ruled authoritarian theocracy. If the information is extraordinarily difficult or impossible to obtain, that in itself will be a deterrent against demanding it.
I fairly recently worked as a DoD developer contractor. The place I worked (which will remain nameless to protect the guilty) is a contracting company's dream. A contractor can hire programmers, then hire CMMI* process stewards who will slow down the programmers with mandates for useless documentation. Obviously, that will require hiring of more programmers to compensate for the negative work generated by the CMMI camp and the requests from other teams. Then there are the network team, deployment team, architecture team, and myriad more, all of which must be cared for with proper documentation, which unsurprisingly leads to needing more developers. You see where this is going. All the contractor has to do is sit back and let the government bureaucracy and infighting do the work of creating new positions for them. They don't have to slow down the system to make more money. The customer does that for them.
* If you've never heard of CMMI, count your blessings. Think of the Agile Manifesto but with the phrases on each side of the word "over" reversed, and you have the right idea.
At least for me, Comcast and T-Mobile both provide an IPv6 network address that passes all of these tests. Facebook and Google's DNS return IPv6 addresses that work fine. When big tech companies see a use case that benefits from IPv6 they will use it. Otherwise, there is little point in reworking a functional system just to be on IPv6.
With typical speed limits of 70 mph (approximately 110 kph) and drivers typically going above 135 kph, I wouldn't take it anywhere near an interstate. Perhaps as a way to get around city streets it is OK, but not as a serious mode of transportation.
"Now would be a good time for GoDaddy users to be on alert for suspicious emails asking them to log in to, say, confirm their details: if in doubt, go straight to the GoDaddy website."
Any email asking to confirm your details is always suspicious. There is no "if" about that.
Now that Apple has shown the world that using technology to surveil and control users is appropriate, why should governments stop with iPhones? There is a whole world of electronic devices waiting to be put into surveillance service. The company that ran the 1984 Super Bowl advertisement has all but invited 1984 surveillance on our portable telescreens.
A fairly straightforward way to get a remote desktop from a Linux type system on Windows. Run xrdp and tunnel RDP port 3389 on the Linux box to something like 3390 on the Windows host (because Windows is already running its RDP service on 3389), then connect to localhost:3390 and ta da! A remote desktop.
This is a security shit show waiting to happen. If your CNAMEd advertiser has the same FQDN as your website, it is treated as a trusted part of the web site. Think a minute and let the full implications of that sink in. Its scripts can change the JavaScript runtime by binding to events or changing the prototypes of key objects. It can manipulate any data, exfiltrate any data (remember, same FQDN so those requests automatically get allowed). Intercept any browser tokens and masquerade as any logged in user. The attacks would be indistinguishable because they could be launched from the same browser the victim user is using.
Even if you fully trust your advertiser, still do not do this. If your advertiser gets compromised, the miscreants potentially own every website that has aliased their CDN records to them. This completely breaks and renders useless all browser defenses against cross site abuse of JavaScript and http requests.
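The two comments above describe the risk of aliasing a first-party hostname to a third party. As an added example that is not from the comment or from The Register, the script below audits a zone export for exactly that pattern: CNAME records whose owner is in a zone you control but whose target is not. The zone records, the `example.test` domain and the `OWNED_ZONES` set are all constructed placeholders for this example.

```python
"""Audit a DNS zone export for first-party names that CNAME to third parties.

Added example, not code from the original comment. The records below are a
constructed sample; replace ZONE_RECORDS and OWNED_ZONES with a real export
and the zones your organisation actually controls.
"""

# Constructed sample zone export: (owner, record type, target/value)
ZONE_RECORDS = [
    ("www.example.test",     "A",     "203.0.113.10"),
    ("static.example.test",  "CNAME", "cdn.example.test."),
    ("ads.example.test",     "CNAME", "customer123.tracker-cdn.example.net."),
    ("metrics.example.test", "CNAME", "collect.analytics-vendor.invalid."),
    ("mail.example.test",    "MX",    "10 mx.example.test."),
]

# Zones the organisation controls (assumption for this example).
OWNED_ZONES = {"example.test"}


def in_owned_zone(name: str, owned: set) -> bool:
    """True if *name* is, or sits beneath, a zone the organisation controls."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in owned)


def third_party_cnames(records, owned=OWNED_ZONES):
    """Return (owner, target) pairs where a first-party name aliases outside.

    Why this matters: the browser only ever sees the owner name. Cookies
    scoped to the parent domain are sent to whoever serves the target, and
    if the aliased name is the site's own hostname the third party shares
    the site's origin outright, so every same-origin defence treats its
    scripts and requests as the site's own.
    """
    findings = []
    for owner, rtype, target in records:
        if rtype != "CNAME":
            continue
        if in_owned_zone(owner, owned) and not in_owned_zone(target, owned):
            findings.append((owner.rstrip("."), target.rstrip(".")))
    return findings


def report(records=ZONE_RECORDS, owned=OWNED_ZONES) -> list:
    """Human-readable findings, one line per third-party alias."""
    return [
        f"{owner} -> {target}: third party serves content as a first-party "
        f"name; prefer a separate registrable domain (no shared cookies) or "
        f"host the asset yourself"
        for owner, target in third_party_cnames(records, owned)
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

The check is deliberately conservative: any CNAME leaving the owned zones is reported, and a human decides whether that vendor really needs first-party standing.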
I love the reference to Orwell. I wonder if that is a subtle dig at those who complained about his use of language, or having to banish terms such as master from the kernel.
The same thing could be accomplished without changing the OSS community. An entity, such as Google or some federation of companies, could essentially mirror the various critical open source projects. They could create the signed builds they want. They could review each change and include changes that passed whatever reviews they wish to do. They would be free to make pull requests with improvements or perhaps even become a committer on the project. The people who want/need these security assurances should be the ones to provide them. They should not burden the OSS software nor try to change their culture.
Only naive fools assume that a "secret" master key, global "friend", deliberately introduced vulnerability, or other such technical measure for LE use remains in the hands of the "good guys". Once you make the assumption that any such backdoors will be discovered by an adversary, the only conclusion is good security without exceptions.
So will the Red-Black Tree become the Ruby-Obsidian tree? Because after all, in the world of the easily offended, colors like red, yellow, black, brown and white can't just be colors. They are "guilty by association", like the term master used by itself.
You could have names like "Doubleplusungood CVE #", "Plusungood CVE #", "Ungood CVE #", or just the CVE # depending on how severe the finding is. This scheme would actually impart more information than the proposed naming scheme: you would have a good idea of how bad the vulnerability is by the name.
I am impressed with the Elevator Colony article that the bot wrote. It looks like the kind of thing worthy of the Onion or satire articles that appear on April 1st.
This reminds me of the Black Mirror Arkangel episode, albeit with the ability to remove the glasses. Over time the glasses could become so instrumental to day to day life that removing them would put the person at a disadvantage. Kind of like our portable tracking devices phones have become.
A good first step would be to require the manufacturer to set an expiration date for when they will no longer provide patches for the phone. The manufacturer and seller would be required to prominently display this date. For starters, it should be required to be on the manufacturer's website, the box or other consumer materials (including ecommerce product information), and in the information section of the phone itself. In the event support is not provided up to the expiration date, the owner is entitled to a cash refund of the prorated purchase amount (up to the retail list price) remaining to the expiration date.
This might motivate the ecosystem to make changes to allow say Google to support the phone by better hardware abstraction. Making this a more "in your face" issue may allow the market to do its thing by having longevity be something companies compete on.
At least in the past few years, the security interface of Chrome has gotten worse because a focus group populated with untrained lusers has no clue how to read a URL. Firstly they hide https / http and the www part of the URL. Surprise! Some miscreants figure out how to use a DNS cache poisoning attack with a twist: they poison www.example.com but leave example.com alone. The genius of this is that when people are warned about www.example.com and are using chrome they proceed because after all it says "example.com" in the address bar. When they call their administrator to check on example.com, all appears to be well because example.com wasn't impacted. Terrible, terrible idea. At least you can use the Suspicious Site Reporter to undo that behavior. Hopefully there will be a way to override this madness as well.
Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users? Perhaps some kind of bubble that explains the significance of the company name the first time it is seen when using the browser? Hiding information from the user is never the right answer. Hiding information invariably gives hax0rz a way to exploit the user.
Another one: the red-black tree index is in danger of causing heads to explode. Because we know that certain colours must always be racially insensitive terms in 2020.
Where will it end? Will we require a new kind of IDE plug in, kind of like a spell checker but one that searches for naughty words / phrases and suggests alternatives? Will it need to have its naughty word database hosted as a service so it can keep up with the flood of new verboten words that High Priests (oops, I didn't use a gender neutral word), er I mean High Clergy Members of the Offended deem unfit?
Does anyone really think that "dummy value" or "sanity check" is casting aspersions on anyone's intelligence or sanity? Is it really necessary to infantilize the language to this extent? As the article points out, the further we go into this rabbit hole the more the effect will be to discriminate against non English speakers.
Chrome, Safari, and Firefox account for over 80% of browser market share according to StatCounter Global Stats. If you operate a public facing website, the shorter cert expiry is a done deal. The only thing left for Microsoft is to decide if they want to be consistent with the other browser makers.
The OSI should go nowhere near something like the Vaccine License. What's next? A license that requires users to call authorities for people in the country illegally? Perhaps licensing that requires supporting "religious freedom" discriminatory stances? Perhaps licensing that requires the opposite? Imagine the fun of using contradictory licenses simultaneously and facing punitive consequences as a result. Imagine a dystopian world where installing a program imposes such obligations on the users. This sounds like great material for a Black Mirror episode, but a terrible idea for the real world.
"Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address." Network operators have switches and routers that allow traversal of a packet from within the network that claims to originate from outside of the network, to anywhere within their network or the public internet? How embarrassing. They should get their act together and configure their network properly. It would make launching this sort of attack using their infrastructure impossible.
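The comment's point is that a network which filters source addresses at its edge cannot be used to launch reflected traffic. As an added example that is not from the comment or the article, the script below applies that rule (ingress and egress source-address validation in the spirit of BCP 38) to a batch of flow records: anything leaving the network with a source outside the network's own prefixes, or arriving from outside with a source inside them, is flagged. The prefixes and flow records are constructed for this example.

```python
"""Source-address validation over flow records (BCP 38 style).

Added example, not code from the original comment. OUR_PREFIXES and FLOWS
are constructed; in practice the prefixes come from your routing policy and
the flows from NetFlow/IPFIX or packet captures at the border.
"""
import ipaddress

# Prefixes this network originates and is responsible for (assumption).
OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed flow samples: (direction at the border, src, dst, proto, dst_port)
FLOWS = [
    ("out", "203.0.113.7",  "192.0.2.10",  "udp", 53),    # normal outbound query
    ("out", "192.0.2.99",   "198.18.0.5",  "udp", 1900),  # leaving us with a foreign source
    ("in",  "203.0.113.40", "203.0.113.9", "tcp", 443),   # arriving with one of our sources
    ("in",  "192.0.2.33",   "203.0.113.9", "udp", 1900),  # ordinary inbound traffic
]


def is_ours(addr: str, prefixes=OUR_PREFIXES) -> bool:
    """True if *addr* falls inside one of the prefixes we are responsible for."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def spoof_violations(flows, prefixes=OUR_PREFIXES):
    """Flag flows that violate the edge filtering rule.

    Egress: every packet leaving must carry a source from our prefixes,
    otherwise a host inside is forging someone else's address.
    Ingress: no packet arriving from outside may claim one of our sources.
    """
    bad = []
    for direction, src, dst, proto, port in flows:
        ours = is_ours(src, prefixes)
        if direction == "out" and not ours:
            bad.append(("egress-spoof", src, dst, proto, port))
        elif direction == "in" and ours:
            bad.append(("ingress-spoof", src, dst, proto, port))
    return bad


def edge_rules(prefixes=OUR_PREFIXES):
    """Vendor-neutral description of the filters that enforce the rule.

    Returned as (direction, action, match) tuples; translate them into your
    platform's ACL or uRPF configuration.
    """
    rules = [("out", "permit", str(net)) for net in prefixes]
    rules.append(("out", "deny", "any"))
    rules += [("in", "deny", str(net)) for net in prefixes]
    rules.append(("in", "permit", "any"))
    return rules


if __name__ == "__main__":
    for v in spoof_violations(FLOWS):
        print("VIOLATION", *v)
    for r in edge_rules():
        print("RULE", *r)
```

The egress half is what stops your own infrastructure being used as a launch point; the ingress half stops outside traffic impersonating your hosts. Both are needed, and the check is order-independent because each flow is judged on its own.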
Wouldn't it be great if the FCC could make regulations to protect privacy? Too bad, they can't! The Republican controlled Congress and President eviscerated their ability to make such regulations by approving a resolution of disapproval for FCC privacy regulations, which also forbids any similar regulations.
"Those rules would have required ISPs to obtain users' consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers."
In light of recent developments, the "– to advertisers." caveat was too optimistic.
https://www.theregister.co.uk/2017/04/04/fcc_privacy_rules_myths/
I worked at a company that had UI guidelines that included command line and text interactive programs. The guidelines actually mandated to never use the words "any key". The correct phrasing was "a key". The document went on to reason that clueless lusers would search in vain for an "any" key before driving up helldesk costs with their calls. If "a key" was used, the users would search, and their search would not be in vain: they would find an "a" key.
Personally I think those guidelines were inspired. They were probably written by someone who had gotten their start on the helldesk and answered that question many, many more times than anyone should have to.
At the risk of infuriating language purists: "Using welcoming and inclusive language" could also recommend using the singular "they" over "he". This can be immediately understood by any English speaker. Although alternating "he" and "she" can achieve the same effect, it can make a complex workflow with many actors more difficult to follow as the genderfluid actors randomly change gender as the flow progresses.* Since that doesn't often happen in literary books, it can be jarring and confusing when reading such technical material. The singular "they" also avoids this mess of proposed alternative third person pronouns. You would need to take a class just to know how to use all of them. https://en.wiktionary.org/wiki/Wiktionary:List_of_protologisms_by_topic/third_person_singular_gender_neutral_pronouns
* Why is the CM manager editing code now? Why is the Developer reviewing the CM workflow? Oh, my fault, the CM manager has become a "he" now, and the developer is now a "she". True story when I was learning about a new CM process by reading its documentation. It is why the alternating "he" and "she" is unloved by me.
If you change Man in the Middle to Person, then you must change the acronym to PitM. This will serve to confuse newcomers reading past literature, and experienced practitioners reading new literature. It will likely be off-putting enough that after a few eye rolls it will be added to the to-do-never list.
If you change it to Machine in the Middle, the acronym stays the same and the gender neutral goal is accomplished. Historical literature using the MitM acronym remains understandable without any additional burden to the reader (assuming new entrants to the security field who are taught the new terminology), and experienced practitioners do not have to learn another acronym for an arguably flimsy reason.
One of the oldest NRA mind tricks: It isn't the real guns that spray bullets and kill people that are the problem, it's the pretend ones in video games that are the threat. This gun fetish must not be pandered to any more. How many people need to die before America wakes up and has the political courage to try the obvious solution of limiting access to deadly weapons? Australia and the UK did it to great success.
The fault is dynamically loading code from random folks' accounts on GitHub rather than from a proper repository and then hosting it either in a CDN you control, or within the application itself. The Maven/Gradle model, where the code VCS is divorced from the code repo, is a much more grown up way of doing things. I don't see why JavaScript libraries can't either use the central repository, or come up with something like it. With this model, if my project states that it uses version 1.1, then that's what it will use until I update my dependencies. My site won't suddenly go batshit or start mining cryptocurrency because of some change in a library. I won't get the new version until I ask for it. To me, this is a much better way of doing things than to rely on a third party repo that could change and bork my application. It buggers my mind that people would want to always get the latest changes from third party sites they don't even know, let alone control.
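The comment argues for pinning a dependency so that it cannot change underneath you. For script tags loaded from a CDN the browser-side form of that pin is Subresource Integrity, where the tag carries a hash of the expected content and the browser refuses anything that does not match. As an added example that is not from the comment or The Register, the Python below does the tooling side: it computes the integrity value for a pinned file, emits the tag, keeps a small lock map of URL to hash, and checks a set of fetched bodies against it. The script bodies, URLs and lock map are constructed for this example.

```python
"""Content-hash pinning for third-party scripts (Subresource Integrity).

Added example, not code from the original comment. The script bodies and
URLs below are constructed; the hash format (algo-base64digest) is the one
browsers accept in the integrity attribute.
"""
import base64
import hashlib
import hmac

SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the integrity value for *body*, e.g. 'sha384-<base64 digest>'."""
    if algo not in SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(url: str, body: bytes) -> str:
    """Emit a script tag pinned to the content you reviewed."""
    return (f'<script src="{url}" integrity="{sri_hash(body)}" '
            f'crossorigin="anonymous"></script>')


def verify(body: bytes, integrity: str) -> bool:
    """True if *body* matches the pinned integrity value (constant-time compare)."""
    algo, _, _ = integrity.partition("-")
    if algo not in SRI_ALGOS:
        return False
    return hmac.compare_digest(sri_hash(body, algo), integrity)


def check_bundle(fetched: dict, lock: dict) -> list:
    """Compare fetched bodies against a lock map of url -> integrity.

    Returns the URLs that changed upstream or are missing from the lock;
    an empty list means everything still matches what was reviewed.
    """
    failures = []
    for url, body in fetched.items():
        pinned = lock.get(url)
        if pinned is None or not verify(body, pinned):
            failures.append(url)
    return failures


# Constructed sample: the file as reviewed, and a later upstream change.
LIB_URL = "https://cdn.example.invalid/lib/1.1/lib.js"
REVIEWED = b"export function add(a, b) { return a + b; }\n"
CHANGED = b"export function add(a, b) { return a + b + 0; }\n"

LOCK = {LIB_URL: sri_hash(REVIEWED)}


if __name__ == "__main__":
    print(script_tag(LIB_URL, REVIEWED))
    print("unchanged:", check_bundle({LIB_URL: REVIEWED}, LOCK))
    print("changed:  ", check_bundle({LIB_URL: CHANGED}, LOCK))
```

The lock map is the same idea as a Maven coordinate or a lockfile: you record what you reviewed, and a later change at the source fails the check instead of silently shipping to users.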