* Posts by JavaJester

21 posts • joined 21 Dec 2015

In the market for a second-hand phone? Check it's still supported by the vendor – almost a third sold are not


Expiration Date?

A good first step would be to require the manufacturer to set an expiration date for when they will no longer provide patches for the phone. The manufacturer and seller would be required to prominently display this date. For starters, it should be required to be on the manufacturer's website, the box or other consumer materials (including ecommerce product information), and in the information section of the phone itself. In the event support is not provided up to the expiration date, the owner is entitled to a cash refund of the prorated purchase amount (up to the retail list price) remaining to the expiration date.

This might motivate the ecosystem to make changes to allow say Google to support the phone by better hardware abstraction. Making this a more "in your face" issue may allow the market to do its thing by having longevity be something companies compete on.

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system


Install your own boot loader

If you are able to modify the grub config file, wouldn't you modify it to have the system run an evil bootloader rather than stuffing random crap into the file to trigger a buffer overflow to (drumroll...) run an evil bootloader?

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice


It Doesn't Seem to Help Lusers, Let's Hide It!

At least in the past few years, the security interface of Chrome has gotten worse because a focus group populated with untrained lusers has no clue how to read a URL. Firstly they hide https / http and the www part of the URL. Surprise! Some miscreants figure out how to use a DNS cache poisoning attack with a twist: they poison www.example.com but leave example.com alone. The genius of this is that when people are warned about www.example.com and are using Chrome they proceed because after all it says "example.com" in the address bar. When they call their administrator to check on example.com, all appears to be well because example.com wasn't impacted. Terrible, terrible idea. At least you can use the Suspicious Site Reporter to undo that behavior. Hopefully there will be a way to override this madness as well.

Why is it assumed to be a UX flaw when the user doesn't understand browser security features? Wouldn't a better solution be a campaign to educate the users? Perhaps some kind of bubble that explains the significance of the company name the first time it is seen when using the browser? Hiding information from the user is never the right answer. Hiding information invariably gives hax0rz a way to exploit the user.

Linux kernel coders propose inclusive terminology coding guidelines, note: 'Arguments about why people should not be offended do not scale'


Re: Some more interesting possibilities

Another one: the red-black tree index is in danger of causing heads to explode. Because we know that certain colours must always be racially insensitive terms in 2020.


Dummy Value and Sanity Check are on the naughty list?

Where will it end? Will we require a new kind of IDE plug-in, kind of like a spell checker but one that searches for naughty words / phrases and suggests alternatives? Will it need to have its naughty word database hosted as a service so it can keep up with the flood of new verboten words that High Priests (oops, I didn't use a gender neutral word), er I mean High Clergy Members of the Offended deem unfit?

Does anyone really think that "dummy value" or "sanity check" is casting aspersions on anyone's intelligence or sanity? Is it really necessary to infantilize the language to this extent? As the article points out, the further we go into this rabbit hole the more the effect will be to discriminate against non-English speakers.

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


Microsoft Doesn't Matter at This Point

Chrome, Safari, and Firefox account for over 80% of browser market share according to StatCounter Global Stats. If you operate a public facing website, the shorter cert expiry is a done deal. The only thing left for Microsoft is to decide if they want to be consistent with the other browser makers.

Nokia's reboot of the 5310 is a blissfully dumb phone that will lug some mp3s about just fine


Obsolete on Arrival?

It doesn't seem like a good idea to buy a phone that only supports spectrum living on borrowed time. The US announcement of 2G/3G sunset dates is the canary in the coal mine. Others will soon follow. That spectrum is too tempting a target for low band 5G.

Copy-left behind: Permissive MIT, Apache open-source licenses on the up as developers snub GNU's GPL


Vaccine License is the First Brick of the Yellow Brick Road to Hell

The OSI should go nowhere near something like the Vaccine License. What's next? A license that requires users to call authorities for people in the country illegally? Perhaps licensing that requires supporting "religious freedom" discriminatory stances? Perhaps licensing that requires the opposite? Imagine the fun of using contradictory licenses simultaneously and facing punitive consequences as a result. Imagine a dystopian world where installing a program imposes such obligations to the users. This sounds like great material for a Black Mirror episode, but a terrible idea for the real world.

Silence of the WANs: FBI DDoS-for-hire greaseball takedowns slash web flood attacks 'by 11%'


ISPs: Configure your networks properly

"Essentially, you launch a load of small requests at a bunch of devices on SSDP UDP port 1900, spoofing the source IP address as your victim's IP address." Network operators have switches and routers that allow traversal of a packet from within the network, but claiming to originate from outside of the network, to anywhere within their network or the public internet? How embarrassing. They should get their act together and configure their network properly. It would make launching this sort of attack using their infrastructure impossible.
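The check the comment above is asking operators to enforce is BCP 38-style source address validation: a packet entering from a customer port must carry a source inside the operator's own prefixes, and a packet entering from the public internet must not. The following Python sketch is an added example, not code from the commenter or from The Register; the operator prefixes, the port names and the sample packets are constructed for illustration (only the SSDP port 1900 comes from the article quote).

```python
import ipaddress
from dataclasses import dataclass

# Constructed: prefixes this hypothetical operator owns and announces.
INTERNAL_PREFIXES = [
    ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")
]


@dataclass(frozen=True)
class Packet:
    ingress: str  # port class the packet arrived on: "customer" or "transit"
    src: str      # source IP as written in the packet header
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of the operator's own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_PREFIXES)


def ingress_verdict(pkt: Packet) -> str:
    """BCP 38 style decision: 'forward' or 'drop' based only on ingress port and source."""
    if pkt.ingress == "customer" and not is_internal(pkt.src):
        # A customer port may only send from address space we handed out to it.
        # A foreign source here is exactly the spoofed reflection trigger.
        return "drop"
    if pkt.ingress == "transit" and is_internal(pkt.src):
        # Our own address space cannot legitimately arrive from the outside world.
        return "drop"
    return "forward"


# Constructed sample traffic, one line per packet.
SAMPLE_PACKETS = [
    # Customer host pretending to be 192.0.2.10 (the victim) to provoke SSDP replies.
    Packet("customer", "192.0.2.10", "203.0.113.50", 1900),
    # Genuine customer host doing a normal SSDP search.
    Packet("customer", "203.0.113.5", "192.0.2.10", 1900),
    # Outside packet claiming to come from inside our network.
    Packet("transit", "203.0.113.7", "203.0.113.50", 1900),
    # Ordinary inbound HTTPS traffic from a legitimate external source.
    Packet("transit", "192.0.2.10", "203.0.113.50", 443),
]


def filter_packets(packets):
    """Return (packet, verdict) pairs so an operator can review what the rule would do."""
    return [(p, ingress_verdict(p)) for p in packets]


def count_dropped(packets) -> int:
    return sum(1 for _, v in filter_packets(packets) if v == "drop")


if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{verdict:8} {pkt.ingress:9} {pkt.src:>15} -> {pkt.dst}:{pkt.dport}")
```

Run over the constructed sample, the two spoofed packets are dropped and the two genuine ones forwarded; a real deployment expresses the same rule as an ingress ACL or unicast reverse path forwarding check on the edge router rather than in Python.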

AT&T, Sprint, Verizon, T-Mobile US pledge, again, to not sell your location to shady geezers. Sorry, we don't believe them


FCC's ability to protect privacy eviscerated by the Republican Party

Wouldn't it be great if the FCC could make regulations to protect privacy? Too bad, they can't! The Republican controlled Congress and President eviscerated their ability to make such regulations by approving a resolution of disapproval for FCC privacy regulations, which also forbids any similar regulations.

"Those rules would have required ISPs to obtain users' consent before selling their personal data – including location, browser history, health and financial data and other sensitive information – to advertisers."

In light of recent developments, the "– to advertisers." caveat was too optimistic.


Tech support discovers users who buy the 'sh*ttest PCs known to Man' struggle with basics


UI Guidelines mandate saying "Press a key to continue"

I worked at a company that had UI guidelines that included command line and text interactive programs. The guidelines actually mandated to never use the words "any key". The correct phrasing was "a key". The document went on to reason that clueless lusers would search in vain for an "any" key before driving up helldesk costs with their calls. If "a key" was used, the users would search, and their search would not be in vain: they would find an "a" key.

Personally I think those guidelines were inspired. They were probably written by someone who had gotten their start from the helldesk and answered that question many, many more times than anyone should have to.

'Pure technical contributions aren’t enough'.... Intel commits to code of conduct for open-source projects


Recommend singular "They" for Inclusive Language

At the risk of infuriating language purists: "Using welcoming and inclusive language" could also recommend using the singular "they" over "he". This can be immediately understood by any English speaker. Although alternating "he" and "she" can achieve the same effect, it can make a complex workflow with many actors more difficult to follow as the genderfluid actors randomly change gender as the flow progresses.* Since that doesn't often happen in literary books, it can be jarring and confusing when reading such technical material. The singular "they" also avoids this mess of proposed alternative third person pronouns. You would need to take a class just to know how to use all of them. https://en.wiktionary.org/wiki/Wiktionary:List_of_protologisms_by_topic/third_person_singular_gender_neutral_pronouns

* Why is the CM manager editing code now? Why is the Developer reviewing the CM workflow? Oh, my fault, the CM manager has become a "he" now, and the developer is now a "she". True story when I was learning about a new CM process by reading its documentation. It is why the alternating "he" and "she" is unloved by me.

Redis does a Python, crushes 'offensive' master, slave code terms


Developers Who Say "Ni!"

The Developers who say "Ni!" demand a sacrifice. Your Git project has a branch called "master". We demand that its name be changed at once to "Ekke Ekke Ekke Ekke Ptang Zoo Boing!" and you bring us a Shrubbery.

Seriously, Cisco? Another hard-coded password? Sheesh


Why not Machine in the Middle?

If you change Man in the Middle to Person, then you must change the acronym to PitM. This will serve to confuse newcomers reading past literature, and experienced practitioners reading new literature. It will likely be off-putting enough that after a few eye rolls it will be added to the to-do-never list.

If you change it to Machine in the Middle, the acronym stays the same and the gender neutral goal is accomplished. Historical literature using the MitM acronym remains understandable without any additional burden to the reader (assuming new entrants to the security field are taught the new terminology), and experienced practitioners do not have to learn another acronym for an arguably flimsy reason.

Kentucky gov: Violent video games, not guns, to blame for Florida school massacre


The Guns are Not the Cause You're Looking For ... Move Along

One of the oldest NRA mind tricks: It isn't the real guns that spray bullets and kill people that are the problem, it's the pretend ones in video games that are the threat. This gun fetish must not be pandered to any more. How many people need to die before America wakes up and has the political courage to try the obvious solution of limiting access to deadly weapons? Australia and the UK did it to great success.

You can resurrect any deleted GitHub account name. And this is why we have trust issues


It's Not GitHub's fault

The fault is dynamically loading code from random folks' accounts on GitHub rather than from a proper repository and then hosting it either in a CDN you control, or within the application itself. The Maven/Gradle model, where the code VCS is divorced from the code repo, is a much more grown up way of doing things. I don't see why JavaScript libraries can't either use the central repository, or come up with something like it. With this model, if my project states that it uses version 1.1, then that's what it will use until I update my dependencies. My site won't suddenly go batshit or start mining cryptocurrency because of some change in a library. I won't get the new version until I ask for it. To me, this is a much better way of doing things than to rely on a third-party repo that could change and bork my application. It buggers my mind that people would want to always get the latest changes from third-party sites they don't even know, let alone control.
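The model the comment above prefers has two ingredients: the consumer names an exact version, and the artifact it resolves to is checked against a digest recorded when that version was chosen, so neither a moved "latest" pointer nor a silently replaced artifact can change what runs. The Python below is an added example illustrating that model; it is not the commenter's code nor any real package manager's, and the lock-file layout, the `example-lib` package, its contents and the in-memory "host" are all constructed stand-ins.

```python
import hashlib


class IntegrityError(Exception):
    """Raised when a fetched artifact does not match the digest recorded at pin time."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pin(lock: dict, name: str, version: str, artifact: bytes) -> dict:
    """Record an exact version plus the digest of the bytes reviewed at pin time.

    This is the explicit "I asked for it" step; nothing changes until it is rerun.
    """
    lock[name] = {"version": version, "sha256": sha256_hex(artifact)}
    return lock


def resolve(lock: dict, name: str, fetch) -> bytes:
    """Fetch exactly the pinned version and refuse bytes whose digest differs."""
    entry = lock[name]
    data = fetch(name, entry["version"])
    if sha256_hex(data) != entry["sha256"]:
        raise IntegrityError(f"{name}@{entry['version']}: digest mismatch")
    return data


def make_host() -> dict:
    """Constructed stand-in for a hosted repository: (name, version) -> bytes.

    The "latest" alias is what an always-fetch-the-newest consumer would follow.
    """
    host = {
        ("example-lib", "1.1"): b"export const greet = () => 'hello';",
        ("example-lib", "1.2"): b"export const greet = () => 'hello'; /* 1.2 */",
    }
    host[("example-lib", "latest")] = host[("example-lib", "1.2")]
    return host


def demo():
    """Walk through the three situations the comment describes.

    Returns (bytes resolved at pin time, bytes resolved after upstream moved on,
    whether an in-place replacement of the pinned artifact was rejected).
    """
    host = make_host()
    fetch = lambda n, v: host[(n, v)]

    lock = pin({}, "example-lib", "1.1", host[("example-lib", "1.1")])
    pinned = resolve(lock, "example-lib", fetch)

    # Upstream publishes 2.0 and moves "latest"; a pinned consumer never sees it.
    host[("example-lib", "2.0")] = b"export const greet = () => { doSomethingElse(); };"
    host[("example-lib", "latest")] = host[("example-lib", "2.0")]
    still_pinned = resolve(lock, "example-lib", fetch)

    # The hosted 1.1 artifact is replaced in place; the recorded digest catches it.
    host[("example-lib", "1.1")] = host[("example-lib", "2.0")]
    try:
        resolve(lock, "example-lib", fetch)
        tamper_caught = False
    except IntegrityError:
        tamper_caught = True

    return pinned, still_pinned, tamper_caught


if __name__ == "__main__":
    first, second, caught = demo()
    print("pinned bytes stable across upstream release:", first == second)
    print("in-place replacement rejected:", caught)
```

The second return value equals the first even though the host's "latest" moved, which is the "I won't get the new version until I ask for it" property; the third shows why the digest matters as well as the version string, since a version label alone says nothing about whether the bytes behind it are the ones that were reviewed.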

FCC douses America's net neutrality in gas, tosses over a lit match


Achievement Unlocked - Capture the FCC

Playing as a telecom provider, regulatory capture the FCC by installing a majority of puppet commissioners.

Software dev bombshell: Programmers who use spaces earn MORE than those who use tabs


C Requires Tabs?

The C programming language has never required tabs, or even spaces for that matter as the Obfuscated C Code site http://www.ioccc.org/ demonstrates.

So what's the internet community doing about the NSA cracking VPN, HTTPS encryption?


Shor's algorithm

Shouldn't there also be an effort to use post quantum cryptography? All the effort to increase key size will be for naught if a practical quantum computer exists to defeat it.

Gaming apps, mugging and bad case of bruised Pokéballs


Golem Searches for Pokémon

Must find Pokémon... The Precious Needs more Pokémon... Pokémon Go is our master now...

How to log into any backdoored Juniper firewall – hard-coded password published


Oddly Appropriate Juniper Related Quote

1 Kings 19:4 "But he himself [Elijah] went a day's journey into the wilderness, and came and sat down under a juniper tree: and he requested for himself that he might die;"


Biting the hand that feeds IT © 1998–2020