Posts by really_adf

SAML seemed to do the job 20 years ago. Albeit with horrendous XML baggage.

Re: Aquired taste

How did their MSA signing key get “acquired”?

Yes, and more importantly, how will that be prevented in future? Microsoft seem to have reasonable measures in place to detect and assess the problem, as well as the processes to mitigate it, but prevention is better than cure.

How could they have such a fundamental vulnerability as allowing tokens signed by a key for a consumer service access their enterprise service (OWA)?

I think "consumer" in "consumer signing key" refers to a service that validates and uses (ie consumes) the token that was produced and then signed using that key, not "consumer" as in "consumer-grade".

Another important question is, given the key provided "access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals", what else could have been accessed with it? If a single compromised key allows access to email of more than one organisation, what are the chances it was limited to those?

Re: ummm?

I think you're thinking of Linksys, bought in 2003 by Cisco and sold in 2013 to Belkin (according to Wikipedia).

Re: American cars are too heavy - solution blame electric cars

It's of course true cats have got bigger and, especially, heavier. Part of it is crash safety, part "mod cons" all adding up. EV batteries make the problem a double whammy.

The only real solutions are fewer cars and better drivers. So we're fucked.

Re: Serves Google right

Of course, email is not a reliable transport, and anyone who doesn't understand that is an idiot. It was never designed as such, however.

On the contrary, It was expressly designed to be reliable. A core principle is thot when an SMTP server accepts an email, it promises to deliver it to a mailbox or pass on that responsibility to another system, and notify the envelope sender if it can't do either.

Accepting email but neither delivering it nor notifying the sender - usually because it "looks like spam" - is the violation of the above that makes it unreliable. "Backscatter" favours not accepting email that will not be delivered (or forwarded).

(I didn't downvote, for the record.)

Re: Well, every little bit helps

upgraded from 'crippled slug' to 'drunken sloth'?

Pretty much my first thought. When it's so pathetically sluggish to start with there's plenty of scope for improvement.

The most amusing note to me was, "the Windows biz has apparently cut the latency involved with raising a hand by 16 percent."

(a) The UI latency of such an action being significant enough to consider measuring in the first place says there is a problem (network latency is unavoidable, but that should apply only for others to see a raised hand).

(b) IMHO the meaningful measurement is the time from beginning to act to raise your virtual hand until that action is completed. That increased manyfold when the UI was changed to move the button under "Reactions" and no technology improvement can ever recoup that.

Re: Will it happen?

No sensible Prime Minister would appoint [Nadine Dorries] to a cabinet position.

I'm not sure that answers the question of whether it will happen.

Re: Faster web sites

Yes and no. A site hosting its own fonts, JS libraries, etc means no need to connect to other servers, But you'll download common resources once for each site, instead of just once.

I'm not sure I understand the basis of the fine. If I host a site, visitors must reveal their IP address to those operating intermediate routers. The visitor has no control over this. That's OK, because there's no alternative? I can reference remote resources but only if hosted by a provider that assures me it won't use the IP addresses it sees, beyond what is necessary?

Re: A solution looking for a problem

Is Autopilot a level 5 system? No

Does that mean it’s inherently bad? No

In and of itself, the latter may be true. However, the combination of the former, the name and human nature seems very likely to result in something for which "inherently bad" seems an appropriate description. That result is what is important, and seems to be supported by evidence.

Another question is, can anything less than a level 5 system avoid that result? If not, does it not follow that as long as the answer to your first question is "no", the answer to your second question is "yes"?

Nowadays, if you asked someone to name a vacuum cleaner brand they'd probably say Dyson.

If you ask people to name a hoover brand, I think more would say Dyson than Hoover.

It seems typical of the GNU mindset to think "Ah! But the user may be using a machine without function keys!" It's 2020.

Personally I find function keys just a little too far away from my fingers, and I can't find them without looking (but I guess that's at least partly because I don't use them much). So perhaps "machine without function keys" is not the reason, or at least not the only reason.

Re: Whats not to like ?

The catch is that NR makes a whole slew of optional and rarely used features in LTE-A mandatory. The big one IMHO is carrier aggregation, ...

Sounds like this is something that the software update doesn't need to enable: use of the feature is controlled by the network. That is, it's a problem if not supported by phones, which won't work if the network uses it.

Call it a hunch but from Suri's previous comments I suspect the approach is technically questionable (ie will not deliver various intended benefits of 5G), and has been pursued by Nokia for non-technical reasons.

Re: Yes please

Just... don't expect to be able to tell the difference in the price. After all, combined these two things together probably only cost a couple of quid at the volume Apple makes them...

Possibly more saving from reduced packaging and transporting more boxed phones per unit volume than the cost of the electronics.

Re: "There's no slave in git though"

Masters are the official finalized recordings from which copies are made. A Git master branch constantly updates, so it should be main or devel.

The "master" branch is analogous to a master copy in that it is (in many cases) the one from which copies are made (new branches). Of course, I can't deny the "finished" aspect breaks the analogy, but then there's no such thing as finished software :).

Also, some people seem to think that by changing the word from master to main (or blacklist to blocklist) it's a condemnation of those who previously used the terms. It's not.

Regardless of the motive for change, the problem is that there are some people who will see it as a reason to condemn those who previously used the terms.

Edit: the point of this being that you can't win.

Re: What problem are the certificates solving?

iPlayer can ship with Public Key A

I think you're describing the same thing as I was trying to. I called it key0.

So it works as long as the first connection is within the expiry date of the initial download or pre-installation, and it's run often enough.

The same is true if you use certificates from a public CA, and embed the roots in the client with a way to update them (provided that's done in time).

It's the expiry that makes it functionally similar, even though the detail is different. The benefit you describe comes down to having control over expiry. You could equally get this with certificates by using a private CA, without the wheel reinvention: you just need to be able to specify which CA certificate you trust and have a way to update that certificate.

It's not really about marketing (well OK, maybe a little bit.) Hard disk capacity used base 10 units once the average disk size got a little too big for conveniently using base 2 units, as they are a linear/serial storage medium which means a disk platter's capacity can be any number of bytes you like.

At the read/write head, hard drives are basically serial, but (for a long time) from the outside, they are random access devices addressed by sector. The capacity is actually any number of sectors you like. Sectors have a power-of-two size, as a natural consequence of the fact they are buffered in RAM. This may explain 1MB = 1,024,000 bytes being used for a while; this is the definition applicable to a "1.44MB" floppy disk.

Binary prefixes are a natural convention for memory chip sizes: they simplify expressing exact values because the chips have both a power-of-two addresses (a number of address lines) and a power-of-two data lines. Decimal prefixes are a natural convention for line rates: they simplify expressing exact values when, as is typical, a factor in the rate is a clock frequency defined with a decimal prefix.

The rationale for a convention is less clear-cut and often varies in other cases, such as hard drive sizes. This, I assume, led to kibibyte etc to disambiguate.

Re: I'd like to see it

I'm in the middle of Austin. We see no stars at all. Just the Moon, Venus, possibly Mars and maybe, just maybe Jupiter at times

"Possibly Jupiter and maybe, just maybe Mars at times" is more likely. Put another way, if you can ever see Mars, you will be able to see Jupiter regularly.

The maximum apparent brightness is basically the same, but Mars is more variable. I think the primary reason for this is that the orbit of Mars is more eccentric. An instructive diagram and more here.

I am sceptical that it has to have location permissions granted to use bluetooth.

https://developer.android.com/guide/topics/connectivity/bluetooth#Permissions

Re: How can "Diagnostic Data Off" and "Required Diagnostic Data" coexist?

Or is this like saying if you go out for dinner tonight, it's required that you dress a certain way—but you can still choose to stay at home instead?

I think that's basically the logic. I can see some sense in the wording by reading it from Microsoft's perspective, but surely the wording should have been chosen for the users' perspective. For example, "required" is the minimum required for any useful diagnostics.

I think off/minimum/full would be the most clear (to the user) options for the implied result of the choice. Whether the actual result matches this (ie whether "off" really means "off", as you mentioned) is a different matter.

Re: Doesn't check out

No, I don't think this virus is really as scary as people make it, the main problems are that it seems to spread easier and quicker than an influenza and that there is no vaccine.

Mortality seems to be comparable, so maybe we are overreacting a tad?

More infectious and no vaccine with the same mortality means more people dying, no?

Microsoft; you need to learn what legacy means before you can even think about improving Windows.

I think Microsoft know full well what legacy means, this is just the (wishful) thinking of one part of the organisation that is at odds with other parts, those being more in touch with reality.

Re: On the plus side...

The snap had been shot by my wife on her smartphone (Ugh) so it was in 3:2 format (re-ugh). I took care to re-frame it properly and change it to the proper 4:3 format for photographs, only to have the millenial shopkeeper tell me that she'd have to crop it as it was not in a standard format.

"Proper photographs" - that is, on 35mm film - are 3:2 (https://en.m.wikipedia.org/wiki/135_film). Hence 6x4 (inch) prints.

Re: Insurance

It’s very rare insurance predictions are wrong.

Natural selection: insurance companies making bad predictions die?

Re: Radar

Much more than twice the range, surely: reflection won't be perfect, and a "useful" return signal will be stronger than the minimum detectable.

Re: Selective deafness

Most people who buy a computer (laptop or desktop) for work don't care so much about looks.

I'm not sure about "most"; I think it depends on whether you want to actually do work on it or because you are a superficial twat, eg many in sales, marketing and management.

Re: Finger Printing and The DMCA

If corporations can have a law that prevents circumvention of the what they do to protect their data (DMCA), then why can't we have one to prevent circumvention of tracking and privacy tools/controls that we use to protect our data?

That's a very clear way to put it, and I can't see a reasonable argument against it. Have an upvote.

So that’s the end of cross-EU mobile roaming, then. Why would companies pay for this when they can pass the costs on to the customer?

The obvious answer is because none of them want to be the first company to start charging for EU roaming.

Re: Why obsolete?

According to the totally reliable Wikipedia it was five times more expensive to operate than on road vehicles (disputed by the Communications Workers Union who said it was only three times as expensive).

Could be viewed as: road vehicles should be three/five times as expensive as they are...

Re: As a ex sys-admin....

You should be able to assign administration accounts only the rights actually needed in a "JEA security" type model.

Err, that is literally exactly what sudo does (bugs aside). Its configuration says which users can do which things as which users. Such as "members of this (administrative) group may stop/start this service".

Why is SSH (as a protocol) singled out here?

Because it's by far the most likely way to access a machine with an application warranting the vulnerable infrastructure requirements?

Re: A simple (but costly) answer

If 1km is worth 20k

At a guess: it's not 500m of cable = £10k, but a 500m stretch of (say) 10x 100-cable bundles = 500km of cable = £10k.

Re: This is stupid

I'm surprised not to have seen mention of Android's Log.wtf(), "Report a condition that should never happen."

Re: This reminds me on Son May

Throatwarbler Mangrove: "... fundamentally, it's hard to work up the same level of outrage about "software piracy" as it is to do so about stealing food."

This, along with some other things you wrote, did make me wonder about any differences in society's views of "piracy" between software, music and video.

I think, of the three, music may be seen as more "personal" as opposed to "corporate" and therefore somehow closer to stealing food, although I have no basis for that.

Re: Shameless plug.

Downstairs is a bit more difficult

Huh?

I think I've only had one or two fifty quid notes in my possession ever

Same. Not so surprising when the current note was introduced, but seems strange when the inflation-adjusted value of a (rare) £50 note now must be similar to a (common) £20 note then.

Re: "Which hasn't struck me as particularly advanced either"

And mixing passenger and goods traffic on the same lines is much more common. Which makes for a lot of specific rules in the signalling logic if you don't want to treat every train as the slowest heaviest goods train that line might carry.

Can you elaborate? It looks to me in the UK like passenger trains may have a higher speed limit, presumably if their braking is good enough, with the default limit presumably being for the heaviest goods train (both presumably for trains with the worst brakes in the worst conditions, plus margin). No need for special signalling logic in this case.

Mixed speed traffic is very obviously a headache for timetabling though, same as stopping vs non-stop passenger trains of the same type.

Re: Help with "Innovative Solutions"

"Surely what matters with such cameras is what they do with the information."

Absolutely, but in general people seem to trust what computers say more than I think they should.

Yes, facial recognition may have prevented the tragedy in Stockwell, but the concern due to the above is how to ensure it doesn't end up causing more such tragedies because "computer says he's armed and dangerous".

Unfortunately, I fear the answer will come too late for some, but research like that reported here offers some hope that fear will not be realised.

Re: Dates? Don't talk to me about dates...

... "Oh, it's ok", they eventually exclaimed. "We'll just delete any double-quotes from each line before we process it. And as we asked, you're sending the file with pipe delimiters, so we don't need to worry about escaping commas".

This story resonates with my own experience. Things like this seem to be increasingly common. I've gone past getting mad, now it just makes me sad...

Re: iPhone?

Q. How do you know if somebody is a vegan.

A. They tell everyone.

Better, I think:

A. Don't worry, they'll tell you.

Re: MFA

All of the MFA implementations I've seen so far are much less convenient than passwords and/or require information disclosure to unsavory companies.

All security is a trade-off with convenience. (Wouldn't it be more convenient if you just had your user name, with no password to remember?)

From a convenience/handing over data perspective, I've used:

- Mobile app notification: minimal inconvenience, who knows about data (though not an inherent issue)

- Phone call: slightly more inconvenient than an app for most, but you need to hand over your telephone number.

- SMS OTP: probably slightly more inconvenient than a phone call in most cases; again, you need to hand over your number.

- TOTP/HOTP and similar (RSA SecurID springs to mind): like SMS OTP except no data.

The only other option I'm aware of (am I missing any?), and looks very interesting to me, is U2F. This keeps the "no data" aspect of TOTP etc, while reducing inconvenience to be similar to a mobile app. From a security perspective, it also allows a lot of potential weaknesses affecting the above to be avoided.

Re: How is this patentable?

I really hope the buffering isn't patentable. The technique for identifying the start of the sentence containing the wakeword could be novel.

Re: Scanning...

It's worth noting that the average reader of the Register would probably enjoy a visit to the Diamond Light Source

I have been there, and concur. An astonishing amount of infrastructure around the (comparatively small) storage ring, yet minute compared to (eg) the LHC... (I know DLS and LHC have other differences apart from size.)