Posts by Crypto Monad

Re: I threw some money at this....

Android really struggles with running in landscape - a ton of apps, including just the chrome browser - really aren't expecting you to do that and often don't display their content in a sensible way.

Here here (speaking as a Gemini owner) - on the Gemini, Force Rotate is a three-step dance.

However, the main reason to avoid PlanetCom is that they orphan their devices from software updates very rapidly. I got my device (one of the very earliest) in March 2018, and the last software update was December 2018. A ton of Android security bugs have been found since then, but no subsequent updates. I contacted their support recently asking if support had been officially terminated, and they gave a bland non-committal answer.

For that reason alone, I would say don't waste your money.

Re: Well....

And another xkcd: relative importance.

Re: CEO Dr Janko Mrsic-Flogel

> The Gemini also got an update in December but since then nada

Whereas Android for the Gemini got an update in December 2018, and nothing since then. Why abandon what is surely the most important platform?

Google, Microsoft and Amazon are infrastructure providers. In most cases, each individual VM fired up needs an IPv4 address. Cloud usage is going up, not down.

However, more importantly, Google is an advertising company, and its money depends on eyeballs on the adverts. They can't afford to cut off IPv4-only users, which are still the vast majority.

Think about what happened with IE5. For a long time, websites had to have a completely different version to support IE5, which was really painful and expensive. They continued to do so, until the number of people on IE5 fell to about 1% - at that point they felt safe to drop IE5 support.

The same will happen here. When 99%+ of the end-users on the Internet are dual-stack or v6+NAT64, content providers will feel it's OK to drop v4. Not before.

Well-documented as in "Intel have released all the details of the management engine and other similar components, and we trust them to be complete?"

Or as in "researchers have comprehensively reverse-engineered the billion-transistor silicon, and to the best of their knowledge there are no additional backdoors to be found?"

I'm not sure either of those fills me with much confidence.

Re: Another option

My (Android-running) Gemini hasn't received any update since "security patch level 5 December 2018".

I'm not expecting they will do anything this time - and not buying PlanetCom again.

Re: I understand

You don't need to open anything in your firewall if you use the DNS-01 challenge for renewal. Instead, you need to dynamically add a temporary TXT record to your DNS domain, and remove it afterwards.

This can be done using an outbound "push" to your DNS provider. There are many Letsencrypt agents which can do this, which integrate with many different DNS service providers.

Re: What to do with old 2.5" HDDs?

> So a kind of JBOD where individual drives can be added to the pool, or marked for withdrawal and all the data migrated off.

LVM will do exactly that for you. Each drive is a PV, and you can tell it to migrate data off a PV before you remove it from the VG.

Re: That brings us to thin clients again

> But how about corporates? Is buying a hundred or so of these + the Raspberry Pi + Citrix or open source equivalent a good option in real life as opposed to deploying desktops?

I don't think corporates will be buying Raspberry Pis. As far as I can see, the idea is they plug their employee's existing company phone into this, and the phone gains a full-sized screen and keyboard.

The phone is already set up for secure access to corporate resources, so this means one less device to manage compared to giving the employee a full-blown laptop or chromebook.

Re: Hopefully the UK will follow this

> Have none of you noticed that the UK standard plug is only used in the UK

Many countries with ex-colonial links - Kenya, Ghana, Malaysia etc - use the UK (type G) plug.

https://en.wikipedia.org/wiki/AC_power_plugs_and_sockets:_British_and_related_types#International_usage_of_Type_G

Given that equipment in these countries is generally obtained from the cheapest supplier, and may arrive with US or European (Schuko) plugs, what you mostly find is Chinese "universal" power strips which can take any sort of plug, more or less. They are one step safer than using crocodile clips.

Re: Hmmmm...

X.25 for the network layer. X.400 was E-mail.

Re: And then...

> ... All it takes is one person to be curious to find the cheat.

Not necessarily.

ML models are basically black boxes. He could also have cheated by training the model on the additional pictures in the test dataset: this would not have shown any trace in the code.

Re: Why some people keep on reinventing the ill-fated Palm Foleo?

> You could go with something like this. Not quite as cheap but easier to carry.

There are some others in that space, all rather expensive:

https://www.epiphan.com/products/kvm2usb-3-0/

https://www.lantronix.com/products/lantronix-spider/

If you want to do this on the cheap, then search for "HDMI capture" devices on Amazon (the thing gamers use for uploading their adventures to YouTube) - starting at £55. You may have to put up with a second or two of video lag.

This leaves you with the need for a keyboard. You can buy tiny USB keyboards easily enough, but making your laptop act as keyboard to a remote device is harder than you think. One option might be to use a Pi Zero with serial port on one side and USB running in target mode on the other, but you get to write the software yourself.

Re: Buy-out?

That would be a risky strategy for Sonos stockholders though. Firstly, stock may plummet on the news of the Google spat - meaning that even if Google eventually buys it, they get it at discount price. Secondly, Google already has a directly competing line of products, so little incentive to buy another. Thirdly, the risk that during litigation it comes to light that Sonos is unknowingly already violating Google's massive patent collection in some way.

Aside: that to me also seems an absurdity of patents. You do something in the only obvious way, without looking at someone else's patents or products, and you can still find yourself in violation just because somebody else wrote it down first.

Re: Is there a database somewhere keeping track of these 'deprecations' ?

> I keep saying that we need a website, with a queryable API, that returns things like:

>

> MD5: Insecure.

And the authenticity of the response from the website will be verified how, exactly?

Re: I watched the video

I would guess it tries to guess the most likely words you are typing, based on relative movement of your fingers, and on the previous words typed - i.e. predictive text on steroids.

Probably fine for the odd message home. Not so good for coding.

Re: Noise cancelling

Hand them one of these.

(We live in a world where it's impossible to tell if this is a spoof or not - despite being on indiegogo)

Re: blinkenlights

It's an IT crowd in-joke. Sorry it's a bit of a damp squid.

"it emerges that GlaxoSmithKline is ordering contractors to switch to pay as you earn tax arrangements or leave the company."

Isn't that exactly the outcome which IR35 was intended to deliver - more people ending up on PAYE? It's unlikely government would backtrack on that, if it's what they wanted to happen in the first place.

More likely outcome: more IT work outsourced to other countries.

Re: Vertical space rules

Reminds me of the xkcd phone with 4K screen (50 x 80 pixels)

https://xkcd.com/1889/

Re: another workaround to this

A better solution IMO is to use VLANs.

With unifi APs, the management IP address is always on the native (untagged) VLAN - and you can assign the wireless SSIDs to other (tagged) VLANs.

Therefore: put the management IP on a separate device management subnet that has no external Internet access - and no outbound access to any of your other networks, for that matter.

Then there's the question of what you do with the management software, which isn't currently implicated in phoning home. I'd suggest you stick that on the same untrusted device network and then you don't have to worry about it. If it's a Debian/Ubuntu box, you can give it access to an apt-cacher proxy so that it can download software updates when you choose, but nothing else.

Re: How much?

> MS will ultimately move Windows to a monthly license fee model though. It's inevitable really.

I doubt it. That's the *one* thing they could do which would make a significant proportion of PC owners try switching their desktops to Linux.

Charge 5p for a carrier bag and the vast majority of people will bring their own...

Re: Global roaming charges are evil

"My provider charges $1000 / gig"

Nope. Never heard of that sort of charge at all, and I use O2 who are famous for charging extortionate fees. Perhaps you meant $10 per gig?

Ha ha.

If you use your mobile phone in various third world countries - including Canada - Three still charges £6 per *megabyte* for data roaming - that is £6,000 per gigabyte. (Or £6,144, depending on how you define a gig)

But in the "Go Roam" (formerly "Feel at home") countries, including USA, roaming is free - it just comes out of your UK inclusive data allowance.

You have to be extremely careful about where you turn Data Roaming on and off!

Can someone develop an app that polls all these apps to work out which one the person you are trying to contact is using and then route the conversation to that?

Insert Obligatory XKCD

Re: BBC still coming in "loud and proud" in sunny Spain.

Just tested it: Radio 2 via TuneIn on Sonos still working for me this morning (in UK)

Re: For 2025 read 2075

> Running a fibre link for miles to serve a single house makes very little economic sense.

Except this article isn't about replacing copper with fibre: it's about withdrawing analogue telephony services over the copper. The copper can still be used to deliver data services: FTTC (from the cabinet) or ADSL (from the exchange). Voice will become VOIP over that. That's what's being talked about for 2025, no more.

In a completely unrelated development, Boris said we should move forward the aspirational target for replacing copper with fibre* from 2033 to 2025. That one will almost certainly go out of the window as undeliverable. If we get to even 50% fibre coverage by 2025 it would be a huge achievement.

*He's already watered down "fibre" to "gigabit-capable". That's so that properties covered by Virgin Media will count, once they've upgraded to DOCSIS 3.1.

Aside: as for whether running fibre for miles to serve a single house makes sense: fibre is cheaper to buy than copper, fails less often, doesn't need those pesky powered street cabinets, and allows customers to buy higher speed (and hence more expensive) services. So in the end, yes it will make sense: but when there's existing copper, the payback period for upgrading could be long.

Re: Local access and you get ever so much!

> If they could monitor the server's traffic they could see the pauses directly.

Which is a much bigger hole than this one. Even someone *listening* to your typing can attack this way.

Solution: use a password manager for all your passwords. Then you paste them in one big splurge, with no gaps. This is an easy and comprehensive solution, and of course lets you use strong random passwords too.

Using RSA/EC private key authentication for ssh helps too - but you're still going to end up typing some passwords over ssh sessions (e.g. sudo password)

Re: At least a responsible response

> So it may have become known by someone leaking the existence of the vulnerability.

Or somebody decided to compare the webmin distribution tarball with the source on github.

Re: New service!

Email me your passwords, and my algorithm will check if they are compromised.

Already been done - e.g. https://haveibeenpwned.com/Passwords

(TBF, that particular implementation takes a lot of care not to send the password to the server)

Re: An issue of Google's own making ...

> I *can* teach my mother to avoid a website that Chrome (other browsers are available) labels as "INSECURE".

I think what you mean is, "I can teach my mother to avoid entering her banking details into a site which Chrome etc labels as 'INSECURE'". Even that minor toe-hold goes away when all sites are HTTPS. But it never really helped in the first place.

The theft of sensitive data by packet-sniffing of unencrypted traffic is only a tiny part of the problem. The main problem is entering data into fake sites which look legitimate. If the web site looks like her bank's website, your mother will use it. It may even proxy to the real site behind the scenes.

Anyone can register a plausible-looking domain like "halifax-online-services.com" - and could also register a similar-sounding company name if they want an EV cert (but why bother, since 99% of users ignore them anyway?) I expect most users would enter their login details at "halifax-secure-banking.dyndns.org" if the content looked right.

"Secure" (in the weak sense provided by HTTPS) is very different to "trustworthy".

> Throttles split across different consoles.

>

> That sounds like a recipe for the Chuckle Brothers 'To me... To you.'

Or Air France 447.

Re: FIPS stands for reduced security

It's funny that you pay extra for a FIPS-certified device, and receive something which is less secure than the regular one.

Similarly, there's a FIPS version of OpenSSL. Nobody uses it - except those required to by policy. What you get is effectively an old version of OpenSSL with a bunch of features stripped out.

If there was even a chance that it was any more safe than normal OpenSSL, there would be plenty of people who would choose it for that reason. But they don't. That tells you all you need to know about the value of FIPS certification.

Re: Map projections

I guess they must have their reasons for cabling at sea rather than overland (shorter overall distance? Siberian conditions the bigger maintenance nightmare?)

Wayleaves.

Re: That is damn close

My chemistry teacher was always bemused that the "kilogram" was chosen as the SI base unit for mass, and argued that we should weigh small amounts of things in "milli-kilograms"

Re: Sure this will be great on the long term

> There used to be a time where a small business would back up their local data to a single set of tapes, but that market has almost entirely died to be replaced by disk cartridges or cloud services.

There used to be a time when small businesses would run their own servers, but that market has almost entirely died to be replaced by cloud services.

Re: MS SOP: Embrace, Extend, Extinguish.

"We're told people will eventually be given instructions and code on GitHub to roll their own WSL 2 kernels, if the supplied 4.19 one doesn't float your boat"

Oh, how very magnanimous of them. But for some reason, the article doesn't mention that if Microsoft is distributing Linux kernel binaries in Windows today, without providing the corresponding buildable(*) source code, they are directly violating the GPL.

Remember: Microsoft is a cancer on open source software.

(*) "The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."

Re: Interesting story, but... @Terje

What I'd like to know is - how do they already know the half life of Xe124, if its decay has never been observed? Is it a theoretical value? What's the level of uncertainty?

Direct observations which either confirm or disprove the previously expected value are equally interesting.