* Posts by doublelayer

1861 posts • joined 22 Feb 2018

UK government shakes magic money tree, finds $500m to buy a stake in struggling satellite firm OneWeb

doublelayer Silver badge

Re: It Could Be Made to Work ???

"But nobody from government has stood up and said why they've just spent half a billion on something out of the blue."

Well, technically, several people and documents from U.K. government did say exactly why they bought it. It's just such a shame that basically none of them agree on what that reason was. This article quotes someone who says the reason is broadband. The article from a few days ago links to a report that says it's mostly navigation. Comments sections for both articles link to articles saying any number of other things.

doublelayer Silver badge

Re: It Could Be Made to Work ???

Well, that has several downsides. Basically, you're hoping to compare a lot of latencies between the satellites, requiring the device at the other end be informed of relatively large sets of data. That would make the system more delicate and require more data from the satellites. It would also make the system a lot more dependent on fixed ground locations, which isn't necessarily the most desirable setup. While those satellites are capable of broadband speeds, doing that would usually require larger receiving dishes and more power output. For things like ships and planes, you probably wouldn't find it that hard. For portable units used by field troops, that approach might be inadvisable. Still, if they intend to use the constellation for this purpose, they may find that my concerns are not that troubling. Still, if I were them and wanted to do the navigation with these satellites, I'd start by considering just putting the clocks in the ones that haven't yet been launched. They're planning to send thousands up; it's fine if 80 don't have clocks.

doublelayer Silver badge

Re: It Could Be Made to Work ???

Phone chipsets rarely support additional services that weren't around when the chip was designed. No matter how a new navigation system is implemented, whether almost identical to GPS or entirely different, a new chip will be needed to receive from it. The only exception would be a system which augments an existing one, similar to how QZSS overlays upon GPS for Japan. As for the clocks, that would be a problem. While they could put the clocks in the new satellites and reprogram them, they could have also put clocks in their own satellites without buying this company. While a navigation system isn't impossible, it would seem to be a strange step to take if that was the primary goal. Given their discussion of broadband, perhaps they have other goals in mind. Whether those goals make sense or are in any way useful is another question.

Three UK: We're sending you this SMS to warn you not to pay attention to unsolicited texts

doublelayer Silver badge

Re: Typical

I recently got an email after trying to log in to an online service. It started well:

"We noticed your login attempt seems unusual. To confirm that it is you, please enter the following code in the verification box: ..."

And then things turned for the worse:

"If you didn't attempt to log in, you should reset your password immediately." [reset your password is a link, and it goes to a subdomain of the original service]

While it could be worse and go through some other domain, this is still a perfect setup for a phishing email. I could just copy this directly, change the link, and fire it off to thousands of other users. Maybe some day companies will realize that it's not a good idea to basically create the convincing phishing email for scammers.

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

doublelayer Silver badge

Re: Liability

I do not claim that I am guaranteed a victory, or that they will accept one outcome over another. Any group with money can decide to use the law to cause pain to someone else. I am well aware of this. You are correct that I focused instead on right and wrong, or rather I concern myself with what is legal or illegal. To me, that was the relevant question, rather than what lawyers can do if they feel vindictive. Since lawyers can be used vindictively in a number of circumstances, it seemed to be supposition and rather useless supposition at that.

Anything you did in this theoretical situation could cause a litigious organization to go after you. Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system". And those are ignoring the high likelihood that they might try to argue that making any change counts as tampering with their computer system. The only solution unlikely to anger someone is to call them and request they change it back. Which will almost certainly anger nobody as you won't get anyone to answer your call.

In a situation where I discover that someone's doing this, I'm not going to insert a cryptominer. I'm too lazy for that. It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.

doublelayer Silver badge

Re: Liability

Yes, you can switch an image in such a way that you are in the wrong. It's not because you switched the image. It's because the image you switched to is illegal, meaning you are guilty of possessing an illegal image and of trying to distribute it. You can claim maliciousness on any switch, but the fact remains that it's not their image to retrieve. It does not matter what it was or what it switched to; they have no legal claim.

For example, let's consider part of your comment:

"unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment."

The most open of those words is inconvenience. The problem is that, although anything I change is inconvenient, they don't have any right to convenience on that basis. They are using my bandwidth without permission. It is similar to if they ran their corporate network off my WiFi from next door without permission. If I found out and changed the password, they would be inconvenienced. However, they would not have the right to recompense for that because the inconvenience they received was a direct result of their doing something they do not have a right to do. I did not guarantee that I would keep my WiFi up, nor did I guarantee that my server would stay up, nor did I guarantee that I wouldn't change files.

The same argument applies to harm. If they connected a device to my WiFi that would cause harm if it lost network connection, and when I changed the password it did cause harm, that is not my responsibility. They exposed the victim to harm by making it rely on something they didn't have a right to use. That is, at the very least, negligence. I don't think most courts would stop there either.

doublelayer Silver badge

Re: Liability

"Lets say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt."

If I want to make a script on my page with a cryptominer, I am allowed to do so. If I call that file JQuery.js, I am allowed to do that. If I edit JQuery, I am allowed to do that (MIT license). So the only way they would have a legal claim is if I agreed to host it for them. Otherwise, I have never made any guarantee that the file would remain what they saw at one point. I can argue that I did not know they were linking to the file, and they would have no proof that I knew that. I can argue that they were violating my terms of service by linking to the file, and if I did edit my ToS accordingly I would have a better case than they would. I don't need to claim either of those things in order to have the right.

The issue of a powerful place using legal might to harm people they don't like, even when they have no legal basis to their attacks, is accurate. However, it's also possible for them to do this for anything else. If they hotlinked to a file and I changed it to indicate they used without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done and they have no basis to win the case.

doublelayer Silver badge

Re: Liability

If they have hotlinked to your site because you are providing them a service, then there is a terms of service document describing who is responsible and potential penalties in various situations. Under GDPR, your site would be a data processor and both you and the original site would need to ensure legal handling of the data provided to you. If you violated that, data protection authorities can go after you, even if it was through another site that the data came to you.

If they link to you without permission, then you are not responsible. Well, that depends--if you log information you know to be personal information when you know you have no right to it, data protection can still go after you. But for most other things, you don't have any responsibility. If you want to host scripts that nobody else would want on your site, you are allowed to do so. For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem. Any liability would be on them because their site, not yours, was the one deciding what the user gets, and it was their choice to include a script their users don't like.

doublelayer Silver badge

Well, many businesses want someone's head because it's an easy way to make it look like they've done something: "The employee responsible was fired [and therefore the person who should have detected and prevented won't be]". But there's various times when it's the right response. I don't know how or why this particular error happened. However, if it was somehow done intentionally, it's a very obviously bad thing to do. Someone who decides to use a compromisable third party without any guarantee of security or functionality might not be the best coder out there.

Yes, there are lots of things that can fall into that bucket, but this is worse than most of them. For example, although pulling code directly from NPM is similarly dangerous, people at least expect that it happens and do some types of automatic security checks on new releases. Nobody's going to do that for the Internet Archive. Also, most places from which external scripts are retrieved at least expect that to happen and have made statements about keeping their server up. I don't think the Archive has ever indicated they are willing to be used as a CDN and they can delete files or edit them at any time without notice.

So, if you have a sufficiently worrying practice being intentionally used, you have to wonder whether you will catch them if they do something like that again. That isn't necessarily a reason to immediately fire someone, but if you have alternatives, and the current job market means you probably do, it's a thing worth considering. A good company won't fire people for honest accidents, but negligence or intentionally doing something stupid are potentially worth it.

'Google cannot stop it, control it or curtail it...' Inside the murky world of fake addiction treatment center search spam

doublelayer Silver badge

Re: People cost money, automation is cheap

Well, Google could take a relatively weak first step that would be easy and lucrative; if a place in a frequently impersonated industry wants to advertise, make them make a large ad payment up front. That payment will be usable to buy ads, but if the advertiser is reported as fraudulent and subsequently taken down, Google keeps the money. The business can have the money returned if they pull all their ads and close their account. This would give Google an incentive to find fraudulent businesses so they can keep the money without providing a service, and it might also dissuade the scammers. Not a good solution, because Google should really be doing more verification and it only works against those who advertise on Google, but better than nothing.

Purism's quest against Intel's Management Engine black box CPU now comes in 14 inches

doublelayer Silver badge

Re: system 76 - coreboot

This machine also uses Coreboot. Well, to clarify, it can use either Coreboot or the manufacturer's own PureBoot (for an extra charge). System76's machines are nice, but they aren't designed with the physical killswitches or with anti-tampering procedures (also has to be specially requested). It depends of course whether those features are important to you.

doublelayer Silver badge

Re: Pre-orders for the Librem 14 opened today priced at $1,199.

I checked out their specs page. Base RAM is 8GB. Increasing that to 16 GB costs $79 and to 32 GB costs $219. Base storage is a 250 GB SATA M.2 SSD. They have various larger and faster options.

For those outside the U.S., there are some limitations there. You'll notice I quoted all prices in dollars, because they don't seem to have prices in any other currency. They note that, while they ship, taxes in other countries are the buyer's responsibility so I can't tell you U.K. prices with VAT included. They have power adapters for U.S., U.K., and EU sockets. Not Australia, though it is a USB-PD one so that doesn't have to be a problem. Also, they only seem to have English U.S. keyboard layouts right now. If you can touch type your language on that layout, you're good. If you have an attachment to the U.K. layout, maybe they'll fix that sometime.

doublelayer Silver badge

Re: Why Intel?

You can get a thing like this with an ARM processor at the core. I think there are a few like that, but the one I know about is the Pinebook Pro. It is very open, has hardware designs, firmware source, hardware killswitches. The only downsides are that, using conventionally available ARM SOCs, it is a little limited performance-wise. It maxes out at 4 GB memory, and has six relatively slow CPU cores. If you can handle the reduced performance in a laptop and want a lot of privacy and security, that's probably a good option. Otherwise, we will have to wait for more easily obtained fast SOCs or stick to X64.

Consumer orgs ask world's competition watchdogs: Are you really going to let Google walk off with all Fitbit's data?

doublelayer Silver badge

we do not sell personal information to anyone

"we do not sell personal information to anyone."

Well, that's technically correct. You don't sell the information. You sell the ability to market to people based on the information in such a detailed way that people can access chunks of that information by paying you. Someone seems to have been paying attention during PR classes. Really helps spice things up from all those people who try to make the technically correct but misleading statement but either make it too obvious what they're doing or state something incorrect by mistake. I wonder if this turn of phrase has been recently adopted because of that "Don't sell my personal information" link that has started appearing on a few sites.

UN warns of global e-waste wave as amount of gadgets dumped jumps 21% in 5 years

doublelayer Silver badge

Re: Someone's confused

They do have two regions coming in second place though. Based on the figures, even if they meant that Oceania came in second place in total, the Americas can't come in second place per capita because Oceania's per capita is higher. The rankings per capita would have to be:

1. Europe: 16.2 kg/person

2. Oceania: 16.1 kg/person

3. Americas: 13.3 kg/person

4. Asia: Figure not present

5. Africa: 2.5 kg/person

If that's what they mean, they have some rewriting to do, especially as I'm betting Oceania didn't come in second place for total quantity of waste; their population is really small compared to every other included region.

Details of Beijing's new Hong Kong security law signal end to more than two decades of autonomy

doublelayer Silver badge

Re: I adore this BS "we're wat above them"

And many of us think that's terrible and we need to stop it, but it doesn't make a dictatorship any better. Many of us think that a fair trial is one of the most important parts of dealing with criminals, so if a few cases in our countries aren't treated fairly, it's a travesty. For those of us who believe that, imagine how those of us think about a country where no trials are fair and they also hold them all the time.

doublelayer Silver badge

Re: Severely endangering national security

"the Chinese government (indeed, its people) may prize stability more than "flourishing" or 'progress.'"

Rubbish. The Chinese government prefers that because stability means the previous status quo, I.E. they have all the power, stays in place. The people don't get to decide because 1) the government has done everything it can to mislead them about the benefits of their rule and the dangers of its removal, 2) the government has done everything it can to indicate that, should you have opinions, it is wise not to tell anyone lest they be forced to give you some vocational training, 3) the government has also indicated that, if you don't have opinions or even if you do, and someone asks you for your opinion, you should state one fully supporting the government, and 4) the government has demonstrated the capability and willingness to back up items 1-3 with violence.

I am tired of the arguments that a dictatorship is suddenly acceptable because it is desired by its victims. It's simply not true. Cultures may have different ideas about what they view as logical, but similar cultures in places like Taiwan and yes, Hong Kong, prove that there is not some Chinese acceptance of authoritarianism. No, you cannot base it off the writings of east Asian philosophers who preached the same, because I can find Thomas Hobbes and many like him and throw him back at you. Democracy as it is currently practiced is a relatively new concept, and it is not restricted to some subset of the world's cultures.

Everyone is capable of deciding how they want their government constructed. Nearly universally, when people are given that choice, even without experience with all options, they have chosen democracy or something they thought would be democracy. The democracy practiced in Japan and South Korea is differently structured than that in the U.K. and U.S., just as it is different from that practiced in Chile, Sweden, or various other clearly democratic countries.

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

doublelayer Silver badge

Re: Disappointing

They hid ~/Library for a very good reason. It would confuse the general public, and if files there are deleted or modified, things break. Just like why Windows hides AppData by default too. You can either unhide it permanently, or you can access it on a one-time basis. The procedure is relatively easy. Just enter ~/Library in the path window.

You assume that there will be performance hits when the exploit is active and that the users will notice these hits. I don't know about either argument. If the concept exploit is not efficient, that doesn't prevent someone else from reimplementing it to avoid any bottlenecks or to schedule inefficient behavior for times where users aren't going to notice. If a user is on a browser and notices a performance hit, I'm guessing they will assume what I would probably assume: that there is a misbehaving script in an open tab. This may also cause them to restart their browser, but the exploit can be restarted too.

doublelayer Silver badge

Re: What's wrong with standard unix user-group-world and access control lists?

Android has lots of problems, and it's not because of their SD card format. If they wanted to, they could sandbox the SD card easily without doing anything to the format. It's already set up to have directories where apps write by default. They just block access to those directories based on the app, allowing the user to override that. Problem solved. Except that's not the problem. Android's problems run a lot deeper than that, and the choice of format and decision not to sandbox the SD card too is somewhere between inconsequential and slightly positive.

doublelayer Silver badge

Re: What's wrong with standard unix user-group-world and access control lists?

On most consumer computers, everything is run with the same user account. Try explaining to the general public that yes, we know you are just one person, but you should create multiple users to run different applications. It sounds ridiculous. That's because, in most cases, it is ridiculous. I have done it with a few applications I have reasons to limit, but most of the time, I have no reason to and I don't. With this, you can take one of a few approaches to solving this problem:

1. What problem? Everything in the user's directories can be read or written if the permissions say so. This is generally fine if malware doesn't get into that directory. Not so good if that happens.

2. Create various areas where applications can write which are sandboxed away from other applications. This actually makes a lot of sense, because user documents can be stored in general-purpose directories.

3. Throw up warning screens whenever a new application wants to read or write to a new area. This will probably generate user annoyance and high blind click-through rates.

4. Warn the user on each file an app loads. The users will soon throw the computers on the floor.

Apple went with a combination of options 2 and 3. Option 3 is the more annoying, whereas option 2 makes a lot of sense. Unfortunately, we now know that they failed to implement option 2 correctly, became aware that they failed, didn't fix it, and ignored the problem completely. So we're essentially back to options 1 and 3. If you're sufficiently confident that you will never have malware running on your user account, you're fine. If you think that's a possibility, you're less fine.

The internet becomes trademarkable, sort of, with near-unanimous Supreme Court ruling on Booking.com

doublelayer Silver badge

Re: So what happens if ...

I think it would depend a lot on the expiration policy, and I don't know what that is for .com. If it worked like .uk, then their domain does not go on the open market until it has been disconnected for three months. If .com works like that, then my guess is that, should someone buy it after that period of disconnection, then the original trademark owner would be seen as not having protected their trademark. Trademarks that are left unprotected are considered abandoned and lost. If you do a search on the public trademarks database, you'll see lots of historical listings that were abandoned by their holders or taken off them. It'd probably happen this time too. Things become more difficult if .com simply expires the domain and immediately makes it available for sale. That might lead to ambiguity and legal fights.

doublelayer Silver badge

Re: Is this an open check for the registrars?

Registrars can already do that; you don't need a domain to be trademarked for that domain to be valuable. If one registrar decides to extort a user, they have that ability. Regulations try to prevent it, but not all of those regulations work.

As for ownership, things that are trademarked are never owned. Trademarks apply to things so small that you can't own it. Apple, the computer people, don't own the word or concept of an apple. Their trademark rights say that they can prevent people from using the word to name other computer products so people don't become confused about who actually made the thing. That right isn't perpetual or unlimited, and it in no way means they gain ownership over the word. Similarly, someone using a domain name as a trademark doesn't need to own a domain name, which of course they can't do anyway. If they don't have that domain name, their trademark application would likely be rejected because someone is already using the phrase; that would be a good thing to make explicit in law. That's why we have trademarks: to clarify who is using a thing that can't really be owned.

doublelayer Silver badge

The decision can be made based on a survey because the law is about what users think. The law considers, for example, whether something is likely to confuse consumers, which you can't just encode into legislation. It also allows for trademarks to be removed if consumers have come to think of the term as generic, which likewise means that you have to find out what consumers think. The means to do that is to ask them.

doublelayer Silver badge

Re: So many gaps in this...

Logically, this decision should have benefits for that. Someone trying to trademark "Booking" might have problems with holders of booking.*, assuming they managed to get past the generic term test. Someone trademarking "booking.com" would not overlap with someone with booking.[something else]. Of course, there's also the issue of trademarks in other countries which could go in a very different way.

Apple said to be removing charger, headphones from upcoming iPhone 12 series

doublelayer Silver badge

Re: Low-voltage DC is just USB now

If this was a 24W charger, it was already using USB-PD. 5V on USB tops out at 15W. Given this, the laptop should at least be able to charge slowly from that power source. While it wouldn't be able to run and charge because the power is too low, it should be able to charge for use later. If Dell has decided it shouldn't, I entirely understand the irritation.

doublelayer Silver badge

Re: Gets my vote...

"USB C is the right connector to force as a common standard (until some new super feature comes along that needs something different)."

I am happy to go along with that when we force a common standard on USB-C. This means no display-only cables, no everything-but-display cables, no Thunderbolt-only cables, and while we're at it, no power-only cables and every cable at least capable of delivering 5V 1A. I already have functional but very annoying power-only micro USB cables which tend to turn up every time I really want to move some data to a device with a micro USB port; I don't want to repeat the experience with even more options for a not working cable. When every USB-C cable either carries all types of data or is broken, we can force its adoption. Until then, I don't think we should force something on people that is unwilling to adopt a standard itself.

One does not simply repurpose an entire internet constellation for sat-nav, but UK might have a go anyway

doublelayer Silver badge

Re: You are perhaps assuming that its going to be GPS in the traditional sense?

"The GPS does not need to be global for the UKs purposes. It needs to be accurate where its interests are, and last I checked, that was a few islands in the Atlantic, and perhaps the Middle East."

Well, the U.K. itself of course. Then they have bases in the Caribbean and on the Falklands. They have some islands in the central Indian Ocean with naval bases on them, so there too. And two chunks they carved off Cyprus to put bases on. Oh, and they control Gibraltar so let's include both sides of the Mediterranean. Then wherever they will be fighting, and wherever they're planning to send ships or submarines. Oh, and there are Antarctic bases too. Don't know if they want their navigation system to cover those, but maybe. That's kind of a lot of the world's surface. Given that they send their ships to certain distant allies such as Australia, they may have cause to increase that still further.

"The Chinese nor Indian systems are not accurate outside their areas of interest - they are not global,"

Correct about India, not about China. China's system is intended to be worldwide, but they're not finished with it yet. Unsurprisingly, they started by getting good coverage in China, then expanded from there. Similar to Galileo, really, as that's not complete yet either.

doublelayer Silver badge

Re: "quantum compass technology"

QZSS is intended to provide navigation in densely-populated cities. Japan has a lot of those. It also provides increased service throughout Japan and the surrounding ocean, but a lot of that is because QZSS works with GPS to provide extra information. If all the GPS satellites were to be shut off, QZSS would be difficult to use though theoretically possible. Presumably, the British military will want coverage over the U.K., the various bases in the Mediterranean, Atlantic, and Indian ocean, and in areas where they have fought recently such as southern Asia. You can't do that with a few satellites. If they're willing to do U.K. and surrounding ocean only, they can do so more cheaply.

doublelayer Silver badge

Original: "Wrong orbit, wrong clocks, wrong radios."

Reply: "But only 12% launched so far, so clocks & radios are very changeable."

If they're going to design completely new satellites that work now, they don't need to pay this company; they just do the design and launching. The only reason to pay this company is to use what they already have, possibly augmenting it with additional launches for that constellation. They're not going to buy this company just to do something they could already do.

Original: "Even if it could be repurposed, which isn't a given, it would do positioning very badly."

Reply: "Why is why it's being considered primarily for comms & broadband, with positioning a purely speculative application."

It was discussed as a replacement for Galileo. Navigation system. It might be useful for other things, but the U.K.'s stated interest is for navigation. Maybe they know what to do to make it do navigation, but if they considered buying it for communications purposes, it would have been better for them to say that rather than call it an alternative to Galileo. It's not hard to type "For increased communications potential. The system may also be of secondary use in a proposed navigation system". They could have if they meant that.

doublelayer Silver badge

Re: Re assume...

If you don't know what the plans are, because they are not apparent, how do you know they so obviously exist? Has someone told you of additional plans, so you know of their existence because you trust that person? Have you seen the big cabinet with "Extra plans: Satellite Navigation System" written on it? What evidence do you have for there being additional plans other than that it would make sense if there were some? There are many things that would make sense if they existed, but that doesn't create them.

doublelayer Silver badge

Yes, they need engineers and designers on that report. They need them to answer questions like "What is needed to build a system like this?", "What do we already have that we can build on top of?", and several rounds of "How about this instead?". You need to pay the engineers. Sometimes, they need to run some models or simulations. They don't, however, need to build satellites or receivers for them, nor build new computers to run models on. Their purpose is to come up with some possible designs for a system and expected costs in time and money to build them. It's mostly thinking of designs and writing about them. Their remit is not to build prototypes; their remit is to write about possibilities. At the end, their product will be a large set of writing, hopefully including useful answers to all those questions. Or in other words, a big report.

Macs, iPhones, iPads to get encrypted DNS – how'd you like them Apples?

doublelayer Silver badge

Re: Good & Bad

Not all of that is as concerning as you imply.

"2nd i can block normal DNS at my fw, i can't block https unless i wan to break the internet for my household, or install a proxy."

You can do a pretty good job if you want to. CloudFlare's resolvers on IPV4 are in the range So you can set up a firewall rule: Source: [local_addresses] Destination:, Port: 443, Packets: drop. Do that for a couple providers and DoH becomes difficult.

"I really don't want my local systems being name checked against the internets dns servers,"

If you do enter a local address into something that sends it to an external resolver, that resolver won't be able to find the address, so you'll instantly know you have to fix DNS for the affected application to point it at the server that will work and will protect your addresses. While I understand that you might not want to send your internal requests by accident because you're concerned that a resolver will leak them, knowing your internal DNS names really shouldn't be very relevant to an attacker without additional access, and with that additional access the attacker can find them out anyway. In addition, the likelihood of an attacker also running a default DoH server is unlikely, and the encryption on that protocol makes it unlikely that someone could steal them from the traffic to that provider.

"i also don't want any random IoT crap on my net or apps i install on my laptop/phone being able to do dns look ups to stuff i can't block & without me knowing!"

I agree wholeheartedly. The problem is that any app sufficiently malicious can already do this. We block the most straightforward way of loading unwanted content. Here are some others, and DoH is not needed for any of them:

1. Hard-code an address into the code. Contact it directly. No DNS request sent at all.

2. Hard-code the address of a DNS server, then use normal DNS to retrieve it, ignoring the network-supplied resolvers. This is the easiest to block if you have set up your network to send all requests on port 53 to your local resolver, but most networks aren't set up that way.

3. Hard-code the address of a resolver which is willing to take requests on a different port. Not hard to set up by the attacker and finding out that it's happening requires inspection of packet payloads.

4. Hard-code an address and use it to find additional addresses via some encrypted and difficult to track mechanism.

5. Use the standard resolver to resolve something that's likely to get through, and host a resource there to allow resolution of other addresses. For example, hosting an encrypted database of addresses on Github.

None of these ways will stand up to a manual analysis with Wireshark, but all will completely bypass the local DNS system without requiring DoH to be operating. In only one of the cases can a simple firewall rule help.

"This is good for privacy but terrible for securing your home systems against unfettered outbound comms."

I really don't think so. If some device on your local network starts contacting a random external IP, will your network allow it or not? If it would allow it, then the only restriction on your outbound comms is trying to prevent the local device from getting the right address. Given how many ways there are of getting an address, that's not a guarantee of anything. If it would not allow it, then it doesn't much matter if the device knows the address to use.

"will be migrating to pfsense soon & will need to build a Man In the middle capable proxy to inspect outbound traffic."

This seems like an overreaction. Unless you are confident that you can create something capable of parsing all that traffic and determining whether you would like it or not, the effort will only create an extra bottleneck for your network.

doublelayer Silver badge

Re: Better late than bleeding edge?

If you are already willing to generate a cert, get it into the trust stores, and build a device to MITM your traffic, you might as well just disable encrypted DNS queries on the devices instead. I don't know of anything that prevents you from using cleartext DNS. Finding and switching those settings will take less time and processing than building and running an HTTPS-interrupter.

If you also want to block encrypted connections, you can find the addresses of the existing (not very many) DoH servers and create firewall rules that drop traffic going to ports 443 or 853 on them. If you are concerned that some piece of software will refuse to honor your DNS settings and will also use a secret resolver, you probably have more to worry about than how it resolves URLs.

Beware the fresh Windows XP install: Failure awaits you all with nasty, big, pointy teeth

doublelayer Silver badge

Re: Almost mouse free

Mine has two modes. Either she views them as food and then treats them as such, leaving the less desirable bits, or she gets bored and leaves the living ones inside the house. This led to an experience of finding a living, though likely somewhat unhappy, young rabbit hiding behind a TV cabinet. The rabbit hadn't done anything to the wires, yet, but it was quite a surprise when we found it. Still, easier to catch than the mice and squirrels. Since there are all these rodents to be chased, she mostly ignores wires. The only exception to this rule is if a wire is left disconnected, in which case the disconnected end apparently looks entertaining, especially so for ethernet patch cables. She will only do this if it's about 04:00 and you'd really like to be sleeping; in the daytime, the cable looks boring and she will just take a nap.

It's now safe to turn off your computer shop: Microsoft to shutter its bricks-and-mortar retail locations worldwide

doublelayer Silver badge

Microsoft store Vs Apple store

I think part of the benefit of Apple's stores is that they use it as a location for convenient tech support. If people know they can take their Apple devices to a local place, have someone look it over, and explain to them what is going wrong, they will probably stop by. If you already started that part of the project, you might as well also have new Apple devices on hand to show them off and so the user can buy a replacement when the tech support person tells them that their old one is broken.

Meanwhile, I don't know how restrictive Microsoft stores are about tech support. Maybe they're exactly like Apple, but even if they tried, their job is much harder. There is no way a standard Microsoft store employee will have all the diagnostic tools on hand to identify and fix hardware problems in laptops not made by Microsoft, and if they tried to create that capability it would be very expensive. Furthermore, I'm guessing that coming to their store and asking for help wasn't quite as easy as it is for Apple users. I tried to figure out for sure but all their pages have been changed to reflect work from home and the details aren't showing on the wayback machine. Since fewer users are coming for technical support, there are fewer people with broken machines to which replacements can be marketed.

CSI: Xiaomi. Snappy Redmi Note 9 Pro shows every fingerprint, but at least you get bang for your buck

doublelayer Silver badge

Re: Sorry...

Huawei was specifically put on a list of companies who are not allowed to use American components. Everyone else is fine. Depending on what you think of the American government's policy, the reason is either because Huawei has stolen technology from American companies and they don't like that, because Huawei competes with a possible American communications company such as Cisco or that proposed Nokia-Erikson merger that didn't happen and they want to take them down, because Huawei has connections to the Chinese government and they have been used by that government but the U.S. can't show us the evidence, or because Huawei is big and Chinese and makes a good bargaining chip. Given my own opinion of the American government, I imagine it's most of those reasons combined and nobody really knows which one matters each day.

To contest the allegation above your comment, it's not about competition with Apple or Qualcomm. There are lots of places that compete with Apple on smartphones, including, despite statements, Xiaomi. There are also lots of places using their own chips rather than using Qualcomm, including Samsung (make their own mostly), and a lot of places using Mediatech for the SOC provider. Not even about modems, as you can get those from Intel, Apple, and a few Chinese and Taiwanese manufacturers. If competition is involved, it's about the tech running communication networks, not the components in consumer electronics.

doublelayer Silver badge


"Now consider that neither the iPhone 11 pro nor the Xiaomi have 5G, which means that in reality the iPhone may be a paperweight in 2-3 years, but with the Xiaomi you don't care."

Oh come on. 5G isn't even really implemented yet, only being present in small quantities in a few cities. While they may have completed a worldwide roll-out in three years, it's not going to be that fast. They'll have to keep 4G running throughout that process and for a while afterwards, much to their displeasure. While I have no doubt they'll try to get that shut down as soon as possible, it's not going to happen before most Note 9s or iPhone 11s are broken or replaced.

Apple to keep Intel at Arm's length: macOS shifts from x86 to homegrown common CPU arch, will run iOS apps

doublelayer Silver badge

Re: Keyword here is "maintained"

You basically have to fit into 6 in order to get into any of the other groups. If you don't like Macs or Mac OS, you likely don't get one in the first place. The question these numbered groups answer is why people stick to Macs when they could do something else, and it usually comes down to liking them more, having a speedbump to moving to something else, or a dislike for change. While I don't have a problem with that characterization, I think the people you know fall into it because it's basically a superset of all the other groups.

Consider me, for instance. I fall into group 6, because Mac OS gives me a nice set of supported applications with Unix tools. For this reason, I run a Mac alongside various Linux machines. However, I'm also in group 4. When my current Mac dies, I will consider the available options for replacing it, including not using a Mac for a while. Depending on what the current lineup looks like, I will either be interested or I won't, and that will be the main factor in the decision. There are some who would not be making a decisions, and those are the people who don't fall into group 4.

doublelayer Silver badge

Re: Really?

The GUI thread mention above is a good one. There are some other ones you'll want to keep in mind. Here's a good one: lazy web scriptwriters. A lot of web JS is single-threaded and not all of it is efficient. If you've ever been on a large page with an inefficient JS system, you'll probably have noticed that certain operations are slow. For example, a page with a large table doing a filter and sort operation. Users will notice that and will be happier if the core running that inefficient code is faster. Similar things are true of things written simply, such as spreadsheet formulas, which various types of users rely on. And of course there are operations that aren't parallelizeable that code needs to operate; even when you have multiple threads, there may be a few using most of the CPU time while a lot of others wait for disk, network, or user input.

doublelayer Silver badge

Re: New Intel Macs in the pipeline?

I'm not sure that's true. The earliest Intel models were made available in January 2006 (iMac and MacBook Pro). By May 2006, just four months later, the last PowerPC laptop was discontinued. By August, the PowerMac line was discontinued. The only remaining models were rack servers, and they only made it until November, just ten months overlap.

The only way your figure might work is with software support--Apple didn't drop support for PowerPC machines until they released Snow Leopard in August of 2009. Still, that's only 3.5 years after the first public availability of an Intel model, and I think that's not the right figure to use. I think the seven to ten month number is closer to what we're discussing.

Source: I used the database from the Mactracker app.

doublelayer Silver badge

Re: Keyword here is "maintained"

I'd add a few other groups:

3. People who have used Macs before and gotten used to them. Now they'll keep doing so because they don't like change. This applies to Windows too.

4. People who use Macs because they already have one and it works fine. They might decide to switch if theirs breaks, but they'll think about it then.

5. People who have some specific application that's Mac-only. Similar to people who have some application that's Windows-only, these people are mostly attached to their device because the program runs. If an update doesn't work, they'll probably just stick to the old version.

doublelayer Silver badge

Re: It'll work.

With Linux, you're likely to see few if any problems. For most Linux applications and components, source is available with changes needed for ARM already implemented for several other devices including ARM-based servers, Raspberry Pis, and everything in between. A lot of binary-distribution package repositories already have ARM-compiled versions stored, and things you build manually will likely also work fine. A few old closed-source components exist, but a lot of those are drivers for things you won't have on the new machine. If you're using unusual legacy hardware or something, maybe you'll have some difficulty, but that's basically it.

For Windows, things are probably less rosy. Windows on ARM should work fine, but I don't know if Microsoft has any limits on what you're allowed to run that on (I don't know that you can just go out and buy an ARM-Windows installation disk; I think it's all been preinstalled versions on specific machines but I might be wrong). Microsoft probably has an incentive to facilitate that as soon as the new machines get released. However, ARM Windows can only emulate X86 (32-bit) internally, so trying to run X86-64 on it is probably going to be tricky. There are three solutions to this problem, each with their drawbacks:

1. Don't run ARM Windows. Instead, let Apple's emulation run an X86-64 VM host which runs X86-64 Windows and X86-64 applications. If there are bugs in Apple's emulation, you'll probably see them here. I'm guessing it will work, but it will be terribly slow.

2. Wait for Microsoft to get emulation for X86-64 on Windows on ARM, then things should work well. That should be fine, but it will probably take a while.

3. If you have tasks that require running X86-64 code on Windows, don't buy an ARM device. Wait for compatibility to be improved on Microsoft's end, and stick to an AMD or Intel processor for the time being. Since existing Macs will continue to work and new ones will be split between ARM and Intel, you can still use one of the Intel models if your preference is to use a Mac as the main machine. In a couple years, I'm guessing the situation will have improved for this use case, or at least if it hasn't you'll know not to expect an imminent change.

doublelayer Silver badge

Re: Really?

In many desktop use cases, having a lot of cores will be less important than having some really fast cores at single-threaded tasks. Not that ARM couldn't do that; with the freedom of higher power draw and extra space, they can probably do that rather well. Still, it'd be worth the time of chip designers to keep in mind that a lot of cores will at some point not be so useful as a moderate number of fast ones. I'm curious how the single-threaded benchmarks of Apple's new chips will compare to those of comparable X86 ones. Given their confidence and using them in the MacBook Pro at launch, I'm expecting impressive things.

Folk sure like to stick electric toothbrush heads in their ears: True wireless stereo sales buck coronavirus trends

doublelayer Silver badge

Re: "Canalys reckons the wireless earbuds sector will deliver over 200 million units this year"

The energy usage is not that important exactly because of what you mentioned. A person who uses these likely also has at least one of these things: an electric oven, a central heating system, an air conditioner, a dishwasher, a washing machine, a clothes drier, or an automobile. They likely use that thing too. Small devices like this are comparatively unimportant because, if we eliminated them entirely, not much would change.

Let's look at it numerically. We have a wireless earbud case containing a battery with a stated capacity of 400 mAh (let's assume this is 5V, so that's 2WH). The earbuds inside have 50 mAh each, 0.5 Wh together. Now let's assume that charging is hideously inefficient, about 10%. If the battery in the case is empty, it will take 20Wh to fully recharge it. The earbuds themselves are even less efficient at 5%, so recharging their combined 0.5 Wh takes 10 Wh. Combined charging power usage is 30 Wh. This would probably be enough to run the earbuds for three days or so of all-day usage, but let's call it one day. 30 Wh per day.

Let's compare this to something that's not the biggest user of power in a house. How about the humble microwave oven? How about a really pathetic low-power microwave oven? A 500W one? How long could you run this per day before it used more than your earbuds? 30 Wh / 500 W = 0.06 hours. 0.06 hours * 3600 seconds / 1 hour = 216 seconds. Three and a half minutes.

I've been very generous to the argument here. The efficiency numbers we used are ludicrously low, even for wireless charging and dual batteries. The frequency of charging is unrealistically high. The microwave power is lower than normal. And of course I didn't consider the much higher-power devices out there. If you intend to worry about power usage, focusing on something this small is pointless. If we improved charging to complete efficiency (not possible), the power usage would be basically the same. If we eliminated the devices entirely, power usage would be basically the same. If we want to reduce power consumption, we're going to have to focus on the big users of power. These ... aren't it.

doublelayer Silver badge

Re: "Canalys reckons the wireless earbuds sector will deliver over 200 million units this year"

Basically all of them will; consumers aren't great about bringing tech to recycling places. The same argument could be made about most other types of tech though--even with replaceable batteries, consumers discard their devices all the time and don't always recycle properly. The amount of ewaste from these specifically is not that much compared to all the old smartphones currently sitting in landfill, or even to all the cheap earbuds with broken wires that are also in those landfills. While it's a major problem, you can't really blame these any more for it than most other kinds of tech.

Faxing hell: The cops say they would very much like us to stop calling them all the time

doublelayer Silver badge

Re: Fax will never die!

The problem with that logic is that it's not all that easy to tap lines at ISPs. If you work there, maybe. If you are able to get malware on them, sure. But really, it's not easy. Mailservers may be easier if they're not managed properly, but a lot of email goes through massive outsourced ones that have proven not bad. By far your best bet is to get malware on the sender or recipient's computers. That can steal lots of email very easily. However, it's worth keeping in mind that a lot of faxes these days will simply be entered into a computer. Malware on that computer can steal the entered information just as easily as it can steal emails. Meanwhile, if you do have some access to the lines in some way, whether that is with a tap on local wires or the relatively difficult though possible tap on an open line, you can steal a fax at any point. No, you don't have to know already what line the fax machine is on. If you have a large enough hard drive, you simply capture every line and you can write a program to pull out faxes at your leisure. If you want a smaller tap device, you implement a function to listen to each line and ignore it if you don't hear fax negotiation tones. You will then be able to collect a list of numbers with fax machines on them and all the faxes they sent or received. You can sort this list for the interesting machines and comb through those faxes, pass the received images with character recognition and make a computer sort for interesting faxes too, or even modify the fax data en route.

doublelayer Silver badge

Re: Fax will never die!

"2. Unlike email, it would be difficult for a third party (who doesn't have physical access to either facility) to intercept the communication."

That depends on a lot of things. If you're referring to malware installed on the recipient's computer or the mailserver, you might have some point. The problem is that malware usually isn't on the mailserver and malware on a computer could catch any information entered from the faxed document anyway. If you're referring to intercepting the communication by tapping a line, email is probably better. It is possible to wiretap both types of lines, and in most cases such a tap will be sufficient to collect the message, but in the case of email there is some chance of encryption, whereas a fax cannot do that. In most cases, the connections between sender and sender's mailserver and recipient and recipient's mailserver are run over TLS, meaning the easiest place to attack is between the sender's and receiver's mailservers. Depending on the system, this too may be encrypted. If the message is secure, you can encrypt the message independent of any other encryption on the connection.

doublelayer Silver badge

Re: I called the cops

A quick public service announcement: if you do call emergency services by mistake, don't hang up. Quickly inform the person who picks up that you called by mistake and apologize. Then they'll hang up. Otherwise, you will waste their time as they call back to confirm, and that's if they don't decide to send someone to your address just to make sure. You will be doing yourself and everyone else a major favor.

What's the Arm? First Apple laptop to ditch Intel will be 13.3" MacBook Pro, proclaims reliable soothsayer

doublelayer Silver badge

Re: Emulation

You are quite right. I'm talking about emulation, and the pain that would happen when what you're emulating is a virtual machine host. That's not a small program, and it has lots of little hooks into hardware. When you emulate it, your emulator better be really good so it doesn't realize that it's being emulated. But what is worse is what that VM host is going to be sending through the emulator: Windows 10. That's not a light program. Translating all of Windows's instructions from X86 and X86-64 to ARM will require a lot of emulation, and it will either take a lot of processing (meaning it runs slowly) or require a massive cache of pretranslated instructions as you have mentioned, meaning long delays during that translation processing and a lot of extra storage). Remember that Windows 10 weighs in at eight gigabytes, a lot of which is X86 binaries. Then keep in mind that whatever the user is going to run on that is going to be even more needing emulation at the same time. That's why the ideal scenario would be not emulating a different instruction set for a large, processing-hungry operating system. Windows on ARM is the clear solution here, and it's already available. What we need to run it will be ARM-native VM hosts.

doublelayer Silver badge

Re: Emulation

Virtualization may be tricky, but it isn't impossible. It would require the VM companies to recompile their applications for ARM, which probably isn't easy but it is what they do so they can manage it with time. Most VM hosts do not in any way emulate a different processor short of disabling a few things for older OSes, so ARM-specific builds of Windows or Linux will be needed. In the best case scenario, the VM host is recompiled, the application running in the VM is also recompiled for ARM, and everything runs the same as before. The worst case scenario is ARM-compatibility layer virtualizes X86, VM host runs in X86, tries to run another OS in X86, and probably screeches to a halt before the application can even be started. It will depend a lot on the companies producing VM software.

Native booting, on the other hand, is likely to be problematic. It's not so much the OS itself--someone can compile a version for the architecture. It's the rest. ARM devices tend not to have a standard boot mechanism like X86 does. That's why, although we can compile a mobile OS for any architecture we want, we have to manually rebuild it for every phone in order to run it. There's also the issue of hardware drivers. If Apple doesn't consider natively running another operating system to be important, and their customer base is probably mostly in agreement, they may not bother to compile drivers for ARM Windows let alone Linux. Linux might have some chance of finding suitable replacements, but that will likely take some time. If you need native booting of something else, I'd advise caution about getting an ARM-based product for quite a while until someone else has figured out the details.


Biting the hand that feeds IT © 1998–2020