* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Vehicle owner data exposed in GM credential-stuffing attack

doublelayer Silver badge

Re: GM online account

To use their reward system, however that works. If you earn points and have to identify yourself to spend them, that's one of the only ways. I think if you don't care about that system, you can refrain from setting up an account and just drive the thing. You would then lose whatever advantages there are in the reward points, although I'm having trouble imagining how they could set it up to be very useful.

FTC urged to protect data privacy of women visiting abortion clinics

doublelayer Silver badge

Re: People?

Obvious troll, I see. Since you like asking questions, why don't you answer this one: why was "people" incorrect? Would there be members of the set of those traveling that don't fall into the set of people?

Florida's content-moderation law kept on ice, likely unconstitutional, court says

doublelayer Silver badge

Re: move the Social media out.

They would still need to deal with the laws of other countries, just as Facebook must make at least some effort to lie about complying with GDPR and having some kind of backdoor preventing the Irish DPC from investigating them. If you operate in a country, even if you are incorporated elsewhere, they will be able to apply their laws to you. With the internet, this isn't always strong. For example, if I put something on my website that China doesn't like, I'm not going to comply with their censorship law and they can either block me or not as they choose. If I were selling something or had my systems located in China, they'd have more leverage to do something about this and could successfully force me to comply. Social media companies sell advertising and thus earn money in the countries where their users are, so those countries have a method for punishing it if laws are not obeyed. Your solution will work as soon as we have a social media company that doesn't care about earning money or having anything located in the countries of which they don't like the laws.

Safari is crippling the mobile market, and we never even noticed

doublelayer Silver badge

Re: Lazy web developers

I don't like Chrome either and would be happy if they took it away from Google. There are good arguments that Google is also exploiting monopoly power with it and should be restricted or broken up. However, these do not change that Apple's doing the same thing and Apple's actions don't prevent the situation you suggest.

There already exists a version of Chrome for iOS. It uses WebKit internally, but it still has the Google devs and familiar logo. If they wanted, they could set up something that allows websites to only function there, and web developers can detect whether you're using Safari-WebKit or Chrome-WebKit and send users to get the Googly variant. I've seen a couple of sites do that. Apple's ban on a browser having features they don't have doesn't prevent that kind of abusive behavior. It does let Apple restrict OS features in a way significantly stronger than anything Microsoft did with IE, and we know how well that ended for web standards. You don't have to like Google for Apple to be wrong.

US won’t prosecute ‘good faith’ security researchers under CFAA

doublelayer Silver badge

I didn't say they were perfect, and in fact I pointed out that they can have major imperfections. They have the authority to selectively prosecute and they lack the resources to prosecute everyone in existence, so whatever your view on how well they use those things, it's useful to know they have this. This is not just the U.S., by the way. It's typical of all investigation and prosecution systems everywhere. Describing how financial crimes are judged and investigated, when something counts as a financial crime, and how you can legally do something that causes financial problems is not relevant to the security research situation, so I'll spare you that essay.

doublelayer Silver badge

Because sometimes, your actions are either legal without permission or unplanned, and in both cases, being denied permission could be a problem. I'll use an example for each one.

Legal without permission: I've bought a device, and I'm going to run security tests on it. This device is mine, and I have that right. I do not require the manufacturer's permission to try gaining extra control of the software running on it. If I find a vulnerability in this one, I'll inform the manufacturer in the hope that they will fix it for all users of the device. If I asked them for permission to test something that I own and they declined, it would have no effect on my rights but they might think that it allows them to come after me. Manufacturers that don't want their vulnerabilities disclosed and don't want to fix them have frequently taken this approach to attempt to silence researchers who discover real problems.

Discovery is unplanned: I'm using a service legitimately and find a problem. This may be entirely accidental (I mistyped a URL, for example), basic (oh, look, this form reacts wrongly when an SQL query is put in it), or more active (look, they've got private information in the HTML of this page which they're sending to me without authorization), but in all cases, it's something that is made available for my use. Even in the SQL example, I'm putting text in a box where I'm supposed to do so, and if my message actually contains a valid SQL query, it's valid input. Having found this, I inform the company that there is a possible issue. Again, I haven't done something invasive to discover they have a problem, but if they're annoyed or don't understand what I've done, they may react badly. I shouldn't need their permission to do that.

There are many cases where you do need permission to do a test, and where failing to get it makes your activities criminal. A penetration test without permission is nearly always an obvious crime. These are pretty clear. Unfortunately, when the activity is clearly acceptable, researchers are not always treated well when they disclose it to the owner, which is why more protections are needed.

doublelayer Silver badge

"Does the US Department of Justice really get to decide which part of federal law does not fit their agenda and thus can be ignored or is that neglect of duty?"

No, they just get to do that. They have to use the laws to decide who can be prosecuted, but they have the authority to focus their efforts at any subset of those people they want. This is the case so they can optimize the use of their resources (they don't spend all their time on small-scale criminals and run out of employees when bigger criminals come along), but it can lead to abuse and neglect.

"Security Researchers should not be prosecuted for doing their job responsibly but relying on the current agenda of the DoJ to protect them seems to be wrong on multiple levels."

It definitely is. It's just that it's the only thing they can do. They are not allowed to put this into the law, so it's just a direction about who deserves their attention. It can be reversed at any time.

doublelayer Silver badge

Re: If it's not in the Act then don't trust them.

It's not in it and the department does not have the authority to make any changes. There are people who could put this into the law, but they probably won't do it and it wouldn't help much. They wouldn't do it because it takes a lot of effort just to add a weak protection and some of them (all of them) don't really understand what security researchers do. If they did, it wouldn't necessarily help because it isn't clear. A lot of laws include such ambiguous terms, meaning that if a prosecutor wants to, they can easily spend months in court arguing whether something was "good faith" or not, decided by a judge who also doesn't know what security researchers do. We've already seen politicians attempt to get someone prosecuted for something that already doesn't come under the definitions in that law, so they're certainly not going to be stopped by a platitude. That's why the EFF wants stronger protections.

Seriously, you do not want to make that cable your earth

doublelayer Silver badge

Re: almost whoops

And also that cables are shape shifters. I have a box of mostly USB cables, but even though there appear to be at least twenty in there, there is never the old variant of USB that I need when I search it. This is even when I've searched it for different things on separate occasions: when I need it, it's not there. I do have a USB-A to USB-A cable that just makes the wire longer, though. I'm sure I'll need that eventually.

Landmark case recognizes Bored Ape NFT as an asset

doublelayer Silver badge

Re: Monopoly money

It's easy to prove that something was stolen (or in this case, sold without permission which is similar but not identical). At one point, you used to have the ability to sell this signed URL, and other people didn't. Now, you don't have that ability, and someone else does. You have clearly lost something. How much that something was worth is a different thing, but we don't have to figure that out yet. We were just asking whether it was an asset, not how valuable an asset it was.

doublelayer Silver badge

Re: Monopoly money

This is an asset. It is something that you can buy and sell and there exist people willing to pay for it (for some reason). It was obviously one and there was very little chance the court would disagree. Courts have dealt with lots of nonmonetary assets before, from property rights to patents or contracts. They would have little issue figuring out this one.

As for monopoly money, if you can find some that people are willing to think is tremendously valuable to the extent that they'll give you real money for it, then congratulations, you now have an asset. Even if they're willing to give you a tiny bit of money for yours because their set is missing some cash and they don't want to buy a new set, you've got an asset. Assets are common.

doublelayer Silver badge

Re: BAYC

But you can, in fact, make copies of the painting. I can go buy a copy if I want. I'm sure that there's a sufficiently good reproduction if I just like how it looks and want to put it on the wall.

The only thing the original painting gives you is the knowledge that this was actually touched by the painter, unless someone's swapped it. This is the same with the NFT; you know that this URL (or data, sometimes it's not a URL) was signed by the creator's public key, so if you do the basic effort of checking that it was the artist's and not someone else's, you can have the knowledge of that unique ownership. I don't consider that worth anything, but I don't see the original painting in a sea of copies as any different.

doublelayer Silver badge

Re: Crazy times!

That's intentional, I think. They could have used normal words: "make a ruling to disallow use of a digital thing that it's possible to sell against someone who isn't here so we had to send the messages over the internet", but that doesn't sound as complicated. This lawyer wants this case to look revolutionary. Admitting that it's a very basic loan case and there was no expectation that the court would refuse to recognize this as an asset when they already deal with every other kind of asset wouldn't help with that.

Monero-mining botnet targets Windows, Linux web servers

doublelayer Silver badge

Re: Linux as a target? But is this really the case?

That's a pedantic difference without a distinction. When malware infects a computer running Windows, but it used something other than a kernel vulnerability to install itself, do we say that it's non-Windows malware? No, we don't, because it's running as a program on a Windows host. In this case, the malware can run as a program on a Linux host, thus it can infect Linux systems. You still have to leave something for it to find, but that's true with Windows in almost all cases.

I'm a Linux proponent, but I have to say that some of us sound like those annoying "You don't get viruses on Macs" people. When anything infects a Windows machine, someone is there to say how bad Windows is and how much better Linux would have been. When malware infects a Linux machine, they find some excuse for why it doesn't technically count. Malware runs on everything and there are variants intended for running under Linux. We all know that's true, so let's stop pretending it's not.

Turing Pi 2 crowdfunding goal smashed within a day

doublelayer Silver badge

Re: Some minor corrections.

"The Pi4 is now 1.8GHz, not 1.2 (as incorrectly stated in a comment). You can usually overclock to 2GHz with no issues."

The 1.2 number is wrong, but so is yours. The only thing that gets 1.8 is where they put the Pi into a keyboard and have a massive metal plate for dissipating heat. The board itself and the compute module used here both have a base rate of 1.5 GHz. They also run hot, meaning that if you overclock and don't have any power problems, you still might have automatic underclocking due to overheating. That gets worse when you pack them close together, although I haven't checked whether this includes cooling or if you need to add it.

doublelayer Silver badge

Re: A million dollar gimmick.

This isn't the first board of its kind, although it's unusual. If you too can find a product idea that three thousand people want, you can make a nice chunk of money by selling it to them. Of course, then you have to go make that thing, which leads to the perennial misunderstanding of small businesses where a million in revenue doesn't result in much profit at all. Why not try it, but understand that the money they've made wasn't easy or cheap.

Infusion of $3.5bn not enough to revive Terra's 'stablecoin'

doublelayer Silver badge

If they took out their money in Bitcoin, that still has value. They can exchange it for normal currency or keep it in Bitcoin without having to be in this particularly unstable thing, and if they were shorting it a while ago, they almost certainly did that. Bitcoin didn't have the same collapse as this did.

doublelayer Silver badge

Re: And People Still Fall For This?

Yes, unless you do it very wrong, it's a more legal way to scam someone (you haven't lied about what they're going to get). If you advertise it as an investment too much, however, you could still find someone willing to test whether they can get a court to agree that you've stepped over the line. It wouldn't be the first thing advertised as an investment that had no value and no reason to expect people to keep wanting it.

doublelayer Silver badge

Re: The only downside

In some ways, yes, the bank would survive this. They would do it by making some panicky calls to the central bank, but that's why they have set up relationships with the central bank. If it ends there, a run like that doesn't kill a bank because they become more conservative to keep control of the 75% they've still got in loans and other investments. A while ago, they wouldn't withstand that, which is why banks are usually required to do at least some of this and often voluntarily do even more than that.

Why Tether should withstand it is different; they should withstand it because their product claims to be designed so that they have to withstand it. If I tell you that I'll store all your money and it's available to you whenever you ask, without waiting for me to move things around, then I have to do that. If I'm lying about doing it, then that's a problem. Doing that gives me nothing, which is why banks don't give you that guarantee. Tether said they'd set it up that way.

DigitalOcean tries to take sting out of price hike with $4 VM

doublelayer Silver badge

Re: Also cut

That's not really surprising, given that these are hosting locations, not residential users. Yes, some people may VPN through these, but overeager blocking means it's difficult to do that without seeing a lot of captchas or people who block altogether. How many packets do you get from other places that primarily expect inbound connections? For my services, I don't see much normal traffic coming from AWS or CloudFlare either, but they're obviously not just a haven for spammers.

Arm CPU ran on electricity generated by algae for over six months

doublelayer Silver badge

Re: I, for one, welcome our power spewing* algal overlords...

Two problems. First, at-home generation is great, except the methods available tend to be inefficient. You can have your own generator without spending too much money, but you'll be wasting a lot of fuel that generates power you don't need right now. There's a reason they tend to be used only in emergencies. The really big ones tend to be a lot more efficient. Solar panels are a bit better, but storage systems so you can use power at night less so. Again, it's out there and can well be used, but there's a reason many with home solar setups put excess power into the grid during the day and power on something else at night.

Now for the less important problem: "Apart from large hadron colliders, football stadiums and cryptocurrency mining, who needs massive amounts of electricity on a daily basis?"

Server farms. Factories. Industrial kitchens. Hospitals. Airports. Skyscrapers. Any place with a lot of people. Any place with a lot of machines. My home usage is tiny, but there are a lot of nonresidential users out there.

How ICE became a $2.8b domestic surveillance agency

doublelayer Silver badge

Re: Fixing the civil registry would have cost less...

"Data are already there, but mismanaged so badly they become useless. If that's what you want because you "fear the State", you don't understand that you are the State, so you're actually fearing yourself."

Let's get the most wrong part done first: I am not the state. I am a member of a state, which one is not important right now. The state can still abuse one of its members, and many have been known to do so in violation of the laws agreed upon by the state and me as a member. Thus, I wish to avoid those abuses. If I were the state, then I would have the power of the state and I would eliminate those abuses (though making me a dictator is probably not the best way to fix things, I at least promise to be a better one than usually seen).

The whole point of privacy isn't to eliminate the existence of data. It is to avoid the misuse of that data, including collection by people who should not possess it. Disorganization is basically the goal. I'm in favor of avoiding organizing data when it is not warranted and approved. My ISP does know my name and payment details, but they did not need my identity paperwork to plug in a wire. I think it is possible to pay some of the utilities in cash, so if I wanted to avoid giving them my name, I could do that with extra effort (it's not worth bothering, but it's possible). Facebook probably does know a lot about me, and this is exactly the problem I want solved, so pointing out that it's true is not going to change my mind. A record of property ownership is not the same as a centralized repository of every utility connected to every resident. If I'm renting, my landlord can know who I am and collect documents to prove it if they want without having to record this for government usage which has already been specified to be illegal.

doublelayer Silver badge

Re: Trying not to contribute to those tax dollars

"It was quite interesting that the Canadian government was able to block the exchange of bitcoins that US citizens donated to the Freedom Convoy truckers."

Why does that surprise you? When it was available to the people that Canada didn't want to have it, it was in Canada. Where it started wasn't very related since it got there. Also, I only saw cryptocurrency being frozen at exchanges, so a direct transfer would probably have worked. I'm curious what part you found interesting, as both aspects seem predictable and ordinary to me.

doublelayer Silver badge

Re: Fixing the civil registry would have cost less...

Some of that's been done, and other parts of that I don't want done.

"In other countries getting a driving license without the required stay permit is not so easy."

In the U.S. as well, which is why they had to branch out. Various methods are available for proving identity, but obtaining a license, especially a federally-approved one, requires documents people who immigrated illegally won't have.

"Even utility bills could be an issue (of course people renting houses illegally can still have bills in their names or using front people)."

I don't want to have to prove my identity to connect utilities. I disapprove of a tracking system that can easily link my identity to my ISP connection. It is unnecessary for anyone following the laws, and for any criminal investigation that needs the data, it can be collected in a limited way during the investigation instead of collected indiscriminately and retrieved from that cache. An updated system does not need to collect that data.

Open-source leaders' reputations as jerks is undeserved

doublelayer Silver badge

Re: Offensive and poorly thought through

I'm not sure about that. Both groups have different ways of being annoying. I think your descriptions are accurate, which leads to the following interactions:

I know everything guy: Argues with you for a long time before you prove what needs to be done. Embarrassed that they don't actually know everything, they will eventually back down before they get extra proof. Next time, they will do what you showed them so they don't need to ask for help.

I don't know how to use computers guy: Much more humble, asks for help, you show them what to do, and everything seems fine. Tomorrow, they're back asking you how to do the same thing, or something similarly easy. They can also get less humble later on if they think that not learning is an appropriate course of action. This can end up taking a lot longer and giving them the impression that it's fine to waste your time with basic questions because you're always happy to help so why should they figure it out?

Neither kind is good, and depending on the specifics of the situation, either kind can end up being much worse.

doublelayer Silver badge

Re: How People Use Software

I don't know the system, but both of your statements could well be incorrect.

"First, I'll note the customer got the same info, whether the computer was used as intended by the software designer, or whether the manual shortcut was taken."

You don't know that. What else was on the dispatch note? Maybe it was just a copy of the list with serial numbers, but maybe it included extra information. The description we have doesn't indicate this. I'll also note that the computer might have done other things with that information, such as tracking who has each serial number for tracking product defects or allowing the customer to look it up later.

"Second, I'll ask: was it faster for product-pickers to write down the serial numbers by hand than it was to work the computer as intended? If the answer is "yes," then the program design is at fault."

Or the product picking process was. Either way, it sounds like they had to note the numbers and come back to copy them in, so by definition it was faster. Unless they could take the computer with them and write them at the point of picking, the computer approach is probably slower. This is acceptable if there is a benefit to doing it. We don't know if there was.

doublelayer Silver badge

Re: Offensive and poorly thought through

We're not hiding this stuff. You can go online or to the library and find clear, no-knowledge-required explanations of how all of those things work and how to fix them. That is how most of us who understand them came to do so. I didn't start programming when someone taught me. I started when I found a book on HTML, which didn't teach me about programming, but let me see how a relatively basic computer concept worked. Then I wanted to learn how more complex ones worked and I found those instructions. Only later did I seek out a person to teach me in a more direct manner, and even that didn't stop my undirected experimentation.

The only alternative is to deliberately make things harder for users to use. For example, don't do anything automatic and make people go through network configuration and limited interfaces to get online. This doesn't help, because someone will see that as a problem, which it is, and fix it so that a user doesn't need a lot of knowledge to do something easy. I would prefer to set my microwave by pushing buttons rather than manually setting the configuration of the magnetron, because I don't know how to directly control that but it's not necessary for me to know to make use of it. I can still go find out how the components work if I need to later on.

doublelayer Silver badge

Re: Giving nvidia the finger

While they're often wrong about stuff like this, in this case, the point being made against them wasn't proven at all. The allegation is that Nvidia GPUs are not used in consoles because there's some problem with source access, but nobody's proven anything like that. All we know is that AMD's been used, not why. The companies that make these things don't give out source themselves and probably could get proprietary and NDA-covered access to extra information from Nvidia if they wanted to. In addition, while it's been a while, since only a few console manufacturers are out there, it's been a small number of designs that have had the chance to use Nvidia and didn't. It could be that AMD is more accommodating with making custom designs, has had better products for the use case at design time, or had a better pricing contract. If it was one or more of those options, the manufacturer would probably never tell us about it. From what we know, the manufacturers could have had many other reasons to go with AMD.

Implying it's all about open source when those manufacturers haven't been adherents themselves may be incorrect and is certainly unproven, which doesn't help make a case.

Ransomware the final nail in coffin for small university

doublelayer Silver badge

Re: The Real Problem

You have two problems, both large.

"Why isn't Windows secure? That is the question we should be asking."

Why do you assume it's Windows? You can run programs on everything else as well. Those programs can read, write, and delete files which is all you need for ransomware.

"It should not have been possible for any unauthorized programs to install themselves without seeking permission from the user."

Why do you assume it did? Maybe it got permission from a user who didn't understand what it was. This is quite frequently the mode of initial infection. Alternatively, it could exploit a hole left by a user, such as an open SSH or RDP port with insecure authentication. Do you assume that every infection requires an OS vulnerability to succeed? That happens, certainly, but it's far from the majority.

doublelayer Silver badge

Re: Having backups

True, but in order to have usable backups, you have to test them. You should also have cold backups that are kept offline. If you did either of these, the chances are good that you can use them with some work. If you did both of these, you probably have functional backups in that case. You can't encrypt a backup after it's been written to a tape and is sitting on a shelf, and if you encrypted it before it was written, a test will demonstrate this.

doublelayer Silver badge

Re: Just saying

This page indicates no CVEs for z/OS. It doesn't indicate that z/OS doesn't have security issues. If it didn't, there would be little use for the portal IBM has for announcing them:

IBM Z offers a Security Portal that allows clients to stay informed about patch data, associated Common Vulnerability Scoring System (CVSS) ratings for new APARs and Security Notices to address highly publicized security concerns.

It's possible that IBM doesn't particularly want the publicity of announcing detected vulnerabilities. I cannot see anything important on this portal because I am not a registered customer.

In addition, a CVE is not needed for ransomware to work. I can log into an account to which I have access and run a program to encrypt stuff. The only vulnerability involved is whatever gave me access to that account, which could be in the user who gave out the credentials, the authentication mechanism that was easier to crack, or the administration process that made obtaining privileges simpler. So if your implication was that this couldn't happen if they used z/OS, you're wrong. It couldn't happen in exactly the way it did as the attackers probably weren't trying for it, but it would have been possible.

doublelayer Silver badge

A lot of universities that came early to computing knew a lot about administration because they couldn't buy in management of all the equipment. This is why most universities I know about have two essentially disconnected networks: the main one with all the university web apps, campus workstations, and student emails, and the one run by the computer science department, which does all the same things but only for those students and occasionally other important systems. For example, I've seen where the CS admins maintain the HPC systems, even though it's mostly the other sciences using it. There are a few exceptions where, when the universities needed administration, they expanded what they already had, but most appear to have taken a more basic approach.

doublelayer Silver badge

Re: Having backups

That is a risk, but there are methods to disinfect the backups before restoring them. It doesn't guarantee success, but it's still more likely to work than paying for decryption. This works better when the encrypter in use has been analyzed and can be detected on a filesystem.

Appeals court unleashes Texas's anti-Big-Tech content-no-moderation law

doublelayer Silver badge

Re: Not an easy area of law

No, the constitutional argument is clear. I have the freedom to decide whether you can say things when you're using my property to do so, as in I can tell you to leave if you're doing something I don't like. That freedom applies to the people who own the company, thus the company can exercise it if those people choose to let it. This is not a new argument and has been used successfully. It also happens that, if that law continued to exist, there would be negative consequences, but even if there wouldn't be, it would still be invalid in the U.S.

doublelayer Silver badge

Re: Companies have rights?

Two problems. First, the concept of corporate personhood in the law is more complicated than you state and was set up for a different reason. You have the misconception that "companies gained "person" status to make political donations". This is not true; the existing status as persons allowed that. The concept is common throughout the world, allowing a corporation to have some of the rights and responsibilities to act in a legal way, for example to sign a contract as a company instead of as its owner (this is necessary so the company is still responsible for the contract after the owner at the time of signing dies or sells the company). The court case that established the concept in the U.S. wasn't about donations either; it was about the difference in tax laws between individuals and specific kinds of corporations, a problem that was solved by making different tax forms.

Now that we've defined terms, there's a reason corporations should have rights. They need to be able to do some of the things that people do. A company needs to be able to have responsibilities and the freedom to take actions. It's an instrument for carrying out the goals of its owners, who are all people with those rights, and those people can be held accountable if it breaks the law. This argument may be a bit abstract. I'll provide an example to make it a bit more definite:

1. If I run a website in my personal capacity, I think we can agree that I don't have to publish your comments if I don't want to.

2. If I run it with a friend so that both of us have admin access, we still don't have to publish your comments.

3. If I run the site with donations that come to me personally, I still don't have to publish your comments.

4. If I set up a company so that the site's income can be divided or invested in its operations, it's still being run by the same people and still making money for those people. Why should I have to publish comments now?

The gap between points 3 and 4 doesn't change what the service is. It just simplifies the tax forms and makes it easier to share ownership. The people still have the rights they had before. Thus, the corporation they are using should have the ability for them to exercise those rights. This doesn't prevent having different regulations for corporations than for individuals, as the act of forming a corporation can activate laws that apply only to them.

Microsoft adds unscheduled breaks to most certification exams

doublelayer Silver badge

Re: Exam technique ruined?

Yes. It's worse with some interview-related tests I've had, where there is a time limit for all questions but the system will not allow you to see any future questions or go back to earlier ones. You have to judge when to stop working on question 1 and hope you've left enough time for questions 2 and 3. If you did and you'd like to improve your answer to question 1 in the time remaining, too bad for you. I've seen this too many times, given that not all interviewers even have take-home timed tests.

Big Tech shrank the internet while growing its own power

doublelayer Silver badge

Muddled reasoning

In general, we do have a lot of negative effects of big tech on our infrastructure and standards. This article appears to be hitting that drum, but from a drummer who just whacks the thing with a stick at random, only landing on the right surface by chance. This starts right from the beginning. The first example to be used to demonstrate that we have a control problem is Apple's Private Relay. This is a VPN. A completely normal VPN. It works like the VPNs we have had. It's also completely within our control, as a user can turn it on and off at will (and it's turned off by default). It takes some information away from the local ISP, which is in fact probably a good thing given what some ISPs like to do with those records. I don't use it because I'm using my own VPN, set up and managed with standards and software that I have complete access to and denying exactly the same information to the ISP. This is not an issue of over-control by big tech.

The same is true of the caching. The article correctly points out all the performance and efficiency benefits of using local caching, then somehow paints it as bad anyway. No, it's not. Once again, it's a thing that can be circumvented if you want extra latency. The systems that implement a CDN are almost always using open standards and quite frequently open source. I can rent someone else's or set up my own. The existence of those networks does not create a barrier to entry. If I choose not to have one, the internet still routes people to my systems. No company locks me out of using or refusing to use CDNs. Once again, this fails to demonstrate any control by big tech.

The sad part of this is that there are a lot of areas where tech companies have major and deleterious effects on important standards and this article had the opportunity to cover many of them. Tech companies have cornered the markets for browsers, mobile OSes, software distribution (in many cases), and membership on a lot of standards bodies. Any of those could have gotten a few paragraphs of legitimate complaint. None of that is something I can opt out of. As this stands, the best example in the article is the complaint about IPv6 which, while accurate, is not the most concerning problem out there.

Apple to replace future iPhone Lightning port with USB-C next year, this guy claims

doublelayer Silver badge

"I think we need new battery tech before that becomes reasonable."

You're correct, we need it not to kill batteries in no time. Unfortunately, we don't need new tech for it to sort of work, so it's being sold by many phone manufacturers right now. The selling point is that it can charge your phone in twenty minutes if you forgot to do so. That you have to buy a new battery (or phone) when doing that renders it unreliable is somewhere between not their problem and one of their goals.

The end of the iPod – last model available 'while supplies last'

doublelayer Silver badge

Re: Ol' (mostly) reliable

On the only device I had with RAM as the primary storage (though a PDA rather than a music player), you didn't. You recharged the battery in the device, and if that battery was in need of replacement, you hoped it would work while you copied anything you weren't planning to lose over to a computer. There was a reason I stuck with devices with flash, even if it was removable flash, after that.

Jeffrey Snover claims Microsoft demoted him for inventing PowerShell

doublelayer Silver badge

Re: powershell command missing

"Excellent example thank you. The brevity and elegance of Bash shines."

No, it doesn't. What shines in the bash example is the power of the du command. Delete that from /bin and try making bash do it for you. The result will be a lot longer and uglier than the PS commands written above.

There is also an alternative in PS: get the source for du, compile it, and put it on your path. You can use the one that Git for Windows has. Cygwin probably has a usable one too. Then all you have to do is pipe its output to a sorter of your choice. The thing that gives you all the power, clarity, and brevity is a platform-independent executable designed for the task. Bash does not deserve the credit for that.
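To make the point above concrete, here is an added example (not code from the commenter or from the article) of doing the job with no du binary at all: per-subdirectory totals come from gluing together find, cat and wc, the sort is a separate stage, and the human-readable units have to be hand-rolled in shell arithmetic. It assumes a POSIX sh with find, wc, sort and head on the path, and it reports apparent byte counts (what du --apparent-size would show), not allocated blocks; the truncation-to-one-decimal rule in human_size is this example's choice, not du's rounding.

```shell
#!/bin/sh
# Added example: a du-less "biggest subdirectories" report in plain POSIX sh.
# Not from the original thread; it only assumes find, wc, sort and head exist.

# dir_sizes DIR [N]: print the N (default 10) largest immediate subdirectories
# of DIR, largest first, one per line as "bytes<TAB>path".
# Sizes are apparent sizes: every regular file under the subdirectory is
# streamed through wc -c, so sparse files and hard links are counted at face
# value, unlike du's block-based default.
dir_sizes() {
    root=$1
    n=${2:-10}
    for sub in "$root"/*/; do
        # an unmatched glob stays literal, so confirm it is a real directory
        [ -d "$sub" ] || continue
        sub=${sub%/}
        # find -exec ... + batches the files; an empty tree yields 0 bytes
        bytes=$(( $(find "$sub" -type f -exec cat {} + | wc -c) + 0 ))
        printf '%d\t%s\n' "$bytes" "$sub"
    done | sort -rn | head -n "$n"
}

# human_size BYTES: render a byte count as B, K, M, G or T, keeping one
# decimal place once a unit is chosen (truncated, not rounded).
human_size() {
    tenths=$(( $1 * 10 ))
    unit=B
    for u in K M G T; do
        # stop before the value would drop below 1.0 of the next unit
        [ "$tenths" -ge 10240 ] || break
        tenths=$(( tenths / 1024 ))
        unit=$u
    done
    if [ "$unit" = B ]; then
        printf '%dB\n' "$(( tenths / 10 ))"
    else
        printf '%d.%d%s\n' "$(( tenths / 10 ))" "$(( tenths % 10 ))" "$unit"
    fi
}

# Usage (from an interactive shell after sourcing this file):
#   dir_sizes /var/log 5 | while IFS="$(printf '\t')" read -r b p; do
#       printf '%s\t%s\n' "$(human_size "$b")" "$p"
#   done
```

Compared with a one-line du | sort, this is the "longer and uglier" version the comment predicts, and the heavy lifting is still done by external executables (find, wc, sort); the shell only supplies the loop and the formatting. Note that the directory glob skips dot-directories, which du would not.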

doublelayer Silver badge

Re: At the risk of being downvoted to hell

I hate that comment structure on principle. I've seen some languages intended for education that take a real language, usually C, C++, or a derivative, and bolt on a compiler that does something based on comments. I won't name those languages to avoid drawing undeserved attention to that monstrosity. Every language must have at least one comment syntax that is guaranteed not to be treated as code and should be as clear as possible.

Email out, Slack and Teams in for business communications

doublelayer Silver badge

Re: Messaging > Email

It's called read receipts and there's a reason I turn it off. If this is critical to you and you have the authority, you can make people enable it for anything. If you don't and some people are like me, then they won't turn it on because it is unreliable and annoying.

I scan over your mail and see that it exists, mentally adding it to my list of things to deal with. Since you only see that I have seen your message but you don't see that I have twenty other ones on that list, you might expect a quick response that you're not going to get. Alternatively, I scroll over it quickly enough that I've still registered its existence but I haven't triggered the threshold that informs you, so you think I have ignored it. Either of these can lead to people (probably not you, but they do exist) being angry that I'm ignoring them and complaining about how I choose to do my work. Those who complain, in my experience, never care what else I might be doing or why I do it that way. They complain less when I don't give them extra unreliable data and their first communication from me is either a reply to their request or an automatic response that I've deliberately created for requests such as theirs.

An international incident or just some finger trouble at the console?

doublelayer Silver badge

Re: Typing is not a good idea.

The password would be vulnerable in the buffer, but malware that is scraping that can use various other tactics to scrape it as it's typed as well. If you have malware that can read your input, then that's the larger problem and needs sorting first.

As for password managers, they allow you to have much longer and truly random passwords when you have lots of services to log into, which is often the case. When the choice is between a password manager with a single, good, long encryption password and using the same password on everything, the password manager is better. Remembering unique random passwords would be superior, but I know a lot of people who don't have the memory or patience for that approach.

It costs just $7 to rent DCRat to backdoor your network

doublelayer Silver badge

Re: It costs just $7 to rent DCRat to backdoor your Windows network

In this case, yes, but that's just the target the author of this tool has written for. Unless you're saying that it's not possible to write and deploy a similar program on a non-Windows network, the statement doesn't contain much meaning. I know that's not what you're saying because that would be wrong; RATs for Mac OS, Linux, BSD, and less-often used OSes have been written and deployed with ease and are also available for purchase.

Only Microsoft can give open source the gift of NTFS. Only Microsoft needs to

doublelayer Silver badge

Re: What??

Microsoft likes Linux as a developer and server platform, mostly from their Azure people, but they're not going to put all their effort into it, not when some people still pay for Windows and products that run on it. Teams on Linux might not be great, but I have a secret to tell you: Teams on Windows is ... also not great. Their developer-focused stuff is generally better, though it is still young compared to tools that started with Linux as a target.

Microsoft is never going to decide to be Red Hat. They'll do some of the things that Red Hat has done, but they'll do it when it suits their business. Stuff that makes Linux VMs in Azure more popular will get done. Stuff that attracts developers to coding that will also work well on Windows will get done. Writing software that runs on servers so that it can also be used by the millions of people using Linux servers will get done. Writing Office from scratch so it runs on Linux, when they already have a web version that will run and they know most Linux users are perfectly happy using LibreOffice instead, won't get done. This doesn't make them an adversary.

doublelayer Silver badge

One additional use that has already been mentioned here is multiplatform storage. I would like this, too. I have machines running a variety of OSes to which I'd like to attach a storage device. Connecting all of them to a central server and doing all the file access over the network is slow and requires configuration, whereas connecting a USB cable to a hard drive is much easier. A filesystem that can be reliably read and written no matter what system it's being used on would be useful. It's not just technical users; even the nontechnical users tend to have Linux running on embedded devices of various kinds to which they attach portable storage. I know this because they've frequently called me for help when those devices failed to recognize the storage they attached and I had to talk them through backing up the data and changing the filesystem in use so the device would accept it.

Unfortunately, the one that you can pretty much count on being supported is FAT32, which, despite its ubiquity, is not a very good file system. A lot of things still use it because of its wide support, which results in file size limits, reformatting devices when it's the only option, etc. The system to replace it doesn't have to be NTFS, but it has to be at least a little like it and for now, NTFS has read support nearly everywhere so it's further along.

doublelayer Silver badge

"Is there any use case for ntfs support in Linux apart from system rescue CDs?"

Of course not. Nobody needs more than one filesystem anyway. Looking at my /proc/filesystems, I see 42 supported ones in here. Let's drop 41 of them. Surely nobody will notice, right?

There are a lot of systems using a lot of weird configs. You can't find a single solution to them all. The list I've brought up is from a server with a basic config and where I haven't added any additional filesystem modules, and some of the systems in there have never been used (I don't create firmware images on it, so the squashfs support is not needed here). It is still used by many, including me on other systems, so it stays in. When something doesn't get maintained, it will eventually be cut from the kernel. There's a reason that, far from dropping the NTFS support previously present, they've added a better version. People have a use for it.

doublelayer Silver badge

If they're going to add it in, it has to be tested first. It's a new addition, just as the read/write NTFS support is new in Linux. It's going through the same system they always use for releasing new features. Why is it so bad that it isn't released yet? I'm having trouble identifying what you would want instead, as if they simply sent it out from dev to full release, I bet you would have several (correct) complaints about adequate testing.

China wants its youth to stop giving livestreamers money

doublelayer Silver badge

Re: Good is good

"That's what the question should be - would my country be better off with such a law?"

I'll analyze that, probably too much, in the next paragraph. Before I do, I must first state that you have to ask one additional question: "would my country be better off with the ability to create and enforce such a law?". There are things we'd all like done, but some of those that haven't been done have been left without legislation because there is too much risk of abuse should the required powers be granted. That also needs to be asked.

Let's turn our attention to this specific law, though. I have a dim view of "influencers", and I don't particularly care when they don't have success at influencing. If they all decided tomorrow to quit and do something else, I would consider it a positive. Let's see what this law does to restrict them. The first thing is that it tries to stop them asking for money, one of the more annoying things they do. Yet why should this be a problem? I know, for example, various projects where the creators ask for donations, from podcasts to open source software. If I don't like them enough, I don't give them money. Why should it be illegal to ask for or receive money for something any user can avoid at will?

Next up is making the services liable for refunds when a child uses an adult's credit card to pay. This makes perfect sense, except it's in the wrong place. It's always an issue when a child uses money that isn't theirs to buy something, no matter what they bought. Parents can deal with this themselves by not giving their children access to payment methods or by having rules about their use. For instance, they could do what my parents did: I knew how to spend their money, but if I did it, I would have to explain what, why, and how, so I only did so when it was necessary. I don't have a problem creating a regulation that clarifies what happens when a child spends the parents' money without permission, but the important thing is the payment, not the payee. If a child takes the parents' credit card and pays a streamer, it's the same problem as if they chose to buy a ticket or donate to the Linux foundation; it still wasn't their money to spend. As such, putting this regulation in a law that's targeted only at streamers is doing this the wrong way.

One more aspect to discuss is the curfew on watching this stuff. They're right that children can stay up too late and have negative results, but that's not really a thing they should legislate to fix (and also not something they can). Children can stay up late doing any number of things. In my childhood, it would be reading books. If the government had tried to pass a law banning me from reading books at night, even if it would have made me more alert, it would have been a bad idea. The right approach is for parents to decide what restrictions to place on their children or to let the children make some of these decisions. In my case, I simply noticed how I felt when I had read too late and decided I'd have to change my schedule to not have that happen next time. I also noticed that, sometimes, my teachers would assign homework all at once and I'd have to stay up late to complete it all, but somehow I'm guessing China doesn't consider that cause of late nights to be a problem.

So to answer your question, I do not think my country would be better off with such a law. It has one useful element that's misused to target one group when it should be generic and it has two aspects that give the government power over something it has nothing to do with. I can say this without liking the targeted group. I can say this while agreeing that, if I had children, I would prefer them not to pay streamers, stay up late to watch them, or use my money for it. I can even say this knowing that, if I had children, I'd set rules to prevent them from doing some of that. That's a decision for parents to make, not government leaders.

India's ongoing outrage over Pegasus malware tells a bigger story about privacy law problems

doublelayer Silver badge

Re: Root cause

The known holes have been patched in iOS and Android, but NSO makes money by selling this exploit kit to some very wealthy people (governments, only governments and dictators, definitely believe them). With that kind of incentive, the company really doesn't want to lose access to that income stream and pays well for more zero days. We will never get a mobile OS and mobile apps* that never have bugs, so there will always be a way for someone sufficiently motivated to launch an attack.

That said, there are things that the OS providers haven't done that would help. Some vulnerabilities exploited by NSO have been patched in Android, but because it's Android, there are a lot of phones out there that never got the patches and remain vulnerable. Google could have prevented this. The OEMs could have prevented this. On that matter, I think recrimination is entirely justified. iOS has had a better record as Apple went back to OS versions to patch devices that couldn't update (and because they maintain software support for longer).

*Some of the ways that NSO's malware has been known to infect devices have used vulnerabilities in third-party apps, most often WhatsApp. That target was so often used that Facebook has sued NSO directly, the first and likely only time I support Facebook. In some cases, the vulnerability didn't even let them out of WhatsApp's sandbox. That's a problem the OS writer can't do anything about.