Posts by doublelayer

Re: @Dan 55

They kind of did. Not close enough to that screen to meet your conditions, but they did provide instructions.

Re: An alternative.

The first problem is certificates or TLS versions, and that's a simple proxy. You can write that in a couple hundred lines, and there already are some things that come close if you have a modicum of configuration knowledge. Everything else, like designing something that runs modern Javascript in a way that outputs something that displays properly and remains as interactive as intended with a browser that doesn't support the functions it's calling, is much harder.

The problem is why, after that first easy step has been taken, anyone should be motivated to do the rest of them. If I try hard, design compatibility layer after compatibility layer, and write clients for ten different classic OSes, you can navigate the web using your old computer running Windows 95 or even your 8-bit device from the 1980s without the pictures and all you need to do it is a computer that's more powerful from which you could navigate the web more efficiently by plugging it into the screen directly. Why is this worth the effort?

Re: Purge is the best one, and the hardest to do. But what if...

It's not hard. That's what a lot of us use to wipe drives. Boot to a USB with something on it, probably your choice of Linux distro, find the disks and dd over them. The script to do that automatically would be quite easy to write, and bringing a Linux distro will help with the drivers and utilities. Nothing is stopping anyone from making that and you can probably find someone's. I think they're not making a fortune because those who want that can easily do that themselves so don't need to buy it, those who want physical destruction wouldn't accept it, and those working at scale can use the same software but need to spend most of their budget on the hardware that makes it scale up.

Re: Meta, Google, Microsoft, Amazon, Signal, Yahoo.........

Then:

1. I would be most worried about the existence of an all-powerful corporation, and if possible, more worried about that than them having my data.

2. I would expect that they had gotten my data by paying, or since they are all-powerful just telling, Google/Facebook/Apple to hand it over rather than going through the trash. Because while none of those are all-powerful, they all have people willing to sell some data or access to it which mostly comes to the same thing, and two of them do that as their main business.

But that question is not what "I think we should be told" means. It appears to be a joke referring to UK satirical magazine Private Eye, but in that context, it makes at least a little sense whereas it doesn't make sense as a reference to that joke or literally when thrown into comments. But if they intend the same reference, then we can ignore any comment they make as the original joke was pretending a question had relevance when it did not.

Re: Do it properly FFS

"It is perhaps notable that MS seem to assume people don’t sell their PC’s and so include the readily available factory reset options o be found on Apple and Android devices."

Yes, I must be hallucinating the options under System -> Recovery -> Reset this PC. It has an option to wipe the non-Windows parts of the drive, although I would not count on that working if you've manually installed other volumes on it, E.G. a parallel Linux distribution.

Re: Meta, Google, Microsoft, Amazon, Signal, Yahoo.........

Physical destruction. The article already says that Google does that to everything, and the other rule is that anyone thinking this through does that to failed drives because they can't be erased if they're not agreeing to run.

And what is the "I think we should be told!" supposed to mean?

I think you're probably correct, but the risk with attacking student accounts should hopefully be limited to that student, whereas a teacher account gives more general access. The problems with MFA access to a student account are much larger. I can understand why those two factors in concert would make MFA on student accounts infeasible, but teacher accounts shouldn't be as affected.

Implementation is always a problem, but SSO is becoming more common and, if the things you need to do can be attached to an SSO provider, policies controlling the frequency of authentication is faster. I can't guarantee that school IT can implement that with their budgetary constraints, but the first task is deciding what should be done, and SSO is not something so complex that it can be ignored out of hand.

I wouldn't be that worried if student accounts, especially for younger students, didn't have MFA. Teacher accounts should have it, and I don't think the problems you specify are real problems. I don't think there is any problem with a rule allowing teachers but not students to use mobile phones. Policies on photography would be independent of that, since they may have any number of other things they could use to take pictures. If phone use is that big a problem, issuing teachers with MFA tokens, either U2F tokens or a separate hardware device that generates TOTP codes is a viable option. Teacher accounts have too much access not to have that.

The separate issue of needing to authenticate too often is a good one, and that probably needs more thought to make it work. We would probably want different authentication policies depending on what's being accessed. Services with a login used for teaching without access to sensitive data could be on the low end, where a valid SSO token is sufficient to log into them, thus as long as the teacher has authenticated once today, they won't be asked to repeat it. Access to sensitive student data in the grading system could be on a higher tier where authentication is more frequently requested or usage patterns are used to determine whether to send that challenge. If students have shoulder-surfed passwords and used them to access or, as the article suggests, modify the data in there, this demonstrates that this kind of access control is justified.

That would only act as a patch for this specific piece of malware. Before knowing this existed, we wouldn't know to do that, and now that we do know this exists, they can change it in any way, for example by incrementing their values by 3 or actually checking whether the disks look like they should given the config value. Most per-malware patches are only good for short-term mitigation.

Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

And why do you think it's not okay? We may agree on some of it, but you haven't actually stated why it's not. What should the limitations be on software with the explicit purpose of putting investigators on your machine if your machine appears to have malware on it? What limitations should apply when it appears to be a normal user's machine, and which if any should be removable when it becomes clear that a criminal is running the machine?

Re: i'm missing something surely

The purpose of the software is to monitor the machines you install it on for malware-related events. When those events occur, people from the company that makes it are called in to figure out what the event was and whether action needs to be taken. Usually, the action that they're going to take is intended to protect you, which is why you might install that. In this case, the people responding to malware spreading found that the owner of the machine wanted malware to spread. So yes, if you install this on your machine, you can also be monitored and, if there are indications of malware spreading from your machine, you will be. That is the entire point of the service. Those who install it normally know and actively choose that.

Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

The important part is what it's a trial version of. It's a trial version of their product which puts their company in control of your security. "Managed Endpoint Detection and Response" means that you are giving them the power and permission to take all sorts of monitoring and modification control of the computers you install that on. If you do not trust a company, you do not install or purchase that service because of the control that it provides. Anyone using such a product is making the choice to give the company providing it an unusual amount of trust.

If this had been some other kind of software, I would be on your side. The software was specifically intended to allow their automated and human analysts to monitor what that system was doing and take action if it was doing something that threatened your or others' security. Generally, those who install it are most worried about their own security, but they're still interested in malware spread from that machine in case it's a beachhead they can disinfect before stuff spreads. The system concerned was spreading malware. The software detected what it was supposed to detect.

Nice try. The problem was, as you identified last time, failure to meet peak power requirements. Apple knew that would happen when they first saw evidence of it, which is why they throttled their CPU without telling customers. Yes, a battery that ages will also eventually reach that point, but generally, it will work better when it is correctly paired with components that can be powered from what the battery will supply. Choosing a battery that won't catastrophically fail, even when it's slightly aged, is the responsibility of any hardware manufacturer and they, including Apple, generally do it. Battery life falls with battery age, but they usually don't fail in that way because the designers have put enough thought into the load they're putting on that battery.

And, in fact, I did get the battery replaced after several months of this. The first place I took it was an Apple-approved service provider. They told me that they could not replace it because, according to Apple, the battery health was not sufficiently bad; battery health was supposed to be 80% or less, and mine was 84%. I'm not sure why that should be Apple's policy for someone paying for the replacement, but I had to have it replaced by an independent repairer. There are a lot of people using phones with more than three years on the original battery. I don't hear too many stories of them failing in this way. Please don't pretend that this is normal. It's not, even for iPhones. It was a mistake which I have not seen Apple repeat, probably because they recognize internally that it was one.

This may be bad phrasing on my part, but I'm speaking from experience. You are entirely correct that the problem was lower watt delivery, but Apple's problem was that they hadn't designed a system that could work with fewer watts. The problem was that the batteries they used could not provide enough power for the hardware they attached to them unless the battery was almost unused. The result was that batteries reporting that they were nearly fully charged (hence my 80% level) would still suddenly fail whenever more power was requested. In my case, one common way for that to happen was answering a phone call, because now I was using more power to transmit to the tower. The result was that, even if I had recently disconnected the charger, the phone would often simply power down and refuse to turn on until the charger was connected. When it was, it would often report about 15% charge. To prevent that from happening all the time*, Apple throttled the CPU very quickly so that that wouldn't cause similar unexpected shutdowns. Importantly, my experience wasn't after disabling that throttling; I left it in place, got my extra year of no problems, but eventually, I had a device that would fail at random times due to Apple having made a bad choice of battery for the hardware they intended that battery to power.

I knew others firsthand who experienced exactly the same behavior, all with the same model which they kept for multiple years. Specifically, it was people with the 2016 iPhone SE and problems tended to start, for anyone who did not disable throttling, about three years after purchase. I understand that the situation was similar for some other models, but I mostly knew iPhone users who wanted either a small device or the cheapest iPhone available, so the SE was the one I saw most frequently.

* Or, at least, to prevent it from happening during the warranty period. They exacerbated their legal problems by trying to hide it and upsell people on new phones, but bad power design was the first and biggest problem.

I can't say I know much about comparative evaluation of battery tech. I can't say you know much either unless you can add some detail to your message of support. All I can say is that, if Apple's battery tech is now better than the average manufacturer, that is a nice change from the many models released in 2016-2018 which had batteries so bad that they ended up needing to permanently throttle their CPUs just to delay the undervoltage problems leading to 80% charged batteries suddenly dropping to can't-turn-on level. I admit that their repeated losses in group lawsuits and complaints from regulators would have given them an incentive to not make that mistake again, and I haven't heard similar complaints anymore, so perhaps you are correct about their quality now. I would still be interested in hearing why you think they are better than others.

Re: That kool aid must taste really good

Funnily enough, chip designers who have been building things for battery-operated devices have thought about how to turn off components they're not using to the extent that their power consumption is negligible. Operating systems custom-built for the hardware tend to use those methods.

You will note that there was an option in my table for software you don't want running at all being run anyway, the option that resulted in a power increase in both situations. Your unproven and undefended assertion that this is spying software is possible, though if there is spying software, there's little reason to expect that an NPU will be of use to it, and if there is, CPU-run spying software would give you the same spying result with worse battery life than NPU-assisted spying software. But if you like, you can continue to believe that a custom processor component is what makes spying software possible; it's wrong, but you wouldn't be the first person I've seen say it.

Re: That kool aid must taste really good

That depends on what software you run and what hardware it runs on. I can't put a table in my comment, but the contents would read like this:

Power effects when you run:

No more software than you run now:

On the CPU: no change

With an NPU: no change

AI tasks you choose to run yourself, E.G. voice recognition, image classification:

On the CPU: moderate increase

With an NPU: small decrease

AI tasks the manufacturer turned on and either can't be disabled (haven't seen any so far, but eventually) or you haven't:

On the CPU: large increase

With an NPU: small increase

The inclusion of the NPU doesn't have negative effects on your power usage. Running software can. It just depends whether you find the thing the software does beneficial enough to justify using it. Plenty of tasks that aren't an LLM trying to make arrangements for you run well on NPUs.

That is not an accurate summary of what I said. I don't think copyright is to blame for any of this. I think that anti-consumer contracts and lack of enforcement are the problems. I did not propose, nor am I proposing now, any changes to copyright. I propose changes to consumer protection law that makes attempts to change contracts unilaterally illegal, which they basically already are, but enforced in such a way that it isn't tried. I favor restrictions on advertising so that you can't tell me I'm buying a "permanent" license if you have the ability to take it away. None of that has to do with copyright.

Re: Licences offer an illusion of substance

"As you pointed out, you can do that for software, so why should record companies be able to have it both ways?"

They have a lot of challenges that software writers generally don't. The software example works rather well because that file which they give me won't work without my license key. And, following the analogy, things get worse if it's the license key I've destroyed, because companies often have some weirdly complicated procedure for getting one of those restored. They can sometimes manage it, but it's less often a problem because it tends to be less than fifty bytes and preserving it isn't too hard. Record companies can't give you a file that's the data you own but only works with your original purchase information, so they have to find an alternative that verifies that you aren't getting multiple functioning copies, which would be challenging for someone trying to do it in good faith. Of course, they have no incentive to bother doing that as long as people aren't making them, and it's not a big enough problem that many have tried. This might actually be a good thing because the only methods that have gotten anywhere close are DRMing the media until it's almost entirely useless, but you can access it again when you log in, meaning you don't need to preserve any media and always have access right up until they shut off the server in which case you lose everything. On balance, I'll take a CD that I have to manually copy for backup purposes (legal, as far as I know, in every country) over that.

This is very similar to Louis Rossmann's piracy reason ranking (video). While I don't entirely agree with his ranking, he puts obtaining replacement for damaged media, for the same personal use, near the most defensible reason end, and I agree with that position. It is difficult to encode some of this into law, which is why I prefer things without DRM and backing them up myself so that media destruction doesn't deprive me of what I bought or require me to try to find some suboptimal replacement method.

This is why I think all terms must be stated in clear, unhidden language before you pay money and that sellers be forbidden from changing them afterward without your explicit consent. I don't mind if people choose to put restrictions on the things they sell, and I can conceive of reasons why they would. Making something nontransferable makes many things easier and prevents classes of piracy, and I don't think that's automatically bad. However, there are two things which have similar results and definitely are bad:

1. Laws making this the default. No, the buyer should have all their typical rights established by law and the seller should specifically enumerate those restrictions they are placing on the terms. If they don't think of something that they later want, too bad, fix it next time.

2. Sellers hiding this behind dishonest or misleading statements. If they can expire the license, they cannot sell something as a permanent purchase. If they mean until they choose to shut down the servers, they must say "until we choose to shut down the servers at any time of our choosing". Chances are that they'll find people aren't so eager to buy that, so they may have to adjust it, perhaps to "until we shut down the servers which will not happen until at the earliest 2035" or, maybe, not reliant on their servers in the first place. Whatever it takes for people to voluntarily pay them money for the thing they described.

At that point, you could easily choose based on prices and terms what you think is justifiable. If there's a price you would accept for something that can be revoked or altered at any point, you could refuse to buy until it is selling at that price. For me, that price would be quite high; I do not like that kind of term and tend to simply ignore things if that's the best they can offer, the same way that I've decided not to buy software even though I liked the price and feature set if they had bad enough DRM on it. To companies looking to restrict your stuff, this is actually quite a nice outlook, since I'm pretty much allowing them to put on whatever restrictions they want as long as they don't hide or lie about them or change them after you agreed. Unfortunately, there are enough who think that hiding, lying, and changing terms is nice and want to take more than that.

I don't think there is any good reason why those should be different. You should be able to lend or sell an ebook, and if they don't want you to, it should be a license agreement, clearly stated before paying any money, not a law, that forbids you. Unfortunately, laws that make this possible likely exist because of the arguments of people like those immediately above your post that, if you can copy it, you should be allowed to do so infinitely and give out copies to anyone. That philosophy breaks many things in an obvious way. Unfortunately, that makes it easy for lawyers to design restrictions that give their employers far more power than they should have rather than trying to implement reasonable levels of ownership, which is likely what happened with ebooks.

Re: Licences offer an illusion of substance

With software, that's exactly what happens. My purchase price was for a disk containing the software and a license code. My disk broke? Oh, just download this file and use your license code on it. If they're very afraid of piracy, they won't make that link public but will email it to me. It doesn't work perfectly, but it's quite common.

From a music store, it's not hard to understand why they didn't make replacement media cheaply available, specifically how could they tell that you had purchased a copy and couldn't access it? The only way I can see is if you presented both proof of payment and the damaged media, which unless you routinely destroyed media quickly, you probably didn't keep around.

Re: What About Cheap Licences From The Internet ?

It really could be either. There are many countries where reselling licenses is completely legal, so you may be getting license keys from one of them. It's also popular to just find some keys and sell them to anyone willing to pay a small amount. If something notices that seven thousand people activated with the same code, that's the customer's problem. It can be worth looking for indications of a reseller to avoid that problem.

Re: At OpenAI, we can't eliminate that disruption.

I didn't mean to stop. I'd also take that, but there are two reasons I suggested that they keep doing it.

The first is that we already have had enough promises on this that, if they just stopped talking about it, we'd be saved having to hear annoying statements but not the continued desire to replace people with AI. They've already pushed this thing up to a sufficient speed that if they stopped pushing, momentum and inertia would take it forward anyway. If, on the other hand, they keep pushing with all their strength, it will hopefully move more quickly to the barrier at the end of the road and crash more spectacularly which should hopefully mean fewer people willing to try the same thing again.

The other reason is that actually stopping this would require that they not only stop saying these stupid things but withdraw their services and shut down their companies. They can't and definitely won't do that, so arguing for it won't help us. Of the actions they could take, I think continued hype is more likely to end this than being honest that they had lied about the capabilities and potential of their technology for as long, because people who like and promote these have already had plenty of opportunity to recognize how unreliable the things are.

Re: ?????

The em-dash (—) is functional, used to separate clauses from the rest of a sentence. The en dash (–) is mostly useless, and wherever it is most typically used, such as ranges, a hyphen would do exactly the same thing. Nobody is going to be confused by 1914-1918 but find that 1914–1918 makes it so much better. Thus, those are flavor, stylistic choices that you can use but don't matter if you do.

Re: Great news

More conveniently typing em-dashes is "fully using" your OS now? We've managed quite a long time without that. Even if that is what you're saying, you realize that it's not going to be a bolt-on tool, because it will be integrated and turned on by default in non-beta releases soon. Not to mention that you could have used various methods to make that easier to type if you had cared before, such as creating a custom keyboard layout with it or making these some of the defaults in the Windows symbols/emoji selection thing that has been built in for some time. Your complaint makes no sense.

Re: If an employer asks you do to this ...

Let's assume I would actually get the benefit of the saved time. Let's say that it even gets tacked onto my salary. It won't, but let's assume it. My answer is still no. There are two reasons:

1. It doesn't work. Summarizing my answers to prewritten questions does not allow the employer to understand my experience or skills. They can't ask clarifying questions, decide that something indicates a useful indicator and go into detail on that, decide something shows a worrying indication and confirm that it means they shouldn't hire me, etc. A qualified human interviewer can do that. Whether I get the job is now more random.

2. And that means that my colleagues are also going to be more random. If they save a little money on the hiring process and end up getting worse candidates, it's not going to be a saving for long.

Re: Control flow of ideas

Not really, because all the things that would affect the mirror would still affect the switch-off. There would still be a multiday "warning period" while TTLs expired where effects would be blunted while people implemented backup plans.

But it also wouldn't be very easy. As root servers go, the US government runs a lot of them. Three of the thirteen are operated by government sources, but not the same government source. To switch the .uk zone off, you probably want to coordinate the action from NASA, DISA, and the US Army Research Lab so they switch theirs off simultaneously. That's already hard, but they all come under federal jurisdiction, so you could manage it. The rest of them are going to be harder. They're run by private entities who aren't going to jump to executing commands just because they were told to with no legal justification.

Verisign runs two of them. That makes me wonder why they're considered logically separate, since all the other servers consist of redundant installations and infrastructure, but for whatever reason, they're there. If Verisign messed with them, that would permanently remove them from trustworthiness in any internet infrastructure. Trustworthiness in internet infrastructure is the only thing they do that generates money. They would do a lot to avoid taking this action because of the mortal harm that would come to them if it ended up happening. That action would either prevent this from happening or give people a lot of warning so they can switch to non-US servers. I also think they would have a lot of trouble convincing ISC to do that, since it's a small group of very motivated people who know exactly what would happen.

Running through this hypothetical was fun, but also, I don't think it's a risk we're going to encounter. Most people wouldn't understand that this is an option. Most who did, especially anyone with the knowledge to come anywhere close to accomplishing it, would understand it's a weak option. I'm not sure how we would get to a situation where anyone decided they wanted to try it badly enough to have any effect.

Re: Control flow of ideas

RIPE already operates one from the Netherlands, and there are Swedish and Japanese operators of root servers. Of course, the US-administered ones are global, including many non-US facilities.

Also, operating root servers does not allow you to censor things. Let's say that I have taken over all the root servers and now run the entirety of the system single-handed. I want to censor something hosted in the UK. My options for doing that are to drop all addresses in the .uk namespace or to not. I do not get to pick and choose. The UK name servers are not operated by me, nor can I decide to remove some of their responses from your view since I merely tell you where to find them and you talk independently to them. Okay, so to deal with that, I will set up a mirror of those servers and direct people to that instead of the real ones. For one thing, the TTL on requests to root servers is long, from days to a week. When I make my change, you won't immediately switch over because you or the DNS servers in your path won't have reason to request information from the root until the old information expires. You know who will notice, though? Nominet, who operates the DNS zone for all .uk addresses, who will see the flood from my mirror and will notice that it isn't normal, then call in people who will recognize this for what it is and raise the alarm. UK-based ISPs would then change their DNS settings to avoid my corrupt roots for that zone. In the meantime, Nominet might well block me to reduce the traffic and prevent me from trying to poison things. DNS is not that weak.