Posts by doublelayer

I'm not seeing it in the article. It runs in a sandbox, perhaps though I'm guessing, but the problem with malicious code is that it's run in the first place. It's not hard to put untrusted pickles in a sandbox, but if you don't or they can do whatever they want to do from in there, it hasn't fixed anything. The best way to handle this is to create a restricted language which can be serialized and runs only in an interpreter which has no OS access. It only does math and has no hooks elsewhere. That would work, but nobody would end up using it because people who so far don't have any problem unpickling random things and running them aren't going to go to extra effort for provable security, especially if it means not using one of the libraries they're used to.

Re: So much for "AI"

The problem is that a random number generator can produce valid or invalid numbers and, even if it produced a valid number, it has no idea what it is for. This has collected a bunch of real numbers and starts handing them out. Admittedly, it's not malicious about doing it, because it just hands out real numbers whenever they're tangentially connected, but it's not just random strings of digits which happen to be callable. If I run a random number generator to produce a number that looks like a credit card number, the chances are incredibly high that it will not work. If I collect real credit card numbers, the chances that at least one of them will work is significant. That is the important difference.

Re: Apple aren't one for banishing people only to pick them up later at a discount

Some of your points are characteristic of Apple, but others, while logical, aren't necessarily used.

"I'd guess that most countries have at least some legal impediments around driving the value of a potential acquisition into the ground; if nothing else, there's a definite overlap with the kind of predatory behaviour which anti-monopoly laws are meant to address."

It is not clear. Using a monopoly decision to do that is illegal. But there are many other methods which are not illegal. There is a certain amount of activity which gets dismissed as "bargaining well for a better price" and therefore accepted. In this particular case, the app team have a reasonably good case because Apple abused its monopoly position, but that would work as well if Apple didn't want to acquire them. I.E. it's only Apple's App Store monopoly which makes that happen rather than another law.

"The first is that if the acquisition has value to you, then it presumably has value to other people/companies. So if you do drive the price down, the odds are good that someone else will step in and buy it at a higher price."

Good point, although it doesn't apply much for this example. The app in question works on phones and watches, but there are lots of keyboards for phones. The IP in question is for their watch app, as their phone app is still permitted on the App Store. There are only three smartwatch platforms with enough functionality to make use of a keyboard with the multitouch and processing requirement of this keyboard. Apple is by far the largest. Samsung's platform is believed to be dying. So the only other purchaser is Google, whose platform is also not in great health. Given that Apple has the most users and that the app doesn't run on Android at this stage, they're by far the most likely to buy it.

"Another point is that by driving the value down, there's a risk that you'll lose the things which made the acquisition valuable. E.g. the target may sell off some of their assets to stay solvent, or lay off people with the domain knowledge needed to make the acquisition valuable."

Again, not a bad point but it doesn't apply in this case. The tech is a single application, although some of its functionality is open source released by another developer. The staff is two people. Not all that much they can do except try or give up.

"And if it becomes known that you're responsible for driving down the value, then people may choose to leave the target of their own accord rather than working for you."

I doubt that's a factor for most acquisitions. Apple can hire new developers to understand and develop a codebase. What they need most is the code that already works and the rights to any patents involved. It's a bigger problem when there are lots of people and the acquirer wants to keep that running, but for something IP-based like this, not as much.

Your final point about PR problems is good and applies.

Re: Bottom line.

It's not humanities which are at the root of the problem, and I see no comments which suggest it is. Check most people who manage without understanding. They're often not humanities people. Nor is management necessarily a problem. They have a role to play which is important, and without them, there is more chaos. What is the problem is that management is more often able to exceed their role and cause issues because they have more power.

I posted on this topic a while ago. I noted there that it's not just engineering that needs this consultation. The discussion here has mostly been about engineering since A) most of us are engineering people (software included, please let's skip the linguistic discussion this time) and B) the article was about engineering. The general sentiment applies to any work where there is someone making the product and someone managing them. That product may be a technical one requiring hard science, or a legal one requiring lawyers (a lot of whom are humanities people), or an artistic one, or literally anything. The problems and suggestions apply equally well to them all.

Re: Why not fork Android + make it a shell

Primarily, because they want a more controllable thing. If they fork Android, they can do a port without changing much, like the various semipopular custom distributions, which wouldn't make you happy since the Android UI hasn't been changed. That is the option which keeps most app compatibility, but you have to live with Android's UI.

Or they could do what you ask, keep some of Android, but do a bunch of work to make the UI different. Result: some Android apps wouldn't work because the UI's too different, so now they have to do extra work to emulate the old structure so things aren't broken. In the meantime, they have to work with other problems in Android which they might want to fix. For example, Android's handling of external storage devices which isn't the clearest or easiest to manage. People who are used to the old Android interface may not recognize this one either, meaning more complaints about how they don't like the UI choices made. Meanwhile, Google keeps developing new Android things and, if this fork is to stay up to date, the devs have to keep backporting the Google updates which are important. That's a full-time job for several developers even when few changes have been made; doing it with a very different fork is intensive.

For people willing to do some of this work, they're probably not that happy with half-measures. If you're going to change a lot of things in Android, why not give a full Linux-style interface a go? If you want to solve Android's storage thing, you could do a bunch of work on Android itself or just run more typical Linux userland software which already knows how to manage that. This also lets you develop things without having to worry about Google changing Android in such a way that it's hard to integrate again.

Re: Two whole gigabytes?

The point is that, to use these, you already have to pay the electricity for most of the parts. All the peripherals including the displays, but also something capable of doing the computing work of establishing the connection and driving the peripherals. That's likely to be a full computer capable of working locally. If it is, it probably has specs superior to the lower tier of possible VMs just on its own. So you could pay for the electricity to run it yourself or you could pay for the electricity to run it and also for a remote VM which is no more powerful than it.

Re: when the win finally comes.....

Probably not. They'll likely try to buy off the people bringing the suit. If they succeed, that moves anything down a year at least. Let's assume either this one or another one wins against them. What will happen then is they will update the terms of service to include a bit of new legalese and continue as normal. Like what happened with GDPR. They're clearly collecting stuff and they're not in compliance, but the various data protection authorities aren't doing anything. Unless somebody actually brings out a big fine, they won't do anything. The fines from small or class-action lawsuits are not sufficient for the purpose because the lawsuits are always run by lawyers who want a payoff rather than to see change.

Re: So tomorrow Signal, Telegram?

"Does WhatsApp use strong encryption? By strong encryption I mean the US Government's definition of strong encryption. Not yours."

Yes.

"Is WhatsApp purposely designed with intent of evading detection of criminal activity by a US Law Enforcement Agency?"

No. Is Signal? No. Was this? Hard to tell, but they'd need to prove it, you know. You can't just say "Criminals use it, therefore it was designed for them." You actually have to prove a statement like that.

Re: Modals

Of course, but that's just failing to do the UI work. If they left out the save button, I'd have a similar problem. Bugs will break stuff until they're fixed. Meanwhile, it's not hard to test modals to make sure that's not been missed.

Re: There one law for Apple and ...

I disagree on most points.

"Well the very first response was questioning the sanity of anyone wanting to run anything other than MacOS."

No, it was questioning the sanity of buying a Mac to run Linux on. You can choose to view that as "only run Mac OS", a clear Apple fan, or "don't bother buying Macs", a clear detractor. Given that the comment also advocates ignoring Apple and building your own machine to run Linux, doesn't seem that one-sided to me.

"Then someone chipped in Apple is so big they're their own standard."

I'm not reading that as an Apple fan either. They're saying that Apple doesn't have to adhere to standards for business reasons, so it's unlikely they'll opt to do something in an open and standard way because they have market power.

"It doesn't really matter about numbers for or against. It's just that if any other company did this sort of thing there would be an almighty outcry."

Disagree. Basically every Android OEM has done this already. There was some annoyance and people circumventing it, but we don't think it's a conspiracy. We just don't like it. To some extent, it might be more muted with Apple just because we've come to expect it. They've always been less than thrilled with people messing with their products. They've locked down their mobile devices, soldered in everything on their computers, and have the only modern OS you can't run on something else (well, legally at least and it's hard). We're perhaps not surprised when they do something and it's not completely open.

Re: Change control is good - when it is properly controlled

"If the client software can't handle a disconnection, then it's not enterprise grade anyway (My reasoning on this: once you start using resiliant/distributed databases, server switches will cause client drops anyway."

I think this reasoning is flawed. If your database gets transferred to a different node in a distributed database, you'll lose connection very briefly because your new node is already available even if the previous one isn't. A simple DB down, retry, connect, and the system recovers. At worst, the client has to store a log of the stuff the previous node might or might not have done to check, not as bad if the operations are idempotent.

When the database isn't distributed, that doesn't happen. The DB down happens, but the retry doesn't immediately turn up an alternative. What should the client do? This could be the database went down. Or the network went down. Or the network cable came loose from the computer and the connection isn't going to get fixed until the user puts it back. The client can easily cache the operation the user wanted to perform and have it ready to resume when the database comes back, but depending on what happened, that might not be a good option. If it was a problem at the user's end and nothing happened for an hour while it got fixed, repeating an hour-old operation might be a problem if other data has changed in the meantime. The client has to do something, and it's unlikely it can guess at the users' intent all of the time. Best in those cases to just tell them the database can't be reached, invite to troubleshoot, and not to start doing things automatically when it comes back. As long as it doesn't crash, I don't think it's fragile.

Re: What is this

It doesn't have to. You want to see it, you can go to the website where it's published and look all you like. You want to keep a copy? Just save image. No need to pirate it when it's already free.

Re: @bombastic bob - Says it all

As I've said in previous comments, this is not a reason we have to care about. I'm merely illustrating that there can be a reason for a company to avoid GPLed code that is not purely profit-seeking anti-user stuff. This is not my problem, nor should it be yours. Companies can make whatever decisions they want to just as we who write the source can. I just think it's worth it to keep in mind the actual results of a license decision like this one so that decisions can be made with real-world effects in mind.

I said: "If you use a GPL3 library somewhere, they have to be able to replace it somehow"

You said: "Err, where does it say that ?"

From section 6 of the GPL version 3:

"If you convey an object code work under this section in, or with, or specifically for use in, a User Product [...] the Corresponding Source conveyed under this section must be accompanied by the Installation Information."

And above that is the definition of that:

"'Installation Information' for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made."

Which means that, if the software can be modified, the user must have the ability to modify it. Which, except for a few rare cases, is all products. There is an exception for a product where it's impossible, like ROM, but pretty much every product uses software which theoretically can be updated and in that case, they have to make it possible for a user to update it themselves. Again, I like this because I quite enjoy hacking my stuff, but companies have reasons not to want to give that access out other than wanting to lock out the users.

Re: Sanctions are messy, politics is worse.

You are broadly correct, but the courts in Canada have also had to resolve claims by her lawyers that the crimes were invalid under Canadian law. These disputes have at times involved discussions of what fraud is, whether sanctions apply in multiple countries, and the like. Some of these discussions have indeed handled questions of culpability if she is found guilty, and thus the intent I described. When such claims were made, Canadian courts have decided that it is a crime to make fraudulent claims about sanction compliance, which is why she is still hinging her defense on procedural issues. Your description about what those are is quite good.

Re: Any word on the vulnerable version of 7Zip?

It doesn't sound like 7zip has a problem. It saw an archive and extracted files from it. It doesn't sound like it ran them. The same feature that lets you run it on an arbitrary file and it will try to find any archives inside it allowed an incorrectly-named archive file to be extracted anyway.

"With Palemoon I can at least choose DuckDuckGo or whatever as the search engine it sends it to. So far I haven't succeeded with FF although I haven't tried hard because I can mostly avoid it."

And

"it's admittedly not as easy to change those settings as one might like."

Really? Here's how you do it. Tools -> Options -> Search category -> Default search engine. And right next to it, the settings about the address bar. A total of five clicks. How is that hard? Some settings are buried. These are really easy to find.

Re: "like your favourite coffee table book."

Why do they do this? I thought that phrase was trying to talk about the size of the machine, but if it is, it's not doing it well. It's not at all similar in dimensions to either a coffee table or a book. More importantly, I know a lot of Chinese people who speak English really well. It can't be hard to find at least one person who understands how to write naturally. Especially as, if they run out of candidates in China's 1.3 billion options, they can always use some of their money to hire a person fluent in both languages from many other countries. Proper translation for a marketing release would be very cheap since it's usually at most six paragraphs and a spec list. And yet a lot of large Chinese companies (other countries do it too but usually not as crazily) have descriptions that don't make any sense.

Re: To: support@ionos.co.uk

It's never too early to transfer a domain. As long as it's before your renewal period, you can transfer to someone else. I just did it, though more because the registrar in question was annoying me than their yet unannounced stance on this motion. I moved it to a supporter of the campaign. By the way, you can see a list of the supporters on the publicbenefit.uk site. There are 413 of them, but at least that's a starting point for choosing a new provider.

Re: Hats off

That's fair, but still, it's not all that different. It wasn't unusual at that time to have a house with multiple people working, but it was typical to have a single phone line. If the companies required remote access at all, there'd be contention between the people as they used it to use any networked services and the inevitable meetings, which would have to be a conference call. They might not have to be using it constantly, but I'm guessing there would be many collisions unless the companies could provide extra lines.

Meanwhile, a lot of the things that weren't done with network services wouldn't be feasible anymore. If you could go to a filing cabinet to find a paper record in the office, it wasn't pressing to digitize that. If the workers are all at home, it would have to be digitized if either more than one person needed access to it or the contents were private enough that the one person who did need it shouldn't take it home.

You're right that I'm young enough not to have experienced that myself, but I think at least some of these statements aren't missing the point too much.

Re: M1x, discrete graphics, expandable memory - maybe not.

Yes, it is. I wouldn't be surprised if they implement an ability to support slower external memory, but they're going to have to work a bit for GPU support. I'm imagining an M2 with 32 GB of memory inside it for fast access but with lanes allowing more standard memory to serve as additional but slower resource. At least that's what I would probably end up doing. Let's see if they even bother. I mean they tried putting all of this in a very difficult to repair iMac, so they might not want to go to that effort just for the people who want to repair stuff.

Re: I'll bite. You should be in jail.

That's not what normally happens, nor is it a problem in my mind.

"Then blackmail the company "we found a hack, pay us to fix it", which is extortion."

That is not extortion. Now there are people who will do the extortion, which looks like "We found a hack, pay us or we'll use it", but there are many who won't do that. Those who do not use it aren't committing a crime unless they have done so to find the hack in the first place.

"Or how they find holes in things, and go on to document the hole, and sell the fix, and again, describe themselves as the "good guy"."

In this case, they are probably the good guy. If your thing is flawed, and you're selling it, you are the bad guy because you're selling something shoddy and putting your customers at risk. A worse guy could come along and abuse your shoddy thing to deliberately cause harm. Someone who identifies where you failed is protecting themselves and others. As long as they don't do something to your systems to figure it out, then they haven't done anything wrong. Probing your system is a grey area. Actively entering them without permission is wrong. Reading the client-side code you sent, testing a product they purchased from you using their own systems, or entering information into fields you have sent them to enter information in are perfectly normal things they have the right to do. If they find a problem, they may try to sell a fix to you. You are under no obligation to buy it. You could find it yourself and fix it. You could have done that before you sold it too. Quite often, the ethical security researchers wait until either you have fixed the problem or you have indicated you're not going to bother before they disclose. If it's the former, then you're patched and have no problem. If it's the latter, it's a fair warning that all us customers want to know before we give money to someone who builds dangerous products and refuses to fix them.

Re: ZX81 option for Raspberry PI?

I hadn't thought of that, but now you've mentioned it, I want it. Especially if the Pi can be shut down and restarted by the RP2040. The most limiting factor of the Pi for me is the power consumption, meaning I can't run them off batteries for a long-term project. Having a low-power coprocessor which could run some native code which could invoke the boot process and spin up Linux whenever I need something more complex could be really nice.

Re: When you say "pants",

"Back on topic in a vague sort of way: would links and something like alpine have run under DOS on a 286? or were they just too advanced. Was there a tcp/ip stack even?"

Links wasn't released until 1999, so that likely wasn't an option. According to the Wikipedia page, Lynx (not the same thing) was ported to DOS in 1994. So that probably would work except it doesn't do anything graphical. I suppose that's an option, but which would you rather do: convince a relative to buy a newer computer or endure their complaints about how the internet keeps telling them they can see pictures but all they see is text (with the bonus feature of complaining that their 286 also can't run [insert other possible software])?