Posts by doublelayer

Re: Personally, I wish someone would follow through on the other side of the story...

"We can (and did) live from the Arctic to the middle of the Sahara without the support of modern technology and trade."

We did. It wasn't pleasant and involved a lot of dying. I'd like to avoid that if I can. I can't stop a glaciation, but I can take steps to make that the big problem. For the moment, we're having to deal with changes to the climate before the glaciation.

If we had a stable climate at the current pleasant setting until the glaciation, we could focus our energies on doing something to promote our happiness when it does roll along. Given the timeframe, that might give us enough knowledge to go to a new planet which won't have one, or cancel the glaciation through deliberate control which we don't have the knowledge to do today, or decide that we'll deal with it because our smaller population can happily live in the equatorial regions and let the ice take the high latitudes, or any number of other options.

In the meantime, my concerns are not about mass extinction events (which we could cause if we wanted to; cobalt bombs are available). My concerns are about large-scale unpleasant situations. People complain a lot about migration today. How will they complain if a large region quickly desertifies and leaves its populace trying to escape to find water. That won't be an extinction event, but it will result in a lot of pain for those escaping, likely a backlash against them, maybe some wars, definitely an economic problem. I'd rather we avoid that if we can.

Re: Everyone knows that

That's not really sufficient. He worked on it during his spare time, he claims, and I'm inclined to believe him. The question is whether he did so as part of employment or not. He was a salaried worker being paid by the company to reproduce the software he wrote. At that point, "company time" isn't really how it works anymore. "Company projects" is more like it. For instance, if I work on the projects my company asked for during my spare time, I won't own any of the code; it's still work done on my employer's IP.

The central question was whether he or the company owns the project, which would probably be settled in a license agreement or employment contract. There was no license agreement, which is what you would need if there was a licensing arrangement. That makes it hard to argue that the code was licensed.

Re: Classic ploy

"so you have to be [...] not literate enough to know password managers are a bad idea (this last bit will probably not win me any friends)."

Care to elaborate? Password managers are juicy targets, and thus they pose a risk to an attacker. Therefore, if you had said something like "Monolithic hosted password managers are a bad idea", I'd be behind you. However, you weren't that clear and if you meant that all password managers are a bad idea, I must disagree. A local password manager means people stop using the same password or multiple weak ones. That's so frequently an avenue for attack that it's probably worth doing something about it. If you have a reason they're a bad idea, you could lay out the details about why so we could debate them or agree and find a solution.

Re: "good for security"

I also want to know what reasons they think they have for that statement. A document that's stored on a server and rendered on a client is also on the client. The client can take a copy through many means. So why is stored-on-server more secure than stored-on-client when client security is important either way? If it was something like a database where the client only sees a portion of the data, then it would be more secure there, but it's an individual document all of which the user can see.

Re: The one-device-per-person trend

I take hardware from people who want it disposed of. That which is too old to be useful, even with a lightweight Linux on it gets sent to recyclers. That which is modern but they didn't want it gets resold. That which is older but functional gets donated. That which doesn't fall into those categories, usually it didn't sell and the people I donate to didn't want it stays here and I end up using it. I'm far over my allocation of devices. For example, the laptop whose battery doesn't work and isn't replaceable, but as a desktop it works fine has been on my desk for at least two years now. I wonder when I'll stop collecting things like that.

Re: SmartWatch?

"As a young kid I was given an old carriage clock, it runs fine and you can get them on eBay now for about 3k, you think our kids will be seeing an Apple Watch Series 5 or Apple Watch SE on eBay for that level in 50 years?"

No, but they're not the same thing. I bet if I had a time machine, traveled back half a century, and bought a bunch of clocks, few if any would be worth a lot today. Yours happens to be in the nice intersection of A) things people like and B) things rare enough that they have a lot of value, but most people buying clocks don't anticipate that they'll be investments decades on. They usually just want a method of knowing the time. For example, I have a clock that's rather old as well, though only about two decades. It works well. Also, it's a cheap plastic rectangle with little artistry about it and you probably couldn't sell it if you wanted to. Fine with me, because I only needed something to keep the time.

The same distinction applies to a smartwatch versus a normal watch. People buy normal watches to have the time available with a glance. People buy smartwatches to have different information available with the same convenience or to use it as a control device. Thus, you shouldn't expect that they'll be purchased by the same customers. People who just want the time don't need a smartwatch and may opt for a cheap long-life watch which will have no resale value because it's made to be utilitarian. People who want to see messages by looking at their wrist will not be happy with an older watch and may opt for one which needs more powerful hardware to perform the more complex tasks they want, meaning it won't really work later and thus also won't have resale value. There's a group including myself who don't really want any watch. It's all based on what you want the technology near you to do.

Re: Who's the audience?

"You cannot have that aspect of free speech and also the protection afforded a common carrier. The two are mutually exclusive."

Let's say I agree with that. No problem. The people choosing not to provide services aren't common carriers. AWS is not a common carrier. Youtube is not a common carrier. If I have the power to invite people to speak somewhere, I am not a common carrier. Few of these places are common carriers. You want to argue common carrier, find someone who was put offline by one, which means an ISP or telco, and wasn't disconnected for breaking a law. If you only want to argue common carrier because you're failing to get agreement otherwise, then it's not helping you if you haven't considered what common carriers are.

Re: Lots getting away with it

I don't get that many, but those I do get are usually valid numbers which are probably spoofed. At least once, someone else called back one of the valid numbers and confirmed that it was a normal person.

I have answered them to waste their time, but I never get any of the ones that would be fun to mess with. All mine are automatic ones. I tended to leave them connected with silence until they disconnected, but two have decided to automatically call me back when I did that. Now I'm using a new technique where it will randomly dial numbers at high speed until they disconnect. This has proven more effective.

Re: Bitcoin tax

I think most people who hoped cryptocurrencies would be handy for use as actual currencies have abandoned the hope for bitcoin. Some have given up entirely and others have found different ones to hope about, but now the people buying and mining bitcoin just want to use it as an investment. A bunch of people who have money to burn and who don't really know why bitcoin is useful are wasting their time and resources, which will work out well for some and badly for others. It's kind of like a large chunk of other investing where nothing's done for actual goals of getting some benefit in the future, only hoping to get some money off someone else in a zero-sum game.

Re: The impossible bus

If I was designing something like this, my first attempt would probably be to compromise the firmware or bootloader. If I rewrote the default image to include a rootkit and modified the chip slightly to only start using it after a certain number of boot cycles, that might work. It would have access to most of the hardware, but it would be memory-resident in such a way that the running OS wouldn't detect it. It's not perfect, especially if there are updates to the firmware which this has to handle somehow, but it could function while avoiding a QA scan--a slightly modified chip which was already there and the first cycles are using the correct firmware image.

Re: Err....

"Pursuit" can be positive or negative. It really doesn't have the connotations you think it does. If I am in pursuit of an efficient refactoring of my codebase, my company and users will be pleased. If I am in pursuit of money without doing work,, they're unhappy. If I'm pursuing a person who is lost in a dangerous area so I can direct them away from the abandoned building site, I'm helping them quite a bit. If I'm pursuing someone with the goal of robbing them, not so much. The Trump administration pursued the companies to try to cut them off. There is no question about that. If the Biden administration isn't doing that for now, then they paused that pursuit. If you want to argue bias, go find some bias.

Re: I want(ed) to be an Astronaut

Among other things, you're dealing with some pretty small sample sizes. That aside, the following differences apply:

Duration of trip: Apollo 11 spent eight and a half days outside the atmosphere. Apollo 17 took that up to twelve. People on the ISS spend a lot longer there, usually measured in months. People undertaking a voyage through space would certainly spend months or years on their journey. A longer stay outside the atmosphere means more exposure to radiation, and the ISS is lucky to be as close as it is.

Type of person: Astronauts have to be fit and relatively healthy or they don't get sent, but there are other aspects which are considered. The people sent to the ISS are often sent to work on specific scientific projects, which means that experience with the project can take precedence over physical health. Also, radiation can cause a problem whether you're fit or not. Even if we only sent fit people, they could still sustain serious damage. If they don't because they got lucky, didn't spend much time there, or had a good shield, their later fitness doesn't disprove the risk.

You want someone fired for moving their feet? Now she should have noticed the switch, but from the sound of it she didn't. I occasionally tap my desk when thinking about a refactor. Am I unprofessional now too? If she ignored people telling her not to do that or if she did it deliberately, that would be a case for discipline, although immediate firing seems extreme. Doing it accidentally and reportedly not even knowing she was doing it seems a lot more innocent.

Re: Tor, DNSCrypt, etc.

"Can a personal phone (not a burner) be made equivalently secure?"

Yes, if you're willing to go to quite extreme lengths, including buying only a specific subset of available phones, hacking bootloaders to let you in, and the like. Some steps don't require it, but some do. I'll take each in turn:

"I can run Linux from a non-persistent thumb drive": This one's hard. Even when a phone supports a custom image, it's a persistent one. Very few phones support an easy non-persistent system. A few exist, all designed for Linux mobile distros, but those are a little rough and don't support everything, so unless you want to hack around with them you likely aren't buying them. If you're using a more normal Android device, your best chance is to backup an image, use the current one, then manually erase and reflash the old one back on. That can take half an hour and requires manual intervention.

"and set up a signal chain that looks like ISP-->VPN-->Tor-->DNScrypt,": This one's easier. Android supports VPN, and most providers will have a client. OpenVPN is one of them in case you're running your own. If Tor is configured on your VPN endpoint, that will work fine. I think any on-device Tor client that works on all Android traffic would conflict with your VPN configuration, but you do have the Tor Browser available in case you can't make your endpoint run the circuits for you.

"then run locked-down Firefox on same.": There is Firefox for Android, or the Tor Browser which is based on it, or a few other options. Locking those down is possible.

The harder part is limiting software placed on the device. With effort, you can find and disable or uninstall some of the stuff, but it's not always possible to determine what everything is or what it's doing. That's why, if you want certainty, you have to get a customized Android or Linux variant. The unfortunate part is that many phones simply will not let you install one, and those which are open enough may not be supported. If you're willing to recompile kernels and the like, then you can get closer to the goal, but that takes time and expertise.

"I hope anyone with a Starlink antenna in Myanmar is keeping it well out of sight."

There aren't any Starlink systems there. They're not licensed for the region, downlink facilities are only in the U.S. for the moment, and Spacex's reportedly keeping the radios off when orbiting over nonlicensed areas. Also, the receivers don't work unless they have direct visibility to the sky. I don't have one, so I can't report on tests, but nothing I've seen indicates they'll work through obstruction.

At least that's nicer than a lot of companies. They actually put resources into that. There are ones that are a lot more frustrating to me, such as the ones with exactly one piece of hold music, which is always heavy on the drums so it fades in and out. When they've cut about 45 seconds of that and looped it, you can go insane fast.

Another honorable mention goes to an ISP I've used before. If you call the technical service line, they'll play music and read messages that suggest you check your cables, reboot the modem, etc. Fair enough. I've already done that and the messages do get annoying after you've heard the same ones five times each, but there are people who can benefit from that, including the support reps who hopefully don't have to waste time on people who could fix their problem by power-cycling their equipment. The only problem is that, if you call their system for a different purpose, like they've billed wrong or you are moving and need to cancel service, which you've indicated on the IVR system before you were put on hold, you'll hear ... messages that suggest you check your cables, reboot the modem, etc.

Re: Requires a GCP account?

If this isn't read optimized when it's a database that rarely gets written to, that's on their head. I have no sympathy. Also, it doesn't matter what's billable and not, because it's hosted on their own systems. They don't have to structure it so they pay per transaction to the cloud team. Both can be easily compared to search; they don't have a structure where they have to pay some other department for each search, and it is still a more complex arrangement. They have spent longer optimizing search, but the search process itself is already more complex than a query on this database. Any design decision that leads to the rate limiting is either a stupid design choice ("Should we optimize this database that we expect people to be reading for read operations? No, let's not bother.") or unnecessary ("We're going to host this database as one of our corporate services on servers which are corporate property. Let's set it up to bill ourselves rather than the way we do every other system.").

Re: Computer++ sentence

It depends how you want it done. If a stream is generated and sent to a system for it to be embedded by that system, there are two possible problems. The first is that someone wishing to forge a time could get the stream and store it, later to overlay the stream as it was released at the desired fake time. They can also wait until the time they want and overlay a future time. The second problem is that such a stream would require a consistent network connection. If power or network failed but the camera continued recording, there would be no way to continue adding the time until those came back. This might not be important.

I can solve the first problem but not the second. The way to solve the first one is to set up a system which can accept hashes and store them in a database. The video for a given time can be hashed and that hash submitted to the remote service, which timestamps the entry. That would prevent someone specifying an earlier time, which is the most often deliberate adjustment. They could provide an old hash to make something look like it happened later than it did, but they'd have to do it consistently because the chunks before and after the occurrence could be verified true as well. That still requires a network connection and someone external who stores the database. Given the worth to a police department of unverified images, I don't think I'd bother going to that extent on private security cameras.

Mostly because, when you're seeing it in a security training email, you just get the URL. If you go to one of them expecting it to be real, it will look different and tell you what it is. Someone going to one of the URLs won't be faced with a lookalike service, but instead a warning that looks like this:

"Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks. This page is here to let you know that this is not a malicious web page. The email that led you here was likely sent by your employer as part of a training program."

And thus, they contend that people are unlikely to misidentify the site as the real one, because they look totally different. Nor would anyone typing in a URL type the other version--'rn' may look like 'm' when you see it, but it's very different to type or say. Those are the points that lead to the statement you quoted.

I doubt it. Sure, they have a bunch of money, but possible mistyped domains are so many that you can't just reserve them all.

Transposed letters: Microosft, Microsfot, Microsotf, etc. 8 combinations

Letter one over on a QWERTY keyboard: Microsofr, Microdoft, Mivrosoft, etc., 18 combinations

More than one letter off by one: Way too many combinations.

Letters off and sometimes transposed: Let's test the budget then.

Easier just to put all those combinations into a spell checker and run it over stuff as you publish it. Or check that links work.

Re: "… according to a report by Japan’s Nikkei."

I'm sorry, you've lost me.

"the Japanese truly love the North Koreans!": I'm guessing this is sarcasm, given the dog and cat comparison and that it's wrong, but then you say:

"You could not get a more unbiased source.": Did you mean a "more biased source"? Or was that sarcasm too? If both were sarcasm, it sounds weird to me.

By the way, it's not really fair. Japan and North Korea don't recognize each other and frequently argue (not really bias on Japan's part as North Korea has this nasty habit of shooting missiles at them). Still, there are countries that have worse relations with them, including the U.S., France, Taiwan, and places like that. Japan also contains a surprisingly high number of pro-Pyongyang organizations, although they are operated primarily by a small subset of ethnic Koreans and don't speak for Japan as a whole or the Korean community there.

Re: I don't find Google blocks too well

I would like to filter that, but on occasion, someone in the HR office has sent me an email like that. It's never been an important one, usually talking about some new thing they've set up. Still, I wonder what they were thinking when they decided the best way to create an email which might appear on desktops, laptops, or phones is to make an image of all the text and just send that. It can't scale well. I also wonder if there are any visually impaired people on the list. I checked, and they didn't put in any text layer for people who can't read visually.

Re: Born idiots. All of 'em.

Pranks are dangerous, especially when the victim doesn't know what you're going to do. Pranks between friends work because, if a friend doesn't like the prank system, they'll either make this clear and their friends will respect it or stop being part of that friendship. Most others are irritating. Some are like this one and are criminal. There should never be a defense that the crime was meant as a prank; if all involved are happy about it, then no charges will be brought. Otherwise, it was a crime and should be treated as such.

"Does the whole process of https (encryption on my side, transport, decryption on your side) count as 'transmission'?"

As the ruling goes, it would be as follows:

1. You construct an HTTP request in plain text in memory. If they seize it on your machine here, it's at rest.

2. You encrypt it to ciphertext which we'll presume you store in memory. If they seize the ciphertext, it's at rest. Also, if they can seize that ciphertext, they wouldn't as they could also seize the plain text earlier and that's easier.

3. You establish a TLS connection to a server and send the chunk along a network to it. If they intercept your encrypted data by watching it as it goes to the server, it's in transit.

4. The server receives and decodes it. If they seize it on that server, then it's at rest.

You can think of it as "Where does the interception occur?". If it's on your computer or the remote computer, it's at rest. If it's in between, it's in transit.

Re: MAC address

From the article, that's almost exactly what they've already done. Most discussions here are about prevention, but they appear to already know how to do the detection part.

Re: Keeping the accounts seperate.

Short answer: he didn't. Complaint irrelevant.

Re: since they’re all publicly available anyway

"There is also some applied permission once you publish it."

There is explicit permission based on the terms of service for the thing you posted it on. Which usually gives anyone who can see it based on the settings the rights to view the content, but may restrict them from copying it and using it offline for other purposes unless you specifically allow that. The services we know they used do not take copyright from the original creators, nor do they require those people to grant a right to create derivative works. So those rights don't automatically exist.

For example, The Register has a term describing what rights you have to grant when you post:

"8.2 You retain all your ownership, copyright and other interests and rights in your comments but by posting any comments on our Website you grant us a non-exclusive irrevocable and royalty free worldwide licence to use, modify, alter, edit copy, reproduce, display, make compilations of and distribute such comments throughout our Website."

Re: Apples and oranges

"and to those who rage about Chromebooks timing out on support - this Windows machine has done exactly that indirectly - it's storage is insufficient for updates to occur so Windows will fall off support in a couple of months."

Wrong.

What your thing has: The manufacturer made it with specs that don't let the system stay up to date in the easiest way.

What the other thing has: The system could update, but they've cut it off so you can't do so in any way.

If we're technical, you can update Windows on your thing by performing a deep clean to remove files, including moving all personal files to external media. That will give you more storage for update files. If that fails, you can reinstall the latest version, which will give you the latest updates. You shouldn't have to go that far and some won't know how to do it anyway, but it's possible to do it without having to recode anything or attempt to hack into locked firmware. Chromebooks are instead killed outright.

Re: Wikipedia is far from perfect...

Doesn't matter. If they've reset it to a 200 which says the page isn't there, the archive may have a copy when it was. If it does, you can and should edit the link to that copy. If not, you can remove the reference and invite a re-citation.