Posts by doublelayer

Re: What, exactly, is 'free speech'

"This site knows my real name and e-mail address. Yours too, otherwise you wouldn't be able to post here."

They know a name, which I don't even think they checked looks at all like a name. Mine looks like a name. Do you think it's the one on my identifying paperwork? It might be. They didn't check. They also know an email address which could receive a verification link. Maybe it's mine, but I can set up emails without my name on them. Also, since I didn't forget my password, I haven't needed it since. They have no proof the address still exists. Or was ever mine. That's pseudonymity for you, which is usually enough for sites like this.

There's nothing wrong with asking for it, but it reads to me as if they're demanding it without wanting to help. They don't have to preach all this necessary change if they instead found some people to do the code reviews. If they sent a message like this to repo maintainers, it could work:

Hello maintainer team, we're using your code in our products and therefore have an interest in continued security in your codebase. Therefore, we've employed some people to do code reviews on any PR to main. We'll flag security things as well as bugs that seem clear to us, following your documentation on style and requirements. It would help us if you could hold back completing PRs for a couple days while our team reviews. Of course, you don't have any obligation to do that, but we think it will result in better code for both of us. Thanks for the useful project.

They'd probably get acceptance from basically everybody, because they're doing the work to solve their problem which doesn't restrict external developers. Maybe that's what they will do. So far, however, it seems like they want a bunch of information from the projects and complain about practices they dislike without wanting to put in the effort to fix anything.

Re: @Blind AC I see a use case

I'll be the first to admit I haven't read very much about this, but it doesn't look like that's an option. The pricing pages include the price for creating a model, storage of a model and running said model. I don't see anything about downloading the model, let alone downloading the engine that uses the model. All prices there are about sending text to the cloud, where they are converted to audio using the previously-trained model. If people want to run it locally, they'll need the synthesis software along with their created model. If that's actually available, I haven't found anything about it. I think the original contention about cloud-only may be correct.

Re: I do wonder...

That would be nice. I wonder what they're currently using though. Desktops have existed long enough that places probably have old ones. I'm guessing most of the places that don't have computers at all don't have them because it's difficult to power or network them, which isn't going to be solved with a bunch of newer desktops. There are probably some places that will get a cheap upgrade from it though.

"I've never understood why TLDs are handled the way they are."

To make it easy to determine what kind of site you're about to deal with. With the initial structure, you could determine what country they chose to attach themselves to. Sometimes, this was validated (Australia, China, Saudi Arabia). Sometimes not, but there was still an ostensible reason for doing so. And there were special zones for certain types of validated domains. .edu means an accredited institution of higher learning in the U.S. .ac.uk means the same for the UK. And pretty much every country has one of those. Which helps clarify that it's a real school and not someone making it up. That's why we have a tree structure.

"The whole "level" thing is just a mess and only exists because of history and tradition."

On what basis? Name exhaustion? If that's your complaint, and I have no clue whether it is, that's a little convenient since I can found a company with a name without having to purchase a hundred similar addresses. Sure, I might have to modify my name to get an address that someone's not sitting on, but if they're an actual place, that prevents trademark clashes. We can deal with those who are not by changing the rules on domain parking or resale, but not by making a couple hundred new TLDs and tossing them out.

"It's just an address. All that is needed is to verify that the full address is not already in use, and then add an entry to DNS for it at some point so that the address points at the correct IP address."

And to ensure that people can't easily abuse it. For that reason, I own any subdomains of my domains and you can't have them. And we don't operate certain TLDs that could cause problems (ICANN specifically banned anyone trying to reserve .home and .local, for example). And to ensure there's a dispute resolution process and a method of cancelling a domain used to commit crimes.

"Yes, I know it's more complex behind the scenes, but only because we have made it complex."

Actually, the technical process of DNS servers isn't all that complex. It takes a lot of hardware because we want reliability, but you can explain it to a nontechnical person in ten minutes.

"As an example I'd pay to register @big.boomer but I'm not interested in managing/maintaining all of .boomer and the chances of anyone else doing it is equally minimal, so why shouldn't all registrars be able to register ANY unused domain?"

[Shudder] Because your desire for that domain isn't enough to justify adding another path to the tree. If you want to, or a registry thinks there's a sufficient interest, they can apply for it and get it. It costs $185K. If they didn't do that, then people would reserve every string out there in the hope that people will buy up domains to avoid scammers misusing them. You wouldn't necessarily get the domain you wanted, because some registry you'd never heard of would have already registered TLDs of every word in the dictionary. If I had my way, they wouldn't even let you apply. New TLDs would be assigned if a large group of disparate people and organizations saw a need and requested it. Otherwise, they can petition their national registries for a local one or use existing TLDs.

Re: Is it just me ...

"Here's the thing, I'm still waiting to see some C or C++ code that is well written, and yet exhibits these flaws that are much lamented but not evidenced. Making life easier for people too lazy to do the work is not a winning move."

I'll grant you all of that. The problem, then, is that most of the core stuff, on which we rely, which is developed by many people who have experience, but evidently not enough, is not "well written". These are large projects, which have been tested to some extent, and they still do this wrong. Perhaps there are some people who can be absolutely trusted to never do that, but they don't seem to be writing this core code. We can't fix this problem by telling all the developers of libcrypt that they're rubbish and need retraining. They will ignore us.

The electricity analogy is continuing to make my point for me. I made a point about safe or unsafe plug sockets. You countered that a different part of the system can also be risky, changing the subject. Similarly, you have successfully pointed out that you can get vulnerabilities in languages other than C, which nobody argued against. Security requires good practice in coding, and it especially requires it in C because bad practice in C leads more often to security vulnerabilities whereas bad practice in other languages leads more often to crashes. You can still get security vulnerabilities in those languages. If we removed C tomorrow, we wouldn't solve security. However, that point is not in itself a cogent argument for keeping C. Such arguments exist, and they're convincing, but you're not making one. You are not defending C. You are not really even attacking anything else. You're just trying to change the subject to point out that I can't get perfection and hard work is required to approach it. Which is correct and beside the point.

Re: But... why?!?

Some of the users are probably cross-platform developers who don't need to buy a Mac when they can rent one. Possibly some others need to run Mac-specific software for some reason though I don't know what that is. Probably the largest group are developers who use Macs already, own Intel-powered ones, but want to ensure their stuff runs on ARM Macs even though they don't want to purchase one themselves yet. Those groups probably account for the majority of customers for that service.

It doesn't matter what the price is now. It mostly matters

what the price will be a few years later. If one of the disks that you got for a market price dies three years from now, and you can still get disks for the market price, but the only functional ones have now become a lot more expensive, then you'll have to pay for that because you've locked yourself in. They could decide to increase the price if many people accept your argument and buy the NAS boxes because the disks are cheap today.

Now let's ask whether there's any technical reason that the disks have to be from the manufacturer. Is it because they need the disks at a certain speed? No, the speed of the disks matters to the user, not the system. Is it because they need a different connector? No, it's SATA. Is it that they'd have to replace subpar drives? No, those are user-supplied and don't come under warranty. Because certain features only work on some disks? No, the entire point of their equipment is that it does the management on dumb disks. Because they don't have enough space to store custom drivers? No, there are standards, they've had that code in previous devices, and they have plenty of processing and memory.

If their disks are wonderful disks, they can advertise and sell them. If the price comparison is as you state, they'd likely be successful. They could probably get a bunch of business from customers buying NAS boxes and disks together, since that means a single place for warranty claims and support requests. They don't need to lock down the system to get that business advantage. Nor do their customers need to be forced into the option since many will do it anyway and, if it is better quality, many others will follow.

Re: Mozilla good, Apple bad

"The truth on the Cupertino end is that Apple doesn’t want to allow hardware interaction because it makes PWAs useful enough to act as a viable alternative to native apps from their App Store. Anyone who grew up with addictinggames and newgrounds knows what WASM+WebGL+WebUSB can do for those who want to build 2021’s equivalent of “free flash games” without the walled garden getting in the way."

The important part there is WebGL. Which Apple supports already as they were part of the initial development group. The second-most important part is WASM, because some of the games won't get enough performance from JS. Apple supports that already too. The only thing they don't support is the USB API. And you can only attach USB devices to the computers which have USB ports, which are also the ones which don't require apps to go through the App Store. IOS devices do have the store requirement, but they don't really have much in the way of USB support anyway. So perhaps your accusation is a bit premature.

Meanwhile, there are APIs to get keyboard, mouse, and other peripheral input. They don't need access to USB devices to do that. The quote in the article about implementing custom logic for old game controllers is pathetic, because nobody is going to include a hundred drivers for game controllers, all written in JavaScript, in a web game. That API's in here so Google can do everything from a web app, and while I don't think they have a nefarious purpose here--Chrome already has access to system-level USB if it wants--they haven't put a single thought into security vulnerabilities. Which there are, a lot of them. USB is used not only for peripherals but for some system components as well, more so on laptops. The attack surface is incredible.

Re: Fork it!

You can do that if you think the UK government will do a better job than a group of people replacing current leadership. I'm guessing the people trying to change the people but keep the structure either believe the government won't help resolve these problems in a timely fashion or would make things worse.

Re: Numbers

"I would argue that you should never use percentages to indicate an augmentation or reduction of a number which is itself a percentage. If you say "50% higher", it can mean from 2% to 3% or from 66% to 99%."

That's a problem with percentages in any use case. 50% could also be the difference between two units and three units or 30000 and 45000. It's a tool for multiplicative comparison, whether it's a rate or an amount, you can use it badly. And yes, there's an XKCD for that too. If you don't like that lack of clarity, don't use percentages for comparison.

Re: Investors

It's a pretty normal investor tactic. They take risks in the hopes that the possible but mostly unprecedented thing doesn't happen and they reap their rewards. For example, they invest in the newly public Saudi-Aramco even though it's majority owned by the Saudi government and keeps not appearing on international stock exchanges; they hope that Saudi Arabia won't decide to ignore them later. Or they let Facebook and similar companies change the way voting works so that their founders have total control over the board even when they don't own a majority of the shares. They take the risks that the companies might do something dangerous, like incurring a really big fine by breaking the law while not allowing investors to do anything to stop them. Investors take risks. It's how they work. Some are willing to take very large risks.

"The core processing on x86 is still 32-bit which is why everyone in the world didn't have to recode their app in order to work at all on x86-64."

That's not really how I'd phrase it. AMD64 can run 32-bit X86 code natively, but that doesn't make it 32-bit. If you compile for AMD64, you use 64-bit capable instructions, which this has. It's not just a 32-bit processor with larger addressing. So I'm not sure what you're trying to say with the part I quoted. I have two ideas:

1. "AMD64 is 32-bit even when you compile to its ISA natively": That's incorrect, but I don't think that's what you're saying.

2. "It would be better if the transition to 64-bit required everyone to recompile for it so we got the benefits faster": I get the idea, but I don't know that it's been a major problem. We've had 64-bit desktops and laptops for over a decade now, and you can pretty much guarantee that most users today have a 64-bit OS and most of the performance-sensitive programs they run on it are also 64-bit. The occasional old or small program still runs under X86, but that's only a problem if it will actually benefit the user by using the faster instructions or more memory. Quite frequently, such programs don't need to be that fast.

For that matter, we also have ARM64, which is like AMD64 in that it can coexist with previous versions of the ISA. Still, most mobile devices that are powerful enough (phones, tablets, not the SOC running the embedded devices), are using a 64-bit OS and apps compiled natively to it. ARM is even planning to drop 32-bit support in their next range of high-end cores because so many people never use the 32-bit capabilities.

Meanwhile, the ability to run stuff without having to recompile it means people will adopt 64-bit hardware faster. When the software supporting it comes out later, they already have the ability to run it, and having the hardware themselves, they can also compile and test their stuff to run under it as well. The overlay method makes some sense given those benefits.

On the CE devices I have used, they had a button, either hardware or on-screen, which would close the active window, or sometimes it would close the entire application. Never could be sure until you pushed it. If that button didn't eventually close the application which was rare, there was always an exit option in the menu.

I once had the opportunity to use a Windows CE device with a full keyboard and reasonably-sized screen. It was surprisingly usable and like desktop Windows, even though it had only about 128 MB of memory for the OS and all user files. Then again, I didn't try anything all that complex. Still, I distinctly remember having a command prompt, C compiler, and Python interpreter, all of which ran pretty well such that I could write code on the mobile device if I needed to. I'd like to see a modern mobile OS let me do that. Then again, I doubt many people bothered connecting peripherals to turn a Windows CE device into a desk-bound machine.

Re: "such apps must be free"

I don't think it is a law. I think it's a rule they have set so that it's clear they didn't get paid to make the rule change. That way, if some app is found to be violating gambling laws, there won't be people claiming that Google must have turned a blind eye to keep up a commission. Unless recent cases succeed in reducing Google and Apple's level of control over their stores, they are allowed to set some rules for any reason or no reason at all.

Re: Well worth it?

I don't mean to accuse you of doing it deliberately, but there are those who do it a lot to distract from the actual point, and it still doesn't matter. The difference per week is £3.65 (£4.93 vs £1.76) or, in other words, a factor of 3.86. That difference, over the life of the product, is £570. Either you are willing to pay £570 more for the improvements or you are not. Whether you describe that as a single £570 payment, £3.65 per week, £0.02 per hour, or any other version doesn't change what the number is.

With that in mind, the most honest way to describe the difference in my opinion is how the cost will be paid. If the person actually pays a bill each week, that might make sense since the person could consider the weekly payments in their budget. I've never seen that. I've only seen per-month contracts, usually with subsidized prices or sometimes with overinflated prices when the open market has discounted the device. I think most purchasers considering this debate are going to purchase outright. In that case, the difference is £570, clear and simple. Dividing the price per week only helps if the consumer has the choice to pay it for a few weeks, decide against it, and pay a lower amount for a different product. They can't, so in my view, the division holds no value.

Re: There is no free lunch

Yes, there is a difference. Facebook doesn't limit its tracking to things I do on their platform. They will track me and everyone else who doesn't have an account as we use other sites. They will buy up companies we may have used (who here used WhatsApp pre-facebook and doesn't anymore?) to get more data. They'll excavate others' data and collate it about me. They will use that data to mess with my friends who have accounts. And they will try to weaken a technical privacy measure that could help me from them and others for their own bottom line. I don't have to have an account for all of that to be done to me, and Facebook is the culprit. That's what gives me the right to complain about Facebook. I never agreed to any of their activities and they came after me anyway.

Re: Bounds checking is necessary but has a performance hit

Exactly. That's a benefit. If you get a clear error case, you A) don't have a security hole and B) it tells you exactly what the problem is and you can now fix it. It won't automatically fix it for you so it works, but it prevents it from doing unintended or intended damage and makes it more obvious. It also makes it a lot easier to find the issue by fuzzing, because there are some cases that won't make it segfault but every out of bounds would trigger an exception.

Re: They’re now inserting ads in the middle of the comment stream

BTW did I miss the coverage of the Sonicwall hack on here?

The one in this week's security roundup article or This one from October? They could have made a full article about this week's, but they do have a section.

Re: Kinda similar happened to me

When the same happened to me, the professor dying during the summer apparently without warning, they just cancelled the class. We all had to quickly find a replacement, and given that registrations were typically done four months earlier, choice was somewhat reduced. I don't think they ever offered that class again either.

Re: So much for the experts

There are computers at the universities, and there is a lot of competition to get the few places in the elite. If a student wishes to do well and not end up as a construction worker in the military, they have to be exceptional at something the state cares about. Those things include a variety of natural sciences for manufacturing innovation or weapons development, computer science (now, it took a while), and things that you can compete about or exhibit for external propaganda. People don't generally get to apply for roles in the government that require social sciences (E.G. diplomacy or administration) unless their family is already there, so few need to study things relevant to that.

I'm guessing you have a certain amount of computer skills because you posted here. If, during your youth, you were faced with the choices become really good at that by spending no time on anything else, become very good at nuclear physics, become a really good musician, work in manual labor at 600-700 grams of rice (if you live in the nice places, otherwise it's the same amount of a grain with less caloric content), or die, which would you have done?

Re: Enough all ready...

"Whilst what they did was very badly explained when it was introduced, the "throttling" actually allowed people to continue to use their phones for longer than they could have otherwise (i.e., when they battery was so badly worn that heavy use of the phone would cause it it reboot)."

For context, I have one of the affected models. The following are true:

1. The first unexpected reboot I know about occurred a year or so after purchase. It's not possible for me to check if any occurred beforehand.

2. It applied the performance decrease then, which I normally don't notice but sometimes it's clear.

3. I never turned off the slowing feature. I figured I could live with the performance decrease.

4. It still shuts down unexpectedly, and actually somewhat frequently. Battery level measurement is unreliable and sometimes it will shut down when the battery supposedly has more than half of its life remaining. It will then not turn on again until connected to mains power, and it will report a very low battery level then.

5. Apple-authorized service providers tell me that they can't replace my battery yet because the battery health percentage needs to be at 79% or lower. It has been stuck at 81% for months.

6. I have no method to measure what the faulty battery has done to the performance or the reliability because the only metric is a never-changing number.

Now you are probably right that, had I disabled the throttling, I'd have to deal with even more crashes and worse battery life. That, in my mind, is no excuse for the problems caused by their failure to consider how much power they need a battery to give. I am out of warranty, so I can't require them to fix the problem, but I do view it as the fault of their design, and it does cause problems. Fortunately, I don't rely on my phone very much, so it crashing and requiring a wall connection is simply an annoyance. For others, it may be much worse.

Re: I'm confused

They think people should be able to do that with HTML. Because there's not that much risk with HTML. Sure, you could copy a link to something malicious, but it wouldn't serve any purpose and you would change it. You can't do that with the sites which construct themselves from JS, because A) you don't understand what most of that is doing and B) almost certainly the new page wouldn't work, especially if the JS contacts some other system. Their comments are limited to HtML.

Re: Interesting

I think it's probably good. Mozilla can't take this money and spend it on something else. That means we don't have to worry about Mozilla failing to support the documentation and any company which doesn't trust Mozilla can still donate specifically to support the docs.

Given what we know about their finances, the claims of problems are not always proven true. Last time they claimed a budget problem, they killed the security team then got the same Google funding they already had, leading some to wonder if they just wanted to kill the security team and perhaps have more money for something less important. At some point, it's useful to decide how you want your donation spent if you're unsure you can trust them to allocate it. Meanwhile, Mozilla still maintains ownership and control; the extra organization merely maintains it with a chunk of cash, but can't override Mozilla's instructions on the docs let alone anything else.

Re: Nothing happens by chance in a plandemic

"I expect that at the event 201 planning sessions they realised a need for deniable covert monitoring of targeted households. Pre-installed “Russian” spyware (yet again) kind of gives the game away, they probably paid extra for it."

I was at the planning meeting and I can assure you that's not what happened. Why on Earth would we at the Secret Control of Everything Ha Ha Ha Agency (SCEHHHA) use known malware to spy on people? We're smart enough to know that's going to get spotted. We used spyware we had written ourselves, which got installed onto a secret chip inside each laptop. Then, we passed the infected machines off to the standard technical division and they flubbed it by not checking their system image. Now people will be going through those machines with a fine-toothed comb looking for other malware and someone will eventually find our stuff. We're foiled again. Of course, given that we do have enough control to do that, I have to wonder why we bothered so hard to infect some laptops going to the houses of poor children. After all, we also have SCEHHHA spying software on all ISP-required hardware released since 2012 and all modern electricity suppliers' equipment, so you'd think that would be enough. But you know what happens when someone at the top comes in and tells us we have a real reason to secretly track a subset of the population and we should design a new custom tracker, so we did this one too.

Also, do they want to tell us what was done and why? So far, all I know is that hard drives got wiped. I'm guessing that was to destroy the evidence from something else, but I don't know. Do they not know either? Or do they have an idea what happened? Or did this guy just like erasing drives and ran out of machines so stopped by? for now, I see little sophistication in the attack or the reporting.

Re: Debian is for left-handers

"An operating system is a way of making computers work. There aren't different kinds of OS people except by preference."

Entirely correct. You have preferences including the following:

1. I want it to boot up with everything working and I'm willing to accept anything for that to happen.

2. I want to control everything and never have the OS do something without telling me.

3. I want to have the OS handle all situations without requiring technical knowledge, even error cases.

4. I want all the code that runs to be code that I can and have the right to modify.

5. I want to take some of the parts and swap them out.

6. I want there to be a convenient support line for any problems.

7. I want it to run a piece of software which only works on <insert OS name here>.

When preferences conflict or are just difficult, different options come up. One OS can't easily do all of those things, especially when the additional preference "It shouldn't cost more than the computer itself" is added in. So developers decide which preferences they care about and make an OS for those. People with the same preferences use it. People with different preferences find an OS that works with those.

Re: How long is a man-year?

We don't know the length of those files. If they're very long, and people have been writing them for years, the time could add up. Also, I'm guessing they have just included all hours worked by the people on the development team who do that, so it's rough. Still,, without knowing the complexity it's hard to know if that's realistic or not.