* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

As Uncle Sam continues to clamp down on Big Tech, Apple pelted with more and more complaints from third-party App Store devs

doublelayer Silver badge

Re: Another reason why

Not all of that is correct:

"You should check out the Libren brand of smartphones"

Brand is Librem, not Libren. Also, they have only one model of phone.

"by Purism of India"

Purism is based in the U.S. San Francisco, to be exact. Manufacturing for the phone is done in China (or optionally in the U.S. if you're paranoid, have a ton of money, and haven't actually considered whether built in the U.S. fixes your paranoia problem).

"that have a physical kill switch to turn off the phones GPS chip, cell chips and camera chips when those functions are not in use."

Actually, the killswitches work on the mobile chip, WiFi and Bluetooth, and cameras and microphone respectively. GPS is disabled by a separate software-controlled circuit when all three switches are disabled.

doublelayer Silver badge

Re: These developers seem to forget what some users want

I like Apple's software (some of the time), but let's be honest about it. The comment here is not honest.

"I kinda like how I have a device where I’m able to block third party ad servers comprehensively by default across all apps without having to sacrifice security or vendor support (for example)."

Implying that Apple makes this easier? They don't. I can do that on anything. On device or not. Android has firewall apps. Any desktop OS gives me a lot more control than either popular mobile OS. Apple doesn't even write that software, so why are you giving them credit for letting you run software that runs everywhere?

"I also like how I don’t have to give my card details out to every Tom, Dick and Harry and how I can see every subscription in one central list with the ability to cancel without losing immediate access for the rest of the period."

It's so terrible having to give payment details to people when you want to buy their thing with money. There are one-time credit card numbers you can use to ensure they can't charge you unexpectedly or lose data in a hack. I'm sure it's nice having everything in one place, but just because it's convenient for you probably doesn't justify to others paying Apple for the minor convenience when the heavy lifting is done by the developers.

"Do these greedy developers ever think that as a user, I might want centralised controls?"

Let me ask you a question. Why are the developers greedy? Because they don't want to pay Apple a big chunk of their revenues? When it's the developers who make the apps which make Apple phones valuable (some competing phone OSes received good reviews for OS design but failed to sell because apps weren't there)? The app developer writes the code, makes the content that makes the code useful, maintains the infrastructure that the app uses, all of that. Apple provides a place to download the app package. That's all. No, Apple can't claim that they're charging developers for all the work on iOS, because the users are paying for that when they buy iOS devices. The users get those advantages, not the devs; a new iOS feature doesn't help an app developer as much as it helps a user.

"Besides, people can say what they will about App Store practices, but their approach does have some serious advantages as a result of Apple pushing developers to use consistent development methodologies."

They don't really do that all that much. There are so many different frameworks in use to create iOS apps. Most of them are popular because they allow a GUI to be created once and run on iOS or Android. Apple doesn't prevent anyone from using those, nor has it done anything to improve them. An app can look nice or not as its developer likes, and it will get through review equally well.

The rest of your comment, talking about security, is pretty good. I think that's a fair area to give Apple credit. In almost all cases though, none of those security benefits come from restrictions on developers. iOS can get security updates equally well whether they let in an app that accepts payments or not. Mac OS can sandbox data on disk just fine if the apps get downloaded from the internet. I give credit for those admirable accomplishments to those who accomplished them: the OS developers. Not the App Store review team.

doublelayer Silver badge

Re: Its about the money

However, that's not how breakups work. They don't say "You're a big company and you abused something, so we're going to bring in some wedges and break it into chunks along existing boundaries". Instead, they find the places where abuse occurred and break along those boundaries. Separating AWS from Amazon shopping would happen if, for instance, Amazon didn't agree to sell a product if it used a different cloud provider for its support system, but that's not how that went. The abuses that are most often used as ammunition are that Amazon's shopping system gives Amazon a bunch of data about other sellers which Amazon then uses to compete against those sellers. The boundary where the break would happen should a case on that basis succeed is the boundary between the Amazon store system and the part which makes products, including Amazon basics and a few other lines.

The same general rule applies with other breakups too. If Apple gets broken up, they're not going to make iPhone Inc and MacBook Inc. They'd make Apple the hardware and OS people and a separate App Store runner. Or maybe they'd leave Apple as it is, with App Store intact, but demand that others can also run stores. Or maybe they'd accept Apple's arguments about the single App Store being a feature but make them change rules and tactics that were abused before. If Facebook were broken up, it wouldn't be small social networks with subsets of the previous members. It would be into Facebook, Instagram, and WhatsApp as separate entities. It all depends on the argument being used to prove an anti-competitive abuse of market power; if the courts agree, the action taken is designed to stop and prevent the abuse in the argument.

doublelayer Silver badge

Re: Idiot dev

"This is why Apple do not allow it. This is why they make it clear in the license."

I'm sorry, but they don't forbid a trial period. Here is a section of the article:

"The creator was told he had to roll out a payment system to make users input their credit card details before signing up for the trial period. There must also be a specific time limit to the pro version of the app, and once that period was over it must charge its customers money. To get out of it, users would have to explicitly cancel their subscription or else it would keep billing them."

This section outlines what Apple accepts. As you can see, it includes a trial period. Trials are not what they object to. What they appear to object to is that the user would have several chances at a trial. Perhaps instead it's that the app isn't using a subscription model which would earn them revenue. Either way, Apple doesn't seem to have a problem with the trial model as long as it only happens once and customers are enrolled into a subscription beforehand. The second part of that could easily be seen as self-serving.

You might not like trials in software which expire. If Apple forbade them, you might have a leg to stand on. They don't. In my opinion, there is no good excuse to forbid that anyway, but we don't have to have that hypothetical discussion, because that's not what happened.

The curse of knowing a bit about IT: 'Could you just...?' and 'No I haven't changed anything'

doublelayer Silver badge

Re: Firewall vs router

At the office, the network admin is someone who was hired specifically to do that, the computer I'm using isn't mine, the information I'm processing on the computer is information the company already has, and there's a way to deal with a malicious admin by firing them. An ISP has none of those conditions, so their stuff gets a data stream from a single downstream device which does everything else. Also, any ISP which lets me bring my own equipment without anything from them gets a leg up if I have a real choice to make.

doublelayer Silver badge

Re: Sorting other people's stuff

Good advice. I can definitely recycle them if needed, and if it's old enough, I do so. The problem for me is the ones that are new enough that they'll run modern software (very well if it's Linux, but Windows 10 will work well enough until too many other programs are added) but old enough that the specs don't sound modern. I don't like to recycle something in such good working order until I've failed to find anyone to reuse them.

doublelayer Silver badge

Re: Sorting other people's stuff

This is a very good thing to do when people want to get rid of things. Although it helps to have plans for how to deal with the machines afterward. I've recycled machines so often that the charity I used to donate them to has had to tell me that no, they don't want any more computers. It probably doesn't hurt that I've been maintaining the ones they have too so they're also lasting a lot longer. I need to find a new place that wants them. I've tried selling computers on occasion, which sometimes works, but the older ones don't always go as fast as I'd like.

And now for something completely different: A lightweight, fast browser that won't slurp your data

doublelayer Silver badge

Re: Not Free

Private browsing and Tor are not defenses against JS. Only blocking JS is a defense against it. Depending on the level of worry, it isn't necessary to always do so, but let's quickly review what each of the defenses does and why they're not doing anything about the risk of dodgy JS.

A private window isolates the loaded page from certain data the browser holds. It prevents the server from getting cookies or other browsing data, and it prevents the loaded page from persistently storing that stuff. It doesn't do anything else. Cookies are a server-side tracking thing, not a JS tracking thing. Most fingerprinting techniques implemented with client-side scripts access information which isn't stored in the browser. For example, fingerprinting a device based on system state or capabilities. Blocking it from cookies won't do anything to prevent that.

Tor is even less a defense against client-side scripts, although if you're using it, you probably want to avoid JS too. Tor is a way to redirect traffic through a network of relays such that the place you contact doesn't know what you're looking at, the final site doesn't know who you are, and most observers don't know what you're doing. It protects data in transit, but it will protect that data equally well no matter what it is. Crucially, it does not protect data on a computer. If a script is part of a site, Tor will not prevent it being sent. If that script collects information from the system, Tor will not detect or prevent that collection. If the script contacts a remote server to upload the collected information, Tor will happily pass it through. Tor is a network-protection system, not an endpoint-protection system. If you want privacy enough, go ahead and use Tor and also disable scripting when possible; the former does not do the latter for you.

doublelayer Silver badge

Re: Not Free

I agree with you about most autorefreshing pages. They're quite annoying when they don't need to refresh. Sometimes, however, it is important that they do so. If any application is written with dynamic information, it probably needs to update or at least warn people about the fact that it hasn't.

Consider a simple system I wrote for someone. There is a form for user requests which includes various details including the time when the request must be completed. The backend lists all known requests, sorted by time, color-coded for urgency, with a field for time remaining, and buttons to mark the request as in progress or resolved. This needs to update itself so that new requests are seen, urgency is updated, and multiple users can mark requests as resolved and have all the participants know about it. If it didn't stay updated, people might duplicate requests, ignore one which has become urgent but wasn't when the system originally loaded, etc. Now it doesn't have to be a website, but something this simple might be done that way just to make things easier.

doublelayer Silver badge

Re: Folded content in raw HTML

Yes, this is a thing now. This makes it easier to do that particular example. What's worth keeping in mind is that this set of tags is rather new, and for many years, it wasn't available in plain HTML. For a similar reason, HTML5 can embed video really easily, but it still took a while for competing video embedding to die because HTML was so late to the party. JS used to fold or unfold sections will probably die eventually too, but it was necessary so long that it has taken over other things.

doublelayer Silver badge

Re: Not Free

Sort of, but not really. With CSS scripting, it's possible to get a browser to collapse a section for you. However, it takes many lines of CSS and many sections for each collapsible area. Do it wrong and browsers will get lost. For example, one way I've seen it done will trip up anything automatic reading a page. That includes bots, which you might not care about, but also includes accessibility software. Don't care about that either? Depending on how it's done, it can also find its way into things if your user copies and pastes from the page or converts it to a PDF. Meanwhile, JS code that can collapse areas is really simple. Three lines of source at the top makes it available, and a single link or button can be dropped in to do the job.

doublelayer Silver badge

Re: Not Free

JavaScript is really useful in some cases. Without it, pages can't do some things that users expect. Then, since the developers already learned JS so they could do those useful things, they try to write everything else in it too and create a monstrosity. That's the short version, but if you're interested, the slightly longer version is below.

Without JS, HTML is basic and static unless the user fills out a static form and submits it for a new page. A lot of the internet can work like that. News sites like this one, for example, really don't need much else. However, there are some things that aren't very complicated to implement but can't be done without scripting. A basic example is dynamically showing or hiding content. Having a button which allows a user to collapse or expand a region means that the page can have lots of things on it without requiring the user to scroll past irrelevant things, but HTML itself doesn't do that. JS can also provide basic data checking for forms, so it prevents users from submitting invalid forms all the time. And if you've ever used a table which can be sorted by clicking the column headers, that's JS doing the sorting*. Initial site developers wanted to do things like that, so JS took off. Later on, JS could also be used to keep a page updated even when data changed at the remote server without making the user refresh the page all the time. As you might imagine, users were pretty happy that they could have tabs open and see updates without having to remember to refresh them manually.

These uses for JavaScript are not necessary, but without them, some sites would be less organized and inconvenient to use. Users would prefer a control panel which is on a single page which can unfold sections when desired and updates dynamic information automatically over one which uses fifty subpages so the interface can fit on a screen and requires the user to refresh every five minutes. However, devs who knew how to do that started trying to do everything else in JS too. Why do the work of writing the HTML so that it at least renders when the JS doesn't run? They instead used someone else's library to do the rendering. The library, trying to be generic, was written in JS and writes most of the HTML when initialized. Without it, a framework page is all that's left. Or they realized that a JS page allows them to collect more information about how people view the page than a static one, so they include tracking scripts as well. It also allows them to embed things from other places by dumping in a convenient script; the other places are usually happy to do so because that gives them the ability to add in their own tracking. In a few quick years, JS had changed from something allowing a page to move around content to better serve the user to something slowing down every page and making it impossible to know or trust what was being done on the computer.

*Table sorting: Making the server reload an entire page just to sort a table is possible but rarely done.

Everybody's time is precious, pal: Sometimes it isn't only the terminals that are dumb

doublelayer Silver badge

Again, seems unlikely. It's possible that this had happened, but there are several good reasons in my mind to think that it did not. First, the modem has to be near the terminal anyway, so there's a limited amount that can be done. Turning it around helped in this case, but if that wasn't helpful, there's not really another good option available. Second, the content of the call does not lead to that kind of solution. The caller complained that the network had failed. Not that it repeatedly failed requiring a long-term solution, that it had failed this particular time. If I have to solve a "this broke" problem, my solution is "fix it now". If I have to solve a "this keeps breaking" problem, my solution is more likely to be what your idealized client would want.

In any story like this, where the user is always stupid and the IT person always figures it out, it's always possible that people are lying. Maybe the user figured out the turn-around procedure and IT is taking credit. Or maybe the call never happened and someone made it up to tell the story. These things don't sound likely to me though, because we've all experienced people who act like these characters. I've seen people who didn't understand seemingly basic things, or who got irrationally angry at someone solving their problem. I've also seen IT people break a system through incompetence and blame the client. Both happen. The general story therefore doesn't sound implausible to me, so I'm likely to consider it genuine. If I assume that the information we have is truthful, I must conclude that the client is entirely at fault and could easily have stated the problem differently and politely if they knew it (which I doubt they did).

doublelayer Silver badge

"I'm not going to put the blame completely on the user for this one. Particularly if the user hadn't been allowed by management to move the modem, and by having IT show up and move it he actually got the problem resolved in a more durable fashion."

This strikes me as very unlikely. Sure, IT can be annoying about telling people not to do things ("No, you may not come into the server room and move the wires around even if you think you know that it will help", "No, you may not open the network cabinet and force a power cycle by pulling the power cable just because something sort of network-related isn't working and that works at home"), but I don't really think anyone in management would have a regulation about turning a box on your desk around. They might suggest you not do it in case it made things less organized, but it's not hard to do it anyway and claim an IT person did it. Also, I don't think anyone would notice or care.

Meanwhile, the call described in the article is a very stupid way to handle a hypothetical situation as you propose. If you want IT to confirm that the box can be turned around, it would be much more helpful to remember this and ask them when they're already there. Ranting at the IT person who is suggesting how to fix the problem just makes the caller look like a jerk. If I had been called out like that, I certainly would not have turned the box around; I'd have flipped the switch and left. Problem resolved for now. No reason for me to make things easier for someone who won't do what they've been told (correctly) will fix their problem, shown me profound disrespect, and didn't even think about the inconvenience of making someone come in a rainstorm to do something unnecessary.

Yes, Microsoft Access was a recalcitrant beast, but the first step is to turn the computer on

doublelayer Silver badge

Re: I'd be shocked if ...

And what would that have been? No matter what database server you use, the machine running it has to be turned on. There are two good solutions to this: a server in a place where you can't easily turn it off and a redundant server which can withstand one being turned off. Either approach costs money and causes extra complication. A standard small business has tons of single points of failure. The network connection to the office might get severed. Power to the office might fail. A water leak could force an evacuation. Someone might forget the key to unlock it while the person with the other key is off on holiday. Each and every one of these will break the workflow more than a database going down, but somehow the database needs to be more resilient anyway?

My website has raised its anchor and set sail into the internet oceans without me

doublelayer Silver badge

Re: Nether web

Of course it's not. It's a basic bot that only collects pages in a certain order if it can find accesses to them, sometimes forgetting something or following a zombie link and filling the database with garbage. But you find me anyone else who does anything remotely as good. Google might have it, but I can't exactly use it for my purposes. Similarly, I have some pretty intensive crawls of a couple sites which were important to something I was doing at some point, covering about 0.0000003% of the internet (only static files). Only the Internet Archive really has anything like it available to the public and offering general coverage.

And you thought that $999 Mac stand was dear: Steve Wozniak's Apple II doodles fetch $630,272 at auction

doublelayer Silver badge

I can't say I have. Among other things, I can see a diagram of a proto-submarine on a monitor with equal clarity to the paper. I can't do that with a painting or tapestry, which is why I consider them different. Also, that is a diagram which the general public can easily grasp. The papers in this article are very different, and include such details as "five pages of circuit schematics and notes on sheets of graphing paper; six photocopied pages headed 'Bus Sources,' 'System Timing,' 'Display,' 'Sync Timing & Adr. Gen,' and 'Timing,' featuring several annotations; and a 12-page handwritten programming instruction guide consisting of 28 detailed steps." Those things, to me, don't sound special enough that the original is any more special than a copy, especially as a quarter of it is already copied. That's just my opinion, but if I were setting up a museum, I wouldn't be at all concerned with getting the originals and I might not put all of that on display at all, instead opting for the suggested exhibit in my previous comment with a web address available for interested people to read them at their leisure.

doublelayer Silver badge

I see the point, but I don't know if that matters all that much. A museum holding an original painting can at least show something beautiful to its patrons. A museum holding an original circuit board doesn't look very different from a museum holding a reproduction of the circuit board, which shouldn't be that hard to make. Better yet, a museum holding a reproduction of the circuit board in a glass case and an emulator of the running system next to it, perhaps running software from the time. That would probably be more interesting and educational to patrons.

It's even less necessary when the item is a bunch of papers that had engineering documentation on them. Most patrons won't want to read all of that anyway, and even if they did, are you going to post them all on the wall? I'm guessing we already have pretty good scans of those which can be published online (or if you insist next to the reproduction and emulator).

Elon Musk says he tried to sell Tesla to Apple, which didn’t bite and wouldn't even meet

doublelayer Silver badge

Re: Offered to sell the company for 1/10 current market value

Sort of true, but limited. Apple's cash did bail out the commercial failure that NeXT was going to be, but Apple also did that because they needed something that basically only NeXT could and was willing to provide. Their OS was too limited and, in their mind, in need of replacement. Writing a new one from scratch would have taken too long to finish, so they shopped around for companies which already had a new OS they would view as an improvement. NeXT's eventually won out for various reasons including its Unix compatibility. So Apple was looking for what NeXT could provide at the same time as NeXT was looking for a bunch of needed cash. In Tesla's case, they were the only one looking around; either Apple wasn't really building a car in which case they didn't need Tesla, or they're already working on their own so they didn't need Tesla. Either way, this one is a lot more one-sided.

Search history can calculate better credit ratings than pay slips, says International Monetary Fund

doublelayer Silver badge

Well spotted. I wasn't very familiar with SNI's details and got that wrong. Thanks for the correction.

A few other methods of identifying a site I didn't think about last time include checking for differences in transfer sizes that might be connected to cookie usage, tracking frequency of requests to identify how much active content is on the page being accessed, checking packet latency and overall transfer speed to get information about the server and whether it's under load or not (this may make it easier to identify), or cross-referencing with other users' traffic which may be less secured.

doublelayer Silver badge

For now, they know:

1. The DNS queries for the specific domain and all the domains it pulls in. Until DoT or DoH, they'll keep having that.

2. The SNI requests which contain the domain name and the first page URL you request. If you type in a domain name, they get it and "/". If you click a link from a search engine, they get the whole thing. Until ESNI or one of the other suggestions takes effect, that will be available to them.

3. The destination IP. This may be a CDN, but not always. Plenty of people use a server dedicated to network requests which makes it obvious who runs it. Others will run multiple sites on a single server but not on all the other servers, meaning that only that server needs to be interrogated to figure out what the possibilities are.

4. The size and timing of requests. They probably don't go this far, but if they have a server to test, they can try certain likely pages until they identify the one requiring the right number of assets from the right locations. Sites that bring in images and scripts can fingerprint themselves in that way.

Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ

doublelayer Silver badge

Re: "Or do all Russia-based hackers sit in the pocket of Kremlin?"

"'Fingerprints' is very vague and hand-wavery. An example or two would go a long way..."

Examples of how attribution is done include things like these:

1. Does the code look like stuff you've seen before? At a basic level, is there an exploit that someone has used before but few others know about? If so, it's more likely to be them. At a more detailed level, drill down into the assembly and look at modules. Stuff gets reused or updated. Even a pattern of names may be illustrative. There is usually not a need to go to sufficient effort to change your entire coding style to frame someone else. If you've developed a great file spider that can quickly identify stuff of interest for exfiltration, you might decide to put it into multiple malware distributions rather than rewriting it from scratch; if your obfuscation isn't good enough, that may link them both. Attribute one to you, and the other connects too.

2. How did the code get onto the victim's systems? Was an exploit used? How about a botnet? Who do we know who has done that before? If we have a location of the source, what do we know about it? Who purchased the server? Do we have any information from historical network scans? Sometimes people are careless and information they didn't think about ends up coming back to name them. For example, people who set up fake servers sometimes forget that, even though they change the information later, the provider has the ability to recall the information they put in originally. The original Silk Road Tor drugs market was partially taken down due to its founder putting his real name in a related account.

3. Once it was there, how was it controlled? Do we have logs showing a human acting? Maybe it crashed and restarted from a manual command. What do we know about the location of control? For example, some government-backed APT groups operate on local business hours. While it's not impossible for someone else to only work 9:00-17:00 Moscow time and take off Russian holidays, there's little reason for them to disrupt their schedule. When you notice that it happens, chances are you've at least located the attacker's time zone and that it might be an organization doing it.

4. Who has used the malware for benefit? Not necessarily always available, but have they extracted data and used it somewhere we know about? For example, if you were attributing an attack on a website to a group, finding the database's contents for sale at least gives you two targets to investigate, the attacker and the seller. They might be the same, but even if they're not, they probably know each other.

5. The old-fashioned return the favor--someone knows what APT29 is up to, and I'm sure the NSA would like to hear about it. We don't know how hard the NSA has tried to gain access to various places where such information is available, but they must have tried and probably have access to some of it. This isn't available to everybody, but in a government hack, there will be a lot of government investigation of what happened.
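Added example, not part of the post above: a sketch of the working-hours check from point 3, scoring each whole-hour UTC offset by how much operator activity falls inside a Monday to Friday, 09:00-17:00 local window. The timestamps are constructed sample data and the function names are hypothetical; a matching offset is shared by many countries, so the result narrows the field rather than naming anyone.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 9, 17          # 09:00-17:00, the window used in the post
BASELINE = (5 * 8) / (7 * 24)         # share of a week inside that window (~0.238)


def in_business_hours(ts_utc, offset_hours):
    """True if the UTC timestamp lands on a weekday inside the work window
    once shifted to the candidate UTC offset."""
    local = ts_utc + timedelta(hours=offset_hours)
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END


def score_offsets(events_utc):
    """Map each whole-hour UTC offset (-12..+14) to the fraction of events
    that fall inside business hours at that offset."""
    if not events_utc:
        raise ValueError("no events to score")
    scores = {}
    for offset in range(-12, 15):
        hits = sum(in_business_hours(t, offset) for t in events_utc)
        scores[offset] = hits / len(events_utc)
    return scores


def best_offsets(events_utc):
    """Return (offsets tied for the top score, that score). Ties are kept
    because neighbouring offsets can fit sparse data equally well."""
    scores = score_offsets(events_utc)
    top = max(scores.values())
    return [o for o, s in scores.items() if s == top], top


def constructed_events():
    """Constructed sample: hands-on-keyboard events logged in UTC.
    Forty events on five weekdays plus two off-hours outliers as noise."""
    monday = datetime(2021, 1, 11, tzinfo=timezone.utc)
    events = [
        monday + timedelta(days=day, hours=hour)
        for day in range(5)            # Monday to Friday
        for hour in range(6, 14)       # 06:00-13:00 UTC
    ]
    events.append(datetime(2021, 1, 16, 20, 0, tzinfo=timezone.utc))   # Saturday evening
    events.append(datetime(2021, 1, 13, 23, 30, tzinfo=timezone.utc))  # late Wednesday
    return events


if __name__ == "__main__":
    offsets, top = best_offsets(constructed_events())
    print(f"best offset(s): {offsets}, in-window share {top:.2f}, "
          f"uniform baseline {BASELINE:.2f}")
```

A top score far above the uniform baseline suggests scheduled, human-driven work; a score near the baseline suggests automation or activity spread around the clock, where this check says nothing.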

doublelayer Silver badge

Re: "Fingerprints" is very vague and hand-wavery.

Of course false flags are possible. They're tried all the time. They can be fiendishly difficult when it comes to an attack on computer systems because you are dealing with lots of variables and you don't know what others know about you. It's been done before, but it usually gets figured out fast enough. For example, when the 2018 Olympic games were attacked, it was first believed that a North Korea-based group had done it. A few days later, it was actually discovered that the first clues pointing to North Korea were shallow and didn't stand the weight of investigation, and most likely Russia had done it and attempted to frame the North Koreans. Further investigation substantiated those theories to the extent possible without anyone taking credit.

Attribution is tricky, but there are people who put a lot of time into getting it right. They can recognize little techniques or snippets, trace through records of systems used, and make a pretty good hypothesis. When one person releases a preliminary report calling out someone, they could easily be wrong. When several places all agree on who it was, they likely know quite a bit and have done their homework. While they could be wrong and eventually they will be about something, they're often right.

This product is terrible. Can you deliver it in 20 years’ time when it becomes popular?

doublelayer Silver badge

Re: Infra-red

But again, in that situation, it's the box on the television, not the remote, that's of concern. Whether the remote you use uses IR, Bluetooth, a custom RF protocol, or loud beeps for a microphone doesn't matter; only the Android TV box has the connection needed to snoop on them. The risk and therefore any remediation steps need to happen on the receiver end and the remote's implementation is meaningless.

doublelayer Silver badge

Re: Infra-red

"The best thing about line-of-sight remote controls is that they don't upload your button presses to a server in California."

That's what you think. Unless you have a WiFi remote control, the thing that you have to worry about is the device receiving the commands from it. Nothing prevents a television relaying your IR remote commands any more than it's not prevented from sending commands sent over an RF protocol.

GitHub will no longer present a cookie notification banner – because it's scrapping non-essential cookies

doublelayer Silver badge

Re: All websites don't really need third party trackers and services

"You can maintain state across a session using post or get variables."

But if you do, it gets painful. Whatever variables you use will end up clogging everything, from the user's history to your databases to all the HTML you send to them.

If you use get variables, the users' history, bookmarks, or shared links will contain a bunch of expired URIs which contain old session data which a) doesn't work anymore unless your server filters it out and redirects them to somewhere new which still works and is at least sort of like where they were at that point in history and b) may contain information that a user shouldn't be storing in their history. The second point can be thought of as the user's responsibility, but part of system design should be keeping data private even when it's not yours. If you instead use post variables, the user who returns to one won't have the issue of persistent storage of data but would likely get a warning from their browser that a post action will be repeated with possible consequences. This also doesn't fix the issue of having to handle links with inaccurate or missing parameters.

Meanwhile, you also have to have your system modify every element on every page to send the required data onto the next one. Turning every link into one which consumes parameters and passes them on and including hidden inputs which ensure all your parameters are in every form can be a large task which consumes resources, complicates the page, and makes your backend CMS a mess. If you don't do it, then a user who clicks on a static page which doesn't need the parameters but continues on from that page will find their session data has been lost.
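The failure modes described in the post above, shown as an added example that is not part of the original post: a session id carried in GET parameters has to be written into every link and form, is lost on a page nobody rewrote, and ends up in browser history and stale bookmarks. The parameter name `sid`, the host `shop.example`, the sample pages and the session store are all constructed for illustration.

```javascript
// Added illustration: session state carried in GET parameters.
// BASE, PARAM, the session ids and the sample pages are constructed values.
const BASE = "https://shop.example";
const PARAM = "sid";

// Server-side session store: sid -> expiry time in ms (constructed data).
const sessions = new Map([
  ["a1b2c3", 2000], // still valid at t=1000
  ["old999", 500],  // already expired at t=1000
]);

// Rewrite every same-site href and every form so the session id travels with
// the next request. This is the per-page work the post describes.
function propagateSession(html, sid) {
  const withLinks = html.replace(/href="([^"]*)"/g, (match, href) => {
    const url = new URL(href, BASE);
    if (url.origin !== BASE) return match; // never append the sid to off-site links
    url.searchParams.set(PARAM, sid);
    return `href="${url.pathname}${url.search}${url.hash}"`;
  });
  return withLinks.replace(/<form\b[^>]*>/g,
    (tag) => `${tag}<input type="hidden" name="${PARAM}" value="${sid}">`);
}

// Collect the hrefs a user could click on a page.
function links(html) {
  return [...html.matchAll(/href="([^"]*)"/g)].map((m) => m[1]);
}

// What the server has to do with every incoming URL at time `now`.
function resolveRequest(href, now) {
  const url = new URL(href, BASE);
  const sid = url.searchParams.get(PARAM);
  if (sid === null) return { status: "no-session", path: url.pathname };
  const expiry = sessions.get(sid);
  if (expiry !== undefined && expiry > now) {
    return { status: "ok", sid, path: url.pathname };
  }
  // Stale bookmark or shared link: drop the dead id, redirect to a clean URL.
  url.searchParams.delete(PARAM);
  return { status: "expired", redirect: url.pathname + url.search };
}

function demo() {
  const dynamicPage =
    '<a href="/cart">Cart</a> <a href="https://ads.example/x">Ad</a>' +
    '<form action="/search" method="get"><input name="q"></form>';
  const staticPage = '<a href="/cart">Cart</a>'; // served as-is, never rewritten

  const rewritten = propagateSession(dynamicPage, "a1b2c3");
  const history = []; // what the browser keeps (and what users bookmark or share)
  const visit = (href) => {
    history.push(new URL(href, BASE).href);
    return resolveRequest(href, 1000);
  };

  const viaDynamic = visit(links(rewritten)[0]); // session survives
  const viaStatic = visit(links(staticPage)[0]); // session silently lost
  const staleBookmark = visit("/orders?page=2&sid=old999");
  return { rewritten, history, viaDynamic, viaStatic, staleBookmark };
}

console.log(demo());
```

A cookie marked `HttpOnly` and `Secure` carries the same identifier without any of the rewriting, and keeps it out of the URLs stored in history.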

Stony-faced Google drags Android Things behind the cowshed. Two shots ring out

doublelayer Silver badge

Re: A thought

"Is there any point to Android other than on OLED/LCD touch screen phones and tablets?"

Yes. The reasons differ depending on what you're building, but there are a couple good ones. One is app portability if people other than you are going to write apps for the thing. This could be library services or ebook stores which write an Android app that runs on an ereader and supports their format or can download from their service. If all the ereaders use the same interface, they only have to write the app once. The ereaders likely don't, which is why there aren't that many apps like that, but it's a similar model with streaming video on smart TVs.

For TVs, a general smart TV platform is more likely to get support than a specific one. For example, one of my family members has been asking for my assistance because they've lost access to a television channel on their old satellite system and they want it back. They have a smart TV running some probably awful proprietary system and they also have another proprietary streamer stick which they can use. Neither of these does apps, so I've been attempting to look up whether either has a manufacturer-supplied app for something carrying the channel concerned. With something running a generalized platform like Android TV which can receive apps from people other than the manufacturer, the likelihood that there is something of use is higher. Certainly not guaranteed, but nobody's waiting on the Samsung television feature department to fix a smart TV eight years old.

Another benefit (this one for the manufacturer, not for you) is that Android has a bunch of developers and existing libraries. Linux does too, but for devices using a single screen and basic user interface, the Android developers are already familiar using Android's tools to write apps with that type of interface.

These don't make Android a requirement. A general Linux-based open TV or ereader platform would work well too. But we don't have those. Well, I think Kodi is kind of like an open smart TV platform but as I recall it has trouble with a lot of streaming services because of DRM problems. Nothing is perfect, and in this landscape often nothing is very good, but some things are less bad than others and Android can sometimes get things to the less bad point.

How to leak data via Wi-Fi when there's no Wi-Fi chip: Boffin turns memory bus into covert data transmitter

doublelayer Silver badge

Re: Better computer cases?

That sounds nearly untenable. For one thing, a smartwatch that can be used for the attack needs to be thoroughly reprogrammed. The controlling firmware needs to control the wireless receiver, Bluetooth or WiFi, with sufficiently granular control to make it use a completely different protocol. That's much easier to do with a watch you control rather than someone else's. It's also not easy to replace firmware on a device you can't compromise yourself; firmware updates for nearly every brand of smartwatch are signed binaries uploaded through an encrypted BLE connection. While not inconceivable, actually finding someone, identifying their device, writing firmware which can use the hardware and leave the device functional enough to fool its user, and uploading it without controlling the device itself or the phone talking to it are rather difficult tasks.

The real problem though is that, if you succeeded in doing this, it might not help very much. Watches are really small, so their antennas are short and their batteries can't withstand much use. This means that the range to receive or transmit from a watch is quite low. Also, frequent use is going to kill that battery. An attacker who knows that the watch is supposed to listen to a machine can place it close to the machine and remember to charge it frequently. Someone who doesn't know that is likely to be out of range a lot of the time and become very annoyed when their fitness tracker's battery life suddenly drops (it would be very noticeable). Even if they do succeed in receiving the data, the attacker needs to get it back from the watch. Their only hope is to keep meeting the person with the compromised watch so they can get a daily download, but because of the range limitation, they will have to be physically close to the person with the watch quite frequently. That makes getting the data out hard if there's any information to get after the user unexpectedly went out of range for most of the day.

doublelayer Silver badge

Re: Better computer cases?

That would work rather well as a listener. Even low-end devices can have enough storage to cache data sent to them over a workday. The open-source PineTime watch has 4.5 MB of flash, and the proof of concept can only transmit at 12.5 bytes/sec. That allows for four straight days of collection on a watch which can easily sync back as the attacker goes home. If you wanted to execute a plan like that, your idea is a good one.

However, it doesn't change the requirements. If you consistently work in the secure building and were able to install malware on the target computer, you can probably also go to the secure computer and make it do things. Especially so as you need to be very close to it for the transmission to be received by your sneaky watch. If you do have access, it might be easier just to make the computer disclose information a faster way, whether that's copying to media, converting to QR codes displayed on screen, or just bringing it up for you to peruse.

doublelayer Silver badge

Re: Maybe Typewriters should make a comeback

This exploit already requires that you can get access to the computer. While you can theoretically do that in the supply chain, it also requires that you can put a listener next to the computer, which requires you to be in the same place where that's used. If you have that level of access, you can also copy papers stored under similar levels of security. Theoretically, this is potentially useful if you can only get access once (but your listening device continues to work unnoticed while you're not there and get information out to you somehow), but it's not markedly different from stealing papers; you have to have physical and unsupervised access either way.

doublelayer Silver badge

Re: Better computer cases?

"With everyone using laptops for WFH rather than proper metallic-boxed towers, I think arguing about cases (and cables) may be moot. Not sure what's underneath the plastic shell, if anything."

Doesn't really matter. Anyone using a laptop to work from home isn't trying to airgap said laptop, nor would they be taking any of the other security precautions that this is intended to get around. An attacker can attack that laptop as they use it to read emails or participate in meetings or just walk in and take it. Airgapping is useful for devices that need a lot more security than that, and usually the place that wants it airgapped will decide not to put it in an employee's house unless they very much trust that employee to keep it secure.

It's useful to keep in mind that this exploit only works if you meet three conditions: a) you can get to the airgapped machine in the first place to install malware on it, b) you can put another device near it to pick up the transmissions and relay them on, and c) you can't just steal what you want when you're installing the malware. If a machine is easier than that to attack, the attacker doesn't need something this complex to do it.

Google Mail outage: Did you see that error message last night? Why the 'account does not exist' response is a worry

doublelayer Silver badge

I fail to see the confusion. The message speaks of accounts, the article of users, users have accounts, on Google users are identified entirely by their account as there is no independent username available to them, hence if an account doesn't exist, the user doesn't exist either. Therefore, the message which was sent should only be sent if a user has not set up an account with the specified name or the user's account has been closed. That wasn't the case, so we have a problem.

Google told BGP to forget its Euro-cloud – after first writing bad access control lists

doublelayer Silver badge

Re: Clouds are great!

Running a life-critical system on a cloud system, with no local backup, in one region only, would be negligent to the point there would likely be penalties for the hospital. The same is generally true of any other system where downtime is potentially harmful. It's system design.

You have to keep in mind the ways that exist for making a problem like this less likely. If you run your systems in house but you run the servers from one computer room, what do you do if the UPS in it fails and kills the power? If it will take you long enough to recover from that that you can't withstand the harm caused, then you need a redundant UPS. And possibly you'll need two computer rooms for redundancy so a flood in one doesn't take out the other. Or maybe you even need multi-building redundancy. It all depends on how long you can withstand a failure and how much you're willing to spend to make that failure less likely.

The same is the case for cloud deployments. There's a reason that every cloud has different levels of redundancy, because they have problems. In this case, only one region was affected, so having redundancy across regions would have prevented it. A sufficiently-interested user should have set that up, just as a sufficiently-interested admin should have done for systems running locally. If you're worried enough about a global outage for a cloud provider, then you would either need two cloud providers or to run the systems yourself, but if you're worried enough about a global cloud outage, your systems have to be really well-administrated and redundantly set up to make the risk level the same.

Twitter scores a first for big tech after being fined €450,000 by Ireland's data watchdog for violating the EU's GDPR

doublelayer Silver badge

How impressive

So, the story is that Twitter had a bug which was clearly not intended and affected a subset of their users, failed to report in time, and got a fine so small they've already forgotten about it. Meanwhile, other companies do deliberate things which impact all of the customers, don't hide it, and get no consequences. Why would any company be worried about this? If this is the size of fines being handed out, they have nothing to worry about. If this is the only kind of investigation that gets done, one which can be completed by a simple program*, they have nothing to worry about. Any Irish out there who can petition their government to make their data protection office do more things?

* if ((reportTime-report.discoveredTime).days >= 3*mercyRatio) { report.company.fine(); }

Right-to-repair warriors seek broader DMCA exemptions to bypass digital locks on the stuff we own

doublelayer Silver badge

Re: Yes, but ...

I have no problem with the business model. Others will, and it's clear to see why, but I think it's the right of a company to intentionally weaken a product just as it's the right of a company to produce one that's built from lower-power components so it's cheap. As long as they don't build it specifically to fail fast, I am fine with it.

As for a user tweaking it, they should definitely have the right to do so if they wish. The manufacturer doesn't have to make those options easily available to them. Your employer doesn't have to give the firmware source out to the users, or put the settings in the standard interface, or anything else, but if a user finds a way to make use of the components by changing something, that's their right to do. Just as it would be their right to disassemble the thing they own and use the parts in other devices, they can change one of the parts out for something else they own. You don't have to support a modified product, and I'm sure your warranty specified that you didn't support it if they had opened it up and swapped components. Similarly, you could forbid any such modifications for a rented unit.

Companies want to make it hard for people to change how a product runs. I get that. Sometimes it annoys me, but I feel they have the right to do it if they want to. What I don't think they should have a right to do is to sue me if I succeed despite their obstruction, because it means they're making it illegal for me to go against their wishes with something I own.

Ad blocking made Google throw its toys out of the pram – and now even more control is being taken from us

doublelayer Silver badge

Re: The rise of Facebook and the slow death of journalism is due to online ads

Depending on how it's done, it can be a bad thing. To minimize costs can be done by finding the costs and identifying ways to not have them, which is good. It can also be done by identifying costs and pretending not to notice them, which is bad. If costs to others, i.e. externalities in economics, are taken into account for the reduction goal, then it's good. A lot of companies try not to ever consider that and dump those costs off on us; now their costs are lower and they haven't done anything.

Maximization in profit can be done badly too. Places that attempt to maximize profit now usually don't pay any attention to what they're going to do later; when that rolls around, they'll just try to maximize again. Sometimes, it's necessary to invest in something now, thus getting less in profits, in order to get more profits in the long-term. If profit maximization of this type is done by some company which doesn't push its costs off, then it can only harm that company in the long-term. That's their business. Unfortunately, it usually doesn't. The company maximizes profit instead of investing, extracts that profit until a crisis, then pushes the costs it can no longer manage off on other people.

This is harmful to everybody. It's harmful to the people who have to clean up the mess created by someone who only thought about the short-term. It's harmful to anyone who invested in the company after previous profit maximizers drained the resources that could have produced long-term profitability. It is harmful to other companies who haven't done this because it causes stereotypes that a lot of corporate entities are going to act like this, which is the stereotype the person you replied to was espousing to some degree.

doublelayer Silver badge

Write it. It's not complicated. OpenWRT has OPKG, so a user can install it if you write it and put it in the repository. I'm sure you can find people to support the codebase with you.

To answer your question though, the primary reason that people don't is that routers running OpenWRT often have very little storage and/or memory. A lot of them have 16-64 MB of flash, which isn't very big when you also need to store the firmware image in it, and they have 64-256 MB of RAM, where they need to store packets and information about connections, so that fills fast too. PiHole works by having a bunch of blocklists stored internally. Sure, they get updated by pulling from the web, but they don't get pulled in their entirety each boot. The Pi can store those on a larger SD card and also always has at least 512 MB of RAM to cache them. Furthermore, most people who choose to install OpenWRT already know enough to use something else as a PiHole, so the size of the userbase isn't dramatically increased by making them both run in the same place. None of these issues make it impossible to do it, and writing the functionality might be worth the effort to someone, but those are the reasons it hasn't been worth it just yet as far as I know.

Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight

doublelayer Silver badge

In many cases, they don't. Storage is often charged by the month, not by the hour. Operation is charged by the hour. Therefore, the storage is already paid for and the operation is cut off. If the cap is also a monthly one, the user could in fact continue to store the VM without running it perpetually without exceeding their cap. Retrieval requires certain other charges like bandwidth, but that only happens after the user has deactivated the services creating the unexpected expenses, after which they may increase the cap to run other things during the month.

doublelayer Silver badge

Re: Not so free after all

I'm not sure it works that way. If they issue you a bill and have your name, they can send a legal threat at you until you pay it. In your situation, they had to back down since you canceled the account, but if you didn't, they could sue you and win. For a place like a cloud provider, they can argue that you intended to operate the services and that you know the costs, which is probably not exactly true but they can likely get someone to accept it. Just because they don't have a payment method that they can bill automatically doesn't mean they're out of options for ways to make you miserable.

doublelayer Silver badge

Re: From the article

They could have gotten their system to not result in the bill, but they did set up that billing budget thing. Theoretically, such a feature would mean that you don't have to change all the other settings to avoid a massive bill. You might reach your limit quickly, and if you set the settings right you wouldn't have, but you should be fine. In a case where that feature worked as people expect it to, the user without special access would have to pay a bill for a service that only ran for half an hour, but they wouldn't have to pay a bill four orders of magnitude over what they were expecting. Imagine how it would have gone if other such limits were sometimes considered optional. You could end up in situations like this:

1. You set a caching server to keep copies of your files which expire every ten minutes, but it decided that the ten minutes was optional and instead used the value infinity. All your customers are getting days-old versions of everything. If you had only set the server to erase itself through a hidden task, it would have done what the TTL value is there for.

2. You used a programming language's thread pool and set the maximum number of worker threads to equal the number of processor cores because your task is compute-intensive. It decided your maximum was unimportant, so it spawned a bunch of threads which slowed you down immensely before eventually swamping the OS requiring a forced reboot. If only you had also made the OS restrict the number of threads, the defect in the thread pool library wouldn't have caused a problem.

3. You were filling a car with fuel, and you requested the pump to continue filling until the fuel tank was full. It decided to just keep going, so now your car is at the bottom of a flammable pond and you have a fuel bill more often associated with aircraft. If only you just measured the empty volume and specified the exact amount of the fuel, you wouldn't have had this problem. On second thought, that's also a number so you would be in the same situation. Too bad for you.

doublelayer Silver badge

Re: Surely though...

Google suggestions has received your suggestion. We will not implement this suggestion because cloud users would be impacted negatively by any abrupt termination of their services. A terminated virtual machine may have been running important tasks, so we can't do that until the user says so. Similarly, if we blocked reads of a database, the customer wouldn't be able to get their content out of it. If we just blocked writes, then the user's system could [PRBot error 1004: could not think of convincing-sounding argument, please assist]. An abrupt termination of any service could cause a business customer to lose revenue for each second that clients are unable to make use of the services, and inconsistent termination, where some services are blocked but others which don't incur charges, could cause chaos when [PRBot error 1093: attempting to rephrase message "user could decide they didn't need it after all and stop paying us money" to sound diplomatic, couldn't manage it, please assist]. A user would never accept us pulling the rug out from under a service which they rely on for their livelihood, unless it's the Play Store, in which case we'll shut them down without a second thought [PRBot error 1015: sentence appears to contain data that should not be referenced, but module do_not_outright_lie requires it, please assist]. Also, adding the feature would be expensive for our developer resources for a very small number of users and hence is not an economical decision for us [PRBot warning 1093: believe previous sentence is a suitable translation of "we're not a cloud monopoly player, so we don't have to do anything for our customers. Ha ha ha." However, a translation error has already occurred in this message, so please check anyway].

doublelayer Silver badge

Supposedly, and sometimes, but when it's not, it's really not. They can often manage to add so many possible billable things that it's hard to figure out what you will pay. Worse, it can be mind-numbing to attempt to compare different providers for their prices, as prices are never clearly displayed together and some providers (well, one in particular) go to extreme lengths to hide the price lists and suggest you use a calculator instead. For example, I recently attempted to compare prices for bandwidth egress from various clouds and various cloud CDN-type features as an exercise to see how much it would cost to use them to handle a spike in demand for static files. The results of my survey can best be summarized as follows: what on earth do cloud companies do to set their prices.

Dedicated VMs' egress charges are usually easy to understand, but they vary quite a bit between providers because I don't know why. The big three are in the same range (approximately 20% difference between minimum and maximum) and each include the first 5 GB egress per month with the VM. Fine, they're relatively similar and could be compared. Then, I looked at Oracle cloud, which costs a tenth of what the others cost per gigabyte and provides two thousand times as much free bandwidth. I don't get it. Either Oracle has a much cheaper system, is much worse, or is very desperate to get new customers. Still, I'd have expected that Oracle wouldn't be eager to make bandwidth a loss leader, and that other providers would compete that price downwards. But then come the CDN options. Every single one manages to bill for cache hits, cache misses, bandwidth (completely different prices than VMs), and reading from wherever the CDN fetches data. Some of them also charge different prices based on the CDN endpoint location to the extent that it would end up being cheaper to set up VMs on their service for some regions and use their CDN for other regions to minimize bandwidth costs for the same activity. Before you ask, they usually don't let you restrict which regions you use.

This complexity means that, although cloud can offer price benefits for specific tasks, it can only really do so if you've paid close attention to all the things that can get billed. As pointed out by this article, don't necessarily trust that the limiters on an account will necessarily work like you think they will. The answer you seek is in the documentation somewhere. It may take you days to find it, but it will end up being better for you to spend the time.

British voyeur escapes US extradition over 770 cases of webcam malware

doublelayer Silver badge

Re: Only pervy malware not killing

That is really not how international law works. This is not the decision of the U.S. alone; it is also the decision of British courts. While the U.S. could have complied, and I would prefer that they did, the U.K.'s high court concluded that extradition treaties do not place that requirement, just as they don't place a requirement on the U.K. to comply in this case. Each request for extradition is constrained by various limits, including each country's permission to decide they just don't want to comply. In the case you reference, there is the additional issue of diplomatic immunity, for which the relevant law provides. You will likely be happy to know that the law has been adjusted to remove some of those protections should this ever happen again, and I think that adjustment was a good idea, but it would not be legal under the law of the U.K. to apply this new law to the old situation. It is unfortunate, but it shouldn't be the everlasting excuse that prevents unrelated cases from proceeding.

Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft

doublelayer Silver badge

Re: OS?

That depends on your settings, and the best answer is "not intrinsically, but they probably help a lot of the time and certainly can't hurt". If you just block scripts, you can still get an ad with a misleading download link. JavaScript didn't play a part in getting the malware onto the computer, so an HTML ad that looked convincing would have been enough. They might not have used plain HTML, in which case blocking JS would help, but they could have done so.

An ad blocker is more likely to help, but it's not foolproof either. It won't necessarily get all ads, nor would it detect things like fake sites hiding in search results. If you ever found a link leading to the malware, it wouldn't protect you from the file. The best it can do is prevent you from seeing such a link injected from an ad server.

doublelayer Silver badge

Re: End of the world.

This isn't JavaScript. It's a native binary attached to software installers which replaces a browser binary with another native binary. Where did you get JavaScript from?

doublelayer Silver badge

Re: OS?

The article specifies two things that your comment questions. First, the malware has only been seen on Windows. Second, it doesn't modify the DLLs through the browser, it installs a native binary which does it. That native binary is launched during an installer, which makes it easy to determine how the binary got elevated privileges to do it.

You've got to be shipping me: KatherineRyan.co.uk suggests the comedian has diversified into freight forwarding

doublelayer Silver badge

Re: Can somebody explain the economics?

I wonder if some of them are hoping that the expiration was in error and that someone will come to ask for it back. They might redirect it for a minor ad or SEO benefit so that a nontechnical user can't find their contact information. This means that many users would use one of those domain-negotiation services to ask for its return, which could be more likely to result in a sale. That's supposition though. Some people may think they have a foolproof plan and instead found a foolproof hole into which they're throwing their money. I note that the last domain I let expire hasn't been purchased at all and could be easily obtained by anyone. It seems the squatters realized correctly that I have no intention to pick it up again.

China bans 105 apps, eight app stores, and says it’ll swing the hammer again

doublelayer Silver badge

Re: Which appstores?

It depends. They could crack down on those as they have been doing to some success in the past, or they could just push an application to phones that does a little audit of what the phone's used for. Russia's going that way; China must have considered it. Of course, there's also the possibility that they don't have to; just analyze the user's network activity and, if they use any of the apps you don't like, decrement the credit score accordingly.

Cops raid home of ousted data scientist who created her own Florida COVID-19 dashboard

doublelayer Silver badge

Re: Step away from the keyboard

Why is that a problem? In fact, isn't that an asset of computing? The person who works as a statistician needs to know how to do statistical analysis and how to make the computer do the heavy computation bit. Their most important skills are knowing how to process data in a useful way, how to modify the processing to get useful views of data without corrupting the analysis, how to get data that represents reality, all that stuff. Why should they also know how the computer is going to go about calculating something once they've told it to? If they want to, they should learn. It might help them, so a lot of statisticians I know are good at programming, though they're mostly programmer-statisticians, so that's not a good sample. Still, if you don't need to know that in order to do what you're doing, it seems strange to assign some demerit to not knowing it anyway.

Do you say the same thing about other computer users? Should the people who know how to make GIMP edit a picture in complex ways also know the different utilities their GPU contributes to the task? Should the person who writes a book in a word processor know how the kernel relays input from a keyboard and how the word processor's text system interprets their keystrokes into characters and commands? In the same way, since I'm assuming you mostly work on computers, should you have to know the way all your equipment was manufactured, down to the logic gates on your processor? If you work in that, should you know how the rare earth elements that are used in it were mined and processed before they got to the factory? With all of the above, there's no reason that someone should be prevented from knowing that if they want, but also no good reason someone should be required to know it when they never deal with it.

doublelayer Silver badge

Re: Overwhelming force

Against someone who is clearly thinking about a violent response but still values their own life, maybe. Against anyone else, dead wrong (often literally). If you put six people with weapons in front of someone, you have six times as many chances that they'll misinterpret something peaceful as potentially dangerous. They're already holding the weapons, so the usual response is lethal. Also, going into a situation where you're in a large group of armed people increases stress, which has proven in various experiments to reduce the ability to recognize small details and act in a calm and peaceful manner. This means it's even more likely that something gets interpreted as dangerous when it's not.

Bringing a lot of force can be of use when your goal is to make someone put down their weapon and come quietly, because you've destroyed any notion they might have had that they can shoot everyone in the way and get away. In a situation where you need to show up and take some computers, you don't need to do that. All you accomplish by doing it anyway is to make the people in the home more stressed because there are many armed people nearby and the officers more stressed for the reasons in my first paragraph. That can only make things worse, even though we may know incidents where it managed not to end tragically.