* Posts by doublelayer

10589 publicly visible posts • joined 22 Feb 2018

Apple's bright idea for CSAM scanning could start 'persecution on a global basis' – 90+ civil rights groups

doublelayer Silver badge

"So the situation is. Do nothing about the problem of child sexual abuse because whatever you do will be wrong."

No, the situation is do something else about the problem of child sexual abuse because what you're currently doing is wrong. False dichotomy rejected.

Trust Facebook to find a way to make video conferencing more miserable and tedious

doublelayer Silver badge

Re: Who is the target market for this?

"do kids still say that?"

Whenever someone asks that question, you can virtually guarantee that the answer is "no, not for decades"*. So in this case, no, not for decades.

*Common variations are linked with slight modifications:

"do kids still use that [tech platform]?" -> "No, not for years."

"do kids still think that [insert straw philosophy]?" -> "No, if they ever did."

"do kids still do that?" -> "Yes, of course."

Apple didn't engage with the infosec world on CSAM scanning – so get used to a slow drip feed of revelations

doublelayer Silver badge

Re: Image Container Licensing

I think this wins a prize for simultaneously useless and creepy idea of the day. Congratulations.

But really, was this meant to be a joke? Is my sarcasm detector not working today? That's an honest question. If it was serious, do you know that wouldn't do anything for this scenario--if there's an untracked format for images, which there is, then people can continue to use that when providing images of crimes. They're already using Tor hidden services a lot. They can figure out how to download an old version of a program so they can open the formats, and they would only have to do that if the new format was actually made mandatory.

doublelayer Silver badge

Re: Notice how quiet Samsung is?

So they decided not to run their own cloud. That's not a surprise to me--I've purchased phones from many companies who didn't run their own cloud service. That doesn't make them responsible for Microsoft because they gave people choices including not using the cloud at all.

doublelayer Silver badge

Re: Banning is effectively meaningless

I agree, but looking at the globe, I can't think of anywhere which will do it. Every dictatorship will be thinking of the potential uses for them. A lot of democracies may be thinking the same and haven't stopped privacy violations before. Those few democracies which tend to be forceful about protecting their residents' rights might think about it, but they don't want to be described as "those people who defended child abusers" so they will probably let it slide.

doublelayer Silver badge

A useful analysis of Apple's announcements

Since this issue has deservedly earned a lot of attention from these forums, I think a few blog posts I've read will be of interest to others here. A security expert who runs an image analysis system and therefore already deals with CSAM reporting analyzed the statements made by Apple. A blog post from ten days ago reviews the technical details Apple released and how this compares to his own reporting mechanisms (spoiler, probably badly but they won't provide enough detail). A second post from this Monday reviews their announcements ever since (further spoiler, lots of contradictions but little new information). I found these informative, especially with the additional experience the author brings to the analysis.

For those who prefer cleartext URLs, the posts are published on the blog at https://hackerfactor.com/blog and are the two most recent posts at the time of writing. You probably want to read them in chronological order.

Another big year for tape as ... oops. 2020 sales dropped 8% thanks to 'global shutdowns'

doublelayer Silver badge

Re: Ransomware

"Except ransomware can "hit some of those" in a way that they will still verify and restore and run just fine... right up until you hit a certain date when the self encryption locks down."

I'm no expert, but I'd imagine that's rather harder to do with basic tapes or disks. Unless you can reprogram the firmware on a tape reader or disk controller, then it can't encrypt itself on a schedule. The closest I can think is that they would bother to deploy something to the restore system just to hide that the individual tape was encrypted, but that's a large risk because that would have to include the decryption key which they don't want the user to recover. Also, it's a lot of extra effort. Your prevention suggestions are good.

doublelayer Silver badge

Re: Ransomware

Not as effective because the attacker might attack the backup server during the backup rather than trying afterward. If they're the type who waits around watching things before they launch their assault, they could figure out that it's only online some of the time.

doublelayer Silver badge

Re: Ransomware

That's just an argument for cold backups. Whether disk or tape, as long as you don't have it online, it can't be encrypted after the fact. Also a good argument for frequently testing such things, as a ransomware operator who recognizes that you have cold backups might hit some of those first so they're unavailable when you go to restore. If you can catch it when your most recent cold backup is encrypted, then you might be able to cut off the attack on the hot systems which are targeted later.

OK, so you stole $600m-plus from us, how about you be our Chief Security Advisor, Poly Network asks thief

doublelayer Silver badge

Re: Mr White Hat ?

That was on my list of options too, but it really doesn't make sense. They've nicely publicized that they could be hacked and all the cash stolen. Some people might assume that it's better to employ someone who at least detected and prevented the attack, but others will decide that working with someone who has already been hacked once is a bad sign. In which case the publicity isn't very useful.

Apple says its CSAM scan code can be verified by researchers. Corellium starts throwing out dollar bills

doublelayer Silver badge

Re: Tank Man

It gives them a list of people who have the image. That likely includes the person who took it (sort by date uploaded, pick the first). However, even if it doesn't, they'll be happy to target those who received it as well, who could, under questioning, disclose the person who sent it to them. If the source of the image is their primary target, it's just traversing a tree. Since those who received the image are probably also targets, it's traversing a graph. Even if the source evades discovery, there are lots of others who won't.

doublelayer Silver badge

Re: Tank Man

No problem. If the group finds a thousand images which have been widely shared, that gives them thousands of targets who took the pictures or stored them. Let's say they only succeed in finding a hundred of them. That's enough people to achieve several goals:

1. At least a hundred people who took pictures and shared them is a hundred dissidents who can be removed.

2. Those hundred can be questioned to find more. Some will comply with questioning.

3. A hundred is large enough that people will notice that the government was able to track them down. That's a good advertisement that protesting can end badly for you.

Even if there are more pictures, that gives them quite a large head start. If there are, they can add them to the filter later when they are found.

doublelayer Silver badge

Re: Look, Squirrel!

"Can you come up with a scenario where what you suggest would be harmful?"

A repressive country, the Democratic Republic of Tyranny, has a protest. People take pictures during the protest and share them with those in other areas. People in those other areas see that they are not alone in their displeasure with the government, and the government feels that protests are likely to occur there. The DRT government tasks a group with collecting those images wherever they have been shared. It tries to block those images in their censorship system, but at least it can't track down those who have it. Enter Apple's system. The DRT government sends the hashes of those images to Apple and gets a report including the identities of all people whose devices contain that image. That would include the person who originally took it (was at protest, definitely guilty of high treason), the people who sent it to others (promulgated information contrary to the government, also high treason), and anyone who received a copy and retained it by choice or chance (just normal treason).

The DRT would have several ways to add this into Apple's system. The easiest would be to call them up and tell them they had to put in the image. If they called the wrong number and got someone who would complain or, it's imaginable, refuse, they threaten to confiscate Apple's assets and cut its business; Apple quickly caves. However, there is an easier method. The country likely has some police system which investigates child abuse, or at least a police organization which can pretend to investigate it. They submit the hashes saying that it is abuse material. If Apple includes it, the DRT gets what it wants. If Apple doesn't include it, the country can go out in public and accuse Apple of being biased and failing to protect children when given information to track; Apple quickly caves.

Asahi Linux progress: Apple Silicon OS works – though it's 'rough around the edges' and has no GUI acceleration

doublelayer Silver badge

Re: Warrantless

Yeah, you've just discovered what a rootkit is. Apple could write a rootkit. So could anyone else. There could be one on your computer right now. The manufacturer could have hidden it on a firmware chip or the processor manufacturer could have it in microcode. Better smash it up to be on the safe side.

Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

doublelayer Silver badge

Re: Great Data Purging Revolution

I didn't, because the text above the video was so ridiculously false. My reply was based on that. I was planning to eventually watch the video at some later point, but it could be someone else with real information or something equally bad, so it wasn't high on my list of actions. It may describe real downsides of the GDPR, of which there are several, but if the text above is any summary, it isn't.

doublelayer Silver badge

Re: Great Data Purging Revolution

He's certainly useful in this, but he doesn't get to fine the large companies who violate GDPR all the time. The organizations which have that power seem to take a very long time to do anything. It's certainly better than before when they had no power, but it could be even better if they started using their authority often.

doublelayer Silver badge

Re: Great Data Purging Revolution

Really? That's crap logic.

"If you noticed people accept GDPR terms without reading which gives companies who use that data legal protection."

If you noticed, they did that before. The companies have no more protection now than they used to, and now there are terms which they can't legally put in there.

"Then one of requirements was data portability which forced many companies into implementing data export facilities. This means they can more easily pull the data from the system and sell it, even companies who didn't think about that."

Yeah, so? They had the ability to sell the data at any time, but now, it's illegal for them to do it. How did GDPR help here? Just like the last one, this law gave them no new rights and restricted a few they used to have.

Internet Explorer 3.0 turns 25. One of its devs recalls how it ended marriages – and launched amazing careers

doublelayer Silver badge

Re: Sadly, there were divorces and broken families and bad things

Yes, it's always possible. I don't know what the engineers were thinking when they were doing the work at that level. However, the attitude of the manager is not good. If it were me, I probably wouldn't ascribe the divorces to that project specifically, but he thinks it was the cause. If something really causes two divorces that wouldn't have otherwise happened, that's a rather big negative consequence. He doesn't seem to view it that way; the statement has a lot more nostalgia to it. And the upside, that part after the but which makes it better in hindsight? That you can get a hundred people to work "like their lives depended on it". Because that's critical in this situation.

doublelayer Silver badge

Re: Sadly, there were divorces and broken families and bad things

In this case, that's rubbish. Had Microsoft not written a browser, their OS would have been fine for at least several years while people used someone else's browser. Only if their competition had all decided to include browsers would there be much of a risk, and their competition was very weak at the time. So if they had spent a few more months completing their browser, there wouldn't have been any negatives from it.

Some places have that need for survival, but even then, there are many reasons not to mistreat the workers. Getting something done with unmotivated workers is hard, but getting something done when your workers quit because you're making them work all hours is impossible. Your company's survival, even if that's at stake, is not what the workers most care about. They're focused on their own survival, so it would help you if you tie the two together. If they benefit as you do, meaning that neither group is completely ignoring what is best for both sides, then you'll get a better result.

doublelayer Silver badge

And tell me, where would someone have learned how to do that and obtained a command line browser that ran on Windows 95? Perhaps by connecting to one of the online systems?

US watchdog opens probe into Tesla's Autopilot driver assist system after spate of crashes

doublelayer Silver badge

Re: A solution looking for a problem

"Is having Autopilot make an error and injure or kill an innocent third party acceptable?"

The problem with this logic is that it works equally well for literally anything else. Is having a human driver of a large vehicle at high speeds make an error and injure or kill an innocent third party acceptable? On that basis, we could well ban or at least significantly restrict all driving because it carries with it some risk. The better question is what we do when that happens, which must include both having a method to blame the supplier for real problems in their software and not automatically blaming them if something doesn't work. I am more optimistic than you are on that front as there are bodies specifically set up to investigate and penalize companies for exactly that kind of event. The one investigating Tesla here is one of them and most countries have something like it. The software will never be perfect, and it will at times crash. It is the responsibility of our governments to investigate that for safety, but we also need to recognize that we don't need a perfect safety record for it to be acceptable, and in fact we can get a rate of accidents significantly higher than zero before it's even worse than the status quo.

doublelayer Silver badge

Re: A solution looking for a problem

"All autopilot does is take a flawed driver, and add in the technical flaws created by flawed software/hardware designers to get the worst of both worlds."

No, it doesn't. What it does is to substitute the flaws in the software for the flaws in the humans. Depending on the quality of the software, this could be worse or better. In existing tests, it's often better.

Consider a human who is paid to calculate mathematical answers. They are going to make some mistakes. Now add in a computer which solves the same problems. Every once in a while, something will break and the computer will mess up, but it will get a lot of right answers first. Is it the case that substituting the computer will worsen accuracy because you've combined the worst of both approaches? No, because the human is no longer doing the calculations and thus doesn't make their mistakes anymore. The software running vehicles is more complex and has more problems, but it doesn't stop the human's fallibility being removed from the situation.

It may be that the software is too flawed to allow, though existing tests are not showing that. Even if that's the case, your argument still isn't the problem.

doublelayer Silver badge

Re: A solution looking for a problem

"You know why they don’t let Mars explorers go bombing full-tilt around the Martian surface without human oversight at key points?"

Because it's really hard to teach a dumb computer how to decide on its own what you find interesting when all the robot sees is a bunch of rocks? If I were there, I'd need remote control too; I'm no geologist.

Remote code execution flaws lurk in countless routers, IoT gear, cameras using Realtek Wi-Fi module SDKs

doublelayer Silver badge

Re: IoT the way forward...

"My guess is around 10% of affected devices will be updated."

I admire your optimism. My guess would probably be at least two orders of magnitude lower because it sounds like most devices using this chip are consumer-level. Many people don't recognize networking equipment as needing the same level of attention to detail as their computers. Manufacturers in turn seem to think that it should have maybe two years of support life, if I'm optimistic, despite the fact that lots of decade-old networking kit works just as well if security isn't factored in.

I was offered $500k as a thank-you bounty for pilfering $600m from Poly Network, says crypto-thief

doublelayer Silver badge

Re: Really, now?

"Real coins have value because the bank 'promises to pay the bearer on demand...'"

No, it doesn't. We left the gold standard a long time ago. If you go to a bank bearing currency, they will invite you to make a deposit, but otherwise they won't have anything else for you. You can't get anything of objective value in exchange, because the thing holding value is the currency you brought there. It has value because the central bank hasn't printed too much of it yet. This isn't necessarily a problem, but the days are gone when the currency represented some other asset.

doublelayer Silver badge

Re: Really, now?

No interest. It's supposed to be like gold. You store it then spend it. I have not seen any exchanges offering loans, so they're acting more like brokers or storage than like banks.

doublelayer Silver badge

Re: Is that $500k in cryptocurrency, or hard cash?

"If it is that easy to steal, it isn't worth $600m."

No, that's not it. If it's that easy to steal, then the holder isn't worth your trust. For example, if it turns out that your bank holds your savings in one place without security, then you shouldn't entrust them with the job, but your savings aren't worth any less.

doublelayer Silver badge

Re: Really, now?

It can take some time to transact in cryptocurrency, especially if the original thief wants to ensure they're returned safely. Merely reversing the original theft could mean putting the tokens back into a system which is now known vulnerable, and so someone else could steal it soon afterward. So, assuming the thief is honest about their desire to return the funds, that could explain it. That is a very big assumption though, and there are other options available which are less favorable to the intent of the thief.

Apple's iPhone computer vision has the potential to preserve privacy but also break it completely

doublelayer Silver badge

Re: What has apple NOT seen?

"George O. would have never, even in his wildest dystopian nightmare, ever thought that the proles would be convinced to spend their own hard-earned money to purchase their own telescreens."

No, he did. In one scene, a person says that no telescreen was installed because it didn't seem worth the expense. Now it turns out that guy was lying, but it does imply that the telescreens were purchased.

doublelayer Silver badge

Re: Capability

"BUT (and this is where I'm probably being somewhat naive and too optimistic), if they can present a mechanism that satisfies the feds and gets them to back down from pressuring the law makers into weakening encryption... then that's a win, no?"

I'm afraid your adjectives are quite correct in this case. If they put a spy on the endpoint, then the debate over encryption could get dropped. But that's because they won and we lost. If they can force all users of encryption to turn over the cleartext so they don't ever have to decrypt, then the result is the same: repressive countries do whatever they want, criminals have an attack vector to get the data, all of the reasons we want encryption are neatly circumvented. True, that wouldn't necessarily apply to everything, and a few people who already know why and how to encrypt could use open source software to do so, but if that ends up happening, they just start the encryption legislation again. If we lose 95% of our goal, that's a pretty clear loss already, especially as nothing in it prevents them from later taking the remainder.

doublelayer Silver badge

Re: Capability

"missing the point that the 'something more sinister' never required this step to happen first."

It did though. They could implement it at any time, but in order for the sinister consequences, they needed to. Before, they had the option to take that required step, then become sinister. They have now taken the step. Yes, they could have implemented this in secret years ago, but the fact remains that they did not.

China warns game devs not to mess with history

doublelayer Silver badge

Re: Factual Games

"I'm quite sure that here in the West, it's strongly advised against letting the youngest of children use screens, let alone play video games, and really sure that is not how we teach them."

Then you're mostly wrong, wrong, and wrong respectively. People are often advised to reduce their children's use of screens, not entirely eliminate it. We're also not talking about the "youngest of children", but rather children of many ages. Videogames are very popular with children and always have been, and as long as their parents maintain restrictions on how much they use them, it isn't automatically harmful.

As for not being a way to teach them, you may be unaware of the many educational games which exist. I've seen plenty of teaching tools redesigned to be more entertaining, trying to get the children to voluntarily learn mental math. In my childhood, I had an electronic dictionary which had several word games on it, which was useful in that it taught proper spelling and grammar and, if the computer opponent used a word you didn't know, you could easily look it up right there. Lots of other games may include less teachable content, but will be a little useful (for example, it should help quite a bit with familiarizing children with computer interfaces which they will use later). This doesn't make all videogames an educational experience, but there are some which are used to that effect.

Before I agree to let your app track me everywhere, I want something 'special' in return (winks)…

doublelayer Silver badge

Re: Why Bluetooth

It's only for devices which need a specific app to connect to them. Things like audio devices or keyboards which use the OS Bluetooth system will work fine. Something which an app controls, like a fitness tracker, object tracker, or custom equipment will require access to fine Bluetooth control, which is lumped in with precise location access so the app gets both.

doublelayer Silver badge

"Honestly do not understand how they [Google] make money."

By lying. If they collect thousands of datapoints, which they can prove, and hire a ton of machine learning experts, which they can also prove, then they must be able to use that to send ads to those who will most benefit from them, right? In the meantime, they just use the same crap algorithms based on browsing history and search term if applicable. Who knows what all the collected data is for, but eventually the guy who's responsible for thinking up the evil plan will come out and they'll do that.

This works for three reasons:

1. Google runs the ad system as a black box, so it is difficult for someone who pays for advertising to figure out who is really seeing the ads.

2. Companies are really bad at figuring out how useful their advertising budget is. Here's a good two-part summary of people who tried doing the research and all the problems they found, both in advertising itself and in advertisers' approach. It's a podcast but the pages contain transcripts for those who prefer to read text: Part 1 (mostly television advertising) Part 2 (online advertising)

3. Google has purchased almost all of their competition, and the others are either basically the same (Facebook) or didn't claim to be that smart in the first place (Bing ads). So you can't try out other advertising platforms to see if they can track better or don't need to, because you have no choices. Google's is biggest, so they get a lot of business.

BOFH: 'What's an NFT?' the Boss asks. In this case, 'not financially thoughtful'

doublelayer Silver badge

Re: I wonder...

I think it would as they often restrict the creation of convincing notes to avoid the risk--I.E. no, I didn't use it, but someone else found it and did. But if you're immediately destroying it, they wouldn't know you had.

Facebook now says it won't recall staff to its offices until 2022 due to delta variant

doublelayer Silver badge

Re: What data

"I have had both jabs, so either I am now relatively safe or the jabs don't work... Which is it?"

The former. They just aren't making people come back to the office. Those who want to can. And there is the end of the matter. Your current safety is as strong as it ever was.

As for their data, it likely consists of existing public case, hospitalization, death, and variant rates. They don't want to go to the effort of getting everyone settled into the office again only to have to shut things down a month later, so they decided to do nothing for a while. They don't have to do this out of an altruistic concern for their workers' safety, because their profit depends on their workers' safety too.

China plans laws for 'healthy' development of tech companies

doublelayer Silver badge

Re: China needs better "public opinion propaganda"

There is plenty of incorrect information put into the media by biased people and organizations, but three things apply to it that don't apply in dictatorships:

1. It is done on multiple sides by individuals and small groups, not on one specific side by everybody.

2. It can be contradicted and disproved without someone getting put in prison.

3. There are people who really do keep to journalistic ethics and can be trusted. You just have to find them and have several options in case you find one of your sources less reliable than you thought.

Your false equivalence is not appreciated.

Thief hands back at least a third of $600m in crypto-coins stolen from Poly Network

doublelayer Silver badge

It's not untraceable, just pseudonymous. In fact, it's easier to trace where it went, but harder to tell who has it.

Imagine your bank. If you transfer money from your account to your friend's account, I cannot see that you have done this. That transaction is private. However, the banks know exactly who you and your friend are because both of you were required to submit identification when you opened the accounts. The transfer is identified. Bitcoin reverses both aspects. You can open as many accounts as you want without identification of who you are, but any transfers can be viewed by anybody.

Therefore, if we know where the money came from, we can see where it was transferred to. In turn, we can see anybody they pay. What we can't easily do is figure out who controls those opaque addresses without investigation of other things. The question is whether we can identify the criminals before they convert their public asset into something private. If we can stop them converting, they effectively lose control of the money because they can't spend it. If they're fast at laundering it, then they have now pulled off an unidentified and private transaction and can proceed to hide their new wealth.

doublelayer Silver badge

It is possible to track them. Most of it is public and pseudonymous. It's used by criminals not because it's secret, but because it's convenient. For instance, you can get millions of dollars from someone without having to meet up in person to exchange heavy bags of currency or valuable items. Before crypto existed, criminals figured out ways to receive money when it became valuable enough. Now that there is crypto, criminals still do that but have branched out. If crypto dies, criminals will still commit crimes and will still find ways to get their anonymous money.

It's time to decentralize the internet, again: What was distributed is now centralized by Google, Facebook, etc

doublelayer Silver badge

Re: IPv6

"mail, content hosting, social feeds, direct messaging, video chat, photo albums, and pretty much everything can be on a low cost home computer"

No, that's not going to be your panacea. Because yes, you can put all that on a cheap computer, but you can do that now by forwarding some ports on your IPV4 address but you don't, do you? The problem with that approach is that it requires effort, opens security holes, and has a very large discovery problem. If I want, I can use my ISP connection (it does support IPV6 but even if it didn't) to host a server, attached to DNS so people can find it by address even if the address changes, running the proper firewalls and with hardened services. The average consumer does not know how to set up a webserver, let alone dynamic DNS. They definitely don't know how to secure such things.

Also, if I did that, I would have to send that new address to all my friends and have them send me their addresses so I could periodically check their sites. If power died, everything would stop working. If you're going to do social media, you would need to create new interfaces so you could aggregate all of the information together. Decentralization would be nice, but there are lots of things that need to happen before we can have it more broadly adopted. IPV6 is not the one stumbling block which holds back an otherwise perfect option.

doublelayer Silver badge

Re: Shepherds and sheep

Of course the needs of the military were one of the primary considerations, but that does not mean that it was intended for still being there after nuclear attack. The network that was created was way too fragile for that purpose. A lot of it ended up running across completely standard phone lines, and if those were expected to still be functioning, they could have used the phone network as well. Research into networking technologies so they can later be used in something critical was the intent and the result.

The military built systems for survivability, and those designed later used some of the technologies first proved, tested, and enhanced by the research they funded. The military got several large benefits from that research. That is also what Dr. Lukasik said. It is therefore still incorrect to say that the proto-internet was designed to be online after a nuclear attack. It was designed to be a proof of concept and it succeeded in that goal.

doublelayer Silver badge

Re: Shepherds and sheep

"DARPA's driving goal was to create a system for military communication that could survive a nuclear attack by the Soviet Union."

Unfortunately, this is a common myth. Some of the things invented while getting the internet working were used in such systems, but that wasn't the purpose of the network. Its decentralized nature was due to necessity (things breaking a lot) and convenience (you could add more stuff just by complying with the protocols).

The web was done right the first time. An ancient 3D banana shows Microsoft does a lot right, too

doublelayer Silver badge

Re: "would often have included all of the library" @LDS

"I did mention statically linked didn't I?"

You did. They said you were wrong, pointed out that it was mostly dynamic, and explained why dynamic was a problem. To be fair, the same dynamic library problem could easily happen elsewhere (Linux without package managers could be really annoying if someone was trying to deploy binaries, because sometimes the binaries would have hardcoded locations for libraries which weren't convenient; building from source or using a package manager was good about fixing this).

$600m in cryptocurrencies swiped from Poly Network

doublelayer Silver badge

Re: Decentralisation

No, that's not it. They have learned (hopefully) that if you put all your money in a central place, then you've drilled a hole through all the benefits that decentralization brings with it so you might as well use something that was designed to be centralized. You can keep your own crypto in a decentralized manner and it's usually more secure if you're careful, but a lot of people are too lazy to do so.

doublelayer Silver badge

Re: Reset the clock!

It's not every time. There are a lot of exit scams, but there are also a lot of real hacks. Investors who invest without learning how the thing they're investing in works don't seem to realize that cryptocurrencies function a lot like cash. They then act surprised when someone breaks into the inadequately secured storage and takes it and they don't have an automatic backout ability. That makes thieves quite eager to go steal from wallets or exchanges that didn't do their homework, especially if they think everybody will assume it's an exit scam.

doublelayer Silver badge

Re: Blew my mask off my face

The only problem with that approach is that it's not true and the attackers know it. This isn't going to include funds from powerful criminal organizations. It will mostly include funds from small and pathetic criminal organizations and some actual investors, neither of which is usually willing to spend extra money on a mission of revenge. The places that perform acts like ransomware which result in crypto payments are made up of criminals, and they are large enough that they could attack someone who was getting in the way, but they don't have private armies or the assets to perform that kind of investigation. The large drug distribution groups are large enough that they don't need to bother with cryptocurrency unless they want to invest in it--they already use a more rigorous array of financial systems for handling their loot because they have so much of it and because they operate in such a large area that they can commandeer large chunks of the infrastructure that exists there.

The only large organization that I know of that uses a lot of crypto is North Korea. If this was used by North Korea for international storage, the thieves may have an issue. However, based on the way North Korea usually stores the money we know about, it would seem much more likely that, if they're involved, they're the ones who stole the coins. They have a history of large thefts so it is in character.

doublelayer Silver badge

"I'm not aware of any country that recognises digital currencies as legitimate currency. So is this a financial crime?"

Yes, it would usually be. None of the major countries recognize cryptocurrency as currency, but most do recognize it as a thing you invest in, so it will likely be treated like a crime involving securities, gold, or similar. Then again, most criminal statutes aren't very different between financial or nonfinancial--if you steal things or money, they'll usually use similar laws to charge you if you get caught. Extra laws exist for financial crimes of other types, but that's for things like tax evasion. While it has little meaning, I think the statement is essentially correct.

The sideloader weeps tonight: Unsealed court docs claim Google said 'install friction' would 'drastically limit' Epic's reach

doublelayer Silver badge

It doesn't block manufacturers from installing their own custom stores, but it might block manufacturers from installing others' stores. The contracts are mostly secret, so we don't know the details. Still, some manufacturers decided to have their own store and those aren't blocked.

Elastic amends Elasticsearch Python client so it won't work with forks then blocks comments

doublelayer Silver badge

Re: Ugh...

You are conflating two different things. I said that "You must pay" is not approved. The GPL says "You may charge". The two are not the same. "You may charge" means that I can refuse to give you the software unless you pay me money for it. However, if you do pay me money for it and get a copy, you can continue to use it without paying me again and you can give it away for free. Those actions are specifically mentioned in the GPL as well. In a "you must pay" situation, if you continued to use it or gave it to someone else without paying me, you would be in violation. The first is supported. The second is not. You can still easily do it and lots of projects do. You just won't get FSF and OSI approval.

doublelayer Silver badge

Yes, they are hoping to have others develop the code so they spend less. That's the nice part about open source--others sometimes do free work. Those others get, in return, a database they can use for free with a small set of known license restrictions. It's why we like open source. If it works right, everybody gets a good product they can use and modify without having to worry that someone will turn around and sue them for copyright violation, license fees, or similar.