Posts by doublelayer

10589 publicly visible posts • joined 22 Feb 2018

BOFH: They say you either love it or you hate it. We can confirm you're going to hate it

doublelayer Silver badge

Re: So he was "visiting" during working hours

What if it's a keyboard which does that? Whatever the device looks like, it will tell the computer it's a keyboard. So you have three options:

1. Trust any USB keyboards, including the prospect of a malicious one.

2. Do not trust any USB keyboards, using something else to connect the trusted keyboard.

3. Go through a registration process to trust only a certain kind of keyboard. Some methods include only allowing a certain set of known keyboard IDs and therefore a randomly-chosen ID probably won't work or requiring the keyboard to enter a certain set of keystrokes to be added to the trusted list.

In any case, this has nothing to do with USB. A fake PS/2 keyboard could do all of the same things and you would have exactly the same trust problem. USB having the ability to connect multiple devices doesn't cause the keyboard attack. The closest it can get is that you can make a USB device that looks like something else, but the only way to solve that comparatively minor problem is to have separate connector types for everything which still doesn't fix the larger problem and also makes hardware a lot less convenient.

doublelayer Silver badge

Re: offline backups on the recovery laptop?

My guess is that the recovery laptop has the clients for the backup servers and the encryption keys which are not stored on the tapes. Destroy those and you won't be able to decrypt and you'll need a new machine even to start reading. Of course, I'm sure the BOFH has plenty of other places where those keys are stored for insurance purposes.

doublelayer Silver badge

Re: Jim and the long game

I doubt it. He wouldn't have to infect the BOFH's personal computer in that case because that doesn't affect anyone. From the description, the PFY appears to have really been sick. And we know that sometimes someone without the skills gets loose on a computer because they volunteered to help. I'm sure there are backups which this guy couldn't infect--there is no way they would let him get to the server room, but still a lot of work for them ahead which isn't going to end well for the clueless idiot.

On this most auspicious of days, we ask: How many sysadmins does it take to change a lightbulb?

doublelayer Silver badge

You may have done all of those things, but that doesn't make those things your job. While the action of the tech in this case was something I'd never do (though mostly as I wouldn't want the consequences), I would have politely told them that no, it is not my responsibility to fix your lamp and I don't have the spare time to do so anyway. Had they asked me when I wasn't doing something related to my job and had they asked politely, I would have helped happily.

If I am the generally helpful person who does what everyone wants and because of that, I don't get my actual job done, management isn't going to care that I'm useful to my colleagues. They are going to complain about why the stuff they wanted isn't there, and I am going to face consequences. I will therefore not interrupt the important responsibilities of my job for people who demand my time without reason. I'm entirely on board with being helpful if I can do so without compromising that, but at some point, this is a thing I do by choice and therefore I may choose not to when circumstances are different.

Great reset? More like Fake Reset: Leaders need a reality check if they think their best staff will give up hybrid work

doublelayer Silver badge

Re: Going on-site has certainly been made redundant in IT

Those are issues, not insurmountable obstacles. Thus, a company can decide not to care about them and nonetheless get what they expected.

Take the whole time zone issue. I currently work on a team which is all located in the same place but we have been working from home. Given the way we do our meetings and collaborate, I could do this without changing from up to four time zones away. If I was allowed to change the scheduling, I could expand that further. That's if we even have to meet on such a schedule. So it's not necessarily a problem to outsource to someone with a radically different time zone unless that doesn't work with the specific job. The other issues listed are similar--they can cause major problems, but if they're accounted for at the beginning, there can still be benefits.

doublelayer Silver badge

Re: It Depends…

"slogging away in a hot factory, whilst everyone else sits at home isn’t really fair."

No, it's completely fair. You could make the same argument about the previous situation. It would sound like this: "slogging away in a hot factory, whilst everyone else sits in a nice air-conditioned office and just has to type isn’t really fair." It combines inaccuracy about what the others are doing with complaints about the job they knew they were doing.

If the people in the factory have been subject to bad working conditions, that should be repaired. I can imagine a lot of ways that work could be terrible and a lot of valid complaints. However, complaining that a factory job is not the same as an office job is not as productive. The complaints are true; I would much rather work an office job, but making the experience of the office workers worse doesn't help the factory workers in the least. I'm guessing that they have more concrete complaints that would really help them.

doublelayer Silver badge

Re: Going on-site has certainly been made redundant in IT

If they're going to outsource, they could have done that at any time during the past decade. For that matter, they can do that just as well now. Some places have decided that their workers that are more expensive are still worth the expense. The question of whether they're worth the expense while not in the office is very different than wondering if you can hire someone elsewhere for cheaper.

In more pragmatic terms, there are a few issues with outsourced workers which companies know about and may factor into their decisions. Time zone differences, frequent turnover in contracted staff, language issues, and administrative overhead of the outsourcer are all things that may change their decision. For workers they already have, they already know all those things and they're likely not to be very problematic.

NFT or not to NFT: Steve Jobs' first job application auction shows physically unique beats cryptographically unique

doublelayer Silver badge

Re: The truth

How informative that was. Very original.

Some adjectives which really apply: incorrect, irrelevant. But thanks anyway.

Israeli authorities investigate NSO Group over Pegasus spyware abuse claims

doublelayer Silver badge

Re: Israel seems to be a hotbed for evil tech companies

This isn't really accurate. For example, you've mentioned Cellebrite, whose most well-known product is a tool for breaking into mobile devices. They aren't the only company to make products for that purpose. Another well-known one is Grayshift, which is based in the U.S. You can find companies producing malware with government support in many countries.

Israel is a special case mostly because they have an unusually large tech sector for the size of their country, and many of their tech people have trained in security-related issues and chose to make that the core of their companies. They just have a lot of companies in that area, meaning they're bound to have some well-known malware ones in that mix. Some of those companies also get unusual levels of support by the Israeli government, but that's not unique to them either. This doesn't exonerate Israel for the crimes its companies engage in without investigation, but there are other countries who are culpable of the same.

doublelayer Silver badge

Re: How does it work?

We don't have knowledge of everything in their code, so these points are based on partial information which has been released:

First, NSO operates several servers which are used to install and operate the malware. This means they know at least some of the targets because they are infecting them on behalf of their clients. We don't know whether it's possible to change those servers to ones that NSO don't operate. Similarly, we know that NSO has target limits where certain licenses are paid depending on how many devices you want to force spyware onto. That implies but doesn't necessarily mean that there is some mechanism for checking whether a client has complied with those licenses or preventing them from infecting others when they have run out of credits. This would also imply that they know when and by whom someone was infected even if they go to some effort not to know who the victim was.

More speculatively now, I think NSO must continue to control the malware after they've sold it because they are operating in a very ambiguous area. They do have some protection from Israel for some reason which has never really made sense to me, but if Israel decided they no longer supported NSO, there would be major problems for the company. Therefore, NSO needs to make sure that, whichever governments or groups (yeah, I'm not buying their claims) they sell it to, they don't sell it to someone who will cause Israel to abandon them. For instance, they could sell it to governments for repression of the local populace, but selling it to someone who would use it against Israeli government figures is something they'll do a lot to avoid. Making a version available which is easily controlled without their knowledge is an invitation to do exactly that. They have strong financial and safety incentives to control who gets to buy and who gets to be the victims, and I'm going to assume that they know these things very well.

Scam-baiting YouTube channel Tech Support Scams taken offline by tech support scam

doublelayer Silver badge

Re: not for publicity

"Your point about number of subscribers as a reason for it not being a stunt only holds up if you assume someone who makes a living from YouTube wouldn't want to make more."

Not sure about that. Deleting a channel could put a dent in your subscribers if you have trouble recovering it, if recovering it doesn't automatically add followers, and least speculatively because none of us who weren't subscribers can subscribe right now when the name is in our mind because the channel's down. If this were for publicity, it would be best to have it recovered really fast after the news broke so people could come watch videos. I'm guessing it will stay down long enough that I won't end up watching it because I won't remember to go looking for it days from now.

doublelayer Silver badge

Re: Scam bait at major printer co.

From the sound of it, you got hit by ransomware or something like it which destroyed your data. That means you don't have to replace the disk and could probably just wipe it and reinstall. I'm not sure if you've tried that, but unless they have some unusual method of actively destroying your disk or you had a coincidental disk failure, you might be able to resurrect it.

Back on topic, it's very useful to hear stories like this to prove to people that mere knowledge won't save you from all scammers out there nor does getting scammed mean you weren't smart enough to avoid them. I think this is important to better educating users including ourselves that the risks are higher than some might think.

doublelayer Silver badge

Re: I was a bit surprised by this bit

It's not really tech knowledge that protects one from most scams. Knowing how to make the computer do what you want it to doesn't help you figure out that the bank alert is not real. We would hope that technical knowledge leads to checking links, but that's more a factor of laziness. Meanwhile, young people have less experience with a lot of life's details; if you've had a bank account for five years, you may not have seen what actually does happen when someone has compromised your account details, so when the call comes that someone has done that, you don't know that it's unusual.

I think the only reason that we more technical people are better at avoiding scams is that, since they involve a computer somewhere in the chain, we're told about them more often. Awareness, rather than knowledge, is our primary strength. However, I must warn those who think it's an impenetrable shield that we can get scammed too if the other side is convincing enough.

doublelayer Silver badge

Re: Always trust Microsoft reports - not

In fairness, just because someone has been calling you more doesn't mean the aggregate goes that way. If we're battling anecdotes, I have been waiting for a tech support scam call because it seems much easier to waste their time when they have to have a person on the call. I'm still not sure if it's disappointing or nice that I haven't gotten any. I do get automatic scams where the robot wants me to confirm I'm gullible before they put a more expensive human on the call.

What is your greatest weakness? The definitive list of the many kinds of interviewer you will meet in Hell

doublelayer Silver badge

Re: Resources

Beats a company I don't work for and never have who decided that "resources" wasn't impersonal enough. They decided to call their skilled employees "human capital". I don't know how they treated those employees, but that always struck me as unnecessarily honest. Yes, it was a financial company.

doublelayer Silver badge

Re: Why do you want to work here?

You have money, I have the skills you are looking for, and I wouldn't mind having some of your money.

I always find it strange that they think I have some burning desire to work for a company--there are companies I want to avoid working for, but I've never marked a specific employer as an absolute goal. This question becomes all the stranger if it's somewhere that contacted me.

doublelayer Silver badge

Re: Reverse

I don't like that approach, or rather I only like it in a very restricted set of circumstances. Unless the candidate has already been told a lot about what they will be doing, they don't have a lot to ask about. After the obligatory question about what the job involves, and some necessary clarifying questions, the candidate is likely to know what it entails. So one of two things happens:

1. The interviewers know everything about the details and are willing to share that information, so the interviewee has to ask about active tasks that they would be working with, essentially trying to solve problems without ever getting to see the system, code, or whatever else is involved in the problem. This is if the interviewers tell the interviewee that they're doing this, because most interviewers don't even know that stuff so the interviewee usually knows well enough not to interrogate them on the internals.

2. The interviewers either don't know the details or don't want to disclose that to anybody who can get into the interview, so the interviewee has to come up with enough questions to fill the time. Instead of learning anything about the interviewee's qualifications to solve the problem, the interviewers learn of the interviewee's ability to improvise and fill time. While improvisation is a useful skill, it's not very useful if the more important qualifications are lacking. Filling time uselessly is a negative except in sales or law (and isn't necessarily great there either).

By all means let the interviewee ask questions, but unless you give them enough information beforehand, which questions they ask isn't going to prove much about their skills.

doublelayer Silver badge

I don't think it's having the opinion that's the problem, but instead how you express it. If an interviewer asks what systemd is, they want you to describe what it's for and how it's used, not what you think of it. Commenting on its design decisions which you think are good examples of something you will avoid later is a middle area. Shouting that it's the worst thing you've ever seen is, even if they agree, not a great harbinger of your ability to accept things that you don't entirely agree with.

doublelayer Silver badge

"As the article says, the employer needs to avoid anyone who is applying solely because they're desperate for a job."

I'm not sure about this. There can be several cases where someone does need a job badly and is also quite capable of doing the work involved. That someone is applying because they need a job doesn't automatically mean they lack the ability to do it properly. For example, someone who took time off to deal with an emergency which has also depleted their savings could be very desperate for an income stream, but that situation could also happen to any one of us given a sufficiently bad emergency. On another level, anyone getting their first position in a field will have faced some difficulty proving their qualifications without citing experience, and they could be very interested in finding a position, any position, so they can prove their abilities as a professional. Yet everyone here who has a job at one point didn't have any job experience but still had skills.

As an interviewee, if you're desperate for a job, hide it. Many interviewers will follow this quote faithfully. To interviewers, I suggest you become the exception to that rule.

doublelayer Silver badge

Re: Oh yeah…

That's fine if you're at the offer stage when you decide you don't want to do that job, but if you're still in the interviewing stages, the costs are higher. Especially if the later interviews have time or location costs for you. Taking a day off work to travel somewhere to interview for a position you don't want in the hopes that you can suggest a ridiculous salary and they'll accept it is not very useful and certainly unpleasant. For similar reasons, I don't automatically start interviewing for positions when recruiters find me--having a bunch of one-hour initial interview calls isn't that hard, but it's often time wasted.

doublelayer Silver badge

Re: That Meme

Okay, I'll ask. What is it that you want to hear when you ask that question? I've seen a few basic answers, either listing qualifications of use to the position (you already have that in front of you) or platitudes about a hard-working, motivated, interested, team-working self-starter (useless). This becomes even worse if it's the kind of interview where someone might end up in a few positions, because now they're not sure what specific qualification you're hoping they'll tell you about.

doublelayer Silver badge

Re: It's a two-way street

"to people who neither know nor care about its products, ethics, "work-life balance" or anything else except the number on the offer letter, [...]"

Mostly agree, but I really do care about their work-life balance. I currently work a normal working week and I know how to request time off (and it's easy). If they want me to work long days or weekends, they'll have to pay me a lot more if I agree to go through that at all. Sadly, even though I care about this, I've never heard anyone tell the truth about the balance. Nobody ever comes out and says "To take time off, you must submit three forms through the complex portal with at least two months notice then wait for manager approval which should take about seven weeks", even if that's the case. If they ever did tell me, I would be listening with close attention.

eBay ex-security boss sent down for 18 months for cyber-stalking, witness tampering

doublelayer Silver badge

Re: What about EBAY

"I wouldn't assume anything and what's your evidence this went wider?"

Your caution is good, but I wouldn't assume they're innocent just yet. There isn't evidence known to me to confirm that someone higher in the organizational structure knew this, but the situation is such that it would make sense. This is not a thing someone does just for fun. They obviously had a business reason for doing it. The question is whether these people found the problem themselves, decided on this plan of action themselves, obtained the resources themselves, and then carried it out themselves? While not impossible, I don't think that's likely. I'm almost certain someone else found the potential PR risk, although that person could well be innocent and just introduced it to the people involved, but the following questions are worth asking and I hope investigators will be doing it:

1. Who came up with the idea? If not one of the people involved, they should face consequences.

2. Was anyone else asked for permission to conduct the behavior? If so, they should face consequences.

3. How did the perpetrators obtain the resources to conduct their behavior? From which budget were they taken, and who controls it? If not one of the people involved, they should face consequences. Additionally, who was in charge of reviewing their resource usage and how did they evade that person?

4. To whom did they report, and was that person aware of what they were going to do? If not, how did they hide their plan?

It's possible these people were just really driven to be horrible to someone else and they found the targets and hid everything from everyone else, but my admittedly small experience with companies making decisions suggests that this may not be quite what happened.

Slacking off? It used to be there was pretty much one place to chat with your fellow developers: IRC

doublelayer Silver badge

Re: ignoramus

"Why need server for peer-to-peer chat? Why not keep list of friends like email address book?"

Because most chat systems allow someone to join. That means the person joining needs a place to contact with a request to join and everyone involved would need to update addresses. If you have ten nodes in the network, that's ten possibilities to have different contact lists until they all figure out what they're doing and sync it. If you send big messages (files mostly), then you need to send ten copies even if nine of the people don't intend on using it. Also, you need to relearn everybody's IP addresses each time they change, which can be a lot if using the IPv6 privacy extensions or on an unstable IPv4 network.

"Then we need to little more than give our mail/address book apps a chat protocol alongside mailto/pop3/smtp/webmail/blahblahblah."

You can put the chat protocol into your mail client if you want to. It won't do that much other than keeping it all in one process.

doublelayer Silver badge

Re: ew

So include those in the package. There are mechanisms for managing Python dependencies so you can deal with outdated systems. Alternatively, have the installation process rely on those dependencies and then check at install time whether they're met satisfactorily. If not, you can still do the full install method.

Even with that, there's no need for it to install a database server for you. Make it clear it needs a Postgres installation, and ask for credentials just like everything else which has a database does. A user can easily install the database from their package repositories and let the install scripts do all the setup if they don't want to manage that themselves.

Thinking about upgrading to Debian Bullseye? Watch out for changes in Exim and anything using Python 2.x

doublelayer Silver badge

Re: "the value of exFAT support is mainly"

FAT32 has a limit on the file size, which is a problem if you store things like OS install images, large video files, backups compressed into large archives, or anything else where you might need something big. I welcome exFAT support because that has already been the most efficient way of using physical storage to transfer large files between other systems (Windows and Mac OS have supported it natively for a long time). Of course it was possible to do so already through extra layers, but native support will just make things faster and easier.

You, too, can be a Windows domain controller and do whatever you like, with this one weird WONTFIX trick

doublelayer Silver badge

Re: Right to repair

Would this spell an end to Intellectual Property?

No? There's still copyright. For the most part, you can't simply copy anything more than small code fragments without permission.

Yes, it would. If you make it legally required to release the code, then either you have to let people change that code by fixing it or the required release will achieve nothing because it would still be illegal to do anything with it. The argument about whether this is good is one I'll let others have, but you can't have your enforced-open-source cake and expect copyright to continue to have any real existence.

Dell won't ship energy-hungry PCs to California and five other US states due to power regulations

doublelayer Silver badge

Yes, for the stated power states:

"The standards [PDF] specify energy consumption targets that cover four non-active usage modes – short-idle, long-idle, sleep and off-modes – tied to the device's "expandability score" (ES), based on the number and types of interfaces, and on additional power requirements arising from add-on capabilities (graphics cards, high-bandwidth system memory, etc.)."

The power consumed while idle is important to these standards.

doublelayer Silver badge

It all depends on idle power consumption because that's what the law is about, so even if one is significantly more efficient under load, this law doesn't care. When running at idle, a lot of things consume power other than the CPU, which is probably why gaming computers are the ones that don't fit within the bounds. Only if one manufacturer can make large enough cuts in their processors' consumption when idle will that make a difference, and it's more likely that the PC manufacturers will find a way to make the more power-hungry components run better instead.

Private cryptocurrencies make lousy national currencies: International Monetary Fund

doublelayer Silver badge

"The exchanges and the miners drive the fraud, often one and the same but they don't need to be."

In fact, if you're attempting to prove that it's a Ponzi scheme, then they not only have to be, but their activities have to be fraudulent, not just worthless and speculative. The term has a meaning and it's quite specific. It does not mean "of dubious value" no matter how much you try to define it thusly. A Ponzi scheme is a method of someone stealing your money, not of you throwing it away. Cryptocurrencies frequently are the latter.

doublelayer Silver badge

Well, duh

When a country changes or adds a currency, they select something that's been at least somewhat stable. Just looking at the exchange rates between the popular cryptocurrencies and fiat ones over the past couple years confirms that one of them isn't stable, and living on Earth confirms which one that is. No sane country would look at that and decide to make one of those an additional currency. The closest they might get is using it as a short-term payment method, but few would be desperate or experimental enough to try that either. Most common cryptocurrencies are doing a terrible job as currencies, and everybody knows this.

doublelayer Silver badge

No, it's not a Ponzi scheme. That doesn't, in itself, make it a good idea, but if you're going to argue against it, do so accurately.

A Ponzi scheme requires a central entity transferring real value to handle transactions in falsified value. In clearer terms, someone has to run the scheme and commit the fraud. Cryptocurrencies do not have such a person. This disqualifies them as Ponzi schemes. In your argument, you said "you're supposed to think if everyone sold off, there would be something left of value, but there would not.", which is correct, but doesn't a Ponzi scheme make. In fact, that statement is true of any other real currency--if we all decided tomorrow that the pound was worthless and sold ours, it too would go to nothing.

Most cryptocurrencies are bad as currencies and weak as investments, with no external worth and hideous volatility due to investor activity. That almost certainly means that you shouldn't rely on them for storing or making money. They aren't fraudulent though.

BOFH: You say goodbye and I say halon

doublelayer Silver badge

Re: Not the Halon!

I'm betting it did. They didn't need it anymore, so they had it discarded while pocketing a large "disposal fee". If they left it, that's just more problems when they use it on someone. Replacing it with a perfectly good alternative which is now known and therefore unsurprising is a neater way of throwing off investigations.

doublelayer Silver badge

London. The company has moved premises from time to time but has always remained in or near to London. Of course, sometimes it's a London as envisioned by a New Zealander, but London is the goal nonetheless.

doublelayer Silver badge

Re: Not the Halon!

They don't need to keep it. They just need some gaseous method of keeping people out of the room, and if they've implemented the nitrogen method correctly, that will work as well. Or, for that matter, if they've pretended to implement it correctly, that might be as good a deterrent as any. More importantly, if they had an event where halon was detected, it's a worse excuse if it's illegal to have around. They might not be found out for the original use, but they'd have consequences already.

Cloudflare slams AWS egress fees to convince web giant to join its discount data club

doublelayer Silver badge

Re: Man in the middle attack

It sounds like you should be writing an extension for Firefox. That behavior regarding certificates is more complex than a browser typically supports--you can easily remove or distrust a certificate, but providing the data on each load isn't going to get added. It should be easy enough to implement by someone willing to write the code though.

Is it broken yet? Is it? Is it? Ooh that means I can buy a sparkly, new but otherwise hard-to-justify replacement!

doublelayer Silver badge

Re: Ah, "I will know it's new".

If you store batteries for a long time, storing them at colder temperatures may extend their shelf life. How much it does so depends on the chemistry of the cells. I've seen people with more space than they need put batteries in the fridge for that reason.

A warning that if you're going to do this, do not put them in the freezer. Everything will fail if you make it cold enough, and the freezer is usually too cold for batteries. They could become mechanically damaged. If in doubt, check if the cells have a temperature rating and adhere to that. If they don't and you're still in doubt, room temperature is going to be fine enough.

Facebook gardening group triumphs over slapdash Zuck censorbots

doublelayer Silver badge

I hate Facebook quite intensely. I feel I should state that right at the beginning so I won't give any misconceptions here.

They are neither "a quasi-state" nor "a government", nor are they particularly special. Reasonable arguments can be made that they are abusing a position of power, but they do not have the kind of power you think they do. Specific allegations include that they could close the pages used by businesses, which is true, but the businesses have the choice to operate their own business site or to use one of many other networks happy to host it for them. The fact that many businesses choose to only use Facebook does not mean that there isn't an alternative, and in this case the alternatives are cheap and better. Similarly, Facebook may be someone's only communication mechanism, but only if that person really hasn't bothered to get a phone number or email address from their contacts, which is not that hard.

Facebook has committed many violations of their users and those who try to avoid them, but you can't just declare them to be states without evidence. The large number of alternative superior ways to communicate and publish indicate that they aren't preventing those activities. It doesn't approach the restrictiveness of a company town, given that it can be avoided without significant cost. Its deplorable actions should be countered, but without elevating it to a position it does not and must never be allowed to inhabit.

Akamai Edge DNS goes down, takes a chunk of the internet with it

doublelayer Silver badge

Re: Bad days happen to everyone

If we consider how much of the internet uses these services and how infrequent these events are, despite the attention each one gets, you could come to the conclusion that the services are actually pretty good at keeping sufficient resilience such that you don't have to worry about them most of the time. I don't know if that's a positive or a negative though--if they were less resilient, then maybe people would have more than one and they could better withstand the failure of one such system.

doublelayer Silver badge

Re: Thankfully!

I assume they wanted to use two icons, and they're only allowed to select one.

You're not imagining it. Amazon and AWS want to hire all your friends, enemies, and everyone in between

doublelayer Silver badge

Re: "I don't know how much AWS gives back to the ecosystem"

"Oh- wrong again. Go and download it and run your own X node cluster, where X is as big as you like, and pay Elastic nothing."

Yes. And when Amazon did so in order to charge people for it, Elastic got annoyed about Amazon using the right they explicitly gave them and attempted to adjust the license to take that right away. Currently, their new license still lets me set up a cluster for my use if I don't sell it, but if I make money off that, what's to say they won't change the license again because they don't think I'm giving back enough when I donate the amount I think they deserve? This is the debate. Should they change the terms because they want more money, which they have the right to do? I think doing that is against the spirit of the licenses they used.

doublelayer Silver badge

Re: "I don't know how much AWS gives back to the ecosystem"

"I see that you thrown in "rent seeking" buzz-word, but in the context you used it, why don't you accuse workers of rent-seeking? Why company should pay workers every month?"

The difference is what they said before. The workers signed a contract saying they would be paid, whereas Elastic didn't. Therefore, the workers are asking for what they already agreed they would get, whereas Elastic were asking for something nobody ever agreed to give them and, in fact, something their license said wasn't required in the first place. Once again, I can see why Elastic wanted it, but changing the license terms is not a very nice thing to do, especially given that there were other contributors to the code whose contributions were being exploited just as much as Elastic's were.

Europe mulls anonymous crypto-wallet ban, rules to make transfers more traceable

doublelayer Silver badge

Re: Inevitable

This is tough for me, because some of your points are great and some are very wrong. I suppose I'll just have to go down the list:

"1) Environmentally damaging": Yes, very much this.

"2) Unstable": Correct and important.

"3) No sensible control of supply, the "Mining" is the stupidest part.": Incorrect. The supply control is built into the specification of the currency in the first place. There is a finite number of Bitcoins that can ever exist, for example. Most proof of work ones have difficulty levels which act to restrict supply. This is one of the things the designers intended right at the start.

"4) Transactions don't scale.": Probably the most important point you brought up and one I've had to explain to cryptocurrency fans for years.

"5) Transactions are 1000s of times more costly in time and computers and energy than IBAN.": Yes, this too, although it's kind of a necessary corollary to 1 and 4.

"6) The only reason for Blockchain is to decentralise, have no control and enable a degree of anonymity. All naive and stupid design decisions.": Why are those naive or stupid? The users don't trust central control, so they remove it. They also value privacy. I can see not caring about those yourself, but is there a reason it's stupid for others to care about them? I'm not an adherent of cryptocurrencies and yet I think those points have value.

"7) It looks like a Pyramid scam": Other than having a central controller, using others' money to pay back previous investors, or the person who is going to walk off with the money. It's missing most aspects of a classic pyramid scam. You can scam with it, and it's a very risky investment, but it is not nor does it look like a pyramid.

"8) It is purely speculative in value.": A lot of things are speculative in value. Avoid investment, if you will, but many others don't view this as a deadly fault.

"9) Not actually a currency.": Not a good currency by any means, but you can have it and pay people with it, it is fungible and can be exchanged. Functions like a currency.

doublelayer Silver badge

Re: Inevitable

I'm sorry, but what?

"the transfer limit would mean that assume an average of a 1k ransom, then 10 "customers" could be directed to a given wallet a day, having to create many hundreds of legit wallets a day would lead to throttling and easy detection"

No, it wouldn't. They don't need to set up legitimate wallets to receive payments if they can exchange somewhere other than the EU. They can even live in the EU and exchange elsewhere. The people who need to set up registered wallets would be those paying the ransom, and they would only need to set up one. The creation of unregistered wallets is easy.

"2 the internet is ultimately answerable and licensed for operations by governments, if they say no they its a no, freedom online is an illusion"

Well, sort of, yes.

"icann answers to the US govt, RIPE to the eu and uk govts,"

So what? So the ransomware operators can have domain names taken off them (and it wouldn't be ICANN doing that anyway). And if they registered their own IP blocks, those could be taken away too, although they never do that. How would this affect them at all? They mostly use Tor hidden service domains, which ICANN cannot take away, and they'll operate on anonymous hosting accounts or compromised computers which can be shredded whenever they're concerned. How does the regulation of basic internet operations impact this and if so, why hasn't it been used before?

doublelayer Silver badge

Re: Inevitable

I'm afraid this isn't correct. The regulations require tracking of people setting up wallets and moving money inside the EU, but don't have control over the technical systems of any cryptocurrency. Without a regulation making the payment of ransoms illegal, this would do nothing--user identifies themselves, exchanges cash for crypto, pays crypto to anonymous wallet, ransomware operators exchange that crypto somewhere outside the EU without identifying themselves (which they're already mostly doing).

The only thing this gives you unless you make payment of ransoms illegal is a list of people who paid the ransoms. They would still be able to do so easily.

doublelayer Silver badge

That doesn't break this system unless you mined or bartered for all the crypto you have. If you wanted to exchange some cash into crypto without being known to this proposed system, you would have to go to an exchange that's outside the area where you live (or is willing to break the law). Therefore, for most users who got the crypto by exchanging local currency, they and their wallet public keys would already be known and stored.

Thales launches payment card with onboard fingerprint scanner

doublelayer Silver badge

Re: "There are concerns over using fingerprints as an authentication system"

True, but this doesn't really change that. They're going to pay that whether their customers use fingerprint cards or normal ones. The only way to avoid that is to not accept cards for payment. I've only seen a few places do so. With that in mind, there's not really a benefit to the user of the card to use this system, and therefore not much benefit to the company in using these more expensive cards and dealing with technology issues getting them accepted.

NSO Group 'will no longer be responding to inquiries' about misuse of its software

doublelayer Silver badge

Re: This is a strawman.

Yes, that is what I assume. AWS has a lot of rented servers. It would be hard for them to know what each one is being used for. They identified some as being connected to NSO, but we don't even know if they got that from the account details or were just told of the service IDs. Either way, it wouldn't be hard for NSO to come back with a fake name and do it all again.

doublelayer Silver badge

Re: SWaaS

"I bet this all started with some suit ordering their techies to do it over their objections."

I don't think so. Technical people have the option not to do this, and they especially have the option not to do this well. To get a successful set of exploits and use them to this effect, it wouldn't appear they have technical people doing this under duress. I would be comfortable assigning guilt to any programmer on their software and I wouldn't be so quick to assume the blame only resides with a subset of those who know what's happening and do it gladly.

Hijacked, rampaging infrastructure will kill humans by 2025 – Gartner

doublelayer Silver badge

Laziness. Convenience. Desire for short-term profit. Failure to consider consequences.

This answers a number of similar questions too.