Posts by doublelayer

Re: Victim shaming

Your concerns are valid and they are often taken into account during extradition hearings. In many cases, if country A does not think the event was a crime, they will refuse to extradite. If country B's punishment for the crime exceeds country A's, it is common that country A will only agree to extradite under some conditions including a limit on punishment. These considerations are often seen in such cases, and there have been cases where country B decided not to meet country A's requirements and country A refused to extradite and charged the suspect themselves.

As for your discussion on where Twitter is located, that is somewhat clear. The company is located in the United States. They may own other entities, but the entity which controls the servers which were broken into is the main company based in the United States. The crime that is mostly being discussed here is accessing those servers, meaning that the locations of the people impersonated is not at issue. The location of the people used during the attack is similarly unimportant. In this case, the U.K. and U.S. both have jurisdiction over this particular suspect, so the U.S. may request to have the suspect tried there. If they do, the U.K. will be free to refuse that request and they will consider points such as yours when they do. It is worth keeping in mind that, should the U.S. make a request, it is not only legal but very standard for cases such as these.

Re: Human Rights

"Does China have greater surveillance of its citizens than the USA? I very much doubt that it does overall."

You may think this, but that is incorrect. China really cares about surveillance, and they have it in spades. They have software to track communications over phone or internet. Software to monitor movements using vehicles, and increasingly pervasive camera surveillance with some of the best facial recognition technology. But these only cover the cities, right? Wrong. They cover a lot of the area, and they link people based on any metrics they need. When they decided to repress a group that was annoying them, they rapidly expanded their surveillance to cover the Xinjiang province and areas near it in other provinces. But you had another point to make:

"Far more Chinese citizens live in extremely rural areas where there is no CCTV, just for starters."

Nope. Those areas are indeed poor, without many of the nice conveniences for life which also make surveillance easier. Want to know what they still have? They have cameras. There's another reason for this. China has had a long history of trying to keep tabs on their population. Going back to the 1950s, it was critical to know who was doing what. Back then, cameras weren't really an option, but a strict hierarchy of power and responsibility was. China built that. Now, they can use technology to support it, but they still have that hierarchy. Part of that is responsibility to watch people for certain activities and know things about them. It's inefficient, but it works.

Countries like ours are dangerously willing to surveil us. They have powers that we need to curtail. They have been taking advantage of anything they can think of to increase their capacity. But we can still do things that China has prevented. A lot of the reason for that is that our countries don't use their surveillance powers against us very often. China is better at it because they use it all the time, while our countries may have the capability but by leaving it unused they don't have as much ongoing data.

Our governments may be interested in ideas like a social credit score, automatic checkpoints requiring constant confirmation of a person's identity and status, or elimination of encryption, but it is China that has already successfully implemented them.

Re: There's more..

But in order to make that decision, we have to ask why those professions get those privacy benefits. Lawyers make sense, since they are ostensibly the protection layer between people and their accusers. How about doctors? Why do they get that protection? According to this article on the subject, it's designed to ensure that patients tell medical professionals enough information that they are treated properly. On that basis, you can make an argument that security testing is similar to medical--they are also ensuring that the person or organization who is using their services is healthy, and you can draw coherent though tenuous connections between tasks performed by security testers and doctors. The argument isn't the easiest to make, but in my opinion the argument for medical privilege isn't particularly convincing either.

Re: Why make keyboards

If you're looking for somewhere where it's really hard to find electronics and the road is a day's walk away, Japan might not be it. Japanese is spoken elsewhere, but not so much that you'd expect to stock many Japanese keyboards for the general public there. If they want to create keyboards for languages that aren't well represented at the moment, maybe they should focus on those which haven't been well-established in computing for five decades. There are languages covering millions that fit that bill.

Re: Disabled person

Are you willing to build the system yourself? There are a few things you can do to get that working. Various projects exist allowing a Raspberry Pi to relay audio to such a service, so you just have to replace the recognition on their servers with recognition running locally (CMU Sphinx has proven to be an effective library for me). Of course, you then have to provide your own list of commands and actions to take when commands are heard, so it's not labor-free.

There are also some open voice assistants that run using local software. I've seen types that use a Pi as the brain, which are more open and configurable but sometimes less powerful. This one is probably the most famous, but I have never used it and I don't know whether it's capable of everything you want. I've seen others that use an Android device to power them because by doing so they can use Google's dictation function (requires an additional download but then can recognize offline) instead of building that themselves. That would also work, but initial configuration or recovery should the host device shut down isn't as straightforward as with a Pi. If you want to investigate those options, try searching for voice assistants on FDroid or Github. If you set up either option with a speaker of high enough quality, this should work.

"My God, if they're spooks then they ought to be about paranoid enough to only use a crappy little GSM type phone while at work."

Antiespionage report, section 12: mobile device usage among clearance candidates

Most candidates for this position are using off-the-shelf smartphones. They will be treated with normal scrutiny. Four candidates are using phones without smartphone capability. Two of these are old and are using old devices. While it will be assumed that these people dislike smartphones, these candidates will still be treated with elevated scrutiny. The remaining two are using newer devices without that functionality and will be treated with severe scrutiny. Two candidates are using atypical smartphones, namely candidate 280 is running a Linux-based mobile OS on a device from Pine64, a known provider of secure devices for technical users and candidate 393 is using Lineage OS, a variant of Android with additional privacy features. Candidate 393 will be subject to severe scrutiny. Candidate 280 will be denied clearance and will be further investigated for potential criminal tendencies.

Sometimes, if you want to blend in, you have to do things that everyone else is doing even when you don't want to or they're dangerous for your attempt.

The Pro iMacs have Xeons. All of them are Xeons. The article says this.

Not voting on either comment, but in my case, I don't want that. My case protects the screen, but it doesn't cover it. It protects it by going over the sides, so if the phone falls onto its screen, the case keeps the screen from touching the ground. That combined with a cheap protector over the screen and not dropping it very hard has served me well so far. The case also goes around to cover other sides so it can absorb some shocks from a fall in any direction.

Meanwhile, a case that does cover the screen either makes me use the device with an annoying hanging component or causes me to remove the device more often to avoid the cover element getting in the way. I may want to hold the phone to my ear or have it positioned in various ways in front of me, and something that doubles its area doesn't help in those cases.

Re: Good move

Not as many as you think. For one thing, family names are common but there are still a lot of options for given names to increase the numbers. For another thing, this just plugs in on top of the existing tracking of IP addresses, meaning you don't care how many people with a certain name are in China, but how many people with that name live in each building. If you can track people by their address when they set up their account, you can do two things with that information. First, you can track them even if they move because you know for certain who it was who set up the account. Second, people aren't very original when thinking up usernames, so you can possibly identify people by names on other things that haven't complied with this policy.

Re: Global Internet

"Having assets in the EU is what gives the EU power. If they were not there and yet they could still provide services without the need for an EU ISP would it be as clear cut?"

The only way that would work is if they offered free internet as long as you get the hardware yourself. If they sell you the hardware, they operate in the EU. If they sell service, they likewise do so. To have the ability to do things like that means they would have to have at least some assets in that area, if only a warehouse full of satellite dishes and the account that people pay into before it's routed to the main account elsewhere. The EU could cease those resources if they needed to. The companies can do only so much to have nothing there, and if they do, there's less and less benefit they get from it.

Re: In re tracing cash...

True, but there can be logs of which serial numbers were placed into the ATM before they were printed. Especially when using newly manufactured banknotes, the stacks are consecutively numbered. This is useful to catch people working for the bank who see a large stack of cash and think of the potential to pick it up and run. Going in is another question. I don't think they OCR those bills most of the time, but there is a facility to do so elsewhere and it is done on occasion. Having never worked in that area, I don't know how the scanning is done when it is deemed necessary or how routine it is.

Re: The problems continue

"Pedantically, for something to be a "zero-day" it has to be actively exploited in the wild, before researchers discover it, or the provider is informed."

Even more pedantically, that's not it. The zero-day doesn't start counting up until there is a solution--something we know about and it's being used but there is no patch is still a zero-day. Now you may be correct about requiring an active exploit; the researcher claims that a zero-day exploit can be something that could be used but isn't yet known to be, while something that is known to be used is a zero-day attack. I'm not sure I buy that logic. Either way, if he is correct about these being exploitable and someone starts to exploit them while the Tor project hasn't accepted and patched them, they would become zero-days.

It may be, but unless there's someone else doing the real work on it to make sure it stays working, some of the students might get caught in the trap while it's still in operation. An environment through which students must submit work is a very important thing in education, and when it breaks there can be large problems.

I am young enough that I've used such systems during my own schooling, and two events of problematic failures come readily to mind. First, there was the time when the system simply refused to accept uploaded documents. Every week, starting around 10:00 in the morning and ending at midnight or possibly later. The homework was due at midnight. I don't know how many students were thrown by this, but I had to email my professor with the documents and promise to try again later and that the files would be identical (fortunately this was accepted). The second time concerned a system for automatically detecting plagiarism which reported, on our class's final papers, nearly universal plagiarism. In fact, we had all committed exactly the crimes of which it was accusing us, namely we had copied, with only slight modifications, large chunks of other documents. Those other documents were our drafts for the same paper, which also got submitted into this system's big database. Worryingly, it seemed we had also plagiarized smaller sections from certain works which all seemed to be between quotation marks. Funnily enough, I don't remember that system being used for many other courses.

From the reports, it sounds like it's only LAN-accessible unless the user has done something really stupid. Still, there are too many ways of getting LAN access and too many worrisome ways of exploiting root access to the network device, so it's still important.

Re: Flash is dying, why not e-mail?

That is true, but unfortunately most of those things are worse. Email may have too many security problems to count, but you can pretty much guarantee that an email sent from one place will get to another one, and if it doesn't there are only a few reasons for it. More modern communication apps require a lot more configuration. Ones designed for companies often make it hard to communicate out of the company. Those designed by big companies require sending unencrypted data through their centralized system. Those designed by hardware manufacturers lock you in. And some others require phone numbers or email addresses and essentially provide an overlay; while the features are good, you still need the other mechanism for that one to work. Email and to a lesser extent phone calls and SMS are global and compatible. Most other things aren't.

Re: I'm a bit confused by this.

Because the code is developed in the U.S., meaning that they're not allowed to supply it, even indirectly, through any entities they control or which control them, or through an independent entity which they know will be used to violate the sanctions. If they do, they can be penalized by the American government for trying to break their regulations, which is investigated on a when-they-want-to basis. This means that Google would be handing ammunition to cause them problems to any U.S. administration which has some reason not to like them.

Re: Why I love the Right to be Forgotten

Google is not allowed to collect and store such information from other parts of the law. The fact that the right to be forgotten had to be enacted as a separate section, rather than coming organically from other sections, clearly indicates that it is a separate thing. Among some of the details that make this different is the fact that Google's database does not specifically say any of this; it simply knows that a certain page happens to contain those words; the entry for a page stating "Person X declared bankruptcy", "Person X presided over a hearing for declared bankruptcy", and "Person X fought against creditors who declared bankruptcy" look rather similar. In addition, if they are required to remove access to the page, they are not required to remove it from the database. In fact, they are required to put it in another database so they know not to link to it. The parts of GDPR regulating personal information would have required deletion, which this does not.

And there you have the problem. If you know you will always be working from home, you would probably enjoy doing exactly that. If you knew you would be coming back in six months, you could try to liberate yourself from your agreement to rent and find somewhere nicer to be for those six months. If your workplace might bring people back, but nobody knows when or whether, then you don't have as much freedom. And the worst possible outcome: your workplace might bring people back and hasn't committed to a specific time by which you have to return. Google has done a good thing here just by giving a date well into the future. People can actually make some decisions based on this without fearing that they'll have to cancel plans at short notice.

Re: Bazaar?

Yes, but given that the sentiment, phrasing, and timing was so similar between the posts, I figured it was likely. Especially as the idea was both wrong and rather unrelated--after all, Apple doesn't make devices like this, so they're not that relevant to the discussion.

Re: "Slapping a "Personal Edition" label on a product implies..."

"Sorry, there are sentences like "Slapping a "Personal Edition" label on a product implies you can only use it for personal use, which would be against the license." which are utterly wrong."

Maybe you would accept it if rearranged. Here's what I think it is trying to say:

If a project said that you can only use it for personal use, that would be against the license. Slapping a "Personal Edition" label on a product implies but does not really mean that.

The sentence occurring immediately after the one you quoted makes it clear that they understand that the implication is not true. They are not claiming license violations. They are claiming user confusion.

Re: Did he not

Comment was written somewhat tongue-in-cheek, hence things like claiming he knew what he was doing and recommending that criminals pay attention to environmental considerations. However, it is good security practice to erase disks even when discarding the hardware, so I only had to joke about what his intentions were, not what is a good idea.

Re: Sitting Ducks

Exactly. If you can have enough weapons to be able to take out satellites with a 12-24 hour lead time, that's pretty good. Preparing a ground-based attack might be able to go faster if you rush things, but it's not markedly so. Also, if you attack a satellite from something near it, you can do so in such a way that relatively little damage is caused to other things. If you have to fire your offensive weapon from the surface, you don't have as many options--either you launch what is effectively what you could launch already, or you go for a blast it to pieces approach. If you do blast it to pieces, there's always the chance you might damage something you didn't intend to damage, either causing problems for you or angering someone who was formerly neutral. Even if you still think surface-based attacks are useful, it doesn't hurt to have both options available. If you can stand to wait a few hours, use your orbiting disassemblers. If you can't, bring out the big laser.

Re: Is dropping your phone common?

I've dropped mine a couple times, onto wooden floors, onto concrete, and onto a cat. The phone never seems to mind these drops, but mine is older and has a case on it to be careful. The case isn't designed to provide massive levels of protection, but I've seen other people with cracked screens, so I figure it's not hard to use the basic protection option. So far, this combination has resulted in no problems save for a short meow and a contemptuous look.

Re: Why is the IT manager deploying HA Proxy?

The culture of having managers and nonmanagers, where managers are defined as people who don't know how to do any of the things that need doing but direct people to do so is harmful. A good manager understands what the people they're managing do, and they understand how to do those things in a pinch. The team members themselves may be better at doing it, but if the manager doesn't know, they're not competent. In addition, the word manager can be applied to people who manage things other than people; it's pretty generic.

Re: Choice, not Charity

So, your suggestion is? If your suggestion is "you should have taxed him more a while ago", well, it didn't happen. If your suggestion is "take away his resources now", don't expect that to happen either. If your suggestion is that he should donate his money to a fund controlled by the government rather than a fund he controls, don't expect that to happen either, because he and probably various others will have more confidence in his determination rather than any national government.

In addition, there are different goals between philanthropists and governments. Do you think the public would be very interested in curing a disease that never affects them, in an area far away with which that country doesn't interact very much? Would a government that is beholden to its voters, lobbyists, and businesses but not to people on another continent spend a ton of money on a comparatively small project to help the least powerful there? It sometimes happens--there is foreign aid--but it's not their primary concern and arguably shouldn't be (I wouldn't argue that but I've heard enough people do so that it does have an effect). It is his choice to spend his money on people outside his country, in a way that might not be the priority of the people who would get the vote on it if he had to turn the resources over. Unless the people decide that, for some reason, he needs to have his money taken away, that is his choice to make.

No, they didn't. The claim is that apps expanding to fit the available memory is good. The reply states why having free memory is good. If the apps expanded to fill the memory, then there is no free memory, and the benefits listed there are lost. If a system can run in a gigabyte but has two, you have a gigabyte for caching. If it can't run in one and needs two, then you have less or zero for caching.

"I'd prefer not to be tracked all the time, obviously, but I've never worried that so being would fit me up for a crime I didn't commit. Does anyone here really worry about that? If so please can you explain why in rational terms?"

Here's one short but good reason. It has already happened. Look at arrests based on facial recognition. There have been several in the U.K. and U.S. In many cases, the person arrested doesn't look like the person identified; the cameras got it wrong. And yet, those people have been in police custody for far too long before they were released. They do get released at some point, with no charges, but do you think they get any recompense for spending some time in jail? Any way of proving to people whose meetings they missed that yes, the police did arrest them, but that they didn't do anything wrong nor was there any reason to suspect they did? Similarly, some police organizations have been known to treat some people without regard for justice. It hasn't affected me. It might not be in my area of residence. If it affects others, it's still bad and it is part of my responsibility as a citizen of a democracy to ensure there are protections for those people. One of the most useful protections is requiring warrants for accessing potentially abusable information. It has been done for decades in many countries; it can keep happening.

Re: why aren't postal votes considered a fraud risk in the US?

"For the benefit of us folks in the UK could you please explain what a hanging chad is and why it matters."

This applies only to the 2000 election. Chads are small round pieces of paper that are meant to be punched out of a paper ballot. The voter selects the choice, the corresponding hole is punched, the chad falls away, and the ballot with its hole can be counted automatically. The problem occurred because some machines failed to completely punch through the paper, meaning that the selected hole was not fully opened. The chad remained partially attached to the ballot, hanging there. This caused problems because the counting machines sometimes failed to count those ballots correctly.