Posts by doublelayer

Re: Requires a GCP account?

"This seems to be a side-effect of the necessary rate-limiting."

Which they need exactly why? They don't have rate limiting on so many other products they develop. I can send searches through their system by automatic means, and each of my searches have to go to many nodes so they can search a massive database quickly, find advertisements for me which means going to another database, and a bunch of sharding and protection against endpoint failure. This one is much easier. A single database. Maybe five queries on it for each search. Yet this one needs authentication and rate limiting?

This is Google. They have plenty of resources to host a database. Also, it's supposed to be an open resource for the benefit of everybody [cough as if cough]. That should mean open access, with an open API which lets me clone the entire thing if I have a reason to. It should also mean open management, where they wouldn't even have to provide all the resources. If this was an extension or replacement of the CVE system designed by Google with others who were going to use it and encourage its adoption, they could get lots of other big companies to chip in for the hosting and bandwidth costs. I disagree entirely that rate limiting of any kind is necessary, let alone rate limiting by requiring a painstaking authentication process with contact information.

I doubt it. Sure, they have a bunch of money, but possible mistyped domains are so many that you can't just reserve them all.

Transposed letters: Microosft, Microsfot, Microsotf, etc. 8 combinations

Letter one over on a QWERTY keyboard: Microsofr, Microdoft, Mivrosoft, etc., 18 combinations

More than one letter off by one: Way too many combinations.

Letters off and sometimes transposed: Let's test the budget then.

Easier just to put all those combinations into a spell checker and run it over stuff as you publish it. Or check that links work.

Re: "… according to a report by Japan’s Nikkei."

I'm sorry, you've lost me.

"the Japanese truly love the North Koreans!": I'm guessing this is sarcasm, given the dog and cat comparison and that it's wrong, but then you say:

"You could not get a more unbiased source.": Did you mean a "more biased source"? Or was that sarcasm too? If both were sarcasm, it sounds weird to me.

By the way, it's not really fair. Japan and North Korea don't recognize each other and frequently argue (not really bias on Japan's part as North Korea has this nasty habit of shooting missiles at them). Still, there are countries that have worse relations with them, including the U.S., France, Taiwan, and places like that. Japan also contains a surprisingly high number of pro-Pyongyang organizations, although they are operated primarily by a small subset of ethnic Koreans and don't speak for Japan as a whole or the Korean community there.

Re: I don't find Google blocks too well

I would like to filter that, but on occasion, someone in the HR office has sent me an email like that. It's never been an important one, usually talking about some new thing they've set up. Still, I wonder what they were thinking when they decided the best way to create an email which might appear on desktops, laptops, or phones is to make an image of all the text and just send that. It can't scale well. I also wonder if there are any visually impaired people on the list. I checked, and they didn't put in any text layer for people who can't read visually.

Re: Born idiots. All of 'em.

Pranks are dangerous, especially when the victim doesn't know what you're going to do. Pranks between friends work because, if a friend doesn't like the prank system, they'll either make this clear and their friends will respect it or stop being part of that friendship. Most others are irritating. Some are like this one and are criminal. There should never be a defense that the crime was meant as a prank; if all involved are happy about it, then no charges will be brought. Otherwise, it was a crime and should be treated as such.

"Does the whole process of https (encryption on my side, transport, decryption on your side) count as 'transmission'?"

As the ruling goes, it would be as follows:

1. You construct an HTTP request in plain text in memory. If they seize it on your machine here, it's at rest.

2. You encrypt it to ciphertext which we'll presume you store in memory. If they seize the ciphertext, it's at rest. Also, if they can seize that ciphertext, they wouldn't as they could also seize the plain text earlier and that's easier.

3. You establish a TLS connection to a server and send the chunk along a network to it. If they intercept your encrypted data by watching it as it goes to the server, it's in transit.

4. The server receives and decodes it. If they seize it on that server, then it's at rest.

You can think of it as "Where does the interception occur?". If it's on your computer or the remote computer, it's at rest. If it's in between, it's in transit.

Re: MAC address

From the article, that's almost exactly what they've already done. Most discussions here are about prevention, but they appear to already know how to do the detection part.

Re: Keeping the accounts seperate.

Short answer: he didn't. Complaint irrelevant.

Re: since they’re all publicly available anyway

"There is also some applied permission once you publish it."

There is explicit permission based on the terms of service for the thing you posted it on. Which usually gives anyone who can see it based on the settings the rights to view the content, but may restrict them from copying it and using it offline for other purposes unless you specifically allow that. The services we know they used do not take copyright from the original creators, nor do they require those people to grant a right to create derivative works. So those rights don't automatically exist.

For example, The Register has a term describing what rights you have to grant when you post:

"8.2 You retain all your ownership, copyright and other interests and rights in your comments but by posting any comments on our Website you grant us a non-exclusive irrevocable and royalty free worldwide licence to use, modify, alter, edit copy, reproduce, display, make compilations of and distribute such comments throughout our Website."

Re: Apples and oranges

"and to those who rage about Chromebooks timing out on support - this Windows machine has done exactly that indirectly - it's storage is insufficient for updates to occur so Windows will fall off support in a couple of months."

Wrong.

What your thing has: The manufacturer made it with specs that don't let the system stay up to date in the easiest way.

What the other thing has: The system could update, but they've cut it off so you can't do so in any way.

If we're technical, you can update Windows on your thing by performing a deep clean to remove files, including moving all personal files to external media. That will give you more storage for update files. If that fails, you can reinstall the latest version, which will give you the latest updates. You shouldn't have to go that far and some won't know how to do it anyway, but it's possible to do it without having to recode anything or attempt to hack into locked firmware. Chromebooks are instead killed outright.

Re: Wikipedia is far from perfect...

Doesn't matter. If they've reset it to a 200 which says the page isn't there, the archive may have a copy when it was. If it does, you can and should edit the link to that copy. If not, you can remove the reference and invite a re-citation.

Re: What, exactly, is 'free speech'

"This site knows my real name and e-mail address. Yours too, otherwise you wouldn't be able to post here."

They know a name, which I don't even think they checked looks at all like a name. Mine looks like a name. Do you think it's the one on my identifying paperwork? It might be. They didn't check. They also know an email address which could receive a verification link. Maybe it's mine, but I can set up emails without my name on them. Also, since I didn't forget my password, I haven't needed it since. They have no proof the address still exists. Or was ever mine. That's pseudonymity for you, which is usually enough for sites like this.

There's nothing wrong with asking for it, but it reads to me as if they're demanding it without wanting to help. They don't have to preach all this necessary change if they instead found some people to do the code reviews. If they sent a message like this to repo maintainers, it could work:

Hello maintainer team, we're using your code in our products and therefore have an interest in continued security in your codebase. Therefore, we've employed some people to do code reviews on any PR to main. We'll flag security things as well as bugs that seem clear to us, following your documentation on style and requirements. It would help us if you could hold back completing PRs for a couple days while our team reviews. Of course, you don't have any obligation to do that, but we think it will result in better code for both of us. Thanks for the useful project.

They'd probably get acceptance from basically everybody, because they're doing the work to solve their problem which doesn't restrict external developers. Maybe that's what they will do. So far, however, it seems like they want a bunch of information from the projects and complain about practices they dislike without wanting to put in the effort to fix anything.

Re: @Blind AC I see a use case

I'll be the first to admit I haven't read very much about this, but it doesn't look like that's an option. The pricing pages include the price for creating a model, storage of a model and running said model. I don't see anything about downloading the model, let alone downloading the engine that uses the model. All prices there are about sending text to the cloud, where they are converted to audio using the previously-trained model. If people want to run it locally, they'll need the synthesis software along with their created model. If that's actually available, I haven't found anything about it. I think the original contention about cloud-only may be correct.

Re: I do wonder...

That would be nice. I wonder what they're currently using though. Desktops have existed long enough that places probably have old ones. I'm guessing most of the places that don't have computers at all don't have them because it's difficult to power or network them, which isn't going to be solved with a bunch of newer desktops. There are probably some places that will get a cheap upgrade from it though.

"I've never understood why TLDs are handled the way they are."

To make it easy to determine what kind of site you're about to deal with. With the initial structure, you could determine what country they chose to attach themselves to. Sometimes, this was validated (Australia, China, Saudi Arabia). Sometimes not, but there was still an ostensible reason for doing so. And there were special zones for certain types of validated domains. .edu means an accredited institution of higher learning in the U.S. .ac.uk means the same for the UK. And pretty much every country has one of those. Which helps clarify that it's a real school and not someone making it up. That's why we have a tree structure.

"The whole "level" thing is just a mess and only exists because of history and tradition."

On what basis? Name exhaustion? If that's your complaint, and I have no clue whether it is, that's a little convenient since I can found a company with a name without having to purchase a hundred similar addresses. Sure, I might have to modify my name to get an address that someone's not sitting on, but if they're an actual place, that prevents trademark clashes. We can deal with those who are not by changing the rules on domain parking or resale, but not by making a couple hundred new TLDs and tossing them out.

"It's just an address. All that is needed is to verify that the full address is not already in use, and then add an entry to DNS for it at some point so that the address points at the correct IP address."

And to ensure that people can't easily abuse it. For that reason, I own any subdomains of my domains and you can't have them. And we don't operate certain TLDs that could cause problems (ICANN specifically banned anyone trying to reserve .home and .local, for example). And to ensure there's a dispute resolution process and a method of cancelling a domain used to commit crimes.

"Yes, I know it's more complex behind the scenes, but only because we have made it complex."

Actually, the technical process of DNS servers isn't all that complex. It takes a lot of hardware because we want reliability, but you can explain it to a nontechnical person in ten minutes.

"As an example I'd pay to register @big.boomer but I'm not interested in managing/maintaining all of .boomer and the chances of anyone else doing it is equally minimal, so why shouldn't all registrars be able to register ANY unused domain?"

[Shudder] Because your desire for that domain isn't enough to justify adding another path to the tree. If you want to, or a registry thinks there's a sufficient interest, they can apply for it and get it. It costs $185K. If they didn't do that, then people would reserve every string out there in the hope that people will buy up domains to avoid scammers misusing them. You wouldn't necessarily get the domain you wanted, because some registry you'd never heard of would have already registered TLDs of every word in the dictionary. If I had my way, they wouldn't even let you apply. New TLDs would be assigned if a large group of disparate people and organizations saw a need and requested it. Otherwise, they can petition their national registries for a local one or use existing TLDs.

Re: Is it just me ...

"Here's the thing, I'm still waiting to see some C or C++ code that is well written, and yet exhibits these flaws that are much lamented but not evidenced. Making life easier for people too lazy to do the work is not a winning move."

I'll grant you all of that. The problem, then, is that most of the core stuff, on which we rely, which is developed by many people who have experience, but evidently not enough, is not "well written". These are large projects, which have been tested to some extent, and they still do this wrong. Perhaps there are some people who can be absolutely trusted to never do that, but they don't seem to be writing this core code. We can't fix this problem by telling all the developers of libcrypt that they're rubbish and need retraining. They will ignore us.

The electricity analogy is continuing to make my point for me. I made a point about safe or unsafe plug sockets. You countered that a different part of the system can also be risky, changing the subject. Similarly, you have successfully pointed out that you can get vulnerabilities in languages other than C, which nobody argued against. Security requires good practice in coding, and it especially requires it in C because bad practice in C leads more often to security vulnerabilities whereas bad practice in other languages leads more often to crashes. You can still get security vulnerabilities in those languages. If we removed C tomorrow, we wouldn't solve security. However, that point is not in itself a cogent argument for keeping C. Such arguments exist, and they're convincing, but you're not making one. You are not defending C. You are not really even attacking anything else. You're just trying to change the subject to point out that I can't get perfection and hard work is required to approach it. Which is correct and beside the point.

Re: But... why?!?

Some of the users are probably cross-platform developers who don't need to buy a Mac when they can rent one. Possibly some others need to run Mac-specific software for some reason though I don't know what that is. Probably the largest group are developers who use Macs already, own Intel-powered ones, but want to ensure their stuff runs on ARM Macs even though they don't want to purchase one themselves yet. Those groups probably account for the majority of customers for that service.

It doesn't matter what the price is now. It mostly matters

what the price will be a few years later. If one of the disks that you got for a market price dies three years from now, and you can still get disks for the market price, but the only functional ones have now become a lot more expensive, then you'll have to pay for that because you've locked yourself in. They could decide to increase the price if many people accept your argument and buy the NAS boxes because the disks are cheap today.

Now let's ask whether there's any technical reason that the disks have to be from the manufacturer. Is it because they need the disks at a certain speed? No, the speed of the disks matters to the user, not the system. Is it because they need a different connector? No, it's SATA. Is it that they'd have to replace subpar drives? No, those are user-supplied and don't come under warranty. Because certain features only work on some disks? No, the entire point of their equipment is that it does the management on dumb disks. Because they don't have enough space to store custom drivers? No, there are standards, they've had that code in previous devices, and they have plenty of processing and memory.

If their disks are wonderful disks, they can advertise and sell them. If the price comparison is as you state, they'd likely be successful. They could probably get a bunch of business from customers buying NAS boxes and disks together, since that means a single place for warranty claims and support requests. They don't need to lock down the system to get that business advantage. Nor do their customers need to be forced into the option since many will do it anyway and, if it is better quality, many others will follow.

Re: Mozilla good, Apple bad

"The truth on the Cupertino end is that Apple doesn’t want to allow hardware interaction because it makes PWAs useful enough to act as a viable alternative to native apps from their App Store. Anyone who grew up with addictinggames and newgrounds knows what WASM+WebGL+WebUSB can do for those who want to build 2021’s equivalent of “free flash games” without the walled garden getting in the way."

The important part there is WebGL. Which Apple supports already as they were part of the initial development group. The second-most important part is WASM, because some of the games won't get enough performance from JS. Apple supports that already too. The only thing they don't support is the USB API. And you can only attach USB devices to the computers which have USB ports, which are also the ones which don't require apps to go through the App Store. IOS devices do have the store requirement, but they don't really have much in the way of USB support anyway. So perhaps your accusation is a bit premature.

Meanwhile, there are APIs to get keyboard, mouse, and other peripheral input. They don't need access to USB devices to do that. The quote in the article about implementing custom logic for old game controllers is pathetic, because nobody is going to include a hundred drivers for game controllers, all written in JavaScript, in a web game. That API's in here so Google can do everything from a web app, and while I don't think they have a nefarious purpose here--Chrome already has access to system-level USB if it wants--they haven't put a single thought into security vulnerabilities. Which there are, a lot of them. USB is used not only for peripherals but for some system components as well, more so on laptops. The attack surface is incredible.

Re: Fork it!

You can do that if you think the UK government will do a better job than a group of people replacing current leadership. I'm guessing the people trying to change the people but keep the structure either believe the government won't help resolve these problems in a timely fashion or would make things worse.

Re: Numbers

"I would argue that you should never use percentages to indicate an augmentation or reduction of a number which is itself a percentage. If you say "50% higher", it can mean from 2% to 3% or from 66% to 99%."

That's a problem with percentages in any use case. 50% could also be the difference between two units and three units or 30000 and 45000. It's a tool for multiplicative comparison, whether it's a rate or an amount, you can use it badly. And yes, there's an XKCD for that too. If you don't like that lack of clarity, don't use percentages for comparison.

Re: Investors

It's a pretty normal investor tactic. They take risks in the hopes that the possible but mostly unprecedented thing doesn't happen and they reap their rewards. For example, they invest in the newly public Saudi-Aramco even though it's majority owned by the Saudi government and keeps not appearing on international stock exchanges; they hope that Saudi Arabia won't decide to ignore them later. Or they let Facebook and similar companies change the way voting works so that their founders have total control over the board even when they don't own a majority of the shares. They take the risks that the companies might do something dangerous, like incurring a really big fine by breaking the law while not allowing investors to do anything to stop them. Investors take risks. It's how they work. Some are willing to take very large risks.

"The core processing on x86 is still 32-bit which is why everyone in the world didn't have to recode their app in order to work at all on x86-64."

That's not really how I'd phrase it. AMD64 can run 32-bit X86 code natively, but that doesn't make it 32-bit. If you compile for AMD64, you use 64-bit capable instructions, which this has. It's not just a 32-bit processor with larger addressing. So I'm not sure what you're trying to say with the part I quoted. I have two ideas:

1. "AMD64 is 32-bit even when you compile to its ISA natively": That's incorrect, but I don't think that's what you're saying.

2. "It would be better if the transition to 64-bit required everyone to recompile for it so we got the benefits faster": I get the idea, but I don't know that it's been a major problem. We've had 64-bit desktops and laptops for over a decade now, and you can pretty much guarantee that most users today have a 64-bit OS and most of the performance-sensitive programs they run on it are also 64-bit. The occasional old or small program still runs under X86, but that's only a problem if it will actually benefit the user by using the faster instructions or more memory. Quite frequently, such programs don't need to be that fast.

For that matter, we also have ARM64, which is like AMD64 in that it can coexist with previous versions of the ISA. Still, most mobile devices that are powerful enough (phones, tablets, not the SOC running the embedded devices), are using a 64-bit OS and apps compiled natively to it. ARM is even planning to drop 32-bit support in their next range of high-end cores because so many people never use the 32-bit capabilities.

Meanwhile, the ability to run stuff without having to recompile it means people will adopt 64-bit hardware faster. When the software supporting it comes out later, they already have the ability to run it, and having the hardware themselves, they can also compile and test their stuff to run under it as well. The overlay method makes some sense given those benefits.

On the CE devices I have used, they had a button, either hardware or on-screen, which would close the active window, or sometimes it would close the entire application. Never could be sure until you pushed it. If that button didn't eventually close the application which was rare, there was always an exit option in the menu.

I once had the opportunity to use a Windows CE device with a full keyboard and reasonably-sized screen. It was surprisingly usable and like desktop Windows, even though it had only about 128 MB of memory for the OS and all user files. Then again, I didn't try anything all that complex. Still, I distinctly remember having a command prompt, C compiler, and Python interpreter, all of which ran pretty well such that I could write code on the mobile device if I needed to. I'd like to see a modern mobile OS let me do that. Then again, I doubt many people bothered connecting peripherals to turn a Windows CE device into a desk-bound machine.

Re: "such apps must be free"

I don't think it is a law. I think it's a rule they have set so that it's clear they didn't get paid to make the rule change. That way, if some app is found to be violating gambling laws, there won't be people claiming that Google must have turned a blind eye to keep up a commission. Unless recent cases succeed in reducing Google and Apple's level of control over their stores, they are allowed to set some rules for any reason or no reason at all.

Re: Well worth it?

I don't mean to accuse you of doing it deliberately, but there are those who do it a lot to distract from the actual point, and it still doesn't matter. The difference per week is £3.65 (£4.93 vs £1.76) or, in other words, a factor of 3.86. That difference, over the life of the product, is £570. Either you are willing to pay £570 more for the improvements or you are not. Whether you describe that as a single £570 payment, £3.65 per week, £0.02 per hour, or any other version doesn't change what the number is.

With that in mind, the most honest way to describe the difference in my opinion is how the cost will be paid. If the person actually pays a bill each week, that might make sense since the person could consider the weekly payments in their budget. I've never seen that. I've only seen per-month contracts, usually with subsidized prices or sometimes with overinflated prices when the open market has discounted the device. I think most purchasers considering this debate are going to purchase outright. In that case, the difference is £570, clear and simple. Dividing the price per week only helps if the consumer has the choice to pay it for a few weeks, decide against it, and pay a lower amount for a different product. They can't, so in my view, the division holds no value.