Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Oh-so-generous ransomware crooks vow to hold back from health organisations during COVID-19 crisis

doublelayer Silver badge

Re: Spammers all still at it

See if that email accepts incoming replies*. A lot of these are sent from spoofed addresses, but if it looks like a quickly set up address, they might have someone there for helping with things like getting bitcoin and sending it to the correct wallet. If so, we can certainly waste their time quite well by pretending to know nothing about what we're trying to do.

*Only if you got this email on an address you don't care much about. I would not recommend you reply with your personal email, but a semi-disposable one without your real name is safe.

Hong Kong makes wearable trackers mandatory for new arrivals, checks in with ‘surprise calls’ too

doublelayer Silver badge

Re: Exercise?

I believe this is for people who either have the disease but are not critical enough to be treated in a hospital or have just arrived from another country and are required to have a more strict quarantine, i.e. too bad about your exercise, exercise by pacing your hotel room. Don't come out. After that quarantine period, they're allowed back out and can exercise as you suggest. Not that that justifies this tracking system, but I think it's at least being forced on fewer people than it could.

HMD Global revamps infamous commuter-botherer, the Nokia 5310 XpressMusic

doublelayer Silver badge

Re: Eh... What's the point?

That is true, but I doubt they intended a full-featured player with support for every codec out there. It has a low memory limit anyway, so I'm guessing they intend people to primarily use MP3. The entire concept seems very driven by nostalgia and intent on providing a cheap backup device rather than intending on providing a world-class media player or phone. That said, they're using flash storage for the media so they could handle the memory limits of certain codecs by using a swapfile on the SD card. That file wouldn't have to be very large, and the card is likely fast enough to handle some decompression caching. The limiting factor would end up being the processor, at least for more complex formats like lossless ones, and on that they'd not want to spend extra money.

doublelayer Silver badge

Re: Eh... What's the point?

This phone is supposed to have few features, that's the whole point. What benefits would you hope for from increasing the specs? If the answer is more features, they aren't interested in writing more.

Forget James Bond's super-gadgets, this chap spied for China using SD card dead drops. Now he's behind bars

doublelayer Silver badge

Re: Whiskey Tango Foxtrot?!

"b) remember the European Convention on Human Rights"

This is the U.S. They don't subscribe to the ECHR, and capital punishment is still allowed in some parts of the country. You could argue against it on American law, moral grounds or by referring to U.N. human rights statements that the U.S. has signed, but not the ECHR. Of course, the U.S. hasn't tried at all to enact that punishment in this case anyway.

doublelayer Silver badge

Re: Why such a crude method?

I covered the problems of Tor and steganography above, but the short version is that Tor can be detected and steganography works well only if the information is short. I didn't talk about satellite though. It's not easy to have an untraceable satellite connection--if someone's watching you, they'll see the dish on your house, and most things that don't require extra hardware don't allow much data traffic. Either way, there'll be an extra bill to pay, so someone would ask "Why is a Chinese bank account with no ID paying for satellite internet service or a satellite phone in the U.S.", assuming the U.S. allows people to do that with unverified addresses, which they might not. Your method for getting the money out would probably work though.

doublelayer Silver badge

Re: Stupid

Neither Tor nor steganography provides a convenient method for money to be sent in reverse. Physical cash pickup does. In addition:

Tor: If you are being tracked, they'll notice you start using it. Unless you do that very often, they'll be suspicious. The amount of data you transmit can be determined, and the network itself is slow.

Steganography: That works fine if it's a small amount of information. If it's gigabytes, which would fit just fine on an SD card, you'll need to hide it in hundreds of gigabytes of extra data. That probably won't go unnoticed if someone's watching you. Also, you'd have to keep all of that up so it's not obvious that you uploaded a couple million cat pictures and deleted them instantly. In addition, whoever hosted the data for you will have logs of who happened to look at all of them.

doublelayer Silver badge

Re: Money-laundering?

I wouldn't be surprised to hear that he made some withdrawals for the first payment and then used the cash from the reimbursements for the next payments. How the reimbursements got to him is another story, but if I needed to deliver a bunch of cash without getting caught, I'd probably run it that way.

Apple grudgingly opens up its check book, pays VirnetX $454m in patent royalties after a decade of wrangling

doublelayer Silver badge

Re: Switch the burden of proof?

The U.S. system mostly works like that, but they currently make it easy to allege something justifying an appeal, including failure to correctly interpret law or case law on the part of a jury who likely doesn't know it. There are three general solutions to this problem, and each comes with downsides which could potentially be significant:

1. Make it difficult to get grounds for appeal on anything other than intentional mishandling by the judge or judges. This would reduce the case load of useless cases. This could result in a situation where an incompetent or unjust judge gets to do what they like without much risk of having their judgements overturned, which could produce injustice.

2. Make it easy to get grounds for appeal. This would make it easier for a problem somewhere in the legal system to produce only short-term consequences and be evident to those responsible for trying to fix it. It produces an absurd number of cases and could throw the judicial system into paralysis.

3. Make laws easier for the general public to understand and require the same of contracts, patents, and other similar components of the legal system by limiting the scope of any particular part and requiring the drafter of the law, contract, etc. to fill out clarifying details. This would reduce the likelihood of misinterpretation allegations being taken seriously. This runs the very serious risk that someone might understand what they were agreeing to and what restrictions applied to them. Because of these risks, this alternative is clearly very dangerous and therefore probably won't be put in place.

Facebook does the right thing for once: Joins Google, LinkedIn, Microsoft, Reddit, Twitter, YouTube to clean out dodgy COVID-19 info

doublelayer Silver badge

Re: Twitter

That's very true. I recently was made aware of an active phishing campaign, and the attempt to take it down went like this:

Tuesday morning: Someone tells me about the campaign and sends me a sample.

Tuesday evening: I finish looking at things and send in reports (this isn't my job, so I didn't do much until I got home). The information I have implies that the campaign I'm seeing has been running since Monday.

Wednesday morning: Nothing.

Wednesday afternoon: Nothing.

Thursday morning: Nothing.

Thursday evening: I look at the phisher's website and figure out how to submit login pairs, so I write a bot to send in random ones from Tor. It probably won't really do anything, but I can't think of much else to do.

Friday morning: Nothing.

Friday afternoon: The phisher's domain name is about to end its grace period where they can get refunded for the purchase. They shut down.

Friday evening: Nothing.

Saturday: "Thank you for reporting this content. The content you have reported no longer appears to be available on the site concerned, so we can take no action at this time."

The Unihertz Atom XL: An iPhone SE-sized rugged phone that's also a walkie-talkie

doublelayer Silver badge

Re: DMR ?

That depends on the frequency you use. I'd imagine they lock it to the license-free bands in the country of purchase which occur within that range. Europe has channels around 446 MHz, most of the Americas have 462/467 MHz, Australia has 477 MHz, and lots of other countries decided it would be useful to have some license-free channels but what would be really nice is if they chose their channels and restrictions so they would be entirely different from everybody else's channels. While some regulators might argue that mere possession of a device capable of using those channels requires purchasers to get a license, I doubt they'll care much or enforce that unless people are using them to transmit where they are not permitted to do so.

Browser minnow Brave nips at Google with GDPR complaint

doublelayer Silver badge

Re: 20M users per day adjust their privacy

I'm willing to bet that a lot of those people aren't there because they want to review or change their security settings. With a number that high, I'm guessing it's people working with two-factor authentication, either trying to add a device, delete an old one, or turn the feature on or off. Of course, Google doesn't realize that, if the settings don't really let you do much, it doesn't help people to have them available.

US Health and Human Services targeted by DDoS scum at just the time it's needed to be up and running

doublelayer Silver badge

Re: At Just the Time

Yes, but only if they stood to gain from the chaos. If they wanted to start conflict or disguise another type of attack, a powerful attack on a health system during a health crisis wouldn't hurt. If they wanted to create confusion and terror to affect an election, that might help too. But what do they stand to gain this time? The elections going on now are relatively minor, and some have been postponed. Also, the attack didn't even work. If this was a state actor, they have done nothing useful.

Microsoft picks up Your Phone – unless you're an Apple fan – in a fresh Windows 10 build

doublelayer Silver badge

Re: Unless....

"Yeah try doing that with an android phone. Oh you can't without a 3rd party app?"

If we're going to get pedantic about these arguments, exactly the same logic applies to Windows. It can work with Android phones. Running the latest software update. Manufactured by Samsung only. Only from two device classes. So for the vast majority of Android users, the feature isn't available without a third-party app. So maybe we can ditch the smugness all around. Apple's only works with all-Apple environments, Windows's only works with a couple Samsungs. Neither works well with anything outside their small device set. However, if you're really wanting to push this particular issue, the Apple people have a slightly better claim to pride about their system than does MS--theirs works with all iPhones going back quite a while, whereas the Windows-Android alternative isn't available except for people who spent a grand or so on their phones in the last six months.

I feel obliged to point out that, if this is a big issue for you, it isn't that hard to get a third-party app. Just find one that works with your phone and computer, which probably exists, and it will probably be fine. KDE has done quite a bit of work on connecting to Android devices, and I've heard it works well. It's not a big thing for me, though, so I haven't tried it.

Fresh virus misery for Illinois: Public health agency taken down by... web ransomware. Great timing, scumbags

doublelayer Silver badge

"If they decided to get the site back up as quickly as possible, and just used static HTML. Assuming that bandwidth was not a problem, how much hardware would you actually need to serve 200,000 users?"

The answer depends on the following details:

1. How many files are you serving?

2. What is the average size of each file? Be sure to factor in images, local scripts, CSS files, and anything else a user would download.

3. How often does an average user interact with the site at the time of day/week where your site is most trafficked?

4. When they do, how many pages do they access before they end a session on average?

5. How much data can you cache in memory rather than having to read it from disk?

6. How fast is your disk? How fast is your memory?

7. Does your CPU have hardware acceleration for encryption (I'm assuming this site is HTTPS only as it should probably be)?

8. How tasked can your CPU get before it starts to overheat, underclock, etc?

9. What server software are you using? What is its limiting factor (usually either processing or memory)?

10. How afraid are you that you will get a flood of visitors that goes above your previous estimation of peak demand?

And these are only relevant if you can easily create static pages, which if you're using a CMS you probably can't. Sure, it can be done, but it's not a quick process.

Websites are complicated.

doublelayer Silver badge

Re: But how?

Could have been the former, could have been the latter, probably wasn't either. My guess is that they got in with a spear phishing attack. Targeted infections usually start that way. As long as the person who executed the payload had sufficient access, e.g. a person in the IT group, their internal security probably couldn't catch it in time. You could of course argue that there's lots of negligence in that scenario as well, but it would be the fault of different people, so they'll have to figure out what happened before they know who to blame.

doublelayer Silver badge

Re: Further clarification...

I don't know for sure, but I'd guess that the storage array that was needed for the site and its databases probably got hit. The typical targeted attack will look to find those before going off so as to cause the most damage. They also probably tried to find and knock out any hot backups at the same time.

We checked in with the new Windows 10X build, and let's just say getting this ready for late 2020 will be a challenge

doublelayer Silver badge

As I read

First, I heard about the desktop being unavailable in the container and I thought "Users won't notice if the desktop icons live outside the container as long as something looks like a desktop. Even if they don't have that now, it wouldn't take long to add. No problem."

Then I heard about Word not running correctly in Win32 and I thought "The users will install the latest Word release which they're undoubtedly working on, which will be some UWP-based thing designed for the two screens. We can't test it now, but there's no doubt in my mind that they have people working on it. As long as the icon's the same, users won't notice. No problem."

Then, I read this: "In the new File Explorer, local files are not accessible at all."

It's going to crash and burn. Really fast. Nice try, guys. Hiding people's files only works when they never use multiple applications on them. It's sometimes functional on phones, but it's not going to work so well on anything bigger than that.

doublelayer Silver badge

The major reason seems to be the connection between the two screens. Current Windows often treats multiple displays somewhat independently and lets the user handle things, whereas apps might want to make their experience easier to run on both screens without necessarily using the weird hacks that would now be required, especially when handling touch input on both screens. Why that requires a separate version of Windows rather than changes to Windows, however, isn't very clear.

Google to appeal against €7m fine from Swedish watchdog for failing to remove search results under GDPR

doublelayer Silver badge

"That may be so in US of A, but in the civilised world, the opposite is true."

Do you have a legal basis to say that? I don't think you do. May I see your papers on that comment?

The Reg produces exhibit A1: A UK court IT system running Windows XP

doublelayer Silver badge

Re: What logic is this?

If they have a VPN, they're likely at least somewhat internet facing, if only to connect them through the internet to an internal network which doesn't itself have access to the internet. Even in that scenario, if the VPN gets disabled by accident (or on purpose), that could open them to attack, of which quite a few exist. But it's only supposition that the VPN exists for that purpose. Perhaps the VPN exists to protect the machines from access by devices on their local networks, but once it connects them in, they can still go online. In that case, more exploits are available. For example, I've worked at a place that had a rather paranoid VPN setup where it was impossible to disable it, being loaded as effectively a rootkit before the OS was run. But after that happened, I could still cheerfully go online and download malware. Of course they had other restrictions to try to prevent me from doing that, but the VPN didn't do that in and of itself.

Without knowing what people do with them and what exactly the VPN is for, it's hard to tell how vulnerable this is. And similarly, it's hard to know how difficult an upgrade would be without knowing what they're running on them. More information would be useful in this situation, so I assume we'll never get it.

Google: You know we said that Chrome tracker contained no personally identifiable info? Yeah, about that...

doublelayer Silver badge

Re: Just one question

It's called the user agent string. It tells you what version of browser your visitor is running, and often some extra data about their system. You don't need more than that. And you won't get more than that for the majority of your visitors who aren't using a browser you've compromised. Only Chrome sends those headers, and only to Google. You as an average web developer gain nothing at all from that feature.

Alternatively, use a local script to redirect to a simplified page if a feature doesn't work. Then, check how many times you're getting requests for that simplified page. When it drops to a level you're good with, delete the script and the page.

Check Point chap: Small firms don't invest in infosec then hope they won't get hacked. Spoiler alert: They get hacked

doublelayer Silver badge

Re: Insurance Risk Management?

Of course you would. All of us would. And all of our companies would probably call us or someone like us to go over anything that technical. The problem is when there isn't someone that technical in the place. Many small places have little or no technical assistance. Sometimes they outsource on a pay-per-request basis. Sometimes they outsource on a less expensive basis but their outsourcer won't just do any technical thing when they're asked, limiting themselves only to the specific things in the agreement. Sometimes they don't have anyone at all. For example, I'm currently the primary admin for a small charity. By primary admin, I mean to say that I volunteer some time, in small chunks, when they ask questions or I remember that I was planning to do something. They don't have a secondary admin. With that scale, unless they also have a volunteer doing it, they have nobody to ask to read their cyber insurance documents. In many cases, the person they'll forward the responsibility to will be their financials person who, without trying to do any disservice, won't know enough about what they're doing to do it properly.

doublelayer Silver badge

Re: Insurance Risk Management?

Why should we look for a different insurance company? This one is willing to pay out even if we've made mistakes while those other ones keep making these demands about good system configuration. If we went with those companies, we'd have to hire someone to implement all the things they're so intense about. Sure the premiums are lower over there but the salary for that new employee is greater than the difference in premiums, and we all know that second option is just going to nitpick about everything before paying a claim. And what are the chances really that we'll need coverage for ransomware? It's unknown if we'll ever get hit. As for other intrusions, they're clearly unimportant because when have I read about those becoming a major issue as much as I've heard about ransomware. But even if we do get hit with those, this insurance policy is there as our fallback. We don't need anything else.

*The preceding program was brought to you by the finance department or, in the case of a small organization, the financials person.

doublelayer Silver badge

Why didn't I think of that? You're truly a genius. Let's implement those immediately!

"Make operating systems completely secure, so that you don't need to buy anything extra."

Completely secure means it is entirely impossible for a malicious party to do anything unwanted, no matter what access they have. So, if I can use physical access to read a file that I shouldn't be able to, then it's not completely secure. So we'll have to eliminate all operating systems in existence.

"Severely punish attempts to compromise computer systems, so that no one will dare to try for nefarious purposes."

Your wish is my command, and fortunately for you, I happen to set the laws for the entire planet. Computer intrusion is now punishable by death. Problem solved, no? Well, you're missing one major thing, which is that we can't find a lot of criminals because they operate behind proxies and often across national borders. But I believe you had a solution to that, so don't let me get ahead of you.

"This solution is great, because its costs are borne entirely by the people whose fault it is that we have a problem. (Maybe tax software companies that make imperfect operating systems to pay for the hackers' bread and water while they're in jail.)"

Oh, good. The costs for finding the criminals will be paid by those criminals. Wait ... how? What if we fail to find them? How do they pay? Can we make up a fake bill for finding them and catch them when they come to pay it?

"Cut off internet and telephone connections to countries that don't fully cooperate in prosecuting hackers, like Russia, China, and North Korea."

Sounds great. Who wouldn't want to close the China market to all companies and customers in other nations? Certainly not me. Down with your connections. I'm cutting all your lines immediately. Now, listen here, China. You better not set up any more lines, or satellites, or let any hackers out of your country to use someone else's connections. Also, you shouldn't get angry that we've cut you off and respond aggressively. We wouldn't be happy. And you'd better not form an alliance with other countries we've done this to, to replace the internet and effectively turn the connection-cutting policy back on us.

Think your smartwatch is good for warning of a heart attack? Turns out it's surprisingly easy to fool its AI

doublelayer Silver badge

Re: Says more about their CNN possibly

These are mostly good points, but a few things need to be taken into account when considering how this study applies to technology being used in real life:

1. They managed to trick their own model. They don't know how to trick the models being used in tech, which probably have more samples. Considering how neural networks work, it's probably not difficult to trick the models in those devices, but they still don't know how to do it.

2. Even though they were able to trick the model, they were able to do so because they passed the data directly to the model. How would a theoretical attacker manage to pass misleading information to a monitor that is physically on your body without you knowing they were doing it?

3. What are the risks of devices using neural networks and being fed improper information? For consumer devices (mostly watches), the risk is that they call emergency services. I believe they do alert the user before doing so as well, so the user could cancel that.

4. What motivation is there for a malicious party to fake an ECG reading? It might be an interesting attempt to prove death by natural causes in a murder situation, but I doubt it's easy to murder someone and have it look like a death from heart attack short of certain poisons that effectively cause a real heart attack in which case you wouldn't need to fake the device.

So while the tech could be fooled, it probably is neither as easy nor as dangerous as it may sound. The real issue to consider is how likely these devices are to produce a false positive without someone malicious fiddling with the data. If there is a risk in these algorithms, it will happen when they think that a heart attack is happening when it isn't, or more likely when they miss an attack that really happens. I don't know how likely that is to happen--I don't have such a device--but that's the metric that will help us decide how dangerous or unreliable these devices really are.

NSO Group fires back at Facebook: You lied to the court, claims spyware slinger, and we've got the proof

doublelayer Silver badge

Re: What laws have they broken?

Not really true. There are two places laws can be applied:

1. In the nation of the perpetrator.

2. In the nation where the crime took place.

If I am an Australian citizen, but I go to India and commit a crime then leave for Australia, I can be sent back to India to face my charges. The same applies if I am in Australia and use a network to commit a crime in India. So if it can be proven that improper access was obtained to computers in the U.S., then the U.S. courts have a claim to jurisdiction about that crime. Now, there are other provisos about that. For criminal matters, you get into the area of extradition, but this is a civil matter. So, if NSO is found guilty, they can manage not to pay the bill. However, if they don't pay, they may be restricted against operating or storing money in the U.S. as the U.S. can then be required to confiscate the money to pay the judgement.

This rule applies in any country pair. If an American company violates a law in another country, let's use GDPR as an example, they can be sued in the courts where the violation took place. It does not matter if they have a local subsidiary. It does not matter if they have anything physical in that country. It does not matter if any of their employees has ever set foot in that country. If they violated the law there, they can be sued there. The same logic applies to this case.

More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates – research

doublelayer Silver badge

Re: If only...

Unfortunately, I have to agree with you. We've had many alternatives, some of them good, and all have now died. The closest thing to an OS we can rely on on mobile devices is Lineage OS, which is great as long as your device is supported, which it probably isn't. It's disheartening to have to look at the pile of corpses of Ubuntu Touch, Tizen, Firefox OS, a few old Android mods, and if you just want updates and don't need open, Windows Phone and Blackberry's OS. However, I'm most afraid of what will happen in the future. Over the horizon I see the slow and unsteady but nonetheless present march of Fuchsia and Harmony OS, and I really would prefer that they not make it here. At least with Android we have some chance of breaking through. With things like these, that chance will be lost.

doublelayer Silver badge

Sometimes, but not really. Just look at the top three manufacturers for having devices on the latest update mentioned in the article. Nokia (TCL) and Xiaomi are mostly using Qualcomm processors and modems. Samsung makes more of that themselves, but also uses Qualcomm. If these three can do it, then most of the other manufacturers using identical chips can also do it. That doesn't make Qualcomm perfect, and I'm sure there are many places where they deny access to important updates, but the manufacturers can't just blame somebody else for their laziness.

Unfortunately, Huawei has not proven itself to be great at releasing updates. While not worse than other manufacturers, they are by no means the best. Even worse, they don't have a great record of allowing users to unlock the bootloader and perform an upgrade manually. For that reason, I'm afraid we'll need to either look elsewhere or keep the pressure on if we would like something more lasting.

Watch this space: Chinese mobe flinger OPPO flexes first shot at the wearables market

doublelayer Silver badge

If that was a condition, Google has either reversed it or ignored it. I can't say I know very much about the various watches, but I know that many manufacturers have their own skin over it. I think it's at least partially because every manufacturer has a different screen and hardware layout and they want to customize things. For example, rather than use a couple of standard screen aspect ratios as is done on phones, watches will have any shape of rectangular screen that the manufacturer thinks looks good (or can buy cheaply), and sometimes they will go for a circular or curved screen as well. They probably want to make their main screens neatly fit those nonstandard situations so the users don't know how badly other people's apps will look on them.

What's inside a tech freelancer's backpack? That's right, EVERYTHING

doublelayer Silver badge

My usual contents:

Two laptops (personal and company).

Power cables for both laptops except for the one I needed last night and forgot to put back in the morning.

USB battery for charging phone while out.

USB wall power adapter.

Two micro USB cables: the one I broke a month ago but for some reason I can't ever remember to take it out and the one that was working last time but whose probability of working this time is inversely proportional to how much I need it.

Two ethernet cables, both of which work, surprisingly.

WiFi access point with VPN preconfigured.

External USB keyboard/mouse. Unfortunately, this is the one before Logitech figured out the concept of a power switch, so it might be dead at some point. And of course I don't carry spare batteries.

Bluetooth earphones.

Wired earphones which work only if the wire is bent at exactly the correct angle but I haven't replaced them.

Assortment of display cables which I might need, but rarely do.

Raspberry Pi which I have configured as a fallback desktop. I can power this from the power adapter and use HDMI to a screen nearby. The one time I actually tried, I couldn't find a screen with HDMI in and used a remote connection from my phone, which was quite painful.

Sometimes that changes, but often these are present.

doublelayer Silver badge

Re: "my backpack can weigh between 8 and 14kg"

I would use a company provided phone for one simple reason: I don't want the company to have any access to mine. If the company wanted to hand me a SIM and that's it, I'm fine using my device. But they never want just that. They want to use some specific apps. And because they're secure, they want to have some company-mandated control over the host device so they can find it or remotely wipe it. All that makes sense, and I don't begrudge them wanting that access. But I don't intend to give it to them because a) their access could potentially give them access to some of my data which they don't need and b) I'm running a degoogled Lineage OS build and there's a chance what they have planned won't work anyway. So if they want to reach me when I'm not at work, and typical methods of contact like email won't work, they can give me the device with which to do so.

BOFH: Here he comes, all wide-eyed with the boundless optimism of youth. He is me, 30 years ago... what to do?

doublelayer Silver badge

Re: Want cynicism? Try customer success

I don't think it's just commission, though that undoubtedly contributes. I know far too many people willing to sell things as long as they stand to gain money from it, so if their employer manufactures something that's terrible, they'll cheerfully try to sell it. Often, they manage to memorize enough technical jargon to make you think they know something about what they're talking about only to balk at your first technical question. Often, this is because they don't know the answer, but sometimes they do and they're aware you won't like it. I've occasionally found a salesperson who seems trustworthy, but they're far too rare.

The odd thing is that they could probably cut out any investment on salespeople they send to me if they spent twenty minutes creating a table of specs for whatever thing they're selling. Usually, I can decide somewhat quickly whether I'm interested from the specs table, and if I'm unsure, I read the manual. That table has to include all relevant information though, as I've seen a lot of tables that always seem to be missing whatever parameter you're interested in.

doublelayer Silver badge

Re: Oh so true

I've seen the same thing with people considering what solution to buy and what level of maintenance to get for it. Some people will look at a business-critical server and say "We don't need any plan for this as it has redundant PSUs and RAIDed drives" while considering a maintenance agreement on some piece of consumer-level tech that we can probably replace easily enough if it really does break. Meanwhile, the critical details about software updates and availability of replacement parts are rarely considered. For example, I once had a discussion with a friend who was working on* an Android-based product for a company. They shipped that product two years ago, and yet they used Android version 5. Their sales documentation honestly said that they chose Android to provide faster access to updates. While this might have technically been true given what they used before was Windows Mobile 6.5, which stopped being developed in 2009, they didn't plan to, and have continued not to, release any updates to the Android on their device, including security updates.

*The friend concerned worked for a place that wrote applications that ran on the device, but didn't work for the manufacturer. The lack of updates and cavalier attitude about product lifetimes are not her fault.

If you're wondering how Brit cops' live suspect-hunting facial-recog is going, it's cruising at 88% false positives

doublelayer Silver badge

Re: Now you see me

It's worse than that. How many people are required to track down the one person who did get caught? Not that many if they're doing their job. It's called policing and investigation, and we've proven we know how to do it. How many would be required to find thousands of people? A lot more, but the system didn't do that either. Also, if we did somehow come up with enough police to track down each of these people manually, they'd be doing it by investigation of the fugitives and manual tracking, rather than mobbing the public streets and demanding identification from everybody in the hopes of turning up a suspect. In either case, the original argument is just wrong.

Surprise! Plans for a Brexit version of the EU's Galileo have been delayed

doublelayer Silver badge

Re: Good

I believe the original proposal was for a global system, and it would probably make sense. If anyone's going to be using it, the British military would probably be one of those. So they'd want access wherever there are large military bases, including the U.K. itself, the Indian Ocean (Diego Garcia), and if small bases are added in, the western and southern Atlantic as well. They would probably also want coverage in places they might be expecting to have to fight, such as south and west Asia. That will require much more than one regional setup, and while you could provide coverage in all those areas without a full global system, it would still cost almost as much.

doublelayer Silver badge

Re: Good

That's technically true, but it's worth keeping in mind two points:

The U.S. doesn't get to decide who they break. Their options are that everyone can use it, only the U.S. military and people they've given the keys to can use it, or nobody can use it. If they decide to mess up the civilian tech, they will mess up plenty of things, including things in the U.S. that rely on it. They can't give the keys to domestic users easily because typical hardware doesn't support them and those keys would inevitably get leaked. That makes it somewhat implausible that they'd choose to do so.

A lot of hardware capable of using GPS can also be used for reception of signals from one or more of the other systems. All of those systems also provide time signals. Therefore, one could ensure that the hardware running these time-sensitive systems supports multiple satellites, and if the U.S. ever goes crazy and destroys theirs, just fall back to Russia's, China's, or the EU's.

Unless we get into a situation where a country decides to invest in massive jamming operations (in which case a dedicated system won't help) or where the U.S., Russia, China, and the EU are all allied against whatever country we're in (in which case I'm leaving immediately), we'll continue to have a usable time signal.
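The fallback the comment above describes (take the time signal from whichever constellation currently has a valid fix) can be shown with the NMEA 0183 sentences that most receivers already emit, since each sentence is tagged with a talker ID for the system that produced it. This is an added example and not code from the comment or from any receiver vendor: the talker-to-system table is standard NMEA, the sample sentences are constructed (not real receiver output), and the preference order is an assumption. It also rejects any sentence whose checksum does not match, which is the first thing you want before trusting a line from a serial port.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

# NMEA 0183 talker IDs for the constellations mentioned in the thread.
TALKERS = {"GP": "GPS", "GL": "GLONASS", "GA": "Galileo", "GB": "BeiDou", "GN": "multi-GNSS"}

# Assumed fallback order (not from the post): a valid fix from the first listed system wins.
PREFERENCE = ["GPS", "Galileo", "GLONASS", "BeiDou", "multi-GNSS"]


def nmea_checksum(body: str) -> str:
    """XOR of every character between '$' and '*', as two uppercase hex digits."""
    c = 0
    for ch in body:
        c ^= ord(ch)
    return f"{c:02X}"


def make_sentence(body: str) -> str:
    """Build a complete sentence with a correct checksum; used here to construct sample input."""
    return f"${body}*{nmea_checksum(body)}"


@dataclass
class TimeFix:
    system: str
    utc: str     # hhmmss.ss
    date: str    # ddmmyy
    valid: bool  # status field 'A' (active) rather than 'V' (void)


def parse_rmc(line: str) -> Optional[TimeFix]:
    """Parse a $xxRMC sentence; reject bad checksums, unknown talkers and other sentence types."""
    line = line.strip()
    if not line.startswith("$") or "*" not in line:
        return None
    body, _, cksum = line[1:].partition("*")
    if nmea_checksum(body) != cksum[:2].upper():
        return None  # corrupted or tampered line: never trust its time
    fields = body.split(",")
    if len(fields) < 10 or len(fields[0]) != 5 or fields[0][2:] != "RMC":
        return None
    system = TALKERS.get(fields[0][:2])
    if system is None:
        return None
    return TimeFix(system=system, utc=fields[1], date=fields[9], valid=(fields[2] == "A"))


def choose_time_source(lines: Iterable[str], preference: List[str] = PREFERENCE) -> Optional[TimeFix]:
    """Return the valid fix from the most preferred system present, or None if no system has a fix."""
    fixes = [f for f in (parse_rmc(l) for l in lines) if f is not None and f.valid]
    for system in preference:
        for fix in fixes:
            if fix.system == system:
                return fix
    return None


# Constructed sample sentences (not real receiver output).
GPS_OK = make_sentence("GPRMC,123519.00,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W,A")
GPS_VOID = make_sentence("GPRMC,123519.00,V,,,,,,,230394,,,N")
GAL_OK = make_sentence("GARMC,123519.00,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W,A")
GLO_OK = make_sentence("GLRMC,123519.00,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W,A")
# The GPS sentence with one digit of the date altered and the checksum left as it was.
GPS_TAMPERED = GPS_OK.replace("230394", "230395")

SAMPLE_NORMAL = [GPS_OK, GAL_OK, GLO_OK]          # everything healthy: GPS is used
SAMPLE_GPS_DOWN = [GPS_VOID, GAL_OK, GLO_OK]      # GPS reports no fix: fall back to Galileo
SAMPLE_GPS_TAMPERED = [GPS_TAMPERED, GAL_OK]      # GPS line fails checksum: ignored, Galileo used

if __name__ == "__main__":
    for name, sample in [("normal", SAMPLE_NORMAL), ("gps down", SAMPLE_GPS_DOWN),
                         ("gps tampered", SAMPLE_GPS_TAMPERED)]:
        print(name, "->", choose_time_source(sample))
```

The choice of which system to prefer is policy, not protocol: a time-sensitive system in one jurisdiction might reasonably order the list differently, and a receiver that only ever emits "GN" combined sentences gives you no per-constellation visibility at all, which is worth checking before relying on this kind of fallback.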

doublelayer Silver badge

Re: Good

Japan's QZSS is not a global navigation system. It serves eastern Asia and the northern Pacific only. India's serves south Asia and the northern Indian Ocean. Japan is planning to extend their system in the future, but they haven't done so yet.

The only currently-existing global satellite navigation systems are those run by the U.S., Russia, China, and the EU. It's not impossible for some other country to set up their own, but it is expensive. This will undoubtedly lead to many questions about whether it is helpful and worth the price.

Raspberry Pi goes 2GB for the price of 1GB in honour of mini-computer's eighth birthday

doublelayer Silver badge

Re: Better options

Let's compare your thing with the pi, and see what else we have to buy to make them somewhat equivalent. We're assuming here that what you want to do with it is to use it as a desktop--if you want to have it integrated into another project, the pi's GPIOs, CSI and DSI interfaces, etc. will make it the better option. But desktop only:

Your thing has an internal drive. The pi doesn't. Add a 64 GB SD card to our shopping list.

Your thing has a power supply provided. The pi doesn't. You probably already have a supply, but they did just make the switch to USB-C so you might not. Add one of those to our shopping list.

Your thing has two USB ports. The pi has four. Add a hub to your shopping list. Yes, since you accused the pi of needing one, I'm going to add this. You can do just fine with four ports, but two is harder.

You want to use two video outputs? Fine. Both can do it. The pi needs a relatively uncommon micro-HDMI connector, so let's add two cables connecting that to regular HDMI. And to your list we'll add a VGA to something modern adapter and we'll assume you already have a normal HDMI cable.

And ... that's it. They are now equivalent. There may be small differences in processing speed, but it's hard to know without having benchmark numbers for both, and I haven't found a place that benchmarked both of them.

So let's add up the prices. The pi with 4 GB of memory is £44. An SD card is about £8. The HDMI cables can be found for £2 each. The foundation's supply costs £8, but you could find a cheaper one. Total price: £64. If you want a nice plastic box, we can make that £70. If you want a nice metal box, £76.

Your thing costs £110. A USB hub is £5 or so. The VGA-to-display port adapter I found costs £6. Total price: £121.

So that's why.

Drones must be constantly connected to the internet to give Feds real-time location data – new US govt proposal

doublelayer Silver badge

Re: LTE Data Plans

"You can buy a 10MB data plan for only $5/month which should be more than enough for GPS data polled every five seconds."

Let's assume that the data is neatly compartmentalized and compressed so that it can fit into a single 512-byte UDP packet, and that there will be a 128-byte response packet to indicate that the data has been received. If you think the protocol would end up being this light, you are quite the optimist, but let's go with it.

(512 bytes + 128 bytes)/ 5 seconds * 1 minute / 60 seconds = 7680 bytes / minute of flight time

10 megabytes * 1024 kilobytes / 1 megabyte * 1024 bytes / 1 kilobyte = 10485760 bytes per month

10485760 bytes / 1 month / (7680 bytes / 1 minute) = 1365.333 minutes of flight time (maximum) per month

In other words, a maximum flight time per month of about twenty-two hours. Sure, the very casual hobbyist might not be up for longer than that. If someone's using their drone for aerial photography, data collection, or simply really likes the hobby, they won't be happy with that limitation. And this limit only applies if no data is sent, at all, other than the GPS check-in. And it relies on the provider using binary megabytes rather than decimal ones. And still costs $60 per year per drone.

In addition, this fails to solve any of the other problems noted in the article, such as requiring decommissioning or costly retrofitting of all the drones in existence today and the problems making this requirement work where cellular coverage is less than perfect.
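The arithmetic in the comment above, as an added example that is not the commenter's code: it reproduces the 1365-minute figure, then shows how the bound moves under the two caveats the comment raises (decimal rather than binary megabytes, and any traffic beyond the bare check-in). The per-packet IPv4 plus UDP header cost of 28 bytes is my assumption, not something the comment states, and it still ignores retransmissions, keepalives and any carrier accounting overhead, so every number here is an upper bound on flight time.

```python
"""Data-budget calculator for a periodic position check-in over a capped cellular plan."""

# Assumed, not from the comment: IPv4 (20 bytes) + UDP (8 bytes) headers per packet, no options.
IPV4_UDP_HEADER_BYTES = 28


def bytes_per_minute(up_payload: int, down_payload: int, interval_s: float,
                     header_bytes: int = 0) -> float:
    """Bytes used per minute of flight by one report plus one acknowledgement every interval_s seconds."""
    per_exchange = (up_payload + header_bytes) + (down_payload + header_bytes)
    return per_exchange * (60.0 / interval_s)


def plan_bytes(plan_mb: float, binary: bool = True) -> int:
    """Plan size in bytes; a carrier may well mean 1000*1000 (decimal) rather than 1024*1024."""
    return int(plan_mb * (1024 ** 2 if binary else 1000 ** 2))


def max_flight_minutes(up_payload: int, down_payload: int, interval_s: float,
                       plan_mb: float, binary: bool = True, header_bytes: int = 0) -> float:
    """Upper bound on flight minutes per billing period with no retransmissions or other traffic."""
    return plan_bytes(plan_mb, binary) / bytes_per_minute(up_payload, down_payload,
                                                          interval_s, header_bytes)


def plan_mb_needed(flight_hours: float, up_payload: int, down_payload: int, interval_s: float,
                   binary: bool = True, header_bytes: int = 0) -> float:
    """Plan size (MB) needed to cover a given number of flight hours per billing period."""
    needed = bytes_per_minute(up_payload, down_payload, interval_s, header_bytes) * flight_hours * 60
    return needed / (1024 ** 2 if binary else 1000 ** 2)


if __name__ == "__main__":
    print("comment's figures:   ", round(max_flight_minutes(512, 128, 5, 10), 1), "min")
    print("decimal megabytes:   ", round(max_flight_minutes(512, 128, 5, 10, binary=False), 1), "min")
    print("with IP/UDP headers: ", round(max_flight_minutes(512, 128, 5, 10,
                                         header_bytes=IPV4_UDP_HEADER_BYTES), 1), "min")
    print("plan for 100 flight hours:", round(plan_mb_needed(100, 512, 128, 5), 1), "MB")
```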

Vivo's APEX 2020 concept smartphone grabs life by the gimbals to shoot stable snaps

doublelayer Silver badge

whether it holds up to the typical 24-month phone lifespan

I think you'll find that phones are typically expected to live much longer than that. I'm not just talking about we tech people who expect everything to last for decades and get grumpy when it doesn't. Check with your friends and family and see how old their devices are. I'm guessing you'll find quite a few older than three years. Sure, some have new devices, but this is usually because the one they had before really got too old or, more likely, got broken. When smartphones were newer, the new device would well outstrip the two-year-old device, making people want to buy the newer one to use its new features. Now that this is no longer the case, fewer people have the desire to buy each new product, and while some still do, the average consumer doesn't.

Microsoft's Windows OEM, Surface sales looking a bit peaky as coronavirus takes toll on China supply chain

doublelayer Silver badge

Overeagerness to predict things

"Antonio Wang, associate vice president at IDC China, said there would be "a positive side" as Chinese consumers become aware of the importance of access to internet information as a result of the outbreak."

That's a rather strange prediction. I'm assuming that it's referring to the widespread and severe censorship of many topics around the virus and its handling, and the prediction is that people will be annoyed with this and ... I actually don't know what they're predicted to do. If the prediction is that people will protest against censorship, don't count on it; Chinese citizens are well aware of the censorship, don't like it, and are aware that open revolt doesn't end well. If it's people taking other measures to evade the censorship, that might happen, but doesn't seem relevant to the prediction quoted above. I really don't know where that prediction came from, but I'm expecting that whatever it is predicting won't happen.

Wi-Fi of more than a billion PCs, phones, gadgets can be snooped on. But you're using HTTPS, SSH, VPNs... right?

doublelayer Silver badge

Re: A lot of WiFi traffic may be local....

Well, most web traffic is HTTPS now, and most machine-to-machine protocols in heavy use are encrypted as well with SSH having replaced many more classic ones. But you're correct, a lot of traffic isn't encrypted on a LAN. For that reason, we're usually somewhat protective of who we let onto our LANs. An exploit that lets an unauthenticated user read our traffic is much worse than one that lets others on our LAN read our traffic.

doublelayer Silver badge

Re: Unpopular opinion

As has been pointed out, that's not really at issue here. But also, it's not correct either. Of the various methods of getting attacked, MITMing is lower on the list of concerns, but it doesn't require nation-state level effort, and it doesn't have nation-state limited value. An attacker can set up a WiFi MITM device for relatively cheap. If it works for them, they can hope to grab some passwords, access tokens, or credit card numbers from you. True, at this point we've likely encrypted nearly everything that is that sensitive, but we've done this because at one point we didn't and we realized what a disaster it could be for people to pluck them out of our unencrypted network traffic. Not to mention that there are other things you can do with a functioning MITM system; I've only discussed the possibilities involved in reading network traffic, but sending some unexpected traffic to the user also offers some interesting possibilities, albeit at a higher risk to the attacker.

Your phone wakes up. Its assistant starts reading out your text messages. To everyone around. You panic. How? Ultrasonic waves

doublelayer Silver badge

Mitigation options

"The best way to defend yourself from these attacks is to turn off voice commands, or only allow assistants to work when a handheld is unlocked."

Another good way that still allows use of voice commands is to disable the vocal trigger to start the assistant. The user can still use commands, but only by pressing a button on the phone to do so. If they have a complex unlocking system and allow a few commands to run without unlocking, this allows them to do that as well. It does prevent using the device when the device isn't near you, but when comparing it to disabling the feature entirely, it will have less effect on a user who uses the commands.

As attacks go, it's interesting but not the most frightening. It requires a lot of attacker investment and physical proximity. If they do it and I am there, I will likely hear my phone as it reads my new messages aloud and so I'll interrupt it and possibly look for a cause. If they're banking on my not being there so I don't notice the information being read out, they could have someone run in and grab my phone, which would be faster and require less investment on their part.

It's Terpin time: Bloke who was SIM jacked twice by Bitcoin thieves gets green light to sue telco for millions

doublelayer Silver badge

Re: Weakest link security

If it's stored in your head, you stand a good chance of forgetting it. If that means you lose your money, you probably decide not to store it only in your head. If there's a method of resetting a forgotten password, that method can then be attacked. The same provisos hold for all the typical methods of storing sensitive information--the better they are at making sure other people can't get in, the more complex or difficult they are to use. Eventually, you reach a point where what you're really doing is making it hard for yourself to get in without doing much to an attacker. This is why 2FA is so important--if for any reason one method becomes compromised, the attackers still can't get in for the time being. The story here is about the failure of 2FA to have two factors that work well enough. That can of course be argued, but "memorize a long password and why not the private key while you're at it" isn't going to solve anything.

Apple tries to have VirnetX VPN patent ruling overturned again, US Supremes say no... again

doublelayer Silver badge

Re: What??!!

I will have to read the patent, because if it's just NAT circumvention, that isn't original enough. The IETF was working on that quite a while ago and has continued past that RFC several times. Nor would peer-to-peer video communication be a valid patent as that's been done for a while as well. If it's been upheld this many times, it must be about something more specific than that.

Xiaomi in the UK: Multi-eyed Mi Note 10 hits Blighty festooned with cameras and hefty battery life

doublelayer Silver badge

Almost certainly, as they make money off the advertising and preinstalled apps to help deal with the low purchase prices they often charge. Xiaomi devices are more likely to be supported by Lineage OS and other alternatives though, which has been a major point in Xiaomi's favor when I consider what device to buy.

Huawei claims its Google Play replacement is in 'top 3' app stores after Trump turns off tap to the Chocolate Factory

doublelayer Silver badge

"Outside the Great Firewall, you don't need an app store, given that you only have to log in, or sometimes even simply go to, one of those sites through a mobile browser when you haven't got the app installed, and you get bombarded nagged to death forced suggested that their spyware feature-laden app can be downloaded straight from the site at the click of just One Button."

Almost always, this is a link to the Play store entry with a bunch of pop-ups around it. It doesn't help if the user is trying to download the app without Google Play. Of course, if the user wants to find an APK, there are a few sites willing to offer it. As long as you find the one that hasn't added some malware, that will work fine. Unless the app concerned also needs Google Play Services, in which case you will have to find clean versions of those.

This is why it will be difficult for their international business. We can do all of that, but the general user won't (or, if they're in your family, they'll ask you to). This means that the general public who buys a Huawei device without Google's insertions will end up in this situation, and they may mention this to others considering making that purchase. Only time will tell if enough people notice for this to be problematic for Huawei.

Get in the C: Raspberry Pi 4 can handle a wider range of USB adapters thanks to revised design's silent arrival

doublelayer Silver badge

Re: Forget the 'Osborne Effect':focus on the "Upton Effect".

These complaints are rather tenuous. The USB-C thing was a design flaw, and they should have caught it. It was not very impressive when they didn't. But it was a nondestructive design flaw that could be worked around, and they fixed it.

They have a reason for not making the OS a 64-bit one, namely they still make older pis, including the zero, which have 32-bit processors and they want it to be easy for the new customer who is probably a schoolchild to flash an OS to the pi without worrying about versions. You can dislike this reason, but it's logical from their viewpoint and they've been consistent about it. A 64-bit OS is possible from others, just not from them for the time being.

That said, it is absolutely not the case that the pi is "in its infancy". It's been around for over eight years, and we're on our sixth model (and that's not counting any of the non-B models). Even in human lifetimes, that's childhood not infancy, and as computer product lines go, that's between young adulthood and middle age. The fact that the pi is not in its infancy is one of the major reasons it is such a good product; one of the main problems with competitor products is the lack of the type of support the pi community has. Therefore, it's not fair to defend problems that are problems by claiming the product or the designers to be new at this. They're not.