* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

AT&T: We did nothing wrong in promising unlimited data that wasn't. We're just giving the FTC $60m for fun

doublelayer Silver badge

Re: Why are you still an AT&T customer?

You assume here that the people are still customers. I'm guessing quite a few left after their contracts ended, tired of being lied to. But you also have to realize that people still need phone service. If only one provider provides useful service wherever you may be, then you are effectively locked into them. And even if you're in an area of good coverage from everyone, you still have to shop for the best plan. It might end up being that the plan from AT&T was a better value for money than the available plans from the competition, just without honesty.

One can't always keep placing companies on the never-buy-from-them-again list; sometimes their services are needed as much as people dislike them for previous decisions. Your approach works fine in a market of perfect competition, but mobile service is not in a state of perfect competition anywhere in the world, let alone the U.S.

DoHn't believe the hype! You are being lied to by data-hungry ISPs, Mozilla warns lawmakers

doublelayer Silver badge

Re: Google complains about data hungry ISP's??? Those are some swinging balls

It's Mozilla making the argument here. And I completely agree with you about Google's willingness to collect and sell data. The solution to this, however, isn't to choose anyone and everyone who isn't Google and keep data flowing to them. Instead, technology promoting privacy should be supported, investigated, and adopted when feasible, no matter whose data collection is disrupted. If a certain endeavor doesn't do much to cut off the data pipe to Google but does to Facebook, it's still a good thing.

DoH, unfortunately, is somewhere in the middle. It really does promote privacy; it's not difficult to change the provider in a browser and it's quite easy for a DNS provider to set it up. However, it can be used by programs and devices to evade DNS blockers and user controls, including the use of hard-coded servers. Even admitting this, I believe the balance is tilted toward the positive. Programs ranging from actively malicious to locked down by vendor will probably use DoH to hide their tracks, but that can't be helped. If DoH didn't exist, they could and would use something similar. Meanwhile, DoH does really help ensure the privacy of DNS lookups until the DNS server, which can be very useful at keeping data away from ISPs, malicious network devices, etc.

Baffled by bogus charges on your Amazon account? It may be the work of a crook's phantom gadget

doublelayer Silver badge

Re: How is the device added...?

Logically, it probably starts with account access. This could be from password reuse, poor passwords, access to an email account, theft of credentials via malware, or the like. However, as we don't have many details, it is theoretically possible that there is another vulnerability somewhere that people have found. We don't need to assume that exists at the moment, but it's not beyond the bounds of possibility.

Everyone will have some type of security incident, and quite a few of those will be account accesses. However, the real problem is recovery from an event like this. Most accounts can be recovered by taking them over again, changing access methods, and enabling multi-factor. When this course of action is not sufficient, we have a problem.

The .amazon argy-bargy is STILL going on – and Uncle Sam has had enough with ICANN

doublelayer Silver badge

That's not a good idea. For one thing, the organization never asked for the domain. They just complained about Amazon getting the domain because they're annoyed. As pointless as it is for Amazon to want the domain so much and as warranted as Brazil's complaints against the U.S. are, this fight is producing no useful outcome for anybody, which the complainants know well. I have little sympathy for them. I don't really care whether Amazon gets their domain or not, but I can't see that people deliberately trying to be obstructionists have any legitimacy.

Top American watchdog refuses to release infamous 2012 dossier into Google’s anti-competitive behavior

doublelayer Silver badge

Re: Meh

But an auto dealership and a hardware company aren't search engines. They are making recommendations when asked, but it is not their job to provide information. In addition, no manufacturer of cars or phones currently has an effective monopoly on that market. Google, as a search engine, does have providing information as a primary purpose, and at the time (and now), their market share does place them very close to a monopoly in many countries. If they choose to bias their search results to promote other products, it could be considered abusing their market position, which violates antitrust and pro-competition legislation. Your analogy is inadequate.

Not just adhesive, but alcohol-resistant adhesive: Well done, Apple. Airpods Pro repairability is a zero

doublelayer Silver badge

Re: Hearing aid?

I don't want these, and they're ridiculously priced as well, but there is a simple answer to why people want earphones that block out a lot of the noise from their environment: open plan office. I'm in a mixed plan office and I still choose to use headphones because if I decide to work to music, I won't be irritating the person closest to me. In addition, having devices that have the capacity to serve as impromptu earplugs can be nice if I'm being subjected to far too much ambient noise. An airplane cabin or construction zone next to where I'm working come to mind. Another that comes to mind is if I have to work inside the server room at some point. The shriek of lots of servers is annoying and can damage my hearing, while there's very little likelihood I have to listen out for dangers (unless it's the BOFH's server room) or would be able to hear them anyway.

doublelayer Silver badge

Re: Double the reason

I'm guessing that you treat your high-priced wired headphones rather well. That's quite a logical thing to do given how much you spent on them. My problem, however, is that I want not to treat them well. I want to use them out and about, finish up, and coil them into a pocket or bag. I don't necessarily want to spend a ton of time neatly keeping the wire in perfect condition because it's quite likely I will stop using them when I need to be doing something else. In my experience, cables don't last very long when you do that to them, especially the pretty thin ones attached to most sets of headphones. I've killed far too many sets to spend very much money on them.

That said, I do have a good set of wired headphones which are quite high quality. I keep those at home, neatly organized, and only use them when doing audio work. I don't need that kind of quality when I'm using headphones elsewhere, and I don't want to lose the money spent on them by damaging a cable which isn't always as straightforward to replace as it looks.

doublelayer Silver badge

Re: That vendor's track record for reparability is miserable

To be fair, and I don't necessarily want to be, their record isn't all that bad when compared to many of their rivals. Nothing they make is very repairable, but many of their phones and laptops are at least more repairable than ones from other leading manufacturers. Recent reviews of Samsung and Google phones, Microsoft laptops and tablets, and the like seem to show similar levels of disregard for self-repair. I wouldn't focus on how Apple ranks compared to others. I'd focus on what the raw numbers are, and they range from not great to well it's the bottom of the scale.

The Feds are building an America-wide face surveillance system – and we're going to court to prove it, says ACLU

doublelayer Silver badge

Re: Hypocrites

They have. At least some of the new companies placed on the American entity list were placed there because they create surveillance systems used in the Chinese province of Xinjiang for tracking and in many cases imprisoning people on ethnic grounds. Which is why they got suggested on the list, but they'll certainly be removed if the trade war goes the way the American administration wants because human rights won't matter in that case. Various other countries have been calling this massive human rights abuse by China out too. It's so obviously happening and so obviously really bad that nearly everyone at least says they're concerned about it.

doublelayer Silver badge

Re: Hypocrites

What's the lie you speak of? The Chinese do have such a system, and it's pretty dystopian. The various branches in the U.S. haven't gotten around to writing their lies about what they have and what they'll be doing with it, and are sticking with silence for now. Assuming they have set up such a system, we're likely to see quite a bit of prevarication and/or hypocrisy, but we haven't yet found out which. There's also a chance that they've realized that the system is pointless and haven't wasted their time; they have other ways to infringe privacy rights.

doublelayer Silver badge

Re: "the FBI has a larger database of over 640 million faces"

I'm certain that's what it is. People need pictures for driving licenses, passports, and various other things, and all that data can get put in the same database. It would make sense, leaving all decisions on morality aside, to use as many pictures of each person as they can get to have more chances of successfully identifying a person. They can deal with the increased risk of false positives once they've activated their data collection system on all the matches that came up. That's what it's for, after all. Don't look at the logs! I told you that's what it's for; you don't need to check! In fact, you don't need to be here. Get lost and stop poking into what we do with all the private data we have on you that you never gave us or anyone else permission to collect.

Radio nerd who sipped NHS pager messages then streamed them via webcam may have committed a crime

doublelayer Silver badge

Just give the pager a very basic microprocessor capable of performing encryption and decryption. They have them all over the place, and they're quite cheap and run with little power requirements. You can still use the same frequency. Given the privacy requirements of some of this data, that would seem to be a sane precaution.

A stranger's TV went on spending spree with my Amazon account – and web giant did nothing about it for months

doublelayer Silver badge

Re: There seems to be something wrong here

Well, let's round up a few suspects:

1. Reused password.

2. Poor password.

3. Keylogger.

4. Phishing email.

5. Someone with a passwords file (especially children).

6. Insecure IoT device (e.g. television watching Amazon's video service).

7. Malicious attack by someone who knew the person.

8. The poster was not the person whose account was accessed; they are the technical person who helped a family member or friend whose account was accessed using one of the above mechanisms.

9. Amazon's had their system accessed and Amazon doesn't know or hasn't told us.

10. Dumb luck.

So maybe one of those was used to access the account. It's still a massive problem if you can't lock them out by changing the password and deleting connected devices and changing how 2FA is working and talking to normal customer support. I fail to see your objection to this quite likely possibility.

doublelayer Silver badge

Re: Tie in all your services

I suggest the following alteration:

One ring to rule them all,

one ring to find them,

with many ways to see them all,

and for the money, mine them.

I think it fits with the business model of most providers.

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

doublelayer Silver badge

Re: Quick question

That question is difficult to answer. The main reason is that these aren't of particular concern to single-user machines. Of course one might want access to protected memory on those, but an evil person is more likely to have a better way of gaining access to data on a less secure user machine. This type of vulnerability is more useful in penetrating the protections in place on a machine running VMs for multiple people or for multiple purposes. The other problem is that you can't easily detect this by a signature or other file characteristic. Only by observing the operation of a program can the behavior be detected, and the overhead required to do that to everything is prohibitive.

All that said, the best answer is "not very many". It's not easy to do, it's relatively slow, and it's only useful in a few circumstances. You probably shouldn't fear this vulnerability as much as many others. But that's not to say it's unimportant, as there are lots of things someone could do with it.

We can go our own Huawei! Arm says it can flog chip blueprints to Chinese giant despite US trade embargo

doublelayer Silver badge

Re: Just a second

This is not about competition. I know, unpopular opinion, but it's not. It started from real concerns in some security circles across multiple countries that Huawei might actually spy for the Chinese government. These people recommended code checks, which revealed some worrying things but didn't reveal spying. And now the security people have mostly dropped their concerns. The only reason this is still a thing is that some American politicians realized that "security reasons" sounds better than "hostage in a trade war". But it's not about Huawei competing with other companies on comms tech, it's about wanting the trade balance to switch. That's an issue so important to the current American administration that they'll sacrifice anything to get it, and they're not above manufacturing another bargaining chip to try and add some stress.

doublelayer Silver badge

I enjoyed reading that, but it's a little weird to imply that something of the kind would be considered today. For one thing, no matter how weird the American government gets, they wouldn't need to militarily occupy Canada to express their displeasure or for any other reason. For another, I think it might be useful to consider this section from the page: "Many of the war plans were extremely unlikely given the state of international relations in the 1920s, and were entirely in keeping with the military planning of other nation-states. Often, junior military officers were given the task of updating each plan to keep them trained and busy (especially in the case of War Plan Crimson, the invasion of Canada)." Militaries waste their time on myriad pointless researches and games, but that doesn't stop a lot of those activities being completely pointless.

Median speeds for UK 5G four times faster than 4G, but still way behind US and South Korea

doublelayer Silver badge

Re: Mobile data is faster in the US?

There are two major reasons for the difference. Reason number one is logical; the U.S. is really, really big. They have their share of large cities that can be cabled quickly, but you have a lot of very empty spaces. It's like that saying: "The difference between an American person and a British person is that the American thinks that a hundred years is a long time, and the British thinks a hundred [insert kilometers or miles depending on whether it's an American saying this] is a long distance". Running wires to all the places people live is expensive, so there is often no desire to do it again if there's something there already, and relatively little reason for other companies to compete outside the major cities. There are various places that are remote enough that there just isn't a cable; if you want internet, you either have to get satellite or pay for the installation of a cable.

The second reason is purely economic and political. Competition is not considered an issue of major importance, and most places don't have it. The various regulations about what service levels are and what companies are allowed to do have frequently allowed service providers to lock down certain areas as captive markets. Even as regulations change, which they do from time to time, the inertia of past regulations carries on. For two examples, there was frequently a monopoly given to cable television companies who agreed to serve an area. When internet began to come along those cables, the companies with those monopolies had a great opportunity to assert their dominance in the fast-enough internet market as well. Meanwhile, companies were not required (and still aren't in most places) to share any infrastructure, increasing barriers to entry. Regulators frequently focused on geographic coverage rather than competition.

Google claims web search will be 10% better for English speakers – with the help of AI

doublelayer Silver badge

Re: In other words

"I'd question if it is truly AI or just some glorified DSS. Probably the latter."

From what they've said, it fits the standard definition of AI, being based on a neural network rather than just a large set of rules. But that doesn't necessarily mean the large number of different ways a sentence could be read will matter at all to the accuracy of search results. The fact that their own demonstration test case didn't hold after they released it indicates that it's probably not as reliable or useful as they would like to believe.

This type of analysis, if it worked, would be very helpful. There are various things that cannot be easily phrased without using word positioning and prepositions. Quite frequently, searches I perform fall into this by being in the format "A without B", as I know I'm going to get a lot of articles about A with B, which is how I got desperate enough to try phrasing a search to get things without B in the first place. But I somehow doubt that this will solve that problem.

doublelayer Silver badge

Re: 10%?

Not true. Bing is the default on Windows, in a Microsoft browser. If people use a different browser, then Google is almost certainly the default. Most people didn't actively choose a different search engine; they actively chose a different browser. Some people didn't actively choose anything, as Google pushed Chrome with something else and set it as the default. Try going to an average set of Windows machines and seeing what the OS internal websearch system is using. You can set that to Google, but nobody does because they don't care about that search box. If they choose to use Chrome or Google search, that's fine, but know that there is quite a lot of sticking with the status quo behind market share figures.

Not LibreOffice too? Beloved open-source suite latest to fall victim to the curse of Catalina

doublelayer Silver badge

Re: SECURITY!!!1!!

It doesn't really matter when the warnings happen. A wall of them makes a better point in one picture, but it doesn't really change the experience if the warnings appear one by one. I'm happy to have to manually grant access to stuff. But it is Apple's responsibility to make sure that works when other programs try to use it. And there is no good reason not to tell people that they have the option to proceed with running an unsigned app; that box is pretty bad. Apple's headed in the right direction, but they're on the wrong track. They'll need to jump to a parallel one with good UX and user choice in mind, then keep going in the direction of more OS-enforced security.

Google ads from the po-po can prevent vengeful gamer nerds going full script kiddie – research

doublelayer Silver badge

Re: Perplexed

I think they do that, but it takes a certain amount of time to take something down, especially when the person investigating it doesn't live in the same country where it's run, and others can find and use its services while it's not been shut down yet.

No one would be so scummy as to scam a charity, right? UK orgs find out the hard way

doublelayer Silver badge

Re: Charities are a fraud

Some charities are frauds. Some are run incompetently. And some, quite a lot, are quite useful to the local area in whatever field they focus on. Trying to get an easy answer by putting them all in one box, no matter what box you pick, is certain to get it wrong for a large chunk of charities. Only by researching what a charity does and whether they're doing it honestly can you know whether it is legitimate or not.

I volunteer my time to some charities*. When I decided to do that, I checked out the charities involved to see whether they were trustworthy. This may be tricky in some ways, because a charity can do a lot of the same things a for-profit business does without having violated its trust, including paying some people quite a bit or spending a lot of money on certain things**. And there are definitely charities that exist in a middle area where they're not manifestly perfect. But, even with that admitted, it would be harmful to say that all charities are thus.

*I volunteer my time outside of work, but I work for a company that is definitely not charitable.

**For example, certain charities do spend a lot of money on lawsuits or travel expenses, which would ordinarily be red flags. If the charity is a legal advocacy thing, the law expenses make sense. If the charity does field research, then the travel makes sense. But otherwise, those remain red flags. So you have to consider all the available details; there's no easy equation for whether something is trustworthy enough.

The sound of silence is actually the sound of a malicious smart speaker app listening in on you

doublelayer Silver badge

Re: "vishing"?

I don't think we need a new name for this, but this isn't social engineering. Social engineering is when you convince a person to trust you when they shouldn't and you leverage that trust. This is exploiting an unexpected vulnerability in a device so a user's data can be exfiltrated. It's malware, not social engineering. The easy way to determine the difference is whether a person needs to be involved. After writing this skill, a malicious person can push it out and get recordings of users without ever having to personally interact with any of them.

It's wonderful that both Amazon and Google had to specify that they've taken down the proof of concept malware skills. As if we didn't already figure that. What we want to know and what they refuse to tell us is whether they're actually taking any of the necessary steps to prevent active use of the same tactics. From their statements, Amazon seems to be saying "Yes we made a change, but don't ask for details. Trust me, it's fine" and Google appear to be saying "We already did, so we didn't have to make a change, it's fine, and we don't need you poking about now go away". I'm taking both statements with the annual salt output of Bolivia.

Pack your pyjamas, Zuck: US bill threatens execs with prison for data failures

doublelayer Silver badge

Re: Relocate ?

There are places he could run to, but he almost certainly wouldn't. Even if you stick with English-speaking only, you've got countries on every continent meeting that criterion*, and you can find someone who speaks English well and willing to translate for you in exchange for a bunch of money anywhere you go.

But even if this law got passed, he would have a team of lawyers so massive that it would be years before anything at all happened to him, years that would be spent trying to get the law repealed or modified, a pardon issued, or a loophole found so that nothing would happen at all. And, if by some leap of imagination we actually consider that he got convicted, I doubt the prison sentence would be very long or onerous. A life in exile isn't so desirable if you can pretend you've learned your lesson, go wherever you'd like, and leave with billions.

*I count at least nineteen countries with English as the primary official language and lingua franca across six continents, and at least another twenty with English as an official language spoken by a large enough community. Not that all of those are places you'd want to live on a full-time basis, but they at least exist.

doublelayer Silver badge

You just pointed out the judge. Where do judges work? Courtrooms. What do they do? Trials. What happens when someone's broken the law? They go on trial. Who runs that? A judge. So how have you come to the conclusion that the judge is just going to sentence the person without holding a trial? It happens to be completely against the constitution, and, oh yes, nobody's ever advocated for it and they're not now. You're raising a completely pointless and wrong objection.

Fancy yourself as a bit of a Ramblin' Man or Woman? Maybe brush up on your cartography

doublelayer Silver badge

Re: Any Idiot...

So the phone app shouldn't be used for this information? The paper map isn't necessarily any better. It could be inaccurate or out of date, and you wouldn't know until it became a real problem. While I get that the phone could run out of power or the app could get broken, lots of coulds apply to a paper map as well.

It's also probably worth keeping in mind that many of those people probably didn't use this app for areas they had a high chance of dying in. If people like going to a perfectly safe area containing nature, they're probably using the map to help identify and locate things, rather than get to safety. I am reasonably sure this applies to most users, and therefore the consequences for the app being useless were a ruined excursion rather than a brush with death. As such, your calling them idiots seems quite a bit harsher than they deserve.

Not a good look, Google: Pixel 4 mobes can be face-unlocked even if you're asleep... or dead?

doublelayer Silver badge

Re: Erm

Most good fingerprint sensors won't work on a lifted fingerprint, so you have to pick up someone's hand and physically place the finger on the sensor. Since people move a bit in sleep and the sensor requires sustained contact, you'd also have to hold their finger there for a second or two. In addition, many sensors aren't great and require multiple scans, which means possibly having to lift and reapply the finger. Some people may sleep soundly enough that you can pick up their hand, separate one finger to avoid interference, and hold it to something else, but I doubt it's all that many people. The majority who would wake up would now know the exact person trying to access their device, have very clear proof, and be in convenient punching range (either from gaining lucidity admirably quickly or simply a strong enough startle reflex). Judging from how well my cat can wake me up, it won't work on me.

Welcome to the World Of Tomorrow, where fridges suffer certificate errors. Just like everything else

doublelayer Silver badge

But I doubt the screen size is directly proportional to the processing, memory, and storage. They could have obtained all of those parts from their extra inventory and simply attached a larger screen to the result. Of course, since nobody will actually run all that much on this device, perhaps that's the most efficient choice for all involved.

Sudo? More like Su-doh: There's a fun bug that gives restricted sudoers root access (if your config is non-standard)

doublelayer Silver badge

Re: @tfb - Already patched in Slackware.

"It is not you alone that decides who is to be trusted and who's not, business has also a word to say."

Methinks you misunderstood the main point. The main point was that giving unrestricted root access lets everyone with that access do anything. The business wouldn't want that. Nothing was said about the admins making all decisions; instead the admins would be better implementing a security policy limiting users' access to run stuff with root privileges.

"Also, may I remind you the not so few cases in which a trusted sysadmin locked down networks and systems and denied legitimate users access ?"

And how did they do that? By running commands as root. So if you give ten times as many people unrestricted root access, you have ten times as many people who could do something like that. And your disagreement with the original point was?

doublelayer Silver badge

Re: I suspect that most didn't even know it was an option

However, that usually allows a user to sudo to only one user, i.e. whitelisting rather than blacklisting IDs. I haven't read the details, but it sounds as if that configuration would have prevented this attack.
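
The comment above contrasts a Runas list that names the permitted target users with one that excludes specific IDs. The following is an added example, not part of the original post or of sudo itself: a small lint that classifies the Runas list of each sudoers rule and flags the exclusion style. The sample entries and user names are constructed, aliases are not expanded, and the parsing is a heuristic rather than a full sudoers grammar.

```python
import re

# Constructed sample sudoers content (not taken from the page or a real host).
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
alice   ALL=(ALL, !root) /usr/bin/vi
bob     ALL=(www-data) /usr/bin/systemctl restart nginx
carol   ALL=(ALL:ALL) ALL
dave    ALL=(deploy, backup : adm) NOPASSWD: /usr/local/bin/sync
%ops    ALL=(ALL, !#0) /usr/bin/less \\
            /var/log/syslog
erin    ALL=/usr/bin/id
"""

# Runas spec: the parenthesised list that follows "host =" in a user rule.
RUNAS_RE = re.compile(r"=\s*\(([^)]*)\)")
# Lines that are not user rules (aliases are skipped, not expanded).
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include", "#include")


def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations folded."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:
        yield start, buf.strip()


def classify_runas(spec):
    """Return 'denylist', 'all' or 'allowlist' for one Runas list."""
    users, _, groups = spec.partition(":")
    entries = [e.strip() for e in (users + "," + groups).split(",") if e.strip()]
    if any(e.startswith("!") for e in entries):
        return "denylist"      # e.g. (ALL, !root): everything except some IDs
    if "ALL" in entries:
        return "all"           # unrestricted target user or group
    return "allowlist"         # only the named users/groups are permitted


def audit(text):
    """Return (line, who, style, runas_spec) for every user rule found."""
    findings = []
    for lineno, line in logical_lines(text):
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        # '#' starts a comment unless it introduces a numeric uid (#1000).
        if line.startswith("#") and not re.match(r"#\d+\s", line):
            continue
        who = line.split(None, 1)[0]
        specs = RUNAS_RE.findall(line)
        if not specs:
            # No Runas list: sudo falls back to its default target user.
            findings.append((lineno, who, "default", ""))
        for spec in specs:
            findings.append((lineno, who, classify_runas(spec), spec.strip()))
    return findings


def denylisted(text):
    """Rules whose Runas list relies on excluding IDs; review these first."""
    return [(ln, who) for ln, who, style, _ in audit(text) if style == "denylist"]


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print(finding)
    print("exclusion-style rules:", denylisted(SAMPLE_SUDOERS))
```
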

Lies, damn lies, and KPIs: Let's not fix the formula until we have someone else to blame

doublelayer Silver badge

Re: KPIs

And that's often because I know any score below a nine (or sometimes a ten) is seen as an indicator that someone has failed. Even though eight out of ten is pretty good, I know there will be a discussion about why there weren't two more points there. Maybe this will cause a lot of problems for the person concerned. Maybe they'll send me a dozen more surveys to try to extract the reason for my withholding those two points. And I succumb to laziness and just assign nines and tens if the thing was fine or above.

doublelayer Silver badge

I'm not sure that would necessarily have been the case. The data was wrong, that's true. But the data was also untested. It could be argued or inferred that the managers were responsible for at least attempting to verify that the data was correct, and that they had failed to do that. If someone in HQ was of a suspicious type, they might assume that management had specifically engineered the script to function improperly and was trying to blame the person who caught them, or that management and the developer conspired to do it incorrectly and could both be held responsible.

Blame is a complex substance; when it's dropped from the ceiling it never just falls straight to the floor. Every time, it splatters everywhere.

doublelayer Silver badge

Re: Building entry log

That's why a system actually used for safety purposes would need to have a remote backup. If there were multiple sites, a mirrored version between the two would help. If not, the records could be stored in any number of remote places. It's quite doable. However, it's quite unlikely ever to be considered a priority despite the required tech already having been installed and the real benefits it could provide.

Tearoff of Nottingham: University to lose chunk of IT dept to outsourcing

doublelayer Silver badge

Re: And this means

"When the only upwards path is into management you end up with management by people who weren't recruited for managerial talent but could do the technical job"

Sometimes, but usually I find that if that's the case, the people who could do the technical job got promoted into management, and because they either weren't good at that job or just didn't like it, they left. So management is made up of some random people who actually like but aren't necessarily any good at management, while all the technical people who were good at the technical work left because they wanted to keep doing technical work. Meanwhile, anyone that gets hired and can do the technical job well will do so, but they see what's coming and they're just biding their time until a different job comes along.

From Libra to leave-ya: eBay, Visa, Stripe, PayPal, others flee Facebook's crypto-coin

doublelayer Silver badge

Re: Good reasons for virtual currencies.

Well, the theory is that it's harder to commit fraud with a crypto wallet than it is with a credit card. With a credit card, they need a relatively short number which will authorize any transaction whatsoever. With a wallet, each transaction needs a separate signing with a private key, so you can't just steal part of the data traffic from a previous transaction and start making new ones. That's the theory.

In practice, we all know how that ended. If you have a great way of keeping the private key private and secure and not known by anyone and easy to get to but also not easy for you to lose, then you're great. Otherwise, you can still lose your money and now you don't have a way of getting it back.

doublelayer Silver badge

Re: The cost in kW

"And how is that any different to Barclays seeing and notarising all my transactions, as at present?"

I can't believe you're really asking that, but let's do a few comparisons:

Banks/money in government-issued and controlled currency: Strict regulations on what they're allowed to do with money. Not perfect regulations, and not always obeyed.

Facebook/money Facebook makes: Almost no regulations save for data protection (data protection regulations offer valid in EU countries and U.K. only). Facebook has a terrible record obeying even that.

Banks: They are not permitted to sell personal transaction history to anyone.

Facebook: They not only are allowed and are definitely going to sell transaction data to someone, but they already know the people they're selling it to and have customers eagerly waiting for it.

Banks: In most places, value is insured against a bank collapse.

Facebook: Hahahahahahahaha.

Banks: Multiple available. Should it turn out your bank has not been sufficiently protective, you can choose a different flavor of not that great, but at least competition exists and is enforced.

Facebook: Hahahahahahahaha.

Banks: Should you want to prevent them from knowing what transactions you do, you have the option to make a large withdrawal in physical cash and then spend the cash (offer only functions on some transactions, notably smaller ones).

Facebook: If you think getting a different currency out of their system without a lot of paperwork and paying quite a lot in fees is going to happen, you might not have read their documentation.

Banks: They are owned by many different people, and those people are interested in the profit of the company. So they aren't super happy to incur massive fines or lose all their customers and will change policies to try to prevent that.

Facebook: They are controlled by one person and he is already a billionaire. He doesn't need any more money and he will do whatever he pleases.

Government-issued currency: Supported by the government of the country. As history shows us, this is no guarantee that it will definitely retain its value, but it is somewhat likely to do so if the country is run democratically and has a large-enough economy.

Facebook: They can pretty much decide at any time to reduce the value of their currency and have fun trying to stop them.

Government-issued currency: The government of your country of residence has the ability to ensure this currency can be used to pay people; sellers can increase prices but must accept payment.

Facebook: Should Facebook stab sellers in the back with high fees, sellers would be completely in their rights to stop accepting it abruptly. This makes Facebook's currency less reliable.

Nobody is saying banks are great. We can all get together later and compete to complain the loudest about banks, and we have plenty about which to complain. But that doesn't stop Facebook from being worse.

doublelayer Silver badge

Re: But today I'm a reformed character

I don't think you have the right handle on monetary policy there. Let's take this point by point:

"The notes that are printed by the treasury cost about 7 cents or about 6 pence to make...subtract that and the "usery" that the central banks charge for essentially loaning the money to a government who issues the paper money and you have what the treasury/government make on actual currency."

That would only be the case if the treasury simply ordered notes printed up and started spending them. But they don't do that. The supply of physical currency is strictly controlled by various instruments of the government. Not that they couldn't start doing that, but the U.S. government, the one under discussion, doesn't and hasn't. If they did, then trust would indeed be lost, inflation in dollar-denominated markets would spike, and people would start using other currencies for international trade.

"However this is less than 10% of "money" the rest is virtual and is worth more or less what people want to believe its worth.... And are alluded to as financial instruments..."

No, it's worth what people as a whole have decided it's worth. If I decide my investments are worth ten times what they are actually worth, I won't get any more money. People disagree on the actual worth of the things, but that's why we sell things we think are worth less than other people think they're worth.

"As an example there is now. More "money" in derivatives than all the currency ever made, minted, printed or bartered for what there's a record for."

That's true. But many of those securities are in some way tied to things that aren't money. For example, stock in a company technically is backed by the assets of that company, including things that aren't money, like code written by the company or the physical items owned by that company.

"The reason the dollar is "believed" to have "value" is because energy can only be bought and sold in $ as mentioned above... The problem is that this distorts the value of the $ and devalues all other currencies...."

Energy can be bought and sold in any currency you like. The prices are usually stated in dollars because that's convenient, but dollars are not universally used. In fact, there are certain parts of energy markets where the money used is euros, because the participating governments or companies find that more convenient.

"The danger is that a systemic failure of US economy will knock through other markets...

ie the last "credit crunch" which by a large factor the was because of IGI was unable to cover what they had underwritten in toxic credit default swaps."

That's very true. But that can happen no matter what country was involved. If China's economy collapses, we'll feel it here. And although many American financial companies dramatically worsened the severity of the 2008-2009 financial crisis, companies in other countries also contributed.

"I'm not sure how you perceive value but if you use it as a measure of what you can buy in a store ie purchasing power then the value is about 52 cents as the rest will be taken up in interest, duties, tax and fluctuations in the fx markets"

Yes, we usually decide that value is ultimately purchasing power. And your number doesn't make sense. When you purchase something, the tax and tariffs are part of the price you pay, which they tell you. So although your money goes both to the store and the government, the value is still one dollar. Not to mention that, even if you do decide to determine the value of a dollar based on the amount of the dollar that goes to the seller, the value will be very different depending on where you're spending it and what you spend it on. If you spend it in the United States on an item where the state has no sales tax (E.G. food) and which hasn't been imported or has no tariff, then you pay much less than if you spend it in a country which uses another currency (you pay for the eventual exchange into the local currency), which has a higher sales tax, and which has paid a tariff on the item. This is the reason we don't decide the worth of a dollar by who gets each part of it; we decide based on the price of the item and how many dollars need to be paid to obtain the item.

doublelayer Silver badge

Re: But today I'm a reformed character

No, but considering that pretty much everything requires at least a little trust, I don't think we should limit ourselves to financial things to put on the don't-let-facebook-be-part-of-it list.

China and Russia join to battle 'illegal internet content,' which means what you fear it does

doublelayer Silver badge

Re: Satellite internet's a'comin

I just meant to reply to the thread, not a specific post. And while you could put a dish there, it probably won't have the ability to contact the satellite without a very permeable roof. I haven't tested this, but I doubt many houses will allow for it. Of course, the installation of equipment is just one problem that needs to be solved before satellite comms work as anti-censorship gear.

doublelayer Silver badge

Re: Satellite internet's a'comin

You may be interested in the recent activities of Turkmenistan. The general idea is that, because of urban beauty reasons and definitely not because they wanted to censor, satellite dishes are completely illegal. And that is enforced; if you have such a dish, the police will come by and confiscate it. You will be fined or imprisoned. This applies to every dish; it's clear they're primarily trying to prevent reception of satellite television, but they'll take anything. That wasn't particularly difficult for them to do. That can happen anywhere.

If you think the skies will be free, I'm going to need to see a receiver for satellite internet that can easily be used while remaining hidden and even more easily hidden should a censor come to call. So that will require the device to work indoors, without being obvious through a window, and collapse to a small enough device that it can be hidden inside something else. All existing dishes I've seen are quite expansive devices and need a very precise position, meaning that it wouldn't be all that easy to take it down and redeploy it twice a day. Can you show me such tech? If not, I believe you are badly mistaken in your optimism. Even if you can show me such tech, we've only solved the really obvious problems. Plenty more methods of censorship remain.

doublelayer Silver badge

Re: Damned Authoritarian Governements

Sadly, both already have. China has blocked pretty much every communication app under the sun. What remains has a direct phone home to a Chinese government-controlled set of servers, and of course no encryption. Russia has mandated the same in law, but because they have less technical capabilities, they haven't gotten it yet. However, they are actively blocking Telegram after it refused to assist the Russian government in decrypting users' messages.

I know you were going for the "look at the west; they're bad too", but the western spy agencies are still trying to get the law to give them the power to demand companies assist them. Russia and China already have. I don't say this to support the surveillance systems supported by the west, but Russia and China are not being attacked by a hypocritical west; they're the disaster we are headed to.

The safest place to save your files is somewhere nobody will ever look

doublelayer Silver badge

Re: Editing Docs from Email

That's dangerous. The user could edit the document, click the normal save button rather than save as, and have the file saved in the temp directory. And then you have to answer the question "Why didn't it tell me it wasn't saving in my folder?" If you make sure they know to save immediately, thus changing what document is being edited, there's less of a chance they will totally mess up what you said once you've left. Still a chance, but a smaller one.

Is right! Ofcom says Scousers enjoy a natter on the phone compared to southern blerts

doublelayer Silver badge

Re: I Hope This Isn't True...

As a relatively young person (I have no problem making and receiving calls), I think the opinion of those who don't like to make calls is concern that the person they are calling will not appreciate the call because they are busy or unavailable. I'm not saying this makes sense; we all have a vibrate mode on our phones for a reason. But that's the reasoning I've heard from some people and those people tend not to make calls very often.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

doublelayer Silver badge

Re: Not sure...

Sorry, but that calculation is not sufficient. You're getting the combinations of 64 characters that can come from a set of 94 possibles. But since characters can be repeated, there are actually 94^64 options. However, since a 63-character password is not one of the set of 64-character passwords, it becomes that series I wrote instead. Either way, it's a bunch of numbers. But just in case you have access to the biggest hard drive and processor factory ever, make sure you check all permutations and all lengths lower than your limit or your rainbow table will have gaps.

doublelayer Silver badge

You want to store a rainbow table of up to sixty four characters? Well, among other things, that's:

94^64+94^63+94^62+...+94 = ~1.926*10^126 password options (using the 94 characters from the standard ASCII printables)

Assuming we store a compressed version of that string that takes, on average, 20 bytes and we also store only a 256-bit hash (32 bytes), that's

1.926*10^126 passwords * 52 bytes/password * 1 terabyte / 1099511627776 bytes =

9.112*10^115 terabytes of storage

Using the rough numbers of 600 grams for a 3.5-inch hard drive, which we assume stores 16 terabytes, and has a cost of $200 U.S., this would produce a set of hard drives weighing 3.417*10^114 kg and costing $1.139*10^117.

In other words, your rainbow table would weigh about 1*10^75 times the mass of the sun and would cost so much that, even if you diverted the gross world product to pay for it, you'd need to continue long past the death of that sun to pay it off.

Talk about a calculated RISC: If you think you can do a better job than Arm at designing CPUs, now's your chance

doublelayer Silver badge

Re: "I did not know that ARM actually prohibited adding instructions"

I don't think you understand what is being said. You are telling us that, if you request and parse the CPU ID before every questionable instruction, it would add a lot of overhead. When you say this, you are right. When you say this, you are missing the point. The ID is not retrieved and parsed before every possible instruction. It is retrieved and parsed (only if applicable), at the beginning of execution. Then, things are updated to use the proper instructions. The overhead is only incurred once, and that is a negligible time cost. You ask for examples of things doing this. I would direct you to nearly every program that uses one of the instruction sets that are widely supported but not universally so. Using my example of AES, look at disk encryption programs. They will do exactly this. Other extra instructions are frequently used conditionally by programs such as VM hosts or anything where the marketing includes the phrase "hardware acceleration".

As an example on how this is done, consider this pseudo-assembly, with AES acceleration as the example:

#function that does encryption in hardware:
do_it_in_hardware:
    run_cpu_aes_instruction parameters
    return

#function that does encryption in software:
do_it_in_software:
    bunch_of_normal_math_instructions parameters
    return

#main function:
main:
    encryption_function = do_it_in_hardware
    #Note: I've written this like a variable. I do know about computers, so I know this would be implemented by storing a number in a memory location or register. I wrote it like this for simplicity of reading
    Retrieve CPUID
    Parse CPUID
    if (CPU can't perform hardware AES):
        encryption_function = do_it_in_software
    #rest of program

In this simple case, the only thing that's changed is the value of the pointer encryption_function. The rest of the code merely jumps to it. In the real world, there would be more complexity because they'd probably write the code to avoid the function-calling overhead too. But I hope you get what we're trying to explain.
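The same one-time dispatch as compilable C, added here as an illustration and not part of the original post. To keep both paths short it swaps AES for CRC32C, whose hardware instruction arrives with SSE4.2 and is advertised in the same CPUID register as AES-NI. The names `dispatch_init`, `crc32c_hw` and `crc32c_sw` are assumptions, and the hardware path assumes GCC or Clang on x86.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>              /* GCC/Clang wrapper around the CPUID instruction */
#define HAVE_X86_CPUID 1
#endif

typedef uint32_t (*crc32c_fn)(uint32_t crc, const uint8_t *buf, size_t len);

/* Software path: bitwise CRC32C, reflected Castagnoli polynomial. */
static uint32_t crc32c_sw(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    while (len--) {
        crc ^= *buf++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0x82F63B78u & (0u - (crc & 1u)));
    }
    return ~crc;
}

#ifdef HAVE_X86_CPUID
/* Hardware path: only this function is compiled with SSE4.2 enabled. */
__attribute__((target("sse4.2")))
static uint32_t crc32c_hw(uint32_t crc, const uint8_t *buf, size_t len)
{
    crc = ~crc;
    while (len--)
        crc = __builtin_ia32_crc32qi(crc, *buf++);
    return ~crc;
}
#endif

/* Safe default: the software path runs on every CPU. */
static crc32c_fn crc32c_impl = crc32c_sw;

/* Call once at startup. Returns 1 if the hardware path was selected. */
int dispatch_init(void)
{
#ifdef HAVE_X86_CPUID
    unsigned int eax, ebx, ecx, edx;
    /* Leaf 1, ECX bit 20 = SSE4.2 (AES-NI is bit 25 of the same register). */
    if (__get_cpuid(1, &eax, &ebx, &ecx, &edx) && ((ecx >> 20) & 1u)) {
        crc32c_impl = crc32c_hw;
        return 1;
    }
#endif
    return 0;
}

/* Callers never test the CPU again; they just jump through the pointer. */
uint32_t crc32c(const uint8_t *buf, size_t len)
{
    return crc32c_impl(0, buf, len);
}

int main(void)
{
    const uint8_t msg[] = "123456789";   /* constructed sample input */
    int hw = dispatch_init();
    printf("%s path: %08x\n", hw ? "hardware" : "software", (unsigned)crc32c(msg, 9));
    return 0;
}
```

Unlike the pseudo-assembly, the pointer here starts on the software path and is upgraded after detection, so a call made before `dispatch_init` cannot hit an unsupported instruction.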

Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

doublelayer Silver badge

Re: If something is free, YOU are the product being sold

This is far too general. In some cases, it's simply not true. Plenty of software is released for free without expecting data or anything else of value. And, in many other cases, people pay for a product and have their data stolen regardless. To some extent, you could say that "If there are ads on it, you are the product", but that's not necessarily always the case either.

doublelayer Silver badge

I know what they mean. They mean that the phone numbers weren't simply packaged up and emailed to the advertisers, I.E. no data was "shared", deliberately on the basis of "let's share this big list of numbers". However, the data was, in fact, shared because the advertisers got matches. The matching software ran on Twitter's servers and not the advertisers', that is all. From the perspective of the users who had their numbers stolen and given to an advertiser, there's not much difference. I would cheerfully accuse Twitter of almost a lie on this occasion. They know what this means but they were deliberately deceptive to try to make it sound like less happened. Definitions of "lie" can change, but it was clearly less than honest.

doublelayer Silver badge

Geographic coverage

We now need to find out where this applies. If it applies to European users, they may be in for quite a fine, as this is a pretty clear GDPR violation and they probably didn't disclose any of this as they were required to do. Why do I have this sinking feeling that it applies to everyone but the European users (just check, investigators, you'll clearly see that the server says "everywhere-but-europe.twitter.com" and why would we lie?) or that those with the power to hand out fines will consider it and then forget?