* Posts by doublelayer

10486 publicly visible posts • joined 22 Feb 2018

Trump administration says Russia behind SolarWinds hack. Trump himself begs to differ

doublelayer Silver badge

Re: "Or do all Russia-based hackers sit in the pocket of Kremlin?"

"'Fingerprints' is very vague and hand-wavery. An example or two would go a long way..."

Examples of how attribution is done include things like these:

1. Does the code look like stuff you've seen before? At a basic level, is there an exploit that someone has used before but few others know about? If so, it's more likely to be them. At a more detailed level, drill down into the assembly and look at modules. Stuff gets reused or updated. Even a pattern of names may be illustrative. There is usually not a need to go to sufficient effort to change your entire coding style to frame someone else. If you've developed a great file spider that can quickly identify stuff of interest for exfiltration, you might decide to put it into multiple malware distributions rather than rewriting it from scratch; if your obfuscation isn't good enough, that may link them both. Attribute one to you, and the other connects too.

2. How did the code get onto the victim's systems? Was an exploit used? How about a botnet? Who do we know who has done that before? If we have a location of the source, what do we know about it? Who purchased the server? Do we have any information from historical network scans? Sometimes people are careless and information they didn't think about ends up coming back to name them. For example, people who set up fake servers sometimes forget that, even though they change the information later, the provider has the ability to recall the information they put in originally. The original Silk Road Tor drugs market was partially taken down due to its founder putting his real name in a related account.

3. Once it was there, how was it controlled? Do we have logs showing a human acting? Maybe it crashed and restarted from a manual command. What do we know about the location of control? For example, some government-backed APT groups operate on local business hours. While it's not impossible for someone else to only work 9:00-17:00 Moscow time and take off Russian holidays, there's little reason for them to disrupt their schedule. When you notice that it happens, chances are you've at least located the attacker's time zone and that it might be an organization doing it.

4. Who has used the malware for benefit? Not necessarily always available, but have they extracted data and used it somewhere we know about? For example, if you were attributing an attack on a website to a group, finding the database's contents for sale at least gives you two targets to investigate, the attacker and the seller. They might be the same, but even if they're not, they probably know each other.

5. The old-fashioned return the favor--someone knows what APT29 is up to, and I'm sure the NSA would like to hear about it. We don't know how hard the NSA has tried to gain access to various places where such information is available, but they must have tried and probably have access to some of it. This isn't available to everybody, but in a government hack, there will be a lot of government investigation of what happened.
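The working-hours heuristic from point 3, as an added example that is not part of the original post: given operator-command timestamps pulled from C2 logs (a constructed sample below, in UTC), shift them into each candidate UTC offset and see which offset packs the activity most tightly into a 09:00-17:00 weekday window. The offset range, the window and the sample data are all assumptions made for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: UTC times at which a human operator issued commands
# to the implant (a clean weekday 06:00-14:00 UTC pattern plus one
# Saturday outlier). Not real log data.
SAMPLE_EVENTS_UTC = [datetime.fromisoformat(s) for s in (
    "2020-12-14T06:05:00+00:00", "2020-12-14T09:40:00+00:00",
    "2020-12-14T13:50:00+00:00", "2020-12-15T07:12:00+00:00",
    "2020-12-15T11:30:00+00:00", "2020-12-16T08:00:00+00:00",
    "2020-12-16T12:45:00+00:00", "2020-12-17T06:30:00+00:00",
    "2020-12-17T10:10:00+00:00", "2020-12-18T09:15:00+00:00",
    "2020-12-18T13:20:00+00:00", "2020-12-19T10:00:00+00:00",
)]


def hour_histogram(events, utc_offset_hours):
    """Count events per local hour once shifted into the given UTC offset."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return Counter(ts.astimezone(tz).hour for ts in events)


def business_hours_fraction(events, utc_offset_hours, start=9, end=17):
    """Fraction of events falling within [start, end) local time."""
    if not events:
        return 0.0
    hist = hour_histogram(events, utc_offset_hours)
    inside = sum(n for hour, n in hist.items() if start <= hour < end)
    return inside / len(events)


def weekday_fraction(events, utc_offset_hours):
    """Fraction of events that land on Monday-Friday in the given offset."""
    if not events:
        return 0.0
    tz = timezone(timedelta(hours=utc_offset_hours))
    weekdays = sum(1 for ts in events if ts.astimezone(tz).weekday() < 5)
    return weekdays / len(events)


def best_fit_offset(events, offsets=range(-12, 15)):
    """Return the UTC offset whose business-hours window explains most activity.

    Ties resolve to the westernmost candidate; callers should inspect the
    runner-up scores rather than treat a single number as proof.
    """
    return max(offsets, key=lambda off: business_hours_fraction(events, off))


if __name__ == "__main__":
    off = best_fit_offset(SAMPLE_EVENTS_UTC)
    print(f"best-fit offset: UTC{off:+d}")
    print(f"business-hours fraction: {business_hours_fraction(SAMPLE_EVENTS_UTC, off):.2f}")
    print(f"weekday fraction: {weekday_fraction(SAMPLE_EVENTS_UTC, off):.2f}")
    for hour, n in sorted(hour_histogram(SAMPLE_EVENTS_UTC, off).items()):
        print(f"  {hour:02d}:00  {'#' * n}")
```

A real investigation would also strip automated beacon traffic first, since scheduled check-ins are evenly spread and dilute the human signal.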

doublelayer Silver badge

Re: "Fingerprints" is very vague and hand-wavery.

Of course false flags are possible. They're tried all the time. They can be fiendishly difficult when it comes to an attack on computer systems because you are dealing with lots of variables and you don't know what others know about you. It's been done before, but it usually gets figured out fast enough. For example, when the 2018 Olympic games were attacked, it was first believed that a North Korea-based group had done it. A few days later, it was actually discovered that the first clues pointing to North Korea were shallow and didn't stand the weight of investigation, and most likely Russia had done it and attempted to frame the North Koreans. Further investigation substantiated those theories to the extent possible without anyone taking credit.

Attribution is tricky, but there are people who put a lot of time into getting it right. They can recognize little techniques or snippets, trace through records of systems used, and make a pretty good hypothesis. When one person releases a preliminary report calling out someone, they could easily be wrong. When several places all agree on who it was, they likely know quite a bit and have done their homework. While they could be wrong and eventually they will be about something, they're often right.

This product is terrible. Can you deliver it in 20 years’ time when it becomes popular?

doublelayer Silver badge

Re: Infra-red

But again, in that situation, it's the box on the television, not the remote, that's of concern. Whether the remote you use uses IR, Bluetooth, a custom RF protocol, or loud beeps for a microphone doesn't matter; only the Android TV box has the connection needed to snoop on them. The risk and therefore any remediation steps need to happen on the receiver end and the remote's implementation is meaningless.

doublelayer Silver badge

Re: Infra-red

"The best thing about line-of-sight remote controls is that they don't upload your button presses to a server in California."

That's what you think. Unless you have a WiFi remote control, the thing that you have to worry about is the device receiving the commands from it. Nothing prevents a television from relaying your IR remote commands any more than it is prevented from relaying commands sent over an RF protocol.

Search history can calculate better credit ratings than pay slips, says International Monetary Fund

doublelayer Silver badge

For now, they know:

1. The DNS queries for the specific domain and all the domains it pulls in. Until DoT or DoH, they'll keep having that.

2. The SNI requests which contain the domain name and the first page URL you request. If you type in a domain name, they get it and "/". If you click a link from a search engine, they get the whole thing. Until ESNI or one of the other suggestions takes effect, that will be available to them.

3. The destination IP. This may be a CDN, but not always. Plenty of people use a server dedicated to network requests which makes it obvious who runs it. Others will run multiple sites on a single server but not on all the other servers, meaning that only that server needs to be interrogated to figure out what the possibilities are.

4. The size and timing of requests. They probably don't go this far, but if they have a server to test, they can try certain likely pages until they identify the one requiring the right number of assets from the right locations. Sites that bring in images and scripts can fingerprint themselves in that way.
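Point 2 above, as an added example that is not part of the original post: the server name in a ClientHello travels in the clear, so anyone on the path can read it with a few dozen lines of parsing. The builder produces a minimal, constructed ClientHello (fixed random bytes, two cipher suites) purely as test input; the parser returns `None` when no plaintext SNI extension is present.

```python
import struct


def build_client_hello(server_name=None, extra_extensions=b""):
    """Construct a minimal TLS 1.2-style ClientHello record for testing.

    This is synthetic test data, not a capture; only the fields the parser
    needs are populated realistically.
    """
    exts = extra_extensions
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type=host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # ext type 0 = SNI
    body = (
        b"\x03\x03"                                   # client_version: TLS 1.2
        + b"\x11" * 32                                # random (constant, constructed)
        + b"\x00"                                     # session_id length 0
        + struct.pack("!H", 4) + b"\x13\x01\xc0\x2f"  # two cipher suites
        + b"\x01\x00"                                 # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in a ClientHello's SNI extension, or None.

    Walks record -> handshake -> ClientHello fields -> extensions, skipping
    everything it does not need. Truncated or non-handshake input yields None.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:      # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:               # 0x01 = client_hello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]
        pos = 2 + 32                                   # skip client_version + random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        comp_len = body[pos]
        pos += 1 + comp_len
        if pos + 2 > len(body):
            return None                                # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + length]
            pos += length
            if ext_type != 0x0000:
                continue
            # ServerNameList: 2-byte list length, then (name_type, len, name) entries
            lpos = 2
            while lpos + 3 <= len(data):
                ntype = data[lpos]
                nlen = struct.unpack("!H", data[lpos + 1:lpos + 3])[0]
                if ntype == 0:
                    return data[lpos + 3:lpos + 3 + nlen].decode("ascii", "replace")
                lpos += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print("observed SNI:", extract_sni(hello))            # www.example.com
    print("without SNI :", extract_sni(build_client_hello(None)))  # None
```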

GitHub will no longer present a cookie notification banner – because it's scrapping non-essential cookies

doublelayer Silver badge

Re: All websites don't really need third party trackers and services

"You can maintain state across a session using post or get variables."

But if you do, it gets painful. Whatever variables you use will end up clogging everything, from the user's history to your databases to all the HTML you send to them.

If you use get variables, the users' history, bookmarks, or shared links will contain a bunch of expired URIs which contain old session data which a) doesn't work anymore unless your server filters it out and redirects them to somewhere new which still works and is at least sort of like where they were at that point in history and b) may contain information that a user shouldn't be storing in their history. The second point can be thought of as the user's responsibility, but part of system design should be keeping data private even when it's not yours. If you instead use post variables, the user who returns to one won't have the issue of persistent storage of data but would likely get a warning from their browser that a post action will be repeated with possible consequences. This also doesn't fix the issue of having to handle links with inaccurate or missing parameters.

Meanwhile, you also have to have your system modify every element on every page to send the required data onto the next one. Turning every link into one which consumes parameters and passes them on and including hidden inputs which ensure all your parameters are in every form can be a large task which consumes resources, complicates the page, and makes your backend CMS a mess. If you don't do it, then a user who clicks on a static page which doesn't need the parameters but continues on from that page will find their session data has been lost.

Stony-faced Google drags Android Things behind the cowshed. Two shots ring out

doublelayer Silver badge

Re: A thought

"Is there any point to Android other than on OLED/LCD touch screen phones and tablets?"

Yes. The reasons differ depending on what you're building, but there are a couple good ones. One is app portability if people other than you are going to write apps for the thing. This could be library services or ebook stores which write an Android app that runs on an ereader and supports their format or can download from their service. If all the ereaders use the same interface, they only have to write the app once. The ereaders likely don't, which is why there aren't that many apps like that, but it's a similar model with streaming video on smart TVs.

For TVs, a general smart TV platform is more likely to get support than a specific one. For example, one of my family members has been asking for my assistance because they've lost access to a television channel on their old satellite system and they want it back. They have a smart TV running some probably awful proprietary system and they also have another proprietary streamer stick which they can use. Neither of these does apps, so I've been attempting to look up whether either has a manufacturer-supplied app for something carrying the channel concerned. With something running a generalized platform like Android TV which can receive apps from people other than the manufacturer, the likelihood that there is something of use is higher. Certainly not guaranteed, but nobody's waiting on the Samsung television feature department to fix a smart TV eight years old.

Another benefit (this one for the manufacturer, not for you) is that Android has a bunch of developers and existing libraries. Linux does too, but for devices using a single screen and basic user interface, the Android developers are already familiar using Android's tools to write apps with that type of interface.

These don't make Android a requirement. A general Linux-based open TV or ereader platform would work well too. But we don't have those. Well, I think Kodi is kind of like an open smart TV platform but as I recall it has trouble with a lot of streaming services because of DRM problems. Nothing is perfect, and in this landscape often nothing is very good, but some things are less bad than others and Android can sometimes get things to the less bad point.

How to leak data via Wi-Fi when there's no Wi-Fi chip: Boffin turns memory bus into covert data transmitter

doublelayer Silver badge

Re: Better computer cases?

That sounds nearly untenable. For one thing, a smartwatch that can be used for the attack needs to be thoroughly reprogrammed. The controlling firmware needs to control the wireless receiver, Bluetooth or WiFi, with sufficiently granular control to make it use a completely different protocol. That's much easier to do with a watch you control rather than someone else's. It's also not easy to replace firmware on a device you can't compromise yourself; firmware updates for nearly every brand of smartwatch are signed binaries uploaded through an encrypted BLE connection. While not inconceivable, actually finding someone, identifying their device, writing firmware which can use the hardware and leave the device functional enough to fool its user, and uploading it without controlling the device itself or the phone talking to it are rather difficult tasks.

The real problem though is that, if you succeeded in doing this, it might not help very much. Watches are really small, so their antennas are short and their batteries can't withstand much use. This means that the range to receive or transmit from a watch is quite low. Also, frequent use is going to kill that battery. An attacker who knows that the watch is supposed to listen to a machine can place it close to the machine and remember to charge it frequently. Someone who doesn't know that is likely to be out of range a lot of the time and become very annoyed when their fitness tracker's battery life suddenly drops (it would be very noticeable). Even if they do succeed in receiving the data, the attacker needs to get it back from the watch. Their only hope is to keep meeting the person with the compromised watch so they can get a daily download, but because of the range limitation, they will have to be physically close to the person with the watch quite frequently. That makes getting the data out hard if there's any information to get after the user unexpectedly went out of range for most of the day.

doublelayer Silver badge

Re: Better computer cases?

That would work rather well as a listener. Even low-end devices can have enough storage to cache data sent to them over a workday. The open-source PineTime watch has 4.5 MB of flash, and the proof of concept can only transmit at 12.5 bytes/sec. That allows for four straight days of collection on a watch which can easily sync back as the attacker goes home. If you wanted to execute a plan like that, your idea is a good one.

However, it doesn't change the requirements. If you consistently work in the secure building and were able to install malware on the target computer, you can probably also go to the secure computer and make it do things. Especially so as you need to be very close to it for the transmission to be received by your sneaky watch. If you do have access, it might be easier just to make the computer disclose information a faster way, whether that's copying to media, converting to QR codes displayed on screen, or just bringing it up for you to peruse.

doublelayer Silver badge

Re: Maybe Typewriters should make a comeback

This exploit already requires that you can get access to the computer. While you can theoretically do that in the supply chain, it also requires that you can put a listener next to the computer, which requires you to be in the same place where that's used. If you have that level of access, you can also copy papers stored under similar levels of security. Theoretically, this is potentially useful if you can only get access once (but your listening device continues to work unnoticed while you're not there and get information out to you somehow), but it's not markedly different from stealing papers; you have to have physical and unsupervised access either way.

doublelayer Silver badge

Re: Better computer cases?

"With everyone using laptops for WFH rather than proper metallic-boxed towers, I think arguing about cases (and cables) may be moot. Not sure what's underneath the plastic shell, if anything."

Doesn't really matter. Anyone using a laptop to work from home isn't trying to airgap said laptop, nor would they be taking any of the other security precautions that this is intended to get around. An attacker can attack that laptop as they use it to read emails or participate in meetings or just walk in and take it. Airgapping is useful for devices that need a lot more security than that, and usually the place that wants it airgapped will decide not to put it in an employee's house unless they very much trust that employee to keep it secure.

It's useful to keep in mind that this exploit only works if you meet three conditions: a) you can get to the airgapped machine in the first place to install malware on it, b) you can put another device near it to pick up the transmissions and relay them on, and c) you can't just steal what you want when you're installing the malware. If a machine is easier than that to attack, the attacker doesn't need something this complex to do it.

Google Mail outage: Did you see that error message last night? Why the 'account does not exist' response is a worry

doublelayer Silver badge

I fail to see the confusion. The message speaks of accounts, the article of users, users have accounts, on Google users are identified entirely by their account as there is no independent username available to them, hence if an account doesn't exist, the user doesn't exist either. Therefore, the message which was sent should only be sent if a user has not set up an account with the specified name or the user's account has been closed. That wasn't the case, so we have a problem.

Google told BGP to forget its Euro-cloud – after first writing bad access control lists

doublelayer Silver badge

Re: Clouds are great!

Running a life-critical system on a cloud system, with no local backup, in one region only, would be negligent to the point there would likely be penalties for the hospital. The same is generally true of any other system where downtime is potentially harmful. It's system design.

You have to keep in mind the ways that exist for making a problem like this less likely. If you run your systems in house but you run the servers from one computer room, what do you do if the UPS in it fails and kills the power? If it will take you long enough to recover from that that you can't withstand the harm caused, then you need a redundant UPS. And possibly you'll need two computer rooms for redundancy so a flood in one doesn't take out the other. Or maybe you even need multi-building redundancy. It all depends on how long you can withstand a failure and how much you're willing to spend to make that failure less likely.

The same is the case for cloud deployments. There's a reason that every cloud has different levels of redundancy, because they have problems. In this case, only one region was affected, so having redundancy across regions would have prevented it. A sufficiently-interested user should have set that up, just as a sufficiently-interested admin should have done for systems running locally. If you're worried enough about a global outage for a cloud provider, then you would either need two cloud providers or to run the systems yourself, but if you're worried enough about a global cloud outage, your systems have to be really well-administrated and redundantly set up to make the risk level the same.

Twitter scores a first for big tech after being fined €450,000 by Ireland's data watchdog for violating the EU's GDPR

doublelayer Silver badge

How impressive

So, the story is that Twitter had a bug which was clearly not intended and affected a subset of their users, failed to report in time, and got a fine so small they've already forgotten about it. Meanwhile, other companies do deliberate things which impact all of the customers, don't hide it, and get no consequences. Why would any company be worried about this? If this is the size of fines being handed out, they have nothing to worry about. If this is the only kind of investigation that gets done, one which can be completed by a simple program*, they have nothing to worry about. Any Irish out there who can petition their government to make their data protection office do more things?

* if ((reportTime-report.discoveredTime).days >= 3*mercyRatio) { report.company.fine(); }

Right-to-repair warriors seek broader DMCA exemptions to bypass digital locks on the stuff we own

doublelayer Silver badge

Re: Yes, but ...

I have no problem with the business model. Others will, and it's clear to see why, but I think it's the right of a company to intentionally weaken a product just as it's the right of a company to produce one that's built from lower-power components so it's cheap. As long as they don't build it specifically to fail fast, I am fine with it.

As for a user tweaking it, they should definitely have the right to do so if they wish. The manufacturer doesn't have to make those options easily available to them. Your employer doesn't have to give the firmware source out to the users, or put the settings in the standard interface, or anything else, but if a user finds a way to make use of the components by changing something, that's their right to do. Just as it would be their right to disassemble the thing they own and use the parts in other devices, they can change one of the parts out for something else they own. You don't have to support a modified product, and I'm sure your warranty specified that you didn't support it if they had opened it up and swapped components. Similarly, you could forbid any such modifications for a rented unit.

Companies want to make it hard for people to change how a product runs. I get that. Sometimes it annoys me, but I feel they have the right to do it if they want to. What I don't think they should have a right to do is to sue me if I succeed despite their obstruction, because it means they're making it illegal for me to go against their wishes with something I own.

Ad blocking made Google throw its toys out of the pram – and now even more control is being taken from us

doublelayer Silver badge

Re: The rise of Facebook and the slow death of journalism is due to online ads

Depending on how it's done, it can be a bad thing. To minimize costs can be done by finding the costs and identifying ways to not have them, which is good. It can also be done by identifying costs and pretending not to notice them, which is bad. If costs to others, i.e. externalities in economics, are taken into account for the reduction goal, then it's good. A lot of companies try not to ever consider that and dump those costs off on us; now their costs are lower and they haven't done anything.

Maximization in profit can be done badly too. Places that attempt to maximize profit now usually don't pay any attention to what they're going to do later; when that rolls around, they'll just try to maximize again. Sometimes, it's necessary to invest in something now, thus getting less in profits, in order to get more profits in the long-term. If profit maximization of this type is done by some company which doesn't push its costs off, then it can only harm that company in the long-term. That's their business. Unfortunately, it usually doesn't. The company maximizes profit instead of investing, extracts that profit until a crisis, then pushes the costs it can no longer manage off on other people.

This is harmful to everybody. It's harmful to the people who have to clean up the mess created by someone who only thought about the short-term. It's harmful to anyone who invested in the company after previous profit maximizers drained the resources that could have produced long-term profitability. It is harmful to other companies who haven't done this because it causes stereotypes that a lot of corporate entities are going to act like this, which is the stereotype the person you replied to was espousing to some degree.

doublelayer Silver badge

Write it. It's not complicated. OpenWrt has opkg, so a user can install it if you write it and put it in the repository. I'm sure you can find people to support the codebase with you.

To answer your question though, the primary reason that people don't is that routers running OpenWrt often have very little storage and/or memory. A lot of them have 16-64 MB of flash, which isn't very big when you also need to store the firmware image in it, and they have 64-256 MB of RAM, where they need to store packets and information about connections, so that fills fast too. Pi-hole works by having a bunch of blocklists stored internally. Sure, they get updated by pulling from the web, but they don't get pulled in their entirety each boot. The Pi can store those on a larger SD card and also always has at least 512 MB of RAM to cache them. Furthermore, most people who choose to install OpenWrt already know enough to use something else as a Pi-hole, so the size of the userbase isn't dramatically increased by making them both run in the same place. None of these issues make it impossible to do it, and writing the functionality might be worth the effort to someone, but those are the reasons it hasn't been worth it just yet as far as I know.

Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight

doublelayer Silver badge

In many cases, they don't. Storage is often charged by the month, not by the hour. Operation is charged by the hour. Therefore, the storage is already paid for and the operation is cut off. If the cap is also a monthly one, the user could in fact continue to store the VM without running it perpetually without exceeding their cap. Retrieval requires certain other charges like bandwidth, but that only happens after the user has deactivated the services creating the unexpected expenses, after which they may increase the cap to run other things during the month.

doublelayer Silver badge

Re: Not so free after all

I'm not sure it works that way. If they issue you a bill and have your name, they can send a legal threat at you until you pay it. In your situation, they had to back down since you canceled the account, but if you didn't, they could sue you and win. For a place like a cloud provider, they can argue that you intended to operate the services and that you know the costs, which is probably not exactly true but they can likely get someone to accept it. Just because they don't have a payment method that they can bill automatically doesn't mean they're out of options for ways to make you miserable.

doublelayer Silver badge

Re: From the article

They could have gotten their system to not result in the bill, but they did set up that billing budget thing. Theoretically, such a feature would mean that you don't have to change all the other settings to avoid a massive bill. You might reach your limit quickly, and if you set the settings right you wouldn't have, but you should be fine. In a case where that feature worked as people expect it to, the user without special access would have to pay a bill for a service that only ran for half an hour, but they wouldn't have to pay a bill four orders of magnitude over what they were expecting. Imagine how it would have gone if other such limits were sometimes considered optional. You could end up in situations like this:

1. You set a caching server to keep copies of your files which expire every ten minutes, but it decided that the ten minutes was optional and instead used the value infinity. All your customers are getting days-old versions of everything. If you had only set the server to erase itself through a hidden task, it would have done what the TTL value is there for.

2. You used a programming language's thread pool and set the maximum number of worker threads to equal the number of processor cores because your task is compute-intensive. It decided your maximum was unimportant, so it spawned a bunch of threads which slowed you down immensely before eventually swamping the OS requiring a forced reboot. If only you had also made the OS restrict the number of threads, the defect in the thread pool library wouldn't have caused a problem.

3. You were filling a car with fuel, and you requested the pump to continue filling until the fuel tank was full. It decided to just keep going, so now your car is at the bottom of a flammable pond and you have a fuel bill more often associated with aircraft. If only you just measured the empty volume and specified the exact amount of the fuel, you wouldn't have had this problem. On second thought, that's also a number so you would be in the same situation. Too bad for you.

doublelayer Silver badge

Re: Surely though...

Google suggestions has received your suggestion. We will not implement this suggestion because cloud users would be impacted negatively by any abrupt termination of their services. A terminated virtual machine may have been running important tasks, so we can't do that until the user says so. Similarly, if we blocked reads of a database, the customer wouldn't be able to get their content out of it. If we just blocked writes, then the user's system could [PRBot error 1004: could not think of convincing-sounding argument, please assist]. An abrupt termination of any service could cause a business customer to lose revenue for each second that clients are unable to make use of the services, and inconsistent termination, where some services are blocked but others which don't incur charges, could cause chaos when [PRBot error 1093: attempting to rephrase message "user could decide they didn't need it after all and stop paying us money" to sound diplomatic, couldn't manage it, please assist]. A user would never accept us pulling the rug out from under a service which they rely on for their livelihood, unless it's the Play Store, in which case we'll shut them down without a second thought [PRBot error 1015: sentence appears to contain data that should not be referenced, but module do_not_outright_lie requires it, please assist]. Also, adding the feature would be expensive for our developer resources for a very small number of users and hence is not an economical decision for us [PRBot warning 1093: believe previous sentence is a suitable translation of "we're not a cloud monopoly player, so we don't have to do anything for our customers. Ha ha ha." However, a translation error has already occurred in this message, so please check anyway].

doublelayer Silver badge

Supposedly, and sometimes, but when it's not, it's really not. They can often manage to add so many possible billable things that it's hard to figure out what you will pay. Worse, it can be mind-numbing to attempt to compare different providers for their prices, as prices are never clearly displayed together and some providers (well, one in particular) go to extreme lengths to hide the price lists and suggest you use a calculator instead. For example, I recently attempted to compare prices for bandwidth egress from various clouds and various cloud CDN-type features as an exercise to see how much it would cost to use them to handle a spike in demand for static files. The results of my survey can best be summarized as follows: what on earth do cloud companies do to set their prices.

Dedicated VMs' egress charges are usually easy to understand, but they vary quite a bit between providers because I don't know why. The big three are in the same range (approximately 20% difference between minimum and maximum) and each include the first 5 GB egress per month with the VM. Fine, they're relatively similar and could be compared. Then, I looked at Oracle cloud, which costs a tenth of what the others cost per gigabyte and provides two thousand times as much free bandwidth. I don't get it. Either Oracle has a much cheaper system, is much worse, or is very desperate to get new customers. Still, I'd have expected that Oracle wouldn't be eager to make bandwidth a loss leader, and that other providers would compete that price downwards. But then come the CDN options. Every single one manages to bill for cache hits, cache misses, bandwidth (completely different prices than VMs), and reading from wherever the CDN fetches data. Some of them also charge different prices based on the CDN endpoint location to the extent that it would end up being cheaper to set up VMs on their service for some regions and use their CDN for other regions to minimize bandwidth costs for the same activity. Before you ask, they usually don't let you restrict which regions you use.

This complexity means that, although cloud can offer price benefits for specific tasks, it can only really do so if you've paid close attention to all the things that can get billed. As pointed out by this article, don't necessarily trust that the limiters on an account will work like you think they will. The answer you seek is in the documentation somewhere. It may take you days to find it, but it will end up being better for you to spend the time.

British voyeur escapes US extradition over 770 cases of webcam malware

doublelayer Silver badge

Re: Only pervy malware not killing

That is really not how international law works. This is not the decision of the U.S. alone; it is also the decision of British courts. While the U.S. could have complied, and I would prefer that they did, the U.K.'s high court concluded that extradition treaties do not place that requirement, just as they don't place a requirement on the U.K. to comply in this case. Each request for extradition is constrained by various limits, including each country's permission to decide they just don't want to comply. In the case you reference, there is the additional issue of diplomatic immunity, for which the relevant law provides. You will likely be happy to know that the law has been adjusted to remove some of those protections should this ever happen again, and I think that adjustment was a good idea, but it would not be legal under the law of the U.K. to apply this new law to the old situation. It is unfortunate, but it shouldn't be the everlasting excuse that prevents unrelated cases from proceeding.

Ad-scamming, login-stealing Windows malware is hitting Chrome, Edge, Firefox, Yandex browsers, says Microsoft

doublelayer Silver badge

Re: OS?

That depends on your settings, and the best answer is "not intrinsically, but they probably help a lot of the time and certainly can't hurt". If you just block scripts, you can still get an ad with a misleading download link. Javascript didn't play a part in getting the malware onto the computer, so an HTML ad that looked convincing would have been enough. They might not have used plain HTML, in which case blocking JS would help, but they could have done so.

An ad blocker is more likely to help, but it's not foolproof either. It won't necessarily get all ads, nor would it detect things like fake sites hiding in search results. If you ever found a link leading to the malware, it wouldn't protect you from the file. The best it can do is prevent you from seeing such a link injected from an ad server.

doublelayer Silver badge

Re: End of the world.

This isn't Javascript. It's a native binary attached to software installers which replaces a browser binary with another native binary. Where did you get Javascript from?

doublelayer Silver badge

Re: OS?

The article specifies two things that your comment questions. First, the malware has only been seen on Windows. Second, it doesn't modify the DLLs through the browser, it installs a native binary which does it. That native binary is launched during an installer, which makes it easy to determine how the binary got elevated privileges to do it.

You've got to be shipping me: KatherineRyan.co.uk suggests the comedian has diversified into freight forwarding

doublelayer Silver badge

Re: Can somebody explain the economics?

I wonder if some of them are hoping that the expiration was in error and that someone will come to ask for it back. They might redirect it for a minor ad or SEO benefit so that a nontechnical user can't find their contact information. This means that many users would use one of those domain-negotiation services to ask for its return, which could be more likely to result in a sale. That's supposition though. Some people may think they have a foolproof plan and instead found a foolproof hole into which they're throwing their money. I note that the last domain I let expire hasn't been purchased at all and could be easily obtained by anyone. It seems the squatters realized correctly that I have no intention to pick it up again.

China bans 105 apps, eight app stores, and says it’ll swing the hammer again

doublelayer Silver badge

Re: Which appstores?

It depends. They could crack down on those as they have been doing with some success in the past, or they could just push an application to phones that does a little audit of what the phone's used for. Russia's going that way; China must have considered it. Of course, there's also the possibility that they don't have to; just analyze the user's network activity and, if they use any of the apps you don't like, decrement the credit score accordingly.

Cops raid home of ousted data scientist who created her own Florida COVID-19 dashboard

doublelayer Silver badge

Re: Step away from the keyboard

Why is that a problem? In fact, isn't that an asset of computing? The person who works as a statistician needs to know how to do statistical analysis and how to make the computer do the heavy computation bit. Their most important skills are knowing how to process data in a useful way, how to modify the processing to get useful views of data without corrupting the analysis, how to get data that represents reality, all that stuff. Why should they also know how the computer is going to go about calculating something once they've told it to? If they want to, they should learn. It might help them, so a lot of statisticians I know are good at programming, though they're mostly programmer-statisticians, so that's not a good sample. Still, if you don't need to know that in order to do what you're doing, it seems strange to assign some demerit to not knowing it anyway.

Do you say the same thing about other computer users? Should the people who know how to make GIMP edit a picture in complex ways also know the different utilities their GPU contributes to the task? Should the person who writes a book in a word processor know how the kernel relays input from a keyboard and how the word processor's text system interprets their keystrokes into characters and commands? In the same way, since I'm assuming you mostly work on computers, should you have to know the way all your equipment was manufactured, down to the logic gates on your processor? If you work in that, should you know how the rare earth elements that are used in it were mined and processed before they got to the factory? With all of the above, there's no reason that someone should be prevented from knowing that if they want, but also no good reason someone should be required to know it when they never deal with it.

doublelayer Silver badge

Re: Overwhelming force

Against someone who is clearly thinking about a violent response but still values their own life, maybe. Against anyone else, dead wrong (often literally). If you put six people with weapons in front of someone, you have six times as many chances that they'll misinterpret something peaceful as potentially dangerous. They're already holding the weapons, so the usual response is lethal. Also, going into a situation where you're in a large group of armed people increases stress, which has proven in various experiments to reduce the ability to recognize small details and act in a calm and peaceful manner. This means it's even more likely that something gets interpreted as dangerous when it's not.

Bringing a lot of force can be of use when your goal is to make someone put down their weapon and come quietly, because you've destroyed any notion they might have had that they can shoot everyone in the way and get away. In a situation where you need to show up and take some computers, you don't need to do that. All you accomplish by doing it anyway is to make the people in the home more stressed because there are many armed people nearby and the officers more stressed for the reasons in my first paragraph. That can only make things worse, even though we may know incidents where it managed not to end tragically.

doublelayer Silver badge

Re: I gotta ask...

In order:

1. It's possible, but a crime that effectively consists of "typed a message into a system with a single every-user username and password" is a very small crime. It wasn't an abusive message. It wasn't a harmful message. It wasn't a repeated message. Assuming she did send the message, she neither broke through a complex security system nor did something very harmful with the access. The response is not proportionate.

2. The people in the house were not suspected of any violent crimes, nor have I seen any evidence of any reason to expect violence from them. I cannot use the same logic as a private citizen; "I just wanted to retrieve the toolbox I lent to my neighbors but I did so with a big gun in case they were armed too" isn't generally considered a good excuse in court. The police have provided exactly zero good reasons for why they had to get the guns out and point them; if they're that worried, they could just carry them in a safer way. Intentionally pointing them, at anybody, is clearly an act of intimidation.

3-4. Your argument on that point effectively boils down to "I don't know the facts, so let me invent some hypotheticals to justify the actions". Yes, an older child is more likely to respond violently to the police than a younger one. Also, a child with a box of sharp knives is more likely to be dangerous than one without. You can't use that kind of what-if to justify the threat of violence unless the person actually demonstrates a likelihood to get violent. Just because there could have been an older child is a pointless argument, because there could have been all sorts of things that there wasn't.

Pure frustration: What happens when someone uses your email address to sign up for PayPal, car hire, doctors, security systems and more

doublelayer Silver badge

I should warn you that some email forms will refuse to accept an address with a + in it and others will cheerfully use it but are smart enough to realize that they can chop off the part after the + and it'll still work. If this feature is useful to you but this is getting annoying, I recommend using a custom domain set to forward things to another address. Anything@mydomain will go to me, but since there's no + in it, the addresses don't get blocked in ill-designed forms nor do automatic spammers figure it out. Also, I can redirect a specific alias to forward somewhere else, such as /dev/null or the original place's postmaster.

Remember Ask Jeeves? It's still alive, kinda, and Google seems keen to show it the door once and for all

doublelayer Silver badge

Re: déjà vu

I think that's the wrong way of going about it. If it's bad to do that kind of behavior, and both have done it, then there should be a penalty for both, not an acceptance of both. I might not care if each was making the other the victim and the fight was internal, but each is making money off installing adware onto computers of third parties who didn't agree to this. Both should have to pay for each time that happened. Even though that's never going to happen, a step which prevents it happening in future is a good step.

Users complain iOS 14.2 causes some older iPhones to overheat, rapidly lose charge

doublelayer Silver badge

"Erm, with all due respect, that’s bollox imo."

Ah. Is this going to be one of those "I don't have the problem, so there can't be a problem anywhere" opinions? Three devices. A wonderful sample size.

"I have very few, if any, problems with these phones compared to the decade of suffering under Android and Windows Phone. And my very reliable iPhones are half the price of the problematic Androids."

I wonder when you stopped using Android, as it's only been around for eleven years and your iPhones are five years old. Somehow getting Windows Phone in there and having it last a decade sounds hard. iOS devices get the benefit of longer security update lifespans. I've repeatedly praised them for that, but I really wonder what widespread Android issues you have had. Also why you purchased the really expensive Androids if you hate the OS so much; they have cheap ones too, which don't get security updates any longer but still.

"There, fixed it for you. You’re welcome."

No, you slapped on some praise for iPhones and nonspecific criticism of Android, which wasn't even mentioned in the article, without in any way pointing out a problem with any part of the article or comments.

China’s digital currency finds its first cross-border payments buddy: Hong Kong

doublelayer Silver badge

Re: What a surprise

"It wouldn't surprise me if China's digital currency had a way of tracking people and their purchases secretly built into it..."

You would be incorrect. Instead, China's digital currency has a way of tracking people and their purchases explicitly and openly built into it... They don't want it to be secret; they don't need to make people trust it in order to make people use it. They want it well known that, if you use your money for something the state wouldn't like, you're getting tracked down and jailed. They've already been making clear that they're tracking everything else to make their citizens scared of possible repercussions. They have surveillance systems which they describe in detail and don't bother to hide at all, a thing called social credit score which is exactly what it sounds like and is clearly explained, rules about what's not allowed on the internet and a convenient tip line to let them know when someone's violating it, and many more systems of that nature. This is just one more step in that.

Apple's M1: the fastest and bestest ever silicon = revolution? Nah, there's far more interesting stuff happening in tech that matters to everyone

doublelayer Silver badge

Re: I fear that too much shiny is taking a toll on some people's attention span.

That's been tried, and it hasn't sold very much. Not really for any defect in ARM; if you throw 96 ARM cores on a single server, you're going to get some pretty good performance if your task can easily run on that many CPUs but couldn't or wasn't ported to GPUs. However, it didn't increase the speeds that the M1 has and for many of the reasons stated in the article. Server ARM chipsets don't have memory inside the SOCs, so they don't get the very fast transfer from and to memory. They are also able to handle more memory because it's kept separate, so everything's a tradeoff.

It really depends what you care about. I do some compute-heavy things on a local machine, so a processor that runs very fast is quite useful. Simultaneously, I don't need a lot of memory for those things, so an M1 with 16 GB of on-chip memory would probably be quite nice, and I'll have to consider it if my current machines need replacement (they don't yet). That said, many of my compute-heavy tasks aren't time sensitive, so although the M1 could probably do them faster, I don't need them to go faster right now. There are others for whom these advantages are less important. I don't really see much benefit in giving Apple's chip designs blanket praise for revolutionizing everybody or dismissing them as unimportant; both views are limited.

A 1970s magic trick: Take a card, any card, out of the deck and watch the IBM System/370 plunge into a death spiral

doublelayer Silver badge

Re: Broken NFS

A less advanced method of having to do a slow manual fix process is to create too many files in a directory. I wrote a program which created a model, tested it, and serialized it out to a file so I could use it later. It would then evolve to improve the model before running another test. It would also create a summary file reporting how well the model had done, so for each loop, I got two files (1.model, 1.report, 2.model, 2.report, ...). Usually, I tested it on a large amount of initial test data, making each loop take ten to fifteen seconds, and would cancel it after five hundred or so iterations, the model being generally good enough then. After confirming the result, I could clear up by doing a "rm *.model && rm *.report".

Then, I wanted to see how it would do if I let it go for much longer. I gave it a smaller set of tests for a new task, set it going, went to see my family for two days, and promptly forgot that I had done it. Weeks later, when I found out that it had been churning away on an infinite task of little importance, I tried to clean up the millions of generated models. "rm *.model" was not my friend. Now, I make sure not to run programs in the same directory where I built them, no matter how insignificant they seem.
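The cleanup that sidesteps the shell's glob expansion, as an added example that is not the poster's own program; the scratch directory and the numbered .model/.report files are constructed for the demo:

```shell
#!/bin/sh
# Constructed demo (not the poster's program): fill a scratch directory
# with numbered N.model / N.report pairs, the way each training loop did.
make_outputs() {
    dir=$1
    n=$2
    mkdir -p "$dir"
    # xargs splits the name list into as many touch(1) invocations as
    # needed, so this works for any count without hitting the argv limit.
    seq 1 "$n" | sed 's/$/.model/'  | (cd "$dir" && xargs touch)
    seq 1 "$n" | sed 's/$/.report/' | (cd "$dir" && xargs touch)
}

# Count the leftover output files (tr strips the padding BSD wc adds).
count_outputs() {
    find "$1" -type f \( -name '*.model' -o -name '*.report' \) | wc -l | tr -d ' '
}

# 'rm *.model' has the shell expand the glob into one argv entry per file
# before rm ever runs; past the kernel's argument-size limit the exec fails
# with "Argument list too long" and nothing is deleted. find(1) walks the
# directory itself and unlinks each match, so no oversized argv is built.
clean_outputs() {
    find "$1" -type f \( -name '*.model' -o -name '*.report' \) -delete
}
```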

Surprise, surprise: AI cameras sold to schools in New York struggle with people of color and are full of false positives

doublelayer Silver badge

Re: Wait, what?

There are various long cylindrical things people might want to take to school with them, and many more things that could look long and cylindrical if the camera doesn't get a good picture. For example, people who walk in a rainy area might carry umbrellas with those long poles so you can carry one over your head. Or maybe they're carrying sporting equipment to use the recreation areas of the school. Or a camera or microphone stand they used to record something elsewhere and now need to return. People who have withstood injuries could use crutches with the long pole part. Meanwhile, someone who did plan to take a weapon could, if the weapon is small enough, put it in a bag; most students I know carry bags. With these provisos, there's a serious question if the cameras really serve a useful purpose. Even more so as they're also scanning faces. I don't know why they're doing that; most school shootings are perpetrated by people who previously went to the same school, just not with weapons. Given the reliability of other facial recognition systems, I hope it's not to verify that the students entering are all known by the school; there'd be queues of students waiting forever for the camera to recognize them.

Marine archaeologists catch a break on the bottom of the Baltic Sea: A 75-year-old Enigma Machine

doublelayer Silver badge

Re: Old typewriter

Correct. This doesn't much matter though, because I didn't say it was. I was commenting on the original question, which asked about methods of hiding communication. Cryptography and code are two such methods. Additionally, it's frequently discussed in the same places, or often instead of discussing the cryptography. The same is true of Enigma. Although the efforts to break it are frequently discussed, I rarely see articles such as the one here describe how Enigma machines worked. Perhaps the appetite among the nontechnical public to hear about the design of a multirotor typewriter encryption system is not very high, whether it was the German, British, American, Soviet, Japanese, or any other model. It's also complex enough that, should someone be interested, they would better be served by looking up the longer technical descriptions of the machines. As a news article, it's too much detail about which few care.

doublelayer Silver badge

Re: Old typewriter

XOring something is ambiguous, but I think you all know what I meant. I meant that your plain text can be XOred with some key, then another key, and on and on. This is sometimes done to deliberately increase the complexity of the encryption operation by making the user create a large number of keys, each being used. Also, it was a general comment on the ability to perform repetitive mathematical tasks.

doublelayer Silver badge

Re: Old typewriter

I think the lack of articles on British cryptography is mostly because there wasn't as interesting a mechanism used to crack them. The mathematical details regarding the text codes are doubtlessly available, but they're likely relatively boring compared to the interesting minutiae I more regularly see coverage about. For example, a program to broadcast a specific piece of music to indicate where to plant bombs. Old cryptography can be surprisingly boring because the algorithms had to be easily mechanized or performed by the human brain. The quality of modern cryptography is stunning compared to that just because we can afford to XOR something a couple million times if we want to.

.org owner Internet Society puts its money where its mouth is with additional IETF funding

doublelayer Silver badge

Re: Unusually high score...

I must disagree with a few of your critiques.

Article: ".org owner Internet Society"

Reply: "No, actually the IANA function of ICANN "owns" top level domain names, i.e. has the final say as to who has the right to run the corresponding registry. ISOC sort-of owns the PIR corporation which has been assigned that registry right by IANA."

The ISOC operates and controls PIR to the extent that they can command it to do things like sell off its prime asset, and the sale of that asset is permitted by ICANN. While your answer is technically correct, a place that can effectively manage an asset without many limits is not very different from an owner. If ICANN forbade the sale of a registry and reassigned it, or if PIR was only partially run by ISOC, I'd agree that the statement would have been misleading. As conditions are, I consider it an acceptable though imperfect summary.

Article: "But the subsequent financial reliance on ISOC, even though the IETF also raises money through sponsors and conference attendance fees, has not always resulted in a healthy dynamic."

Reply: "What is unhealthy about the relationship? I've tracked it since the beginning in 1992, and it's always been fine and productive."

This is a statement of opinion, much like yours. I can't say this is at all misleading; if the author thinks that the IETF's reliance on ISOC for most or all of its funding makes it unhealthily dependent, then the point was effectively communicated. I'd like to see arguments from both of you as to the effects, positive or negative, of this relationship, but I at least know where you both stand.

Article: "But those efforts continue apace, not least with China’s “New IP” proposal that would see more modern and efficient systems for networking management than the current TCP/IP approach. That proposed system would have clear advantages, but also have surveillance and control baked into it."

Reply part 1: "First, it isn't "China's" anything, it's Huawei. If NewIP is China's, then the Web is Switzerland's."

No, I'm afraid that's too limited. Here's a quote from the article introducing New IP: "Huawei, China Mobile, China Unicom, and China Ministry of Industry and Information Technology (MIIT) are backing a plan titled 'New IP, Shaping Future Network.'". Huawei is involved, but it's not just a suggestion by an interested company. The last item in that list is a government entity.

Reply part 2: "More to the point, it isn't yet at all clear that NewIP is well-defined, technically plausible, and economically feasible. There are those who think it is none of those things. Thirdly, what is specified so far neither supports nor contradicts the assertion about surveillance and control. All we've seen are a few empty words about the importance of security and privacy."

I agree with this chunk.

Article: "That effort exists, albeit in a half-hearted fashion. The board created a new body to look at its governance... However, a culture is hard to change and the board has insisted on maintaining complete control of any proposed changes to its governance."

Reply: "The Board is still in the process of chartering a governance working group, to be precise. And it isn't a matter of the Board insisting on control of proposed changes; it's mandated by the Internet Society's by-laws, which require a four-fifths majority of the Board to approve by-law changes. The Internet Society is incorporated in the District of Columbia and can only act within the relevant D.C. law and the rules of the US tax system for non-profits, and of course that includes obeying its own by-laws."

You are correct here, but there are ways that a larger effort could be possible. ISOC members have protested recent actions by the board, so the board could perhaps attempt to replace some members by holding resignations and elections. If your members really wanted to change the structure of an organization, a representative board could easily do that. Or they could adopt a resolution stating that they would bind themselves to the results of the investigation, put those results to an election and support those which got supported, etc. Nobody's suggesting that the board can eliminate their own authority, but they could voluntarily give up some of it should they wish to indicate that they understand the complaints of members. They have chosen not to go that far, which may be a good idea, but still the possibility should be acknowledged.

doublelayer Silver badge

Compared to the previous model, where they had to ask for money every year, having an announced six-year funding plan is closer to self-sufficiency. Unless ISOC cancels the funding plan they announced, the IETF doesn't have to return to them and possibly get less money than they need because they angered the ISOC board. If the ISOC does cancel their announced funding plan, it will produce a large backlash among members and the general public. As we saw last time, ISOC views that concerted backlash as completely meaningless and will cheerfully ignore it, but still... there must be hope somewhere, right? Please?

Four or so things we found interesting about Qualcomm's Snapdragon 888, its latest 5G chip for high-end Androids

doublelayer Silver badge

Re: But is it practical?

I'm not sure that's true. I did a search on a phone database. Of the 60 known devices with the 865 or 865+, 53 (all but 7) have dual SIM, 16 have 3.5 mm jacks, a different 16 have micro SD card slots, and 3 have all of those features. I don't think it's the SOC that means you don't often see all those features together.

doublelayer Silver badge

Re: How far behind Apple are they now?

Existing Windows on ARM systems have primarily been using Qualcomm's CPUs already. While those have mostly been chips that use more power than the 888, I can't see a reason Microsoft would prevent an OEM trying to use it. It's possible that there are other reasons why chips at that level don't get used for Windows, but I doubt it's because MS cares too much.

doublelayer Silver badge

Re: Looks a bit crap now we've seen Apple's effort

It should still be remembered that the M1 has a few advantages that this does not. The M1 gets to go in laptops, where it can get more power for longer from the larger battery, while this will go into phones, where the batteries are anemic or ill-designed. The same difference also means that the M1 has an easier way to handle heat production; even in the fanless MacBook Air, the large metal plate under it can work well enough as a heat sink. Phones won't get that. For those reasons, this chip has to spend more time on heat management and providing low-power cores so they can get used for the comparatively easy tasks that phones get asked to do. For the same reason, the A14 cores in the iPhone are clocked lower (and there are half as many fast ones) than the M1.

A comparison may help. For Pi fans, Qualcomm's chip is a lot like the SOC in the Raspberry Pi 4, which overheats often without assistance, whereas the M1 is like the higher speed version in the Pi 400, which gets a large heat dissipation plate. The Pi foundation could afford to clock that up (and so can a user) while the original Pi kept automatically clocking down, even though the base rate was lower.

Infused with the spirit of Christmas, TalkTalk decides to extend cut-off deadline for Business email domain

doublelayer Silver badge

Re: Web site broken?

On doing an nslookup, it does have an A-record pointing to an IP address in addition to the MX and TXT records. NMapping that to see whether there's anything running on it which responds to pings is left to the reader.

talktalkbusiness.net internet address = 62.24.248.135

Amazon’s cloudy Macs cost $25.99 a day. 77 days of usage would buy you your own Mac

doublelayer Silver badge

Re: Always do the sums

That's important when calculating costs for cloud services which can actually be spun up and shut down in an hour, but it isn't the same for these Macs. AWS requires that you use the Mac for a minimum of 24 hours. That means that, if you need it for an hour per day and five days per week, you have to pay for almost 120 hours (technically, you could cut off the morning of Monday and the afternoon of Friday if you can nicely schedule which hour you need it each day). So approximately a hundred hours rental for the Mac versus five for a different VM, which leads to a very different cost calculation.

'We've heard the feedback...' Microsoft 365 axes per-user productivity monitoring after privacy backlash

doublelayer Silver badge

Re: I don't understand

I bet the process went like this:

Manager 1: I wonder whether we can get organizations using extra tools if we give them metrics and make it look like they're beneficial.

Manager 2: Yes, but it needs a catchy name to indicate that it's not a sales push. And maybe, if we can think of any, some actual useful features.

Manager 1: Well, the optimal use of our services should help with productivity. While paying us for extra services doesn't constitute optimal, the benefits to the customers, if any, are productivity related.

Manager 2: Productivity score. I like it. But what happens if someone adopts a tool, our score says they get extra points, but it doesn't roll out to anyone else. They might figure that out and cancel the thing that only one person uses.

Manager 1: Simple. We'll score all the users individually and show how other people can gain in "productivity". People who want the total productivity score will be able to see who's not using a feature yet and get them to do so.

[months later]

Manager 1: Why are all these privacy things coming up? This isn't really a privacy issue. It's just for sales.

Manager 2: I don't know. I mean you could theoretically extract information about communication frequency, but nothing about communication quality let alone noncommunication productivity. Using this to grade workers would be ridiculously idiotic.

Engineer: You are assigning sortable scores to individuals, calling it "productivity score", and you aren't expecting some crap manager somewhere to use this without understanding what it really means? Think it through.

New study: DNS spoofing doubles in six years ... albeit from the point of naff all

doublelayer Silver badge

Re: Really?

The 1.7% is more concentrated. Some places make it nearly 100%, and some places make it 0%. The places with 100% usually spoof the answer with the correct answer. However, they sometimes choose not to, usually when the correct answer is "don't know that one" and they instead substitute "how about these ads". Their infrastructure for that purpose can also be used to censor something at a later point should they decide they want to do so.

A note: although a lot of ISPs do redirect unknown domains to an ad system, it does not necessarily follow that all of them spoof to do so. Many only do so if the user doesn't change away from the ISP-supplied DNS servers. That approach is annoying, but not the kind of violation of trust that spoofing does.