* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Talk about a calculated RISC: If you think you can do a better job than Arm at designing CPUs, now's your chance

doublelayer Silver badge

Re: "I did not know that ARM actually prohibited adding instructions"

It really depends what you're doing. In many of the cases mentioned in the article, the unknown instructions are probably very manufacturer-specific, and therefore little care needs to be taken because the code will only run on chips made by that manufacturer. But there is code to check CPU IDs and change what instructions are run. Perhaps the simplest example of that is CPUs with an AES acceleration capacity. It's frequent to have a check performed at the beginning of the code to determine if the processor executing the code has acceleration instructions for AES. If it does, a branch using those instructions runs. If it doesn't, a branch that has the functionality implemented in software and compiled into traditional instructions is run instead. It's not checked immediately before running the encryption; instead it's checked at the beginning and the result determines what code is run for minimal overhead. The same could be a factor depending on what manufacturers choose to do with the ability to create new instructions.

Android dev complains of 'Orwellian' treatment as account banned after 6 years on Play store

doublelayer Silver badge

Re: It exists

And that's a very good store. But a lot of devs don't want to release their app as open source and do want to sell it. FDroid has support for neither of these desires. I nearly always check FDroid for an app before I'll go somewhere else, but it's almost by definition going to lack the apps of any corporate entity.

doublelayer Silver badge

"they should have seen that this was a possibility and planned for it"

Sorry, insufficient information was supplied. You're going to have to specify how, exactly, someone could plan for that eventuality. The only method I can think of is "follow Google's conditions". Most of the people who get articles written about them seem to have done that, or at least attempted to. What else could you do? Try to take out an insurance policy on your developer account? I suppose you could have a separate account for each app that gets produced, but that is actually against Google's conditions and wouldn't help all that much when they start delisting apps.

What? No way. Apple? Censoring iOS 13 to appease China? Gosh. How shocking. Who'd have thought it?

doublelayer Silver badge

Re: Maintain the rage; it works!

I think that was because they really had no good excuse for withdrawing that app. This probably won't get changed just because people tell Apple that human rights are kind of, you know, important to them. I think they considered whether political freedoms were important to them a while ago when they implemented that change and they decided they didn't care all that much. Sadly, I cannot think of any large enough company in a better situation; all have terrible records when it comes to China, and many have other terrible records on similar issues.

Iran tried to hack hundreds of politicians', journalists' email accounts last month, warns Microsoft

doublelayer Silver badge

Re: Flock of Seagulls

"I find it hard to get worked up about email hacking."

Then maybe you should think a little more about what email hacking lets you do. First, it lets you target specific people and look at their communications, including those that might be private. We're talking private because they contain sensitive information, not necessarily because they reveal unethical activity. For journalists, that might be the identity of a source. For Iranians living outside Iran, it might be the name of someone inside Iran they care about. For politicians, whether they are likely to support laws the hackers don't like. For a candidate in a campaign, the strategy they're planning to use to challenge their opponent. There's a lot you can do with that kind of information.

But there's a lot more you can do with an email. You can impersonate that person quite easily. You could of course have spoofed their address without having to access their mailbox. But with that access, you don't have to do that; anyone who checks thoroughly will still think the message came from their mail system because it did. Having read the messages they send, you can better imitate their style, making your message more convincing. And you can intercept replies to your message, hide them from the actual user, and reply to them at your convenience.

Have you considered that the more strenuous attacks you mention probably have an email attack as one of their components? It is always possible that [insert group of evil people] have found a device on the internet that they can access and it lets them turn the power off. Given the security of these systems, it's likely there exist a few things of that nature. But you still have to find them, gain access without arousing suspicion, and understand how they work. Meanwhile, it might also be a little useful to gain access to the email of one of the engineers of the company and watch for technical documentation. Now you know how the system works. If you don't have access to the system yet, the credentials you just stole from the email probably help. And if the system either doesn't have an insecure thing online or you haven't found one, your access to the internal email gives you the option to get some malware in. Many targeted attacks begin in just this manner. Usually, it's by spear phishing for credentials or malware installation, but then it immediately turns to email compromise.

If you can't see that email attacks can be quite dangerous, you might need to think about it more.

Google sounds the alarm over Android flaw being exploited in the wild, possibly by NSO

doublelayer Silver badge

Re: re: Google Play Store

Nobody said there was a good alternative. Sometimes, we can say that "X is bad" without saying "We have a good alternative to X, and X is bad so you should use our alternative". In fact, we're often more vocal about it when there isn't a good alternative, because it's not easy to abandon the bad thing.

As for actual alternatives, FDroid is probably the best in that it doesn't have a bunch of malware on it. It also doesn't have many apps that the standard non-reg-reading user wants, because they want things from corporates who in turn don't want to open source their stuff. The Apple app store may have a bunch of problems around monopolistic practices, but they are at least much better at keeping out malware. Of course, that locks you in to using an Apple device, and those are getting far too expensive, so that's an option of tradeoffs. Another alternative is that Google get their act together and fix their store. Oh, sorry, I seem to have accidentally pasted in a line from this science fiction story I was writing.

Here's that hippie, pro-privacy, pro-freedom Apple y'all so love: Hong Kong protest safety app banned from iOS store

doublelayer Silver badge

Re: Did you ever bother to read Apple's statements for years....

It doesn't qualify as news? For one thing, the article clearly says that it's not clear what law is being considered. And for another thing, just because it is a legal move under Chinese law doesn't mean it's completely irrelevant; they can follow the law and we might still want to know. And given how many people have commented already, we clearly thought it was important enough to read the article. And for one last thing, just because it follows Chinese law doesn't mean we have to agree to it. Plenty of things that are legal get lots of disagreement. Frequently, that's the first step to having a law changed. Sometimes, it's just people who hold an opinion about what would be nice.

Deciding that something is "not news" is hard. If 1) it happened, 2) people care, and 3) it's unusual or new, it's news. Number three can be optional. In this case, 1) the app was taken down, i.e. it happened, 2) many people have proven that they find the story interesting enough to comment on it here and on other sites, i.e. people care, and 3) the app in question was an unusual one having to do with a protest and interactions with police and the decision to take it down was made on an unclear basis, i.e. it's unusual. It's news.

How much is your face worth? Google thinks a $5 Starbucks gift card should be good enough

doublelayer Silver badge

"Google said the data would be retained for 18 months."

And it will. It will be retained for eighteen months. Then, it will be retained for another six months. Then, it will be retained until the end of time. They never said it would be deleted after eighteen months.

Come on, Google. If you want to do the misleading statement thing, you'll have to do better than that. Your spokesperson undoubtedly has a degree in PR, and I'm a software dev. Until they can come up with a statement I couldn't have, they're not even trying hard. I know you don't think you have to but...

FBI softens stance on ransomware: it's (sort of) okay to pay off crims to get your data back

doublelayer Silver badge

I think they can do two things, though only the first one is guaranteed to be available:

1. Check what ransomware strain was used and see if it's on a list of ransomware known not to decrypt. If it is, don't allow the company to pay. This can catch some old ransomware, but most strains that don't decrypt and are used nowadays are relatively new.

2. Try to negotiate with the people demanding the ransom for proof they can decrypt. This can be done by giving them an encrypted file and asking them to decrypt it. Anyone with the decryption key can decode that file and then the decryption key can be purchased with more confidence. Of course, only the nicest of ransomware criminals are likely to put that amount of effort in to gain the confidence of a victim.

In general, even with competent technical assistance, a ransomware attack can only be partially rewound by paying the ransom. Instead, get competent technical assistance now, create a backup system that works, and you won't need to pay the ransom at all.

doublelayer Silver badge

Just for the record

It's still a very, very bad idea to pay. The reasons are many, strong, and extensively detailed here and in many other places.

Microsoft has made an Android phone. Repeat, Microsoft has made an Android phone. A dual-screen foldable mobe not due until late 2020

doublelayer Silver badge

Re: Surface?

According to the article, these devices are running standard Windows and Windows on ARM, both of which can run win32 applications. They're not making that terrible mistake again. I don't know how well ARM Windows can run these programs, and it's quite likely that certain older ones or ones that need lower-level hardware access will not work, but the devices should be able to run many of the traditional Windows programs.

doublelayer Silver badge

Re: Apps?

I have no idea whether it will ever get released or how long it'll last, but I think the reason for special apps is that the screens may move around and depend on one another, unlike the traditional two monitors on a desk setup. For example, a web browser would want to show content across the entire screen if the two screens are simply placed flat but might want to separate the page into two self-contained sections if the screens were positioned like a book, so the experience would be more booklike. Similar considerations could apply with various methods of sending input, as there are two touch surfaces but they are not necessarily independent. I cannot really imagine attaching a keyboard without having the device be ungainly, and there will probably be several apps that have what they think are really clever touch controls.

Landmark US net neutrality decision reveals that both sides won and lost out

doublelayer Silver badge

Re: I wish the Internet wasn't so thoroughly controlled by the US

In practice, that couldn't happen. If the U.S. government decided for some reason to take control of IANA and reallocate all the IPv4 addresses to point to different places, let's look at what would happen. First, we would start with the question of why they'd do something like that. There isn't any conceivable benefit to messing with IP addresses because it would break lots of stuff. But we're assuming that they do so anyway. Immediately, the regional NICs would complain. Their word would be considered strongly by traditional IANA personnel, but we'll assume that the U.S. government has replaced all those people with people who don't care. Even in that case, the remaining NICs would probably immediately decide not to honor the new routing rules, and stick to the former system. The only country outside the U.S. that would be affected would be Canada, and I think their diplomats would have something to say about it.

There were stories of politicians saying that ICANN specifically should be made a group under the authority of the federal government. However, it was clear that they had no idea what ICANN did or any intention to change its operations. Instead, they merely heard a news story about the group gaining some independence and freaked out. Expecting technical knowledge from a politician is doomed to failure.

Another system you mentioned could be at risk is DNS. Here, however, you have little cause for concern. DNS is decentralized, at least enough that no national government can mandate changes. Many providers of root servers are based in America, but many others are not. Nearly every country TLD is administered in that country, excepting only the small countries who choose to outsource their domains for sale. The only thing that could happen is that someone in an international ISP would have to change the root server used by their DNS resolver. In addition, even the American DNS providers are private companies and cannot simply be told what to do without new legislation being passed.

An unbearable itch to migrate your OS to the cloud? You might have a case of Windows VD

doublelayer Silver badge

Re: "run their Windows 7 desktops in Microsoft's cloudy data centres"

But there wasn't a system that allowed you to not hate everything while doing that. If using a CLI, it was just fine. When doing anything at all intensive in a GUI, there would be lots of lags as data got moved around. So computers were made self-contained. With increasing network speeds, it will be possible for people to do more work on a remotely-located device, already popularized by the Chromebook and cloud services from Google, Microsoft, and Adobe. We will have to see how long it takes for users to realize that their remote client isn't really saving much power for them and that it's sometimes really inconvenient to have all processing dependent on something located a few easily-cut network lines away from you.

WeWork, but We don't IPO: Self-styled techie boarding house calls off cursed stock offering

doublelayer Silver badge

Why do they call it a tech company

WeWork has been calling itself a tech company since I've heard of it, and I still don't understand their logic. Of course, they have some tech workers, but who doesn't? There are lots of companies that have a lot more technical work and yet are never called tech companies, such as most banks, mineral exploration companies, and agribusiness. This company is a real estate business. So what is the tech they keep talking about? Have I missed some supercomputer they have doing something really technical?

doublelayer Silver badge

Re: Why bother?

In many cases, companies put all their staff in a specific area in the same building, and then it's a lot like an office owned by the company. Leasing from any number of landlords can be similar. In that case, the reason is primarily having staff located close together so they can meet in person. It also lets them provide certain facilities that are unlikely to be in everyone's home. Working from home is great if you choose to do so and have a home suited to it. It doesn't work so well when you need things an office has, including proximity to colleagues.

Chinese sleazeball's 17-year game of hide-and-seek ends after drone finds him on mountain

doublelayer Silver badge

I'm sure he didn't think about having to worry about an aerial scan for him, but I doubt he was completely disconnected from all people for seventeen years. For one thing, they didn't specify how he was getting food. It is theoretically possible that he hunted for it and that's it, but given the difficulty in doing this in an area near a large Chinese city and maintaining sufficient nutrition to stay healthy, it's probable that he had another mechanism such as entering a nearby location to purchase or steal food. So he could probably have learned of the existence of drones. If he had thought police would have used them to find him, he could have disguised his location or simply moved to another place, as the police could only find him after having a good enough idea that he was to be found in the mountains there. And that's another point that makes it less likely that he never saw a person for that time, as the police had to learn this possibility from somebody.

A new US-UK data agreement is worrisome but it won’t give access to encrypted comms

doublelayer Silver badge

Re: Telegram

And both institutions have requested just this. So far, the law allowing them to demand it hasn't been accepted. They might have tried, but I doubt they succeeded in getting cooperation from the companies involved without a law. So when this law gets suggested again, make sure you argue vociferously against it.

doublelayer Silver badge

Re: How do Facebook decrypt messages in a web browser?

I don't use their messenger, but I don't think it's that hard. First, many messages they display wouldn't be encrypted anyway, as the article states, because encryption isn't on by default. The encryption key for those that are encrypted is likely stored on Facebook's servers in an encrypted form*. When you enter your password, it is used to obtain the key. Then, the messages can be decrypted either on the server or by JavaScript in the browser. Since Facebook doesn't store the plain text password, only the hash*, they wouldn't be able to decode the messages without you giving them the password to log in.

*Although this being Facebook, it's also somewhat likely that they do store an encryption key and your password in plain text, and if they decide they don't want to tell anyone that they're doing that, they simply don't include the key file when they send your messages to a third party. Given their various security disasters so far this year, I wouldn't be using their system and expecting good cryptography on it.

doublelayer Silver badge

Re: Future trade deals?

They're all using basically the same encryption, not a specifically American algorithm. The export regulations on cryptography were removed in the 1990s when someone in the government realized that they were stupid. That doesn't prevent spy services from trying to break, backdoor, or at least intercept everything they can, but they so far can't mandate that a company start to use an algorithm they've done that to.

600 armed German cops storm Cyberbunker hosting biz on illegal darknet market claims

doublelayer Silver badge

Re: This isn't the first time

I don't know about the original example, but it is possible they were referring to the "Republic of Minerva". This attempt at creating an independent island occurred in the Pacific rather than the Caribbean. It's unclear whether Tonga already asserted that these islands (underwater islands, but islands nonetheless) were part of their country, but either way they took them by force and they are still recognized as Tongan territory.

doublelayer Silver badge

Re: Servers in space ?

Lots of logistical issues there. Your issues:

1. Construction of a satellite to withstand the conditions of orbit.

2. Having sufficient power supply, almost certainly from solar, to run the equipment.

3. Provision of sufficient processing, memory, and storage given the constraints of power supply and physical space.

4. Actually getting a launch.

5. The insurance if your rocket blows up.

6. The insurance if your satellite fails once in orbit.

7. Methods for controlling the satellite's orbital path so it won't hit or be hit by another one and people to monitor and use those methods.

8. A plan for what you'll do when the satellite decays out of orbit. Depending on how you've put this up, this might take a while before you care.

9. The method of communication with the satellite, as you won't be granted a monopoly over any frequency and disruption from other comms systems is likely a risk.

10. The method of connecting users to the satellite. Either they'll have to have similar hardware that you use, or you'll still have to downlink to the ground and use the facilities of ISPs, in which case have you really gained anything?

11. The potential that your project won't be seen kindly by your nation of residence, either because they don't like what you've put on the server, they don't like that your satellite is messing up other people's comms, or similar.

12. The potential that your business won't be seen kindly by your nation of residence, which can block your actions just fine while you are operating things from the ground.

13. The potential that either of the above won't be seen kindly by a nation in which you are not a resident but which does have an extradition treaty with your nation of residence. Since your satellite probably provides service throughout most of the world, they can argue that they have standing to prosecute you.

Got a pre-A12 iPhone? Love jailbreaks? Happy Friday! 'Unpatchable tethered Boot ROM exploit' released

doublelayer Silver badge

Re: Interesting twist ...

I'll grant you that the tone is a bit harsh. It's useful to know, however, that the devices can be exploited, and probably more easily than they can be jailbroken, to brute force a decryption. iOS devices have for several years had a reputation, deserved or undeserved, for being hard to break into, and some people may have purchased them specifically with that intent. This exploit makes it straightforward to create a brute force device decryptor. I fully expect some company with ties to law enforcement will have made one pretty soon. It only remains to be seen which law enforcement we're talking about and how much we trust them.

doublelayer Silver badge

Re: Who is really installing patches / updates

I'm sure you can find lots of people who don't install updates because it could cause problems. And they're not all wrong, as updates do frequently introduce bugs or mess something up. I think, however, that you'll find those people are also overrepresented in the lists of people who got successfully attacked by malware. For many users, malware is considered only in the abstract, as a bad thing they can't do anything about and not of major concern, and that's why many places have data breaches or go down because they've had a ransomware attack. Security patching is important.

doublelayer Silver badge

Yes, to some extent we are assuming that. For the record, I usually want full access to things and I wouldn't have suggested Apple lock things down the way they have. But this degree of lockdown could really be considered a feature as a security measure to some buyers.

Your excuse is logical, but limited. It's possible that various evil people have found their own vulnerabilities in every phone and are perfectly able to do anything they'd like. It's also possible that no evil people have yet found a way in. What's most likely, however, is that some evil people have found a way in and a larger set of other evil people would like one, but don't have one yet. Not perfect by any means, but perfection in security is unobtainable. And protection against many might be considered a better feature to those for whom security is a primary concern than openness of software choice.

Margin mugs: A bank paid how much for a 2m Ethernet cable? WTF!

doublelayer Silver badge

Re: Naievete!

That may be true, but that logic could be applied to almost anything. It could be that vendor B has a better shipping system, which is worth the premium. Or that vendor A is unreliable and frequently drops orders. But without knowing that, our theorizing is just an assumption. What we do know is that these prices are not logical; both your examples are in the normal price range for a patch cable while the one paid in the real case is not. Even if their choice was based on some factors as you described, they would have to be very strong to warrant the purchase price. Given the many available suppliers of such equipment, and the fact that they probably buy ethernet cable with some frequency, it would in virtually all cases be worth it to find a supplier who can deliver cable at normal prices.

Hey, it's Google's birthday! Remember when they were the good guys?

doublelayer Silver badge

Re: I remember when they used to say they were the good guys

I did. I'm sad to say so, but I did. It was in the 2000s. I was younger, prone to assigning things to good and evil boxes or at least along a one-dimensional sliding scale, and Google played right into the good box. They were developer focused, or appeared that way. They released a bunch of things as open source. They took action to make SEO less useful and keep search results relevant, and they succeeded quite often. When someone tried to break the internet with stupid legislation or proprietary standards, Google used their influence as a big tech place to inform the relevant parties that that would not be happening. I still don't know how much of their descent was already in action at that time, but I like to believe that they were once the way I remember them. It gives me some nostalgia while I remove more of their current tech from my devices.

doublelayer Silver badge

Re: I remember

It could be, but frankly I doubt it. It's a pretty easy thing to take an idea you think is good, develop it, and try to push it out. When you get lucky and the idea takes off without a lot of painful effort, you can be dragged along in the tide. I think that Google probably started like this, and it was only when their incoming wave started picking up other junk that they started to realize that this could go in a number of directions. At that point, they found the easy way to make money, and discarded the original spirit that we saw in that whole "Don't be evil" thing.

YouTuber charged loads of fans $199 for shoddy machine-learning course that copy-pasted other people's GitHub code

doublelayer Silver badge

Re: Why aren't you writing these articles slamming universities?

Your comment starts off reasonable. We have all seen subpar teaching in established universities, and we all know there are very good online teaching materials. I'll gladly agree to that.

And you then turn around and say that, because this is the case, all the material online is better than a university. That's just wrong. The course referred to in this article, for example, started off pretty badly in that it didn't teach the concepts people need to learn. And this guy doesn't get credit for useful code someone else wrote either; I'm fine if he chooses to teach from it, but he should properly credit the original authors and choosing useful GitHub projects does not a good course make. The internet has a bunch of information, and for every very helpful resource out there, there are at least ten pages with something outdated, incorrect, biased, or useless. Your all-or-nothing stance is misguided.

Behold the perils of trying to turn the family and friends support line into a sideline

doublelayer Silver badge

Re: "there was an error message and I clicked on it, what was it?"?

The ones who contact me have realized that the text of the error message needs to be available to me, so they won't clear it (actually they usually clear it after writing down what it said, which isn't so useful when there are two or more options and they chose the wrong one). However, they haven't figured out that all of the text could be pretty important. On the phone, they've read error messages like this: "An error has occurred retrieving mail from the mail server. The error message was some numbers mailserver port something-or-other error blah blah. Please restart the mail client and try retrieving your mail again, or try reentering your account information."* And they will cheerfully loop trying to reenter their mail account information until it is pointed out that GMail probably didn't spontaneously change their password and maybe this has something to do with the network having gone offline.

*Although they typically choose to censor the useful information of an error message with weird gaps of silence instead of filler words, I have put in the filler words here for the effect.

Pro tip: Plug in your Tesla S when clocking off, lest you run out of juice mid hot pursuit

doublelayer Silver badge

I see the difference, but does it really matter in this very specific situation? If you can't move for the five minutes or so it takes to refuel a traditional vehicle, the person you're chasing probably has gained quite a lead. So you'd still have to contact someone else to chase them while you refueled. For many other situations where speed is important but not critical, the gas engine's ability to refuel faster could be an important factor.

The D in Systemd is for Directories: Poettering says his creation will phone /home in future

doublelayer Silver badge

Re: Is he off his rocker?

I can think of some options to fix the SSH issue*. But why should I? It's a bad idea, and I don't want to encourage it by solving their problem.

*But I'm going to anyway. Have the SSH process store keys. Users can drop those keys into an SSH database, and only root needs access to that to verify them. They verify the key is present, challenge the user, then request the decryption key. Alternatively, and a worse idea, is to trust any incoming key enough to establish a session, then request a decryption password, then check whether that key is authorized or not. If not, reject the user and log an intense security warning because it means a person has a user's decryption key but is using an untrusted device.

The easiest solution is not to do this to home folders.

doublelayer Silver badge

I think it's an often-used metric because it was once important, back when laptops couldn't suspend all that well and would go through the battery quickly enough for it to be dead when you wanted it again. Either that or when people had to reboot very frequently. Neither of those have been a major concern for over a decade though, so we could probably stop using it.

doublelayer Silver badge

Re: That was a serious breath of fresh nerdiness

"Encryption has to come out of the factory enabled"

This is generally fine as long as it makes me set the key. If it uses one set at the factory and simply encrypts that key with the password I supply, that's not acceptable.

"with no way to turn it off"

Not acceptable. I may want to turn it off. If I know enough about how it works to do that, I probably have a reason. For example, if I want people to be able to remove the disk and read it on something else, encryption would completely remove that option. If I want people to be able to boot another disk on it, which isn't encrypted with a key known by the remaining components or at all, the user couldn't do that either.

"and be hardware assisted so there is neglible impact on performance."

That's already the case. Nearly every disk encryption solution uses AES, and nearly every modern processor used in a computer has AES acceleration in hardware. Ask the many people, myself included, doing all their work on devices with full disk encryption. It's fine from a performance standpoint.

"Even myself as an expert am extremely leery of enabling encryption on a device which shipped with no crypto because I know the device would have to reimage and migrate all the data to get to that state."

You're worried that a device will have to be reimaged? Do you know how often that happens? It happens on large upgrades (Windows and Mac, not Linux most of the time). It happens when a disk gets replaced. It happens if a backup is restored. It should happen every time a device changes hands. It is the first step after a company gets a device from somewhere else as they'll apply the corporate image. And it happens when the disk gets encrypted. If you're encrypting the right way, and I'm sure as an expert you would, all the disk has on it at the time of encryption is a basic OS image with the encryption software if that wasn't already included. If for some reason it fails, which doesn't really happen unless you cut power or something, reimage and reencrypt. It'll work fine the next time.

What you're really getting when you ask for this is a device that is stuck with the original factory image, and because you've asked for "no way to turn it off", can't ever be replaced, for any reason. And that's terrible from a security perspective, even if that image and user data are encrypted.
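The claim above that nearly every modern processor accelerates AES is something worth checking on a given box before enabling full disk encryption on it. The following is an added example, not code from the post; it parses the Linux /proc/cpuinfo feature list (the "flags" line on x86, "Features" on arm64) for the AES instruction flag and for the carry-less multiply flag that GCM and XTS tweak arithmetic use. The sample cpuinfo text is constructed, and the three return labels ("aes+gcm", "aes-only", "software") are this example's own naming.

```python
import os

# Constructed samples of /proc/cpuinfo output (not captured from real machines).
SAMPLE_CPUINFO_X86 = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
flags\t\t: fpu vme sse sse2 ssse3 sse4_1 sse4_2 aes pclmulqdq avx avx2
"""

SAMPLE_CPUINFO_NO_AES = """processor\t: 0
flags\t\t: fpu vme sse sse2 ssse3
"""


def parse_cpu_flags(cpuinfo_text):
    """Return the set of feature tokens from a /proc/cpuinfo dump.

    x86 kernels print them under 'flags', arm64 kernels under 'Features';
    both are whitespace-separated lists, and multi-core dumps repeat them.
    """
    flags = set()
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in ("flags", "features"):
            flags.update(value.split())
    return flags


def aes_acceleration(flags):
    """Classify what the CPU can accelerate for disk-encryption workloads.

    'aes'       : AES-NI on x86, ARMv8 Crypto Extension AES on arm64
    'pclmulqdq' : carry-less multiply on x86 (GCM GHASH, XTS tweak math)
    'pmull'     : the arm64 equivalent of pclmulqdq
    The labels returned are this example's own, not a kernel convention.
    """
    has_aes = "aes" in flags
    has_clmul = "pclmulqdq" in flags or "pmull" in flags
    if has_aes and has_clmul:
        return "aes+gcm"
    if has_aes:
        return "aes-only"
    return "software"


def check_this_machine():
    """Read the live /proc/cpuinfo on Linux; returns None on other systems."""
    if not os.path.exists("/proc/cpuinfo"):
        return None
    with open("/proc/cpuinfo") as f:
        return aes_acceleration(parse_cpu_flags(f.read()))


if __name__ == "__main__":
    print("constructed x86 sample:", aes_acceleration(parse_cpu_flags(SAMPLE_CPUINFO_X86)))
    print("this host:", check_this_machine())
```

A result of "software" on a machine that is about to get full disk encryption is the one case where the performance objection in the quoted comment still applies; "aes-only" is common on older x86 parts and is fine for AES-XTS, which is what most disk encryption uses.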

Open-source companies gather to gripe: Cloud giants sell our code as a service – and we get the square root of nothing

doublelayer Silver badge

Re: "he can pay you to develop it. Or pay you for setting it up on premises"

All that is true. All that is obvious. All that was known when people put their code under an open license. Nobody said you were guaranteed work, just that you had a way to try to get it. It's also true that it is sometimes easier to get paid making something closed rather than something open.

"BTW: RedHat was sold to IBM. Maybe even its business model wasn't working so well to keep on being profitable on its own?"

You either misunderstand how companies work or you don't know how the Red Hat deal went down. Red Hat wasn't "sold to" IBM because they needed to shut things down. IBM bought Red Hat because it was making a bunch of money and IBM wanted their IP and developers. IBM isn't a private capital company that specializes in trying to get something out of a failing company; they're a technology company and they really liked Red Hat's technology. The fact that Red Hat's business model was pulling in revenue from lots of people probably helped get them to that $34B asking price, too. Strike that, it definitely did.

doublelayer Silver badge

Re: The fundamental difference is...

The cloud providers could argue that they aren't just selling the software; the users could just download that from the original source any time they wanted. Instead, they're charging for the resources the software is run on, and optionally the management of the systems concerned. Clearly, a lot of the value for them is coming from the users' desire to run the software they didn't develop, and they are getting benefits from that, but they could argue that they are not charging users for that software, just the extra services they provide. You decide if this argument is good enough, but as you've said, it should be expected given the pretty explicit way the licenses say people can do that.

doublelayer Silver badge

Re: "he can pay you to develop it. Or pay you for setting it up on premises"

In the case of many of the companies mentioned, however, the cloud providers aren't continuing development and keeping their code away from people. In many of the cases, all the new code the companies provide, which isn't all that much, is being released freely. The problem these places are talking about is that the cloud places are making bunches of money by selling the administration of this software and the resources it runs on. And while I see the point that these companies are profiting from the work of others, it's also the work others specifically said people could use for whatever purpose without needing to pay them.

This isn't to deny the usefulness of a license like the AGPL; it makes sense why people want it and there are other places that would have had to release a bunch of code if they had AGPL-licensed components. Even if all the projects mentioned in the article were AGPL licensed, however, the cloud places could still charge for servers that run these projects, management of those servers, and programs and scripts that modify the running of that program without being written into it.

doublelayer Silver badge

Re: "he can pay you to develop it. Or pay you for setting it up on premises"

Some problems we can deal with:

"Can you see the failure of your assertion in the article case?"

Original assertion: "he can pay you to develop it. Or pay you for setting it up on premises"

"1) They don't need to pay you to develop anything, they develop it themselves and don't make it open, as the license doesn't require it"

So clearly, they won't pay you for that, because they paid someone else for that. Doesn't really change the math; you could have been paid for that if they chose you for the job.

"2) They can set it up themselves."

Once again, someone else is being paid for something you could have been paid for if they chose you.

The assertion said that you could attempt to sell further development or setup for money, not that people were guaranteed to provide you with work in that area. There are various services you could provide around an open source codebase, but there are several caveats about those. The primary one is that you would be providing a service that someone else could provide. For example, it would be completely possible for someone else to provide the kind of Linux support for which Red Hat is known. In that case, Red Hat loses. But Red Hat didn't lose, so it clearly works at least some of the time. Meanwhile, I run plenty of code that Red Hat wrote at some point, but I don't pay them for support (using Fedora/CentOS/other distributions that contain some Red Hat projects, but not using RHEL). By making their code open source, they accept that some people will be like me, and they realize that this might actually be quite helpful to them later down the line.

"Anyway, the opportunity of making money by developing new features and installing disappear when everybody can obtain and install your software"

Not really. Plenty of people hire open source developers to put another feature in because the developer wasn't already planning to but they are most competent to continue developing on their own codebase. You're correct that there are many other options that don't result in the dev getting money, though. But the opportunity of making money by making people buy the software disappears when you make the software free, too, and we don't complain about that because the dev theoretically realized that when they made that choice.

"you can offer it at far lower prices when you don't have to pay for development also"

This was in the sentence with a discussion about developers, but I presume "you" now means the companies that sell stuff based around the software. And your point is? Lots of people don't pay for everything in their system. The Raspberry Pi probably would have cost more if they had to pay for development of their own OS to run on it. Instead, they ported Linux, requiring much less code. That resulted in more Linux users, more developers who can contribute code upstream, and a cheaper computer for us. This strikes me as a win-win situation, but your tone above sounds like you took this another way.

Larry Ellison tiers Amazon a new one: Oracle cloud gets 'always' free offer, plus something about Linux

doublelayer Silver badge

Re: Always free services

I know the specs are terrible for real cryptomining. However, the specs of embedded devices like IoT junk or consumer routers are even worse, and they get broken into for cryptomining quite frequently. If people can find a way of setting up many free VMs through multiple accounts or the like, it could pay off. If not, just having two means a little mining that costs the user nothing. And there are plenty of other things a user could have one of these do without needing more specs. I can think of some tasks a VM like this could do, and I might never need to upgrade them because I already have stuff to run my real systems that I care about. I somehow think Oracle is hoping that I'd try their free versions, decide I need more power, then continue to buy through them. I don't think that will work as well as they think.

doublelayer Silver badge

Always free services

When places have something they intend to be "always free" or "unlimited", it's usually a sign that someone will have figured out how to exploit it and the offer will be retracted or restricted. For example, I fully expect that people will start to set up the free VMs to do cryptomining or something similar within a week or two. While I'm certain the terms tell people not to do that, that's never stopped these people before. How long do you think each of these offers will last before someone manages to make them less profitable than Oracle had in mind?

Fitbit fitness fans furious following flummoxing flawed firmware float, fleeting feedback, failed fixes

doublelayer Silver badge

Re: "a full factory reset of their Fitbit device and re-installation of the app"

There are a few companies and open projects that have managed, through repeated and thorough application of reliable testing and concern for user annoyance, to have every update they release work well under nearly all conditions. For those places, I am comfortable updating on day one and, when they eventually make a mistake, be a member of the public that others can learn from. And for everyone else, it'll be at least a month before I let their new thing onto my hardware.

France says 'non merci' to Facebook-backed Libra cryptocurrency

doublelayer Silver badge

Right reasons, please

There is a problem with this statement. This cryptocurrency is not really a money laundering or funding terrorism risk, at least not more than any other cryptocurrency or thing with value that can be traded. It is a profound risk because of user privacy and corporate control reasons. Why is this distinction important? Shouldn't we accept that the thing is being held up and not complain? No, we shouldn't and I won't, because, if Facebook can keep all complaints about crimes that could be committed by someone else, they can come up with pretty reasonable arguments why those objections don't apply. Then, the system will be seen by governments and assorted nontechnical people as having been analyzed thoroughly by all sorts of places when in fact the important issues have been ignored. We need to keep the focus on user privacy and control and not let someone else divert the discussion.

CEOs beg for America-wide privacy law... to protect their businesses from state privacy laws

doublelayer Silver badge

Suggested change

I suggest we change the last slogan in the subtitle. Rather than the 1984-inspired contradictory statement, I believe the one introduced in the book The Circle better represents what these companies think. That slogan was "Privacy is theft.", and the fictional company clearly meant it. Let's hope we can prevent that from becoming instated in law with only a thin attempt at disguising it.

Facebook: Remember how we promised we weren’t tracking your location? Psych! Can't believe you fell for that

doublelayer Silver badge

Re: Things you wish you'd seen . . . . .

I bet it was pretty silent. Just a couple high-level execs and engineers staring at an iPhone with looks of complete horror on their faces. Then the phrase "what are we going to do?". The opposite is possible too; whoever has dedicated their life to ever-increasing collection of location going through a bout of maniacal rage. Either way, I'd like to be far away from it.

Lights, camera, camera, camera, action: iPhone, iPad, Watch, chip biz in new iPhone, iPad, Watch, chip shocker

doublelayer Silver badge

Pedantry

"As expected, Apple has launched a new iPhone – the 11th version of its smartphone"

Sorry, but Apple has dragged you into its distortion field. They may not know how numbers are supposed to work, but this is their 13th* generation. The only generation that lined up well was the iPhone 4, which was indeed the 4th generation. Everything else (with the possible exception of the 3GS) has been completely off. Other companies like doing this as well. I really have no clue why they like this so much.

*In order, the generations are: original, 3G, 3GS, 4, 4S, 5, 5S, 6, 6S, 7, 8, X/10, 11. I do not include the 5C, which was an iPhone 5 in an easy-to-break plastic case, or the iPhone SE which was an iPhone 6S in a 5 case.

What a bunch of DoSers: Wikipedia says it was walloped by 'bad faith' actors over weekend

doublelayer Silver badge

Re: Fundamentally flawed model

Wikipedia isn't and never will be perfect. What makes it easy to update also makes it easy to vandalize. But it is a pretty good source of background on a lot of things. Something where people are trying to advertise or where everyone disagrees and thinks Wikipedia is a good battleground excepted, but in reality that's not a lot of the pages there. If I want a simple fact, or if I want a quick overview of something, Wikipedia is a good source for that. It's kind of like an agglomeration of the dictionaries, encyclopedias, almanacs, and other assorted reference books of the past. It contains a little information about a lot of things. When more information is desired, it's time to bring out my researching skills I was taught, including my ability to spot misleading data, but many requests for information are not that serious, and I'm glad we have a resource capable of handling most of them.

doublelayer Silver badge

Re: Fundamentally flawed model

That was meant as a joke. I'm pretty sure of that. You posted a comment critical of the site, so someone joked that your complaints against it were felt so strongly that you wanted to take it down. Nobody here really thinks you took it down or wants to do so.

Mozilla Firefox to begin slow rollout of DNS-over-HTTPS by default at the end of the month

doublelayer Silver badge

I'm afraid your description is not accurate. You have described encryption of content correctly, but that's not going anywhere. Your statement "move the “Hey Alice” shoutout to a middle man that will see all your messages in between afterwards" is incorrect because that middleman only informs you how to contact Alice; future messages between you do not go anywhere near the middleman and remain encrypted using the old protocol. This is a better parallel:

Alice and Bob want to call each other and exchange encrypted messages. They can exchange public keys if only they can get a phone line. But neither knows the phone number of the other. Alice could call directory inquiries and ask for Bob's number. If she does this, she must trust that service to provide her the correct number, and she must accept that someone might overhear her request. In addition, someone might have intercepted her call to directory inquiries and be pretending to be them, but she could not tell. With DoH, she has a secure connection to the particular system she trusts. She must still trust that they are giving correct information, but her request to them cannot be intercepted or overheard. Once she has the number, things proceed as before.

That's the good version, explaining the positive aspects. However, DoH also has some downsides. It prevents someone else from tampering with the DNS data, but it also prevents you from tampering with the DNS data. Sometimes, you would like to edit that, whether it be for faster caching or content blocking or internal system redirection. That's why DoH must run alongside rather than replace normal DNS. If it becomes mandatory on something, I will no longer use that thing. It's not, as some claim, a security risk in and of itself--if malware can be detected by a DNS request, the malware can also be changed to use one of a number of alternatives for finding an IP address including having one hardcoded in it. But it does allow circumvention of many tools that are quite important. In most corporate environments, it should probably be disabled and made explicitly against company policy.

For real this time, get your butt off Python 2: No updates, no nothing after 1 January 2020

doublelayer Silver badge

Re: 20 years is a lot of time.

But you don't have to reengineer the code if you just want to keep running it. They aren't going to secretly break all of Python 2.7. They just won't update it. So it is a lot like an old operating system, as you can't get support or security updates for Windows 98.

For the comparisons to C, try taking C code from 1975 and compiling it and running it today. Likewise, see if you can get modern C to compile with the initial C compiler. In most cases, you'll be disappointed. However, a lot of it will work. And a lot of Python 2 code can be picked up, without any changes, and run in Python 3. If you have a sufficiently large codebase, it's likely that some changes will be needed, but you don't have to tear down and rewrite. Could they have done the changes differently? Sure, they could have. But it would not be significantly different, because things break. Languages change. They deprecate things in their standard libraries and introduce new ones. Python is not doing something that other languages have not done.

Handcranked HTML and JPEG japes. What could possibly go wrong?

doublelayer Silver badge

Re: Oldie Here

My site is a lot like that. Unfortunately, I've been informed that using this format on anything else, including temporary sites that the frontend people will replace, is bad because I haven't included at least twelve image files and about five external CSS files that make the page look like the image they have in their head but can't actually describe. When suggesting that they could design the page to their liking, I am courteously informed that of course they don't know how to do that because they don't have technical jobs, but I'm the software developer so I should know how to make a page that doesn't look old. And thus ends the story of why I'm never doing frontend.