Posts by doublelayer

Re: Hmmm..

I think you've gotten things the wrong way. Fiona didn't claim that she was not responsible, simply that others could also be held responsible and she didn't let that happen. The person who decided to put that file on a production server, which was not Fiona (the article makes that clear) should perhaps not have done a straight copy-paste from development to production. That's not new. Anything sufficiently large has stuff in the development folder that isn't to be released in production, and usually a script or two to try to manage that. I'd argue that these others weren't very responsible, and thus that turning them in would have been a pretty nasty thing to do, but I'd also argue that Fiona did little or nothing wrong and was unfairly attacked for a thing that did no damage and was clearly not intended.

I see your point. I like civility, and I would like to see everyone, from kids to those a couple generations older than me (who aren't all that much better at it), to start being more polite in conversation. I'm afraid, however, that making an electronic device ask for them will turn it into the worst parody of those over-obsessed people. You know the ones: the people who have actually said the phrase "You didn't say the magic word" without irony to someone over the age of three. It also happens that many of the requests a device like this answers aren't typically said with "please", including most of the ones in my original post. The please essentially becomes another required wakeword for the device, and loses the meaning we* were trying to get across. As such, this has the potential to be counterproductive, and I think it will be pretty silly or irritating, depending on your viewpoint.

*We: In the sense of parents, people programming the devices, and people setting up the devices. As I'm a member of neither group, perhaps "they" would have been the better pronoun.

Let's really think about this. I don't mind if people want to donate cycles to finding this answer. But why do we care about it? I really like lots of abstract math problems, but they didn't find and execute a new algorithm that can solve these things; they brute forced a bunch of options and found one. If we should need to solve this problem for some reason in the future, and I'm willing to assume we've found one even though I haven't a clue what that would be, does this program give us a new, faster, or organized way of solving for it? From what I've seen, it does not, and we'd have to put more resources into a brute force search. So let's not give it the kind of credit that you've implied. The examples you provide gave us new algorithms, and they turned out to be useful later on. All we got from this are three big numbers.

Computing resources can be quite cheap in cases like these. If that's the way people choose to use them, then that's fine. But let's not give this more credit than it deserves.

Re: It's the way Android takes control of the OS away from the user

I think it's mostly correct. The device will continue to perform some functions. That is true. But as the time between last security update and today increases, it's more likely that malware, anything from a malicious app in the Play Store to a malicious web ad, can get at something I don't want it to. As such, I wouldn't be comfortable using a device without recent security patches for sensitive things like banking or sensitive email. And after a certain point, I wouldn't be all that comfortable using it for slightly sensitive things like most email or having my contacts on it unless I also had a certain degree of protection such as rarely using the web browser so I'd avoid exposure to potentially unsafe code. And while I have some degree of confidence in my ability to detect dodgy things and stay away from them, I don't have that confidence for most of the general public and security is frequently a group activity. I don't expect that I'll have the security update hours after it comes out, but if I'm over a year out of date, I'm a little worried, and if I'm over three years, I'm quite worried. When it's someone nontechnical instead of me, those times are reduced.

Re: Not only am I going to continue using Windows 7 on my main PC...

This is where the easy answers stop. Of course Windows updates are annoying, and they can really mess things up. But it's also true that some of them have useful security patches in them. You've mentioned that the last update applied was in May of 2017; I'm guessing it was the EternalBlue patch, released in March of that year but pushed out with extreme force in May because it was being actively and very successfully exploited by malware. And although I'm sure you're competent enough to prevent most attacks from getting into your systems or damaging things if they managed it, there are other places out there who lack that. For them, the advice to always install security updates is well-founded, because they will at least be able to prevent certain types of malware which could impact their processes or cause data loss.

It's useful to think how easily malware can be installed. If one person using one of your machines is tricked into launching a binary, whether that's by social engineering, a redirection of a download, or something else, security patches are designed to prevent that binary from getting to all the things it's probably after. They're not guaranteed to have discovered the vulnerability the malware is using, but they do patch several each month. If you have enough confidence in your security that you'll catch the binary without needing that, you may be right. Unfortunately, many have had that idea and found out that they were wrong only after seeing the damage wrought by a successful infection.

Re: Does not fry the users lap?

Maybe I'm one of those few who do use a laptop on my lap. Then again, mine has side vents and I'm not running all the cores at max power, so no burning here. There are many times when I want to use a computer and there's no convenient surface around, such as in a train/car, auditorium without the folding tables, or house with extended family present so all furniture is being monopolized. I figured lots of people did that. Maybe it's not as common as I thought.

Re: Taxi Drivers Unite

I'd recommend you consult with a legal or financial advisor before trying to put that into effect. While business expenses incurred by the business concerned are tax deductible, that doesn't apply to many end users who would be taking the ride outside of work. You can't usually deduct your taxi or rideshare bill from your taxes, even if you need it to make money. For the same reason, consumer purchases of automobile fuel aren't tax deductible even if you really need that to get to work. I assumed you had planned for another reason for the payments to be tax deductible, which is where the charity/nonprofit (different term for different countries) discussion came from.

Re: re: PiTop

The complaint was about the people who make a laptop enclosure for the pi, not the foundation themselves. It's a reasonable complaint, as if you are buying in a currency, they often will at least tell you the cost in that currency. The places that sell the pi give the purchase price in the local currency, after all. As for this company, they have a .com address rather than a .co.uk one, but they have a London address. I'd expect them to have a currency selector on their store, but evidently not.

Re: Isn't satellite broadband pretty much one-way ?

Short answer: no.

Long answer: Satellite phones. Satellite media uplink stations. Current satellite internet. None are new, none require powerful transmitters on the surface. They don't really require all that powerful transmitters on the satellite either when you compare them to lots of other things.

Re: So because you don't want it, no one else should be allowed.

I think the comment meant that it shouldn't be encouraged, or at least "it is not the case that we must encourage it". I'm not sure I agree with that, but I believe the intended point was weaker than you've described. There are many advantages in working remotely, and there are also disadvantages. Enforcing either could be harmful, but encouraging one over the other might not be. Fortunately, I don't think I'll have to decide on that policy at any point in my career.

Re: And if Huawei allowed unlocked bootloaders

No, I can't see those at all. I can see a pointless ban by the American government as part of a trade war, nothing else. I don't support that, but just because some people somewhere chose to paint the company as a security risk when they're not, that doesn't make every other possibility true. You've claimed that people are out there bricking devices with intentionally damaged firmware and then claiming refunds, but you can't point to who is doing it or when it's happened. In addition, it's completely illogical.

It'd be similar to saying "There are people out there who go into stores, steal the batteries from phones that have replaceable batteries, and replace them with lookalikes that also contain a tracking function and can be primed to explode if the people who built the replacements want to turn the phones into explosives. Therefore, we should not allow replaceable batteries." That statement and yours are similar in that A) nobody is doing that, B) if someone did do that, it'd be completely pointless, and C) if people did do that for whatever reason, the suggested course of actions would not stop them.

Re: IoT malware targets Intel machines running Linux

It's stated that the access method is SSH, so some options include:

1. SSHing with poor or default credentials to root because not all Linux users are, in your words, self-respecting.

2. SSHing with poor or default credentials to something that isn't root, then elevating to root if the user has sudo privs.

3. SSHing with poor or default credentials to something that isn't root, and therefore installing as a user process. It's not as effective, but it'll mine sometimes and that can't hurt the criminals because why should they care?

I have a public-facing server with SSH enabled. Root can't log in, and anything that can log in has an undisclosed username* and either a seriously difficult password or keys only. Lots of automated login attempts occur, but not all of them are people fruitlessly trying to log in as root. Many are trying things like "admin", "system", "user", or the machine's domain name. The people trying this must be doing it because it sometimes works.

*Undisclosed username: This is not a security measure; I know that security by obscurity doesn't work. What it does let me do is set up a monitor for the SSH logs that can inform me if someone is trying to log into an actual account, thus filtering noise from the pointless attempts. If someone does get a real username, I will know about it and I can figure out where that information came from and where this at least a bit more sophisticated attack is coming from. Unless that filter activates, I don't have to worry about the automatic SSH bots. And while we're on the subject, *checks logs*, nobody's guessed any real usernames since the server was set up two years ago.

Google almost certainly spent a few of their billions on a team of attorneys to draw up a contract that lets them do anything they want, as long as it doesn't break the law, but also some things that do break the law because who's going to check, and insulate themselves from any developer action. Meanwhile, they also have the resources to make sure a challenge in court will last long enough for the other party to run out of money, and if someone smallish challenges them on this contract, I fully expect to see that tactic used.

Yes, it is such an argument. If Hong Kong's internet is cut off, all the data centers will become less popular. Nobody will set up new ones, and people wishing to have servers in a place that can be accessed in China but aren't controlled by China will leave for other locations, probably South Korea for the main Eastern connections and eastern India for overflow. The investment in Hong Kong's data lines will have been wasted, and access to approved data inside China will be made slower because fewer lines will have to take the traffic. That's without considering the loss in business when all the people who used to use those datacenters look at all the datacenters in Singapore and figure that those will work just fine.

Yes, we think backups are the solution. Backups isn't just the big box of tapes with all the data from last weekend on them; it includes everything that allows data recovery when data is lost. Whether that be snapshots, extra copies, or the big box of tapes.

You're right that having to restore from backup at the level of off-site external media is costly in time and money, but there are some things to keep in mind:

1. We only suggest doing that if you have to, I.E. the backups that are online and easy to restore from don't work. Frequently, more persistent ransomware will have found those and screwed them up. Yes, you can configure them not to be vulnerable to the typical attacks, and that will protect you from the majority of lazy ransomware. If it does, that's great. If it doesn't, fall back to offline media.

2. Restoring media may be an expensive DR option, but that's to be expected. This is disaster recovery; you only do it when there's been a disaster. There are lots of other disasters where you'd have to do the same thing, but having to rebuild from scratch would cost much more. If the cost is too high for the business, it might be worth constructing a cheaper backup system or one that restores more easily.

3. Paying the ransom is a terrible idea. It guarantees that you have the same problem that let the ransomware get in. They might also stay resident in order to hit you again in a few months or maybe just to add your machines to a botnet.

4. Paying the ransom is immoral. It funds criminals when there is another option, and increases the probability that an attack like this will happen again. If you pay the ransom, you are making someone else pay the real cost for you. That's bad.

Re: Random identifier

If they're doing what they say they're doing, the random identifier is just that, a random string assigned when the request comes. In that case, it wouldn't be attached to any other data, not by hash or anything else. Then, after six months, the key with the random string is deleted so anyone looking at the data couldn't be connected with other recordings from the same source. And if they did that, things would probably be fine subject to some extra considerations like the aforementioned backups storing strings for longer, which wouldn't identify users but would allow collating recordings for a device.

But we have no way of knowing whether they are keeping to that. And they have to have known previous to this that having people listen to recordings is dubious at best, but they didn't stop doing it until right now. If they do what they say they're going to do, then I'm quite a bit happier with them. And so far, they haven't lied about not doing something they are really doing, but haven't been particularly proactive in determining when something they admit they're doing is problematic. We'll have to watch them; if they decide to do something like this again, we have to nip it in the bud.

Re: My uninformed comment

UDF is the solution? I've had a read through the wikipedia article about UDF, and I have my doubts. We'll start with the problem that it's designed for optical media. As in media that can be written a couple of times at most, not one that might have an operating system boot off it or store frequently changed files. There is a version not specifically designed for limited-writes media, but there are others designed specifically for that purpose. This brings us to the next point.

There are a bunch of revisions of the UDF spec. And we all know what that means: lots of poor implementations that support only some of them. And it's not just different release versions, but multiple types of filesystem inside UDF. The wikipedia page includes many statements about what versions different implementations support. Actually, they don't say that. They instead tell us what different implementations "claim to support". Sometimes, such a statement is followed by a statement that only certain subversions are correctly supported, and much of this is for reading only.

My third point can best be made with this quote: "The UDF specifications[7] allow only one Character Set OSTA CS0". When this is a key point in the summary of a spec, and they follow it with a discussion of when this doesn't play well with other encodings, I know it's not fun to deal too much with this filesystem.

Re: Ban nontreplaceable batteries

It could easily just be heavier use. If you do more things with your phone, you'll have used up the battery faster (I.E. it doesn't last as long even when new) and put it through more cycles because it kept getting discharged. It could also be that your phone is less power efficient than the one mentioned.

While I'm entirely in favor of phones having more user-replaceable parts, I don't particularly care about anything other than the battery, and I don't care all that much about that either. I know people can replace other parts of phones, but all the devices I've seen this on have been somewhat unstable (E.G. replaced screen panels that don't really feel like staying firmly on the phone). For the battery, I'm really hoping that, after four years or so of use when I'd like a new battery, I can find someone who is making compatible batteries today, rather than shipping compatible ones they've had on the shelf since the release of the phone or releasing batteries that look like they'll probably work, and once they get shipped here individually, I can plug them into my phone I don't want to replace just yet and see if they really do.

In purchasing a phone, I expect that, at some point, it will develop a serious mechanical problem. I could try to fix it or get someone more skilled with a soldering iron to help me, but I know that's likely to make the device function worse. That's why I try to go for cheapness. Modern cheapish Android phones are quite well-built, and I don't feel like I've lost much if it turns out that this one doesn't stay together as long as I hoped and I'll have to replace it after three years instead of six. I can't guarantee any reasonable lifetime of a device, but I can make it so that when the inevitable happens, I'm out much less than I might have been.

Re: Junk "science"

"Technically you are correct. But if you compare good arxiv "preprints" with published versions you'll find that many have only very minor changes."

In general, Wikipedia provides a useful, comprehensive, well-researched, and balanced summary of pretty much every topic. It's a great start for gaining some basic knowledge about something. And if I want to, I can go in and mess it all up. So can a lot of other people, so there's always some chance that the page you see there has been recently vandalized to contain incorrect information. Similarly, Arxiv is a great resource, given it allows members of the public to access papers without having to pay a journal that isn't actually doing the important part, and for that I'm quite grateful. Still, Arxiv can be polluted by useless documents, too. I haven't read the "paper" produced by these people, and I don't intend to, but just because they've posted it on a mostly reputable site doesn't mean that its contents are of any use to anyone.

Re: Penalising loyal customers - helps competition?

This applies to pretty much every network provider I've seen in any country.

"Get our new UNLIMITED DATA plan just 29.99/month"

"How many lines do you want? 29.99/month/line above four, 43.99 for three and four, 59.99 for the second, and 85.99 for first."

"How much data at usable speeds do you want? 29.99 for 2 GB, 39.99 for 3 GB, etc."

"Do you want to be able to make voice calls with that plan? Add 4.99/month/line above four, 6.99/month for three and four, ..."

"Choose your free phone to go with this plan. Your choices are the latest iPhone at only 54.99/month for the rest of eternity, the Samsung flagship for the same price, a weirdly chosen midrange Android for 34.99/month and wondering why that's the one chosen, the Huawei for 44.99/month, [scrolling, scrolling] [option to choose no device not found in list]"

"Enter discount codes. [These codes may exist, but the most you'll get is a 15% discount on the first month]"

The companies might have a better plan, but I'm too busy hating them to be able to call and ask about it.

Re: I wish my users protected data like this efficient PA

I take the point about asset lists not always being up to date, and I don't think that's the necessary solution to the problem. Yet it's still not the fault of the user concerned. They were, perhaps annoyingly, sticking stubbornly to their security training. In other words, they were doing exactly what we'd want them to do in the case of an attempt at social engineering. Repeatedly shouting at the user to give you information doesn't help prove the point. Asking the user to call back with a trustworthy number does do that. There are other ways to authenticate as internal and/or trustworthy, but none were mentioned. Worse, the user who acted in compliance with their training and was actually able to provide the required information without leaking potentially secure information was penalized in a frankly pretty irresponsible manner.

Re: How it looks to me

It doesn't hurt all that much if other people get slices of the data. Many of them are showing Google ads anyway, and most of the other data collection isn't for ad competition but for spyware purposes. Why should Google care about that?

Also, implementing real checks that catch copied malware code that hasn't been hidden in any way would take, like, a month for a few Google Play engineers. They could be working on something else. Something more useful like ... Android security updates and getting those running on more devices? No, not those. These are cloud engineers after all. How about ... malicious extension detection for Chrome? No, not that either. They're not focused on that type of code. Another idea ... thinking ... thinking ... got it! They could work on preventing ad blockers from working. Sound good to everyone? Well, we've identified the best use of developer time. Go back and get that implemented guys.

Re: Keep calm and just install something else

It is a tech site. That's why we know about the potential problems with no security updates, and why we aren't happy to see this being sold to unsuspecting purchasers, both technical and nontechnical. And maybe we can install something, but there are lots of points to consider about that:

1. Some may be locked down or lack driver support for anything other than Chrome OS. So in that case, we can't.

2. Some may lack the specifications to run anything else (E.G. really tiny storage). The purchaser probably doesn't care because they just wanted to run Chrome OS, but it would prevent a useful installation of something else. If this specification limit was the reason for dropping support, I'd drop my objection, but it's clearly not.

3. Maybe the thing to replace Chrome OS doesn't work as well for the intended purpose. For people like us, a full Linux installation would probably be much more useful. For someone else, the lack of any complexity in Chrome OS might have been a selling point. They chose to buy the device because of (or in my mind in spite of) the OS, so it stands to reason that they probably want to keep it. This especially applies to schools; they need laptops that can run a browser and are cheap enough that they can be replaced. Of course they could do that with a Linux distro running on that or similar hardware, but that requires a Linux admin who they'd have to pay. The selling point of these that got them adopted in so many schools was that you didn't need to spend as much time on administration. It turns out you have to spend that in money for new hardware that doesn't provide you any benefits.

4. There is no good technical reason for dropping support like this. If they released a new version of the OS and said "Sorry to any chromebook users still stuck with 16 GB of storage, but we'll need some more for this version. We'll give you security updates for this version for a bit longer, but you will probably want to buy a new one or expand the storage if possible eventually", I wouldn't complain. If they released new versions that need more processing so they run slowly on old hardware, I'd complain about poor coding practices but they would have no policy complaints from me. But they're not doing that; they're setting a death date for the devices and then cutting them off at that point for no good reason.

Re: A note of CA license plates...

Maybe, but with that description of how the plates work, it doesn't sound all that hard to fake. It wouldn't stop someone who was looking at the stolen car, but works just fine when you're worried about someone taking down the number while the car is in motion, which is exactly the situation in this case.