Posts by doublelayer

Re: This puzzled me a bit

"64-bit is not better than 32-bit, it's just bigger. We're all chasing the word size believing that it's somehow better - while there are a few advantages, the fact is that the application sizes keep doubling, systems need more memory and higher cpu clock speeds each time."

That is not how that works. Applications do not double in anything, be that disk, RAM, or CPU. When an application is recompiled from 32-bit to 64-bit, the only things that need to get larger are pointers. Those do double in size. The instructions either stay the same, not changing in size, or are changed to new ones for more efficiency. Since they're not using any more data, they're still the same size. Some use of pointers means there'll be a slight increase in disk usage for the binary, but it will be small. More importantly, most storage used by a program is in the form of assets. Databases, media, documents, images, and those stay the same.

The programs that do see a difference are those that use a lot of pointers. Ones that use a lot of other types will have no change. The result is that an operating system compiled for 64-bit will have a significantly higher memory footprint because kernels have to store a lot of pointers so everyone else's virtual memory works. That point, I'll grant you. But it's not double even there.

Meanwhile, a 64-bit processor can do some types of things much better. AMD64 supports operations on 64-bit and 128-bit values that can be accomplished in one instruction whereas I386 requires several to do the same thing. What does this mean? It clearly means faster calculations, and that's true. But since you are focused on binary size, it means that each time a program does an operation like that, its disk usage is reduced by a few bytes as it chops out a few other instructions. This increase in efficiency invites programmers to use the faster processing to add features, so you will see larger programs, but you would (and did) see the same thing if they just made a faster 32-bit chip. Such programs get larger because they do more things, not because the architecture change did it to them.

"Does anyone think that switching to 128-bit is going to improve things in a couple of years?"

It won't happen, but absolutely. CPUs have come to the conclusion that 64-bit addressing will continue to work for a very long time, and it will. However, there are other kinds of chips including GPUs and ASICs that already do some parts of a 128-bit architecture or in some cases an even larger one. These are popular among people who want and are willing to pay for very good performance because they run faster for certain mathematical use cases. I fully expect that such chips will become more available in years to come and that they will be adopted by places wanting good performance. You don't need it in a consumer-level machine, but supercomputers will want it quite a lot. Eventually, gamers will get the same kind of chips so they can drive even higher-resolution screens at even faster framerates. While I rarely need either type of improvement, those things would definitely be improvements.

"On the other hand, do we want the ICO to have the power to kick the doors down and seize everything whenever it wants?"

No, we don't. How about we give them the power to kick the doors down and seize everything whenever they've identified a likely criminal and obtained a warrant from a judge. Since they're an organization empowered to investigate crimes, maybe they should have similar powers to other law enforcement, including the power to keep a warrant application quiet so they can get evidence before someone destroys it.

It's bad because Facebook doesn't control the string "facebook". It's worse because I think we all know the bot excuse is just to deflect blame. No actual business has to put "thereal" in their domain to prove who they are; it's clearly to express that the Facebook-named board isn't, in the opinion of the people with the site, doing any oversight.

The name of your site is not the problem. What you do on that site is the problem. If you run a phishing site for Halifax online banking, it doesn't matter if you call it genuine-halifax-online-banking-biz or iwilltakeallyourmoney.gq; what you are doing with it is illegal, so your site will be taken down for that reason. Trademark complaints are different, but that would only be relevant if the people running the site tried to create an otherwise legal enterprise under false pretenses. Not only did they not do that, but Facebook doesn't even allege that they did.

Re: Hmmm

"Ah yes; the entirely lacking in evidence argument that "they did it legitimately this time means they won't the next time". [...] I am old enough to remember when "innocent until proven guilty" used to be a thing."

They are guilty. The law enforcement entities have been found to have violated laws on data collection and privacy in numerous ways. They started by collecting information they didn't have a legal right to collect. Then they didn't delete information when the courts said they would have to. Then they used data for unwarranted purposes. The only reason those crimes haven't resulted in jail time is that these entities have the ability to decide that they don't want to investigate their own crimes, but they haven't had to hide the information about what they've done. Why do we have to give them the benefit of the doubt when they've already repeatedly proven that they will collect information and use it despite what the law requires of them? The example here was legal and appropriate for the situation, but the inappropriate requests have already come and succeeded.

Re: what a classic!

I think that's why he hasn't, because this is actually one of his longterm plans. Had he done something to take over the company, he wouldn't have leverage to use against his witnesses. By keeping his take restrained, he can get rid of evidence by threatening people from the blackmail file. He also doesn't have to worry about a replacement tech finding out any of his secrets.

Keep in mind that he did a similar thing with his own employment contracts, in fact at least twice. He just didn't have the audacity to try one this big.

Re: Surprised?

"I don't get why people think Apple will use the transition to ARM to lock down macOS. They could have done it at any time"

You are correct, but I think it's likely. In 2006, they didn't want to lock it down. They wrote BootCamp just to prove that. They still allowed running unsigned binaries. I was very happy with them. It's not the same now. They've taken various small steps toward locking down their OS, and they've created another fork which has already seen much more thorough lockdowns. The reason I think ARM might be a good opportunity for them to lock down is that it's easier to say "We have to drop support for multibooting because our chip doesn't support the operating system images currently available" rather than "We decided we didn't want you to run Windows anymore so we're pulling Bootcamp". In the name of security, they've instituted weird and painful restrictions on disk access that don't work which look a lot more like IOS than they look like any other popular OS. They've hidden the settings needed to run software they haven't signed behind obstructive and meaningless error messages. Their repairability scores have been dropping steadily for most of their machines. These are not good signs to me.

Re: Alternate use...

Not at all. There were two points in the post:

1. Pine64 is being silent.

2. They deleted blog posts.

The first point is an opinion, the second one a statement of fact which I couldn't corroborate. I therefore asked for the reasons for the opinion and assistance proving me wrong.

I can't contact Pine64 about their purported silence, because I don't know what you (or a different anonymous person but I'm guessing you're the same) think they're being silent about. So I asked you. You feel they're silent, so you could easily tell me what type of information they could be providing but aren't. I could contact them and ask about their silence. Let's see how that would have gone:

Me: Good morning. I hear that you are being silent, specifically regarding the PinePhone. Why are you doing that?

Them: We're not being silent.

Me: I have a statement from an anonymous person online that says you are.

Them: What does your source say that we're being silent about?

Me: I don't know; they wouldn't tell me.

Them: What evidence was provided that we're being silent?

Me: Not sure. They claimed deleted blog posts but I couldn't find them and they wouldn't point those out either.

Them: So you're asking us about an opinion from a person who wouldn't provide any specifics, whose allegations aren't proven, and you have no reason to think they have special knowledge about this stuff?

Me: Yes, that's what I'm doing. They said you are silent, so you must be. Tell me why.

Them: We've posted blog posts regarding the PinePhone several times in the past months. One in September, two in August, two in July, one in June.

Me: I know you talk about the phone a lot, but you're being silent about some things. Why?

Them: What things?!

Me: I don't know, you tell me.

I thought you actually had something of relevance. You could have pointed me to the deleted blog post. You could have stated your opinion on information that was insufficiently explained. You could have just said "They're being silent about issue X". Want to try any of those?

Re: Whois lookups used to be useful

Depending on your country, most likely all large-enough companies and all charities are already registered somewhere. That somewhere is usually the bureaucratic entity responsible for verifying filings, meaning you know that what is there is at least a little verified. It often includes a web address if the company concerned has chosen to provide one.

Using whois as a proxy for this has two primary problems. You're trying to verify details about the company or to verify that the domain belongs to them. Here's how that breaks:

Verify that the domain is theres: If I'm setting up a fake domain, I can easily put in the information for the place I'm impersonating. It's not independently verified and has never been, so nothing prevents me using that mechanism. I can include a phone number that's intentionally mistyped or, if I think my victims are likely to actually test it, I can set up a phone number for the purpose. Or I find a number for the actual organization which nobody answers and include that. But let's be honest, if I'm a scammer I'm probably planning that my victims aren't going to put that much effort in anyway so I could probably ignore those few who are suspicious enough to call a phone number in a whois record.

Find details about the owner: You're not going to find anything of use. If the company wants you to contact them, and they probably do, you'll find addresses, phone numbers, and email addresses or contact forms on their website. If they don't, you can probably find those details on a map or phone book. Meanwhile, lots of places that aren't companies may wish you not to have those details to avoid spam, disruption, or harassment.

Re: And electricity will be so cheap it won't be metered!

"'CRISPR doesn’t allow the insertion of new genes, just the modification of existing ones.' is mildly reassuring."

Too bad it's wrong. By removing an old gene and placing a section of DNA nearby, the new section can come to replace the old section. It relies on the cells' standard repair mechanisms working as expected, so it's a fiddly process to run right, but you can absolutely replace large chunks of DNA with custom chunks. You can call this a modification, which it technically is, but it can be a modification along the lines of "delete these three pages and rewrite them from scratch". Even when a length limit is hit, two treatments could perform rewrites right next to one another to double that limit (and so on). The current technology means doing this to humans would be dangerous, because there's always the chance that the new chunk gets read wrong or doesn't insert properly, but experimentation on flies will improve this dramatically. It's also unlikely that people would often want to completely rewrite a section rather than replace it with something known. I don't think this is a cause for fear, but we can only decide on the ethics if we're honest about the scale of changes that could be performed with the tool.

Re: Your next lesson: How to miss the point 101

Well, there are many points to this article, and the one that got the most words was the ICO's conclusion about the lack of success to the use of the data. That's a valid point. However, since it is the ICO we're talking about, let's look at what they're supposed to do.

"Our role is to uphold information rights in the public interest. Find out more about the legislation we cover. [Data Protection Act] [Freedom of Information Act] [Privacy and Electronic Communications Regulations] [General Data Protection Regulation] [Environmental Information Regulations] [INSPIRE Regulations] [eIDAS Regulation] [Re-use of Public Sector Information Regulations] [NIS Regulations] [Investigatory Powers Act]"

Their point is data handling and privacy, not election security. They have pointed out that some of the things they talked about are really the purview of other parts of the U.K.'s bureaucracy. What is firmly part of their responsibility is data privacy legislation enforcement. In that area, it doesn't matter whether I've succeeded or even tried to do anything malicious after I got your data illegally; if I have the data and shouldn't or did something with the data I have which is not permitted, I'm equally culpable of the crimes the ICO is there to deal with. Since it's the ICO we're talking about, I think this point is quite a bit more important than several others we could talk about from this report.

Re: will have to think about getting a license each time he/she overrides a library method

"No, there's no equivalence between writing your own new function with the same signature and copying 37 files of 11.5 KLOC."

When those 11K lines are a bunch of function declarations, yes there is. If I create enough functions with the same signatures, I'm copying those lines one by one. I want a library that implements archive operations with a different format so I create a class implementing all the same functions that the original .zip one handles, I've copied twenty lines in a row. Then I decide to implement a new module which does mathematical operations faster, so I retype each line in the mathematical module and implement the functions differently. While I'm speeding it up, I think I can get AES functions to take advantage of hardware acceleration, so that's another set of lines copied.

These lines have to look similar because the function name is the same, the parameter names are the same, the parameters have the same types, the parameters appear in the same order, the function returns the same type, and the function is in the same class. Certain other parts might be skippable, for example comments, but if I decide to properly write comments for my functions, they're going to say similar things. Why would I ever do this if I expected the company who wrote the original interfaces to sue me for my hundred copied names?

Google copied the names for a lot of functions and classes. They reimplemented basically all of the ones available. In other words, they did what you just said I could do, and they did it five thousand times. Why am I allowed to do it but Google isn't?

Re: 65536

I'm guessing they didn't want anyone to say they'd overstated what the screens or image formats could do. Then again, it didn't seem to hurt the storage industry much when they used a definition for kilobyte, megabyte, and gigabyte which was not the same as the definition memory manufacturers came up with, or the portable tech industry when they dramatically overstate battery life.

Re: Hack attack

It's certainly smaller than a lot of other places, so you're less likely to see it if you just look at who runs the servers for everything you use. However, it's worth looking at all the other attacking IPs in your logs, because they're going to represent a lot of the internet. It's really easy to try automatic logins on your site, and people will use any cloud service, VPN, or botnet to let them do it. Unless some provider makes a point of not taking down the systems of people who are particularly malicious, they're just like any other provider. To the best of my knowledge, DigitalOcean is usually quick to respond to abuse requests and is not at all a bulletproof service provider. People use it when launching attacks because it's cheap and convenient, which is basically the same reason someone else might choose to run things there as well.

Re: Nothing rhymed

I don't think that's how any of that worked. The history seems to be that some people worked out a way for laws to not conflict maybe while others did what they wanted to, in many cases ignoring even those people trying to stretch the letter of the law. Those who created the spying programs didn't care what the law said they could do, or even what their own lawyers said they could contort the text into allowing, but instead did everything they could come up with. When laws changed or courts informed them that they needed to stop, they just didn't and waited for the next case.

Take this chunk from the decision:

“in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable, that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications by requiring, by way of legislative measures, the general and indiscriminate retention of that data for a period that is limited in time to what is strictly necessary, but which may be extended if the threat persists.”

Here's how that chunk will get used:

"in situations where a Member State is facing a serious threat to national security that proves to be genuine and present or foreseeable,"

"foreseeable". "Foreseeable"! "FORESEEABLE"! As long as the people at the spying organizations can foresee something bad, they can do many things. I can foresee bad things with ease, and I guarantee you that they can foresee much worse things. Here they have complete authority to activate the powers granted them in the rest of the quote. But of course that section will still impose serious limits:

"that Member State may derogate from the obligation to ensure the confidentiality of data relating to electronic communications"

All good so far, they can throw away their responsibilities. Restrictions are coming, right?

"by requiring, by way of legislative measures,"

Oh no. They'll have to get the legislature's support. This is a major blow, because they'll have to inform the public about what they're doing and why. Except the laws being challenged here already support the measures, so nothing new is required.

"the general and indiscriminate retention of that data"

Well, they didn't hold back about adding sufficient adjectives to let the organizations do whatever they want, did they?

"for a period that is limited in time to what is strictly necessary,"

Ah, they're throwing us a bone. They can do whatever they want, but only for a limited time. Then they have to throw out their data and start over. At least they'll only have a year of my data at any time. Sure it'll be the most recent year, but still, it's nice that they're giving me that.

"but which may be extended if the threat persists."

Remember that the threat will persist for as long as someone can foresee it. And that nobody gets to decide that the foresight is wrong or question whether the threat persisted. I foresee that a new country will form called Evilania, and it will invade our country. As long as I continue to foresee it, I can extend the retention timeline as long as I like.

Re: Sounds like the case against Apple

"What Apple would need to do in the meantime is effectively turn iOS into a hypervisor, and make every app run inside a separate VM so it can't possibly touch another app or the OS except through defined methods."

They already did that. The primary worries about an insecure app is that it might find a vulnerability in that hypervisor, which has happened several times, or that they might find a valuable sandbox that allows access to lots of things. For example, if they get into a sandbox which already has access to contacts, the global filesystem, and the microphones, the insecure code doesn't have to escape the sandbox to do malicious things. To the extent that Apple's review is focused on real security scanning, this is the kind of thing they want to prevent.

Re: Its coming

No, we do not agree. A working facial recognition system, if it's even possible, would be a nightmare. Imagine what a totalitarian country would do with something like that. Imagine what a malicious operator in a democratic country could do with something like that. It could be awful. What it does is provide a mechanism to track a person wherever they go without alerting them and by providing a smokescreen of a potentially useful purpose.

Lots of things would catch criminals faster and reduce crime rates. Some of those things should be tried. Some of those things need to be avoided, even with the extra crime, to avoid creating a terrible situation for the innocent. Systems which destroy privacy or give the police unchecked power are among those types. A working facial recognition system, for that matter even one which doesn't work, does both.

"Have we really become such an emotionally weak society that out up-line managers must spend time worrying about out "mental well being" that worrying about getting the job done and making the company more profitable?"

Not quite. It's always been the job of a manager to worry about such things because the workers' mental wellbeing directly affects their productivity. If workers hate you, they'll try to leave and you'll have to hire new ones. Reduced profit. If workers are constantly distracted by a poor working environment, they'll get less done. Reduced profit. If workers are in a combative environment where they have to essentially fight against one another, then they'll spend time defending themselves or planning their own attacks instead of getting stuff done. Reduced profit. If workers are subject to too much work and burn out, expect them to have other health problems, therefore taking more time off and reducing productivity. Reduced profit. It's been known for as long as there have been workers who had a choice about whether to stay working for the company; it is the managers' responsibility to ensure that workers are in a good enough condition to continue doing work, and those who fail to do it usually see productivity slump.

Re: Classic techie mistake

Again, it doesn't help against anyone else. If he could do it, anyone else could do it. If he was going to do anything dangerous, he'd have done it before, or instead of, telling someone about the problem. It's missing the point and badly to think about sacking him; either you don't care enough about the stuff in the safes to go to the expense of updating the locks in which case you can ignore the problem, or you do in which case your attack landscape is anyone and everyone who could conceivably get to the safes. It sounds like they completely ignored this, and given that their project was being spied on by Soviet agents which they'd rather not have know the information, they probably should have put some thought into it.

Re: They can't fix it, but I know a man that can..

Welcome to the world of used devices. When you go online and buy a used device, it's usually not from the manufacturer. It's from some user who may or may not have damaged the device, meaning you know you're entering the realm of possibly extensive damage. The same is true if you buy from these recyclers or if you buy from someone random who lives near you; there's always the chance that what they call "lightly used" means "only dropped on concrete three or four times". For this reason, I rarely if ever buy used devices that I think are likely to have become damaged, phones among them. When buying other used devices, I require that I get to test things before payment. Those who choose to enter this market know what they're getting into. I have no reason to believe that the phones sold this time were any worse than the average user-sold used device.

That said, it is still a breech of Apple's contract, which is a legal contract. I would prefer that the contract didn't get made, but it was. I'm not saying here that what the recycler's employees did was right or that they should get away with it without consequence.

Re: Not any more..

This assumes that ARM is going to be critical to all OSes in the future. Given that the public doesn't know what ARM is, that's a hard point to prove. Intel's problems in speeding up their chips are well-known, but AMD has succeeded in producing X64 chips with a smaller lithography and they're starting to get into the low-power space. Meanwhile, Intel still has a bunch of cash to throw at their problems.

ARM has several benefits, but one that hasn't been seen often is performance for large use cases. Existing ARM-powered computers usually take the form either of less powerful but cheaper (things like the PineBook Pro, the long-lived battery Windows on ARM machines, or ARM Chromebooks) or lots of cores for lots of parallel operations (every ARM-based server). Apple will probably be one of the first to produce consumer-level machines that aren't one of these two, but just because they can do it doesn't mean anyone else has a need to do so to stay current; if Apple's chips manage to produce the needed speed, it won't stop AMD's ones from doing so too. Unless you expect AMD and Intel to hit limits which just don't apply to ARM, why does it matter which companies switch to it? If you do predict a limit like this, what causes that limit and why?

Re: a button that covers the webcam

If it can be disabled by physically covering it, then there's no way for it to get activated if I have closed it. That means someone can't spy on me through it, either by finding a sneaky way to disable a light, by there not being a light, or by my not noticing the light. Same reason some people really like physical killswitches for some components; we're paranoid people but at least with those we have complete confidence.

Re: When will I get what I want?

I don't think all the features you mention are incompatible with a feature phone of today. If "keyboard" means "qwerty keyboard", it could be for sending SMS messages. The 4G or 5G could be for a tether connection. Bluetooth for an audio device. Admittedly, asking for Linux or Android is a little hard to understand; if they wanted something like the Motorola StarTac they shouldn't expect an OS that lets users develop and run sophisticated applications. It doesn't really matter though because, if the feature phones using a basic OS and primarily targeting 2G networks are insufficient, the lowest-end option with 4G connectivity is going to have that functionality anyway.

It really comes down to what tasks other than placing calls and messages are important. I really appreciate having things like navigation, meaning I need a smartphone with the kind of processing and internal storage that requires. If someone only wants some basic apps, a feature phone of today may actually have similar sets of features as a PDA of a decade ago.

Re: Hmm...

Mostly correct, but this is not always the case. The perfect example of this is a hypervisor. The program it runs is specifically another operating system, but the purpose of the hypervisor is to provide resources for the program and restrict it from affecting things that aren't in its virtual environment. Or, at a different level, operating systems for embedded devices often run one program but still restrict it from doing certain things. For example, an OS I'm using for a small device handles Bluetooth for the application running on it, and so as much as the program that is loaded may want to modify the memory reserved for Bluetooth protocol operations, the OS will not permit it to do so (at the moment, it alerts the developer on its own, kills the program, and loads another one allowing a debugger to be attached).