Posts by doublelayer

Re: "has violated our data security policies by leaking confidential Dutch audio data."

It's worth knowing that Google doesn't only give this data to their employees. If you've used recaptcha, it also has an audio version for those who cannot see the images or for those who are fed up with the stupid image tests. The audio version plays a snippet and asks the user to write down what the audio said. I think some of the clips are taken from random youtube ads, but others have the distinct sound of phone calls or basic microphones recording in rooms not designed for recording, and from the distribution, it's clear that this is not intentional degradation of sound to make the captcha harder. I have yet to hear anything sensitive because I don't do captchas that frequently and they only do a few words, but I do distinctly remember the one that came from a phone call and said "is at 9:00 tomorrow morning", so I really hope the first part of that sentence wasn't in the system in case it said what that person would be doing at that time.

Re: Mozilla

I would suggest that DNS requests be sent to an internal DNS proxy (if you have internal names, that's already there), which can do the HTTPS stuff recursively from there. Failing that, you could send all requests to that as primary, configure it to only know internal DNS addresses, and have the HTTPS address as secondary.

When using DoH, you have to contend with the possible issue of the trustworthiness of the DNS server, but it is not at all required that CloudFlare or Google be used. DoH could be set up by any existing DNS server with relatively little effort. I've taken a look at a basic implementation of a DoH server. I'm planning to set it up on one of my servers to see exactly how difficult it is, but it doesn't look like it will take very long.

Re: Mozilla

In addition to the pier-to-pier problems mentioned above, there are some other problems you might see with that. Depending on cache policies and the definition for "recent" you're using, that could break various things, as many devices maintain their own caches and contact later. It could also be problematic in various less common but still existing situations, for example when a new remote server is spun up and is accessible only by its IP as a DNS name has not been assigned to it yet, or applications that contact their own remote services, as those might have addresses outside of DNS (for example, some programs with group usage, especially games, list servers on their own main system without using DNS).

Re: DNS problem only?

The DNS in question would be the internal one for the company, for example instructing the actual public systems that the hostname could be found on a given internal system, and thus allowing a tunnel into the network to be created when that wasn't really desired. The other option is that some DHCP or static routing misconfiguration reassigned the server to a public IP and nobody noticed because DNS still resolved the hostname properly.

I have to say, though this isn't exactly on topic, that this is pretty much the only thing I'll miss when IPV6 takes over. It's nice to have specific IP ranges that won't be available publicly. Yes, I know that I can run an IPV4 network and NAT out to an IPV6 one, and that I should be firewalling anyway, but private space is nice because I know that, should the firewall be misconfigured, unsolicited traffic still won't be able to reach the server because the address can't be routed to.

My guess is that they brought in some external people at high rates to do it (probably getting them in a rush, too), and that those people took it upon themselves to spend extra money, such as paying for someone to recover data from the hard drives in the mac on the theory that some data might be on that but not yet in the backup. Add in some money for lost productivity and fifty thousand sounds more normal, if still a bit inflated.

Plenty of small places have only one admin. Some very small places have no admin. I, for example, am a volunteer admin for a charity near me. Other than me, they have nobody, outsourced or not. When I arrived, their server was running on the "it better not fall over because nobody knows what it does or how its configured or the login password" paradigm. So it isn't that unusual to have only one admin, or at least one admin who manages all the systems with lower-level admins who do specific systems or systems in specific places. And I could destroy all this place's data in about five minutes should it turn out that I'm evil.

Re: "the Pi is not a toy but increasing used for serious jobs"

"If you buy and use something designed for a different use, especially if you do just because it's the cheapest around, and you have issues, it's just your fault."

They're not buying it for a "different use [case]". The pi is meant to be a computer with the specified interfaces, and they're buying it to use the computing with those interfaces. It is failing to properly do one of the things it said it would, namely receive power from a USB C connection.

In addition, you're not at fault if a product fails to do something it said it would. The designers or manufacturers or sometimes plain bad luck are at fault. If you still subscribe to this policy, I'm pleased to inform you that I've just started a business. If you have a task you want to perform, send me a message detailing what you're doing and what tech you would be using for that purpose. Our business will happily sell you technology with the same feature set for twice as much. You don't want to buy our solution for twice as much? Well fine, but just remember that if the one you buy doesn't work for some reason including a design flaw, it's all your fault because you decided to buy a cheaper product.

Re: Just the cost of doing business

If you're referring to the California Consumer Privacy Act, that doesn't take effect until 2020, so California can't impose any penalties based on that law for this breach. By 2020, I'm sure the various amendments proposed by the many definitely consumer-oriented organizations founded just after the CCPA was passed because some consumers in Mountainview and Menlo Park were just that interested will have been installed in the law and it won't have any effect then either.

Re: China's not England

"Its really just an upgrade of the traditional PC Plod who knows everyone on his beat"

It isn't and I at least wouldn't want that either. Facial recognition isn't a police officer seeing a person and going "That guy is typically here". It's a system that records my presence, possibly reports me as someone I'm not, then keeps my picture on file and cross-lists it with any other pictures from other places and other times, because they've said they're not going to erase any of this data. That's not what a normal police officer does. In fact, a normal police officer shouldn't spend a lot of time identifying unfamiliar people anyway because sometimes we people visit places we don't frequent, and we're perfectly within our rights to do that.

Now let's deal with your contention that this is just an upgrade of the previous role of a police officer. I don't want my police officers upgraded. We've spent a long time trying to give police enough power to stop crime without giving them enough power to harm citizens' rights. There are lots of ways we could "upgrade" the capabilities of a police officer. Let's start with the easy stuff: remove the pesky requirement to get warrants before searching places. That will speed things up dramatically. It will probably also increase the number of criminals arrested, because there are a few people who find out a warrant is being sought and destroy the evidence before the officer gets there. There would actually be some benefits to removing the warrant requirement. The only problem being that WE NEED WARRANTS TO PROTECT PRIVACY! We need a lot of these restrictions on police activity to protect privacy. Without them, the police become a much too powerful institution, prone to massive corruption and criminal activity in their own right. That's a profound downgrade, and we should not let it happen.

Re: Decisions, Decisions...

I "can't blame states" for wanting to control the internet traffic going through them in the interest of state security? I bloody well can, my friend. It's wrong by nearly every metric. It's censorship, violations of privacy, in itself breaks several human rights laws, and opens the doors to many more intense violations typically characteristic of dictatorships. Every country that does that, whether their control is just watching the traffic, blocking traffic, or manipulating traffic, gets as much blame as I can dish out. China, blame. U.S., blame. Russia, blame. U.K., blame. The sooner they cut it out, the better. To the extent I can, I intend to support movements that result in the cutting out of this unjust and completely blameworthy activity.

Re: Lake City IT boss fired for ransomware payment

The story and videos (if watching these, expect to see about ten video ads inserted), make it sound like this, but I'm not sure. It is possible that the insurance company made the decision, but it is also possible that the city made the decision and the insurance company simply covered part of the expense. If the decision was due to the IT person not wanting to do the work of a restore or not having taken backups responsibly while having the ability to do so, I would see firing them as a logical option. Oh, if anyone from Lake City IT is reading this, you're going to want to reimage anyway because ransomware can just sit there waiting for more data to be put in before locking again. Your television station didn't make it clear that you know that, so just to make sure...

Re: It's in its infancy, but it will improve

"Pushing back against facial recognition is a bit of a waste of time. [...] Where you need to concentrate the fight is things like generating spurious criminal charges arising from concealing your face. [...]"

I'm not sure whether to upvote you for your last point, downvote you for your first point, or just boggle at how your last point almost directly contradicts your first point. Facial recognition equipment is in the same category as charging people for not letting them use their facial recognition equipment on you. They're two sides of the same coin, yin and yang. Since we both agree that charging people for hiding their faces is wrong, let's look at the first point. Having that equipment allows them to do the same kind of tracking. It makes it impossible for citizens to have privacy unless they specifically try to, in which case they will be charged. It is not a thing we should just accept, because in addition to it actually being illegal according to current laws, it is so unpalatable to those who like human rights that it should be made even more illegal through additional legislation.

Your comment that "Facial recognition is what cops do so denying them the use of a machine that will help do this is just not going to work" is rubbish for two primary reasons. First, there are plenty of things that cops do, and we accept, but we don't want to extend their abilities. Cops search suspects' houses for incriminating information, when they have a warrant. We could extend this by not requiring a warrant, but we don't because we don't want the police to have that power. We only want them to search places when they have a warrant to do so. Second, facial recognition is not the primary job of a police officer. Even those officers who work directly in public and not, say, investigating existing crimes aren't there to look at everyone's face and determine if they have seen it on a list. They're there to identify crimes and safety risks and deal with them. In almost all cases, they have not seen the perpetrator before, but they still go after them. If the police said they were going to throw away this system and instead employ a bunch of officers whose job it was to go to everyone and stare at their face to identify whether it's on a list, I wouldn't be any happier.

Re: It's in its infancy, but it will improve

* You have a personal tracing device in your pocket RIGHT NOW (your phone).

With as much tracking turned off as I can, and if I was worried that people were actively tracking me with it, I'd leave it at home.

* You have listening devices in your home RIGHT NOW (Smart TV, digital assistant, games console...)

None of those. A few things have microphones and internet connections but I've set them up and know what they're doing. If I was worried that people were actively tracking me with them, I'd disconnect either the microphone or the connection.

* You have behaviour monitoring devices RIGHT NOW (activity tracker, internet connect fridge, home automation...)

None of those at the moment, but I once had an activity tracker that I gave away because I didn't use it. It monitored my heart rate during exercise, and could send it to my phone but I never enabled that. So it was a tracker whose tracking data only went to me, and it lacked the technical ability to report on me. If I was worried that people were actively tracking me with it, somehow circumventing the limitations of the device making this impossible, I'd leave it behind.

* You are using facial recognition RIGHT NOW (Facebook, Windows, Apple...)

None of those. I prefer passwords to log into my computer, and no Facebook account. If I did use a facial recognition system, I'd do so in such a way that the recognition was done using local processing on local data only.

* You are happy to be tracked RIGHT NOW (advertising)

I am not happy. That's why I have ad blockers, tracker blockers, and a DNS filter. Even that is tracking for economic purposes, not complete surveillance, so is not as bad an abuse as what has been considered (and done already) by governments.

Re: Help with "Innovative Solutions"

You may be happy for the Chinese to use your data, but maybe you'll change your mind when you figure out that they can use your data to help improve the technology they use to commit massive human rights abuses on someone else. Consider this (audio), for example. That's what they can use data for, and it can come here once they've perfected it and on the way used it to imprison and kill thousands and eventually millions of innocent people. Are you still fine with it?

Re: A new OS from Google

Of course there is. I have to write a C compiler that's capable of handling every aspect of modern C because somewhere in its massive codebase, Google has definitely used all the things you never think about, oh and also I'll need a C++ compiler too while I'm at it. I also have to write a compiler for dart, go, and rust. However, I'm not worried that they're really compromising the toolchain. I don't actually need the compiled to differ from the source to be worried (though I think it will happen).

First, there will be a bunch of blobs that need to be added to the kernel to get it to do anything. Any or all of these might harbor any malicious functionality, just like now. There is not a good way to avoid that. I'm sure critical functionality will not be available in the open components, and Google will have nicely built all of that in a closed-source component. After a few years, someone will build an open source replacement for it that kind of works a little bit on some apps but you'll have to compile it yourself, root the device, and do some assorted hacking to actually replace it and also it will break a lot. In addition, without the requirement from GPL to release any changes as open source, manufacturers and mobile providers are free to do the same thing to the kernel that they have been doing to the layers above it. Can I say no thanks?

I don't think Fuchsia will be much worse than Android in the sense that consumer devices will contain a similar amount of spyware and irritating or potentially unwanted bits, it will be difficult to impossible to remove or even disable them depending on device model, and very few people would even try. However, given the choice, I would see Android as much better because we already have years of experience getting around some of this. We have Lineage OS, which, for all its flaws and limited device support, is a trustworthy OS that can actually run on a relatively large assortment of devices. At best, Fuchsia means a return to square one to do all this again. But it could be far, far worse.

Re: @heyrick - Sounds like a bored dev is trying to make a name for himself

If you buy something with terms that say you now own that thing and the original owner agrees, then you own the thing. After that, it's your thing to use as you see fit unless you choose to sell or give it to someone else. For example, Apple wanted a new OS in the late 1990s, so they looked around to find someone who had an OS, which they found. They then bought that one and used it to make OS X. Before Apple bought it, it was the work and property of NeXT and it was nothing to do with Apple. After Apple bought it, it was the work of NeXT and the property of Apple, and after pretty much the same engineers who worked on it at NeXT did some work on it for Apple, it was the work of Apple. If I write some code and then you join my team and we both work on it, the final product is the result of both of our endeavors and we both get the credit. If you pay me to join my team, I still get credit if I did stuff. If you pay me for the rights to the software I had a lot of credit for with the clear idea that you get the IP and rights to sell, then you can decide how it will be sold, including what the price will be, how you'll advertise it, and what name you use.

Re: 'Why would anybody notice, particularly?'

I wonder though. It's true that an announcement of an IPV4 block gets reported immediately, but what if I did something like this and announced (we're presuming I have the ability to announce and be taken seriously) a new route for a /2 block, which is around the same size as this block? Once again, almost everyone has a more specific route taking them to the various parts of the network, and completely skips what I said. I think it would be noticed a bit faster, but I doubt there would be "discussion on social media within minutes" because it wouldn't break much. The reason the more typical reroutings do get announced so quickly is that either people start noticing the traffic taking a long time and check the route or the new announcement isn't paired with an ability to actually get to the resource meaning things are obviously broken. If my announcement gets ignored, someone has to notice the anomaly manually and deal with it at that point.

Or that one that is about five meters long because USB works great at those lengths. No, I don't know where it came from. It kind of works, so I keep not throwing it away in case I finally find a use case for it, the same way I keep various other completely working things that don't require anything strange to operate but I don't have any conceivable use for.

Re: "airborne splinters of razor-sharp shards of metal"

I typically remove the screws to reveal the platters, then simply wedge my screwdriver under the platters and give a sharp yank upward. The platters don't survive many of those, though I recommend enclosing the drive in a bag before doing so to prevent the need for aggressive vacuuming.