Posts by doublelayer

Re: Sick companies self identify

Those are bad, but another style gives them a run for their most disorganized title, which is companies in which one person or group is responsible for each specific technical area, and no person or group is responsible for more than two of them. If a real technical problem exists, so much time is wasted by the group who got asked about it with the group that should be doing it and the group who knows necessary information to do it that nothing happens. Meanwhile, when one group tries to do something that may be somewhat connected to the things they should do, they run into situations known by a different team but not properly documented, or otherwise properly documented on one of these sheets of paper in the big filing cabinet, and break something. At least somewhat ironically, this structure is usually created under the idea that the systems people should be more organized into specific groups.

Re: Chromium next

They don't have to do that. They control the core, so they can keep adding things to it that are difficult to rip out of the code, and enforce their control that way. That means that some other browsers will, by using chromium, be forced to choose to stay with an old and insecure version, fork and reimplement all of that, or run Google code without protection.

Re: My 3 steps to avoiding robocalls.

No, what they should do is continue to allow a phone number to be sent as an identifier and a callback, but have that be a secondary one. Kind of like how an email can be sent from one account but have a reply to address for a different mailbox. Blocking would be done on the real number, which would always be sent. Caller ID would start with the real number, and if it wasn't found, continue on the stated number. That way:

If a company owns a block of numbers and sends the main one no matter who calls, the company name appears on caller ID, and the company can be blocked.

If I'm using a spoofing service to make a VOIP call from my number, it will show up as me, but clearly indicate that it's not my normal phone.

If someone else is making a call and spoofing my number, it will show up as me, but the number could still be blocked without blocking my real number, and it could also be tracked.

It is dangerous to allow impersonation of numbers without any detection.

Re: I bought my Nest thermostat before Google bought them

I have used windows devices for years and never had malware on them. Because I installed a very small subset of applications and I trusted them all. I have the same track record with android, Mac OS, IOS, and Linux. That doesn't make all of these the same level of security. The question is not "Have I had malware that I know of?" but "Is it easy for malware to get onto the devices, whether owned by me or someone else?". On that, Windows and Android have a worse track record. Maybe because of market share. Maybe because of bad design choices. Maybe because of specific malware authors. But the data is there.

Re: Isn't this "news" really an advert for the "security researcher" ?

Really? There are many security researchers, and they have to stay somewhere, especially if they're attending security conferences or going on holidays. If they do that enough, eventually one of them finds a camera. They're also more likely to look for one and have the skills to identify places where one could be. Why is it so unlikely in your mind?

Re: Top-posting makes sense unless you're reading your emails weirdly

I think you've described it well. Top posting is great when you've read the older emails, because you see the only thing you need to read, and have the old material below if you need to refer to something. Bottom posting is great when you need to read all of the material, because the order makes sense.

I would still prefer that, instead of forwarding me a chain or at least in addition, the sender succinctly describes why I'm getting it and the information that is the most relevant. Often, when I'm forwarded a message chain of more than three messages, at least two of them will be developing a misunderstanding and then clarifying the real situation, which doesn't help me at all.

How much of that do they have to do before you don't blame them? For example:

1. Them: I'd like to use WiFi. You: No. Their problem.

2. Them: You can run the software on your local machines, which would be a good test case. You: I'm not running unproven software on my machines. That's as bad as connecting your machine to our network. Still their problem?

3. Them: No problem, I have a cellular data connection. You: The building is a massive cell dead site. Have they got reasonable options left?

Yes, they should confirm this with you before they come, but they know you have a network, and they're there to demo something that needs it. They have some reason to expect that you will be able to see their demo. If they came without a machine and asked to borrow one of yours, that'd be very unreasonable. If they wanted you to give them access to an important network, that would also be unreasonable. If they just want an internet connection because the thing they're demoing needs one, it's kind of expected that you have the capacity to connect them and makes it pretty pointless to come do the demo if you won't agree to let them use a connection.

Re: Generations

I also think it depends a lot on the definition of "a new challenge". This sort of applies to me. Once I've reached a certain level of income, having even more, while useful, is not that important to me. If I am offered more for a job I will find deadly boring, I'll likely turn it down. However, that's not because I really want a bunch of new challenges thrown at me. I want to keep doing interesting things, with new challenges as applicable. I don't want this description to mark me as the person to whom all challenges should be brought just because I'll pay for lack of boredom. Maybe if they wrote these descriptions with actual words that have meanings, it might be more helpful*.

*Actually, it would still be junk. Carry on, then.

Re: Use biometric authentication on mobile phone apps ?

There's a lot of discussion of when biometrics can be used, with the "use biometrics everywhere" crowd and the "biometrics is only ever a username" crowd. The truth lies somewhere in the middle. You have to decide where the threat landscape is. If you're afraid that someone will be physically present, such as when police/a criminal have you and your mobile phone, biometrics are risky. If you will be targeted by an advanced group, then biometrics are too easy to forge and should not be used except as an additional security measure. When it's authentication over a network that you're worried about, biometrics offers the ability to ensure that people are present at a scanner you know before they can get in. If you are not worried that someone will break in but you don't want to have the thing open to access from anyone (E.G., a phone that doesn't contain anything sensitive), then biometrics can be a time-saving measure. It all depends on who might break in and how they'd do it.

Re: Do Apple

I'm not a downvoter, but I'll do a bit of education. MDM is an Apple feature. They built it. They almost by definition can't abuse it, because they set the rules for how it's used. Also, they don't use it. They built it for corporates, who do use it for internal devices. Apple doesn't make any apps that use MDM, and their OS doesn't need to because it already has such access. It's like saying "Does Google internally use their search engine to abuse users?", I.E. it's a crazy question that doesn't make any sense.

The other reason that you might be collecting downvotes is the typical charge that Apple is busy collecting user data. They don't collect that much data. They make a point of showing this to everyone, possibly because they like bragging. You can fault them for the bragging, but it is a bit annoying hearing people decry Apple for data harvesting when A) they don't do it all that much as large tech companies are concerned, B) you can turn a lot of their data collection stuff off and it stays off and you can prove it, and C) many of the alternatives are a lot worse on all these points. I don't know if that's what you're saying, or what people are thinking you are saying, but your post sounds a little like it might be.

Some guesses there, but this might be what's going on.

Re: 20 years...

Thanks for the broad insult to everyone here. Let me enlighten you on a bit of user behavior.

Here's how passwords usually go when the security policy you mention is instated. Minimum 10 characters, at least one number, both cases, and a symbol. Password changes every month and the algorithm checks against old passwords so you can't duplicate and thoroughly checks against the last one so you can't just change it slightly.

New employee: Uses password anC9@mlzcQ)AX;1mbz

One month in: Changes password to fjZv83na.1/f8a

Two months in: Changes to E8zvhan3oz&

Three months in: Changes to Fnoazlh92*

Four months in: Changes to Thisisthe12thsystemI'vehadtochangethison!

Five months in: Changes to: Gottiredtyping2$

Six months in: Changes to Authenticate0^

Changing passwords can be useful, but forcing people to change them so frequently means that many will degrade the entropy of their password because why bother memorizing a long string of random characters when the information will be useless in a month? It will become obsolete faster for an attacker, but the attacker can gain access to systems and install back doors that do not need a password, so expiring credentials doesn't always help. Meanwhile, users use less random passwords that can be broken more easily, meaning you have a higher likelihood of getting an attacker. Also, the users are less happy.

Re: Domain names are all pointless

"Ok sure maybe there are some security implications to my new system"

We need to talk about this. After this, I hope you have some extra time because I've got to learn the art of the understatement from you. But first, let's discuss the actual security implications of this. There are a lot of them. Whenever data is hidden from users, it becomes easy to make that data they never get to see contain the important part. It's hard to identify domains that are owned by the actual company apart from those registered by scammers with a bit of forethought. How will that change when domains are random sets of characters? Do I need to answer that?

Also, how useful will it be when I suggest you try out a new system by having to say "Well, I suppose if you do a search on [the site name] or you could always go to fa8enozvl3mz90vnae.airforce". Maybe a little harder for you to remember, no? And easier for you to get wrong, yes? And much easier for a scammer to register a bunch of things and SEO them into your search so you will get it wrong and won't be able to find out until it's much later than it should be, yes?

And even without the many security problems, and we've only scratched the tip of the iceberg on that, this system would require another layer of resolution services. Another set of servers. Another DNS query and some extra delay on actually connecting. An extra series of organizations running the thing with entirely unproven trustworthiness. Another layer of power that could make mistakes. Another layer that a user needs to administrate or stick with the OS default.

This idea is very bad. I know it doesn't compare to your understatement, but I'm working on it.

Re: Don't want it

People can't design edge-only sites without having a lot of problems. They could do that with IE because IE had its own rendering engine that could be changed to produce different functionality than other browsers and the spec. Microsoft just took someone else's rendering engine. It can't really do that anymore. A site that works on edge will also work on any chromium browser, and because firefox/gecko supports most of the frameworks chromium does, it'll work well in that too. Of course, a bad designer can break this, but it's a lot easier to do a chrome-only site than it is to do an edge-only one.

Re: Doesn't compute

I'm not downvoting, but I think this is not correct. Metadata describes some other piece of data, meaning that if you have a piece of data, any data that describes it would instead be metadata. If my data is a file, then the file size would count as metadata. If all my data is is the expression of a file's size, then its unit would be metadata. I think the definition of metadata specifically depends on the data involved.

On the point of surveillance, I don't think the argument should be "The stuff being collected isn't metadata; it's data", but instead "The stuff being collected is sensitive metadata about calls that should not be collected".

Re: Giving up nuclear weapons? Not likely

You are probably correct, but there are other examples. South Africa gave up their relatively small nuclear program and had all their weapons and manufacturing facilities dismantled with international oversight, and some countries have chosen to reduce their stockpiles, although not to zero. Not that this proves anything, but the history is interesting.

Re: Fixing a problem that doesn't exist

It's certainly pointless for me, but some people want it. They want a device that they can carry in a pocket but has the screen size of a tablet. They have reasons, and though I don't share them or even understand what the reasons are, they exist for some people to want the device. If they want it and a company can build it, it seems useless to complain about its existence. Just join with me and don't buy it. Of course, this all hinges (pun originally not intended) on the companies' ability to actually make the thing so it has some semblance of a lifetime.

Re: Two screens with an infinitesimally-precise and tiny mating junction

That has some advantages, but runs into the problem that the gap has to be really small to not be noticed when held close to the user's face. When this happens at greater distances, it's more doable, but for a phone, you'd hear a lot of complaining about the phone with a line down its screen. I think that pretty much any way you build this, it's going to have some major problems at first. Admittedly, they might have done a little more to avoid the problems they have.

Re: Any blame on Hertz for not actually being in charge?

To be fair, the typical definition of IT would include a lot of things related to the website, such as where it is being run, where the database is, and what the spec would be, but the writing of the code that runs the site would probably not be a specifically IT thing. It mostly depends whether programmers and administrators are both lumped into IT or not. In most places I have seen, these groups are in different departments and simply connect. On that basis, it's not the IT department's fault if the programmers, in this case outsourced, fail to write the code properly.

Re: Who is Complaining?

If you read the article, it's kind of a lot of people in China who are being forced into this and a bunch of other people who did argue about this and are having their comments blocked or erased. They're getting a bit of support from some engineers at github, but not very much. The information was all there.

I am happy to work longer shifts than is the norm, and perhaps six-day weeks. I won't mind doing it, as long as:

1. It lasts for a short amount of time before things go back to normal (two weeks would be acceptable, a month under exceptional conditions, see point 4)

2. There is some direct benefit to me, I.E. being paid extra, additional vacation time, or receiving some other benefit, not the chance that this will be looked well upon and someone will demonstrate their gratitude later

3. There is some planning so I know when this is going to happen. Not that it has to be scheduled a year in advance, but don't come to me on Monday and just announce it

4. There is a real purpose. If something needs fixing or building quickly, that's fine. If two projects need to proceed and I really have to work on both of them, that's fine. If I'm doing my normal job but they want me to work extra hours for no good reason, that's not fine.

Re: And why...

I'm not supporting Apple's decision to do this, but it is not the same as what Google is doing and is not as clear-cut a competition issue. Consider this:

Apple doesn't let anyone else build things running IOS. Google does let other people make android devices. Google does not allow the manufacturers to change defaults if they are running the Google build of Android (they can change the UI, but could not make another search engine the default or decide not to include Google's apps). Manufacturers also can't make some devices with AOSP or other non-Google Android builds if they also want to have some devices with Google apps. So Apple restricts only the customers of their own products, whereas Google restricts the many phone manufacturers that have at least some Android products. If Apple had a massive market share, this would be a factor, but they do not have enough to be considered a risk to customers or competitors, while Android does. That's the major difference between the cases as the law is concerned.

You may say that Apple is still worse, as the consumer has less choice. However, that is a bit simplistic. Apple doesn't let the people who buy those devices make some decisions, while Google tries to eliminate the choice for all users of Android regardless of manufacturer. For example, the reason we can't get Lineage OS shipped on a device is because Google has prevented it. Decide on your own whether this difference is relevant to you, but at least you know why Google is being targeted and Apple is not, for now.

Re: The most dreaded word in IT...

"I have to give honorable mentions to "Uh-oh", "Ooh-kay", and the less brief but still terrifying "Hey [insert your name or nickname here], what do you do when it says..."

Re: Hmm...

With last year's revenue coming to $265.6 billion, it comes to about 01:09:16 of the revenue each month. Then again, this shows more about Apple's scale than it does for the cost of AWS or other cloud services. For the real numbers, we should track down statistics on how much they pay for Google Cloud and how much they paid up front and pay on an ongoing basis for their many datacenters, as they do have quite a bit running in house.

Re: Need better testing

They may tell you everything, but many of them don't really understand the thing you gave them. So as long as you choose ones with a less technical mindset, all they'll be able to say to someone after they've broken the device is "So it's like a phone, but not, but big and like two phones but only one sometimes but also two, and breaky and you can move it around and watch the lights". I think that, if you know enough to identify the children being used, you might know that much already about the product.

Re: Has someone external run the numbers

That is true about calculating exact market share, but it also means that each company can't really know the right numbers either. Each company may have a great deal of data about their own numbers, but they don't know the specifics for the opposition. That's why there are places that do third-party estimation of this type of thing for investors. I haven't seen if any of those have investigated this, but I would not be surprised to hear that they've been asked. If there is a report about this either already or shortly to be released, its contents will dramatically affect the prospects for this case.

Ah, but you see, they were sneaky with their adverbs. You would think that they meant them in the sense of internally abused or internally improperly accessed, but they meant internally accessed but only in a proper way (you probably don't want to know what Facebook considers proper ways to access data) and not abused internally. Should they want some abuse done with the data, they can get an external entity to do it. Adverbs are tricky.

Re: Don't Blame the Victim, But

"While they're at it, they might also do something about the more subtle attacks from USB sticks that allow malware infections."

And that would be? IF the USB does something at the hardware level like trying to fry the board, there are hardware solutions to that problem (although they aren't perfect and don't result in "completely impregnable"). If it does something at the software level, the OS has to respond to any threats. The problem is that the software-based USB threats aren't by their nature detectable as unusual. They represent themselves as various types of USB device, including input, storage, and network. But you can't eliminate any of those capabilities because people use legitimate versions of all of the above. You also can't prevent multiple devices from being connected to one port (which wouldn't even work to protect against most exploits but has been suggested before) because people use USB hubs and some devices have good reasons for showing themselves as multiple classes of device.

Re: It's time...

It should apply, but the GDPR enforcement people don't seem to actually be doing anything. One fine against Google for not all that much, and a few minor actions against minor companies. Haven't they had long enough to start investigating these places? How long do they need to do this?

Re: Extremely poor

That's ridiculous. Not only do Apple design a lot of the components, but they write all the software that runs on top of those. You can like, dislike, or feel a burning repulsion towards IOS, but if you're going to argue about which phone manufacturers copy a lot of stuff, you might not want to look at the android manufacturers that get all the chips from Qualcomm and all the OS from Google. They just design a case to put them in and write a launcher and a few apps nobody uses. I don't think it's fair to say they just copied someone else's work either; they chose the components they wanted and built a device out of them. It's how electronics work--this isn't art here, where using someone else's work shows that you lack imagination.