Posts by doublelayer

Re: Who in there right mind would...

Usually, someone without a lot of extra space, such as someone on an old 1970s-era computer. I don't know what the disk situation was like on that, but I'm guessing it was not easy to find twice the disk space to make a backup of the database file and that, if you did, it would take quite a long time to make the copy. Now depending on the size of the file, it's possible they could have made an extra external backup onto other media, but that also might have taken a while. When faced with a situation so seemingly easy (a single SQL statement does it in modern times) with a backup requiring nontrivial effort, someone might trust their intuition for proper coding, which probably worked just fine the last hundred times. Then uh-oh.

Re: Why do us customers bother?

It didn't, but nor is the AMD64 architecture responsible for Intel's many failings. It's not the architecture, but the design. I believe the original post here is responding to comments of the type praising the benefits of ARM when Intel security vulnerabilities are discovered. Those comments, while technically correct in the sense that ARM is not the same as Intel, are making two large mistakes. First, they make an apples-to-oranges comparison between Intel's design and ARM's architecture. Second, they ignore the possibility that an ARM manufacturer might do a similar thing. I interpreted the original post as pointing out these errors and cautioning the writers of such comments that nothing is foolproof.

Re: Or more likely ...

Really? Amazon offers advertisements too. They want to sell things, but they don't care whose things they're selling as long as they don't make one of the items concerned. In order to get you to buy all those things, they need to advertise items to you, meaning data collection, and in order to maximize their profit, their advertising arm will be happy to sell that opportunity to the most motivated merchant. Your description of Google's usage of the data applies to Amazon in every particular. You may have underestimated their appetite for data or how they will be using it.

Re: Do end users have standing to sue over this?

That may be, but although we knew it was very likely, I don't think we had proof that Google had that level of spyware in their code. It would make sense that they did given their previous attitude toward our privacy, but it's also not a very useful method of violating our rights. If their code does provide them enough information to identify apps to compete with and tactics to use when doing so, it also offers the proof of what we assumed. Given that proof, it's time to use it to attack Google for their privacy problems from all fronts.

"It's the attitude towards the person they have asked to fix the problem that matters."

A thousand times this. I have no objection fixing things for my friends or family, even if it's an annoying problem and it's all a result of their actions. I may get a little annoyed if it takes hours to fix it, but my grumpiness is directed at the machine, not the user. That is, I don't have a problem fixing that if they understand that my efforts are helpful and they are benefiting from my work. It's when they complain about my help when I consider saying "not my problem". For example, when I need something from them to finish my recovery and they just don't want to provide that right now because they're doing something else on their weekend, I consider informing them that I too have some ways to spend a weekend so maybe they can find someone else who doesn't mind performing IT work for free. If someone requesting help doesn't do that, they usually get dedicated assistance from me.

Re: Victim shaming

"As for victims the way I see it (my view) is that the victims are the ones who lost money and the people who had their accounts hacked."

You are correct, they are. There are a few crimes with which this could be pursued:

Obtaining access to a computer system without permission: Victim is Twitter.

Accessing protected data without authorization: Victim is account holder.

Theft and fraud: Victim is person who submitted bitcoin.

So all of these crimes can be pursued, including by other countries. The one currently being discussed most by law enforcement is the first one, so that's why the U.S. has gotten into it. That doesn't stop other countries requesting to charge the perpetrators on the others though. Probably the reason for the first crime to receive more attention is the value of the crime; the damage to Twitter is valued highly, while individual victims who lost some money is a smaller thing. I would expect that to also get handled in the upcoming trials though.

Re: other excel woes

"Still no easy way to cycle thru sheets via keyboard (hint CTRL-TAB would be nice)"

In mine, CTRL with page up and down does that. it isn't great if you're at one edge and want to go to the other one, but otherwise it's pretty useful. Maybe that will work for your situation?

Re: Human Rights

"Does China have greater surveillance of its citizens than the USA? I very much doubt that it does overall."

You may think this, but that is incorrect. China really cares about surveillance, and they have it in spades. They have software to track communications over phone or internet. Software to monitor movements using vehicles, and increasingly pervasive camera surveillance with some of the best facial recognition technology. But these only cover the cities, right? Wrong. They cover a lot of the area, and they link people based on any metrics they need. When they decided to repress a group that was annoying them, they rapidly expanded their surveillance to cover the Xinjiang province and areas near it in other provinces. But you had another point to make:

"Far more Chinese citizens live in extremely rural areas where there is no CCTV, just for starters."

Nope. Those areas are indeed poor, without many of the nice conveniences for life which also make surveillance easier. Want to know what they still have? They have cameras. There's another reason for this. China has had a long history of trying to keep tabs on their population. Going back to the 1950s, it was critical to know who was doing what. Back then, cameras weren't really an option, but a strict hierarchy of power and responsibility was. China built that. Now, they can use technology to support it, but they still have that hierarchy. Part of that is responsibility to watch people for certain activities and know things about them. It's inefficient, but it works.

Countries like ours are dangerously willing to surveil us. They have powers that we need to curtail. They have been taking advantage of anything they can think of to increase their capacity. But we can still do things that China has prevented. A lot of the reason for that is that our countries don't use their surveillance powers against us very often. China is better at it because they use it all the time, while our countries may have the capability but by leaving it unused they don't have as much ongoing data.

Our governments may be interested in ideas like a social credit score, automatic checkpoints requiring constant confirmation of a person's identity and status, or elimination of encryption, but it is China that has already successfully implemented them.

Re: There's more..

But in order to make that decision, we have to ask why those professions get those privacy benefits. Lawyers make sense, since they are ostensibly the protection layer between people and their accusers. How about doctors? Why do they get that protection? According to this article on the subject, it's designed to ensure that patients tell medical professionals enough information that they are treated properly. On that basis, you can make an argument that security testing is similar to medical--they are also ensuring that the person or organization who is using their services is healthy, and you can draw coherent though tenuous connections between tasks performed by security testers and doctors. The argument isn't the easiest to make, but in my opinion the argument for medical privilege isn't particularly convincing either.

Re: Why make keyboards

If you're looking for somewhere where it's really hard to find electronics and the road is a day's walk away, Japan might not be it. Japanese is spoken elsewhere, but not so much that you'd expect to stock many Japanese keyboards for the general public there. If they want to create keyboards for languages that aren't well represented at the moment, maybe they should focus on those which haven't been well-established in computing for five decades. There are languages covering millions that fit that bill.

Re: Disabled person

Are you willing to build the system yourself? There are a few things you can do to get that working. Various projects exist allowing a Raspberry Pi to relay audio to such a service, so you just have to replace the recognition on their servers with recognition running locally (CMU Sphinx has proven to be an effective library for me). Of course, you then have to provide your own list of commands and actions to take when commands are heard, so it's not labor-free.

There are also some open voice assistants that run using local software. I've seen types that use a Pi as the brain, which are more open and configurable but sometimes less powerful. This one is probably the most famous, but I have never used it and I don't know whether it's capable of everything you want. I've seen others that use an Android device to power them because by doing so they can use Google's dictation function (requires an additional download but then can recognize offline) instead of building that themselves. That would also work, but initial configuration or recovery should the host device shut down isn't as straightforward as with a Pi. If you want to investigate those options, try searching for voice assistants on FDroid or Github. If you set up either option with a speaker of high enough quality, this should work.

"My God, if they're spooks then they ought to be about paranoid enough to only use a crappy little GSM type phone while at work."

Antiespionage report, section 12: mobile device usage among clearance candidates

Most candidates for this position are using off-the-shelf smartphones. They will be treated with normal scrutiny. Four candidates are using phones without smartphone capability. Two of these are old and are using old devices. While it will be assumed that these people dislike smartphones, these candidates will still be treated with elevated scrutiny. The remaining two are using newer devices without that functionality and will be treated with severe scrutiny. Two candidates are using atypical smartphones, namely candidate 280 is running a Linux-based mobile OS on a device from Pine64, a known provider of secure devices for technical users and candidate 393 is using Lineage OS, a variant of Android with additional privacy features. Candidate 393 will be subject to severe scrutiny. Candidate 280 will be denied clearance and will be further investigated for potential criminal tendencies.

Sometimes, if you want to blend in, you have to do things that everyone else is doing even when you don't want to or they're dangerous for your attempt.

The Pro iMacs have Xeons. All of them are Xeons. The article says this.

Not voting on either comment, but in my case, I don't want that. My case protects the screen, but it doesn't cover it. It protects it by going over the sides, so if the phone falls onto its screen, the case keeps the screen from touching the ground. That combined with a cheap protector over the screen and not dropping it very hard has served me well so far. The case also goes around to cover other sides so it can absorb some shocks from a fall in any direction.

Meanwhile, a case that does cover the screen either makes me use the device with an annoying hanging component or causes me to remove the device more often to avoid the cover element getting in the way. I may want to hold the phone to my ear or have it positioned in various ways in front of me, and something that doubles its area doesn't help in those cases.

Re: Good move

Not as many as you think. For one thing, family names are common but there are still a lot of options for given names to increase the numbers. For another thing, this just plugs in on top of the existing tracking of IP addresses, meaning you don't care how many people with a certain name are in China, but how many people with that name live in each building. If you can track people by their address when they set up their account, you can do two things with that information. First, you can track them even if they move because you know for certain who it was who set up the account. Second, people aren't very original when thinking up usernames, so you can possibly identify people by names on other things that haven't complied with this policy.

Re: Global Internet

"Having assets in the EU is what gives the EU power. If they were not there and yet they could still provide services without the need for an EU ISP would it be as clear cut?"

The only way that would work is if they offered free internet as long as you get the hardware yourself. If they sell you the hardware, they operate in the EU. If they sell service, they likewise do so. To have the ability to do things like that means they would have to have at least some assets in that area, if only a warehouse full of satellite dishes and the account that people pay into before it's routed to the main account elsewhere. The EU could cease those resources if they needed to. The companies can do only so much to have nothing there, and if they do, there's less and less benefit they get from it.

Re: In re tracing cash...

True, but there can be logs of which serial numbers were placed into the ATM before they were printed. Especially when using newly manufactured banknotes, the stacks are consecutively numbered. This is useful to catch people working for the bank who see a large stack of cash and think of the potential to pick it up and run. Going in is another question. I don't think they OCR those bills most of the time, but there is a facility to do so elsewhere and it is done on occasion. Having never worked in that area, I don't know how the scanning is done when it is deemed necessary or how routine it is.

Re: The problems continue

"Pedantically, for something to be a "zero-day" it has to be actively exploited in the wild, before researchers discover it, or the provider is informed."

Even more pedantically, that's not it. The zero-day doesn't start counting up until there is a solution--something we know about and it's being used but there is no patch is still a zero-day. Now you may be correct about requiring an active exploit; the researcher claims that a zero-day exploit can be something that could be used but isn't yet known to be, while something that is known to be used is a zero-day attack. I'm not sure I buy that logic. Either way, if he is correct about these being exploitable and someone starts to exploit them while the Tor project hasn't accepted and patched them, they would become zero-days.

It may be, but unless there's someone else doing the real work on it to make sure it stays working, some of the students might get caught in the trap while it's still in operation. An environment through which students must submit work is a very important thing in education, and when it breaks there can be large problems.

I am young enough that I've used such systems during my own schooling, and two events of problematic failures come readily to mind. First, there was the time when the system simply refused to accept uploaded documents. Every week, starting around 10:00 in the morning and ending at midnight or possibly later. The homework was due at midnight. I don't know how many students were thrown by this, but I had to email my professor with the documents and promise to try again later and that the files would be identical (fortunately this was accepted). The second time concerned a system for automatically detecting plagiarism which reported, on our class's final papers, nearly universal plagiarism. In fact, we had all committed exactly the crimes of which it was accusing us, namely we had copied, with only slight modifications, large chunks of other documents. Those other documents were our drafts for the same paper, which also got submitted into this system's big database. Worryingly, it seemed we had also plagiarized smaller sections from certain works which all seemed to be between quotation marks. Funnily enough, I don't remember that system being used for many other courses.

From the reports, it sounds like it's only LAN-accessible unless the user has done something really stupid. Still, there are too many ways of getting LAN access and too many worrisome ways of exploiting root access to the network device, so it's still important.

Re: Flash is dying, why not e-mail?

That is true, but unfortunately most of those things are worse. Email may have too many security problems to count, but you can pretty much guarantee that an email sent from one place will get to another one, and if it doesn't there are only a few reasons for it. More modern communication apps require a lot more configuration. Ones designed for companies often make it hard to communicate out of the company. Those designed by big companies require sending unencrypted data through their centralized system. Those designed by hardware manufacturers lock you in. And some others require phone numbers or email addresses and essentially provide an overlay; while the features are good, you still need the other mechanism for that one to work. Email and to a lesser extent phone calls and SMS are global and compatible. Most other things aren't.

Re: I'm a bit confused by this.

Because the code is developed in the U.S., meaning that they're not allowed to supply it, even indirectly, through any entities they control or which control them, or through an independent entity which they know will be used to violate the sanctions. If they do, they can be penalized by the American government for trying to break their regulations, which is investigated on a when-they-want-to basis. This means that Google would be handing ammunition to cause them problems to any U.S. administration which has some reason not to like them.

Re: Why I love the Right to be Forgotten

Google is not allowed to collect and store such information from other parts of the law. The fact that the right to be forgotten had to be enacted as a separate section, rather than coming organically from other sections, clearly indicates that it is a separate thing. Among some of the details that make this different is the fact that Google's database does not specifically say any of this; it simply knows that a certain page happens to contain those words; the entry for a page stating "Person X declared bankruptcy", "Person X presided over a hearing for declared bankruptcy", and "Person X fought against creditors who declared bankruptcy" look rather similar. In addition, if they are required to remove access to the page, they are not required to remove it from the database. In fact, they are required to put it in another database so they know not to link to it. The parts of GDPR regulating personal information would have required deletion, which this does not.

And there you have the problem. If you know you will always be working from home, you would probably enjoy doing exactly that. If you knew you would be coming back in six months, you could try to liberate yourself from your agreement to rent and find somewhere nicer to be for those six months. If your workplace might bring people back, but nobody knows when or whether, then you don't have as much freedom. And the worst possible outcome: your workplace might bring people back and hasn't committed to a specific time by which you have to return. Google has done a good thing here just by giving a date well into the future. People can actually make some decisions based on this without fearing that they'll have to cancel plans at short notice.

Re: Bazaar?

Yes, but given that the sentiment, phrasing, and timing was so similar between the posts, I figured it was likely. Especially as the idea was both wrong and rather unrelated--after all, Apple doesn't make devices like this, so they're not that relevant to the discussion.

Re: "Slapping a "Personal Edition" label on a product implies..."

"Sorry, there are sentences like "Slapping a "Personal Edition" label on a product implies you can only use it for personal use, which would be against the license." which are utterly wrong."

Maybe you would accept it if rearranged. Here's what I think it is trying to say:

If a project said that you can only use it for personal use, that would be against the license. Slapping a "Personal Edition" label on a product implies but does not really mean that.

The sentence occurring immediately after the one you quoted makes it clear that they understand that the implication is not true. They are not claiming license violations. They are claiming user confusion.

Re: Did he not

Comment was written somewhat tongue-in-cheek, hence things like claiming he knew what he was doing and recommending that criminals pay attention to environmental considerations. However, it is good security practice to erase disks even when discarding the hardware, so I only had to joke about what his intentions were, not what is a good idea.

Re: Sitting Ducks

Exactly. If you can have enough weapons to be able to take out satellites with a 12-24 hour lead time, that's pretty good. Preparing a ground-based attack might be able to go faster if you rush things, but it's not markedly so. Also, if you attack a satellite from something near it, you can do so in such a way that relatively little damage is caused to other things. If you have to fire your offensive weapon from the surface, you don't have as many options--either you launch what is effectively what you could launch already, or you go for a blast it to pieces approach. If you do blast it to pieces, there's always the chance you might damage something you didn't intend to damage, either causing problems for you or angering someone who was formerly neutral. Even if you still think surface-based attacks are useful, it doesn't hurt to have both options available. If you can stand to wait a few hours, use your orbiting disassemblers. If you can't, bring out the big laser.