* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Apple bestows first hardware upgrades in years upon neglected iPad Mini and Air lines

doublelayer Silver badge

Re: Issues

1. Totally agree.

2. Sure, but that's not a surprise.

3. And the alternative is? I don't know of any tablet with interfaces (yes, you can get a cable to connect a small subset of USB devices to an Android tablet, but the iOS devices have one of those too and almost nobody uses either). What interfaces are there that Apple lacks and a comparable small tablet has? This isn't being compared to a laptop.

doublelayer Silver badge

Re: Slipping

A case costs very little, and offers a lot of advantages. The major advantage is that you can choose between them, for aesthetic, functional, or protection purposes. You need no special knowledge to choose one. If you want one and don't want to search, you can go to a shop and look at the shelf of case options, think for a minute, and pick one. The tablet works fine without a case, and isn't going to shatter immediately (although it's a tablet, so it's by no means well-constructed).

Meanwhile, there are reasons not to implement everyone's desired feature into the device itself. I don't want a rubberized phone. In my experience, it doesn't add much protection and does add a lot of pointless volume. It helps the device stay put and not slip, but I have a metal device that already doesn't slip very much. Meanwhile, I do want a case that will protect the device from damage should I accidentally drop it, so I bought one of those. Whatever additional feature you want, you can get the case that does that. There is a difference between making the device resilient enough not to break (every manufacturer should do that) and implementing a feature desired by a small subset of users and forcing it on everybody (no thank you).

Do Martians dream of electric Nimbys? Selling 5G needs steak, not just sizzle

doublelayer Silver badge

The Martians don't understand, then

I'm not excited about 5G at all. Let's discuss why, though. The main reason that the companies want it is because it increases speeds and capacity, clear wins for them, as customers will stop complaining for a bit about congestion. That's well and good, and I have no problem with it. However, it requires them to grab all the radio spectrum from the regulators again, which is kind of annoying, and it requires them to put a mast in many more places. I don't have sympathy for people who make up stories about nonexistent health problems, but there is a relatively good argument that a system that requires very close spacing of equipment to work properly may not be sufficiently engineered, especially given the large expanses of empty space where coverage is important, but 5G speeds are not.

You are right that speed is not an important thing. Unfortunately, you seem to believe that the upgrade in speed will cause the companies to start caring about other things. Why? They haven't changed anything else, and they can easily have the mindset that "We just provided you a massive speed boost. Why do you want anything else?". I'd be happier dealing with a trustworthy mobile company that hasn't provided the 5G speed boost than the kind we have now, even with increased speeds in urban areas. Among other reasons, I don't really need fast mobile traffic much of the time because I use WiFi for most connections and don't use high-speed applications on the data connection.

What I do need is coverage, an understandable plan and bill, and some freedom with my connection. For example, a connection that allows me to connect lines that aren't receiving much data most of the time without paying a massive premium for the capacity I don't use. 5G does very little for me, and even for those who need faster speeds, it is only a minor help. It's a nicely engineered solution to the problem that is not a big problem. Giving it credit for solving a problem that it hasn't solved yet and might not solve at all is making it overhyped.

What was that P word? Ah. Privacy. Yes, we'll think about privacy, says FCC mulling cellphone location data overhaul

doublelayer Silver badge

Re: Dealing with the tracking

So your first idea is to do something illegal to a government employee, for which you'd probably be imprisoned, while mine is to go to an entity whose purpose is to be able to enforce the rule that the enforcement agency has been ignoring? Imagine that. I don't relish the idea of going to court, but if it can't be used to protect the public in some cases, with lawyers as there must be, then what good is it?

doublelayer Silver badge

Dealing with the tracking

If there is a case for the class action lawsuit, surely it's this? The rules don't simply recommend against or ignore the issue of selling this data; it's against the rules. So couldn't both the mobile providers and the FCC be sued on behalf of every mobile customer? Hey lawyers, you like making a bunch of money from class actions that the class never sees? Here's your case. It's fine. Keep the money I'm owed for this. As long as you stop it, you deserve the money. Just make them pay you a lot for every victim.

College student with 'visions of writing super-cool scripts' almost wipes out faculty's entire system

doublelayer Silver badge

Re: I too have had that

Another way to do this wrong is to read out terminal commands to people. I remember one particular occasion rather well, when I was at university and helping a beginner student who had a disk quota problem. They had run out of space because their code had many segmentation faults and they hadn't been deleting the resulting core dumps. The problem was that we had a few tools that produced core dumps with different names, so "rm core.*" wouldn't necessarily get them all. So I started reading them a command "rm, then a space, then asterisk core dot asterisk". They didn't quite type that exactly as stated.

You probably know what happened next. I no longer read out terminal commands. I type them in myself or I'll write them down for you with a written notation to confirm before you run it. By the way, I did have extra rights and was able to recover a relatively new copy of their code from the grading system.

All good, leave it with you...? Chap is roped into tech support role for clueless customer

doublelayer Silver badge

Re: "This will only take a second..."

My method when I eventually became too tired to continue disinfecting the machine of a family member was to take their admin rights away. They really didn't complain too much. Then, they decided to upgrade from Windows 7 to 10, didn't like 10, and downgraded via the 7 install disk, creating many problems and incidentally creating a new admin account. I was called in to help them find their critical documents, and I made it clear that I would not be working on this computer anymore if they intended to continue using it like that.

What do sexy selfies, search warrants, tax files have in common? They've all been found on resold USB sticks

doublelayer Silver badge

Re: Ah, it was easier before they all had on board cpus

"I've been downvoted here before for pointing out that the flaw in USB that has it "believe" a device is what it says it is cannot be fixed and keep back compatibility. I'm still correct about that."

I didn't see this before and am not downvoting, but that point is somewhere between off the path and wrong. USB devices are what they say they are. A malicious device issuing keyboard commands is a keyboard. It needs to be identified as a keyboard in order to do keyboard things. It might be a physical keyboard with keys, a programmable keyboard, a dongle for a wireless keyboard, or a thing that issues key commands for a malicious purpose. In all cases, it is a keyboard. The computer does not err in trusting it when it says it is a keyboard. It errs when it doesn't ask for verification that the user intends to connect a keyboard. Of course, such verification can be difficult if that is the only input device available, so that is a thing to consider when trying to install a more restrictive policy. However, the "flaw" you have identified is a feature of USB that is required for the thing to be universal. The only way to change that is to have separate incompatible ports for each type of device (I'll vote against that).

doublelayer Silver badge

A good erasure tool: dd. For a typical disk, if=/dev/zero. For a disk that you a) want to sell and b) want to be very sure about*, do a zero pass, a random pass, a 1 pass, another random pass, and a final zero pass. Have fun getting through that.

*In reality, a disk that is old enough such that data can be realistically recovered after zero passing it without government-level hardware is probably not worth reselling. A disk that contains data so critical that you are worried that it might still be recovered after the multiple passes I suggested should be physically destroyed.
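The five-pass schedule from the comment above, written out as a POSIX shell script (an added example, not the commenter's code). The function names, the optional explicit size argument for block devices, and the final check that the last zero pass actually landed are assumptions of this example:

```shell
#!/bin/sh
# Added example, not from the original comment: the dd overwrite sequence
# the comment describes (zero, random, ones, random, zero) on a file or
# block device, followed by a check that the last pass left only 0x00 bytes.
# Function names and the optional explicit size argument are assumptions.
set -eu
export LC_ALL=C   # make tr and wc operate on raw bytes, not characters

# Emit an endless stream of the requested byte pattern.
byte_source() {
    case "$1" in
        zero)   cat /dev/zero ;;
        random) cat /dev/urandom ;;
        ones)   tr '\000' '\377' < /dev/zero ;;   # 0xFF bytes for the "1 pass"
        *)      echo "unknown pattern: $1" >&2; return 1 ;;
    esac
}

# Size of the target in bytes. wc -c is fine for a regular file; for a block
# device pass the size explicitly (e.g. from blockdev --getsize64), because
# reading the whole device just to count it would take as long as a pass.
target_size() {
    if [ -n "${2:-}" ]; then printf '%s\n' "$2"; else wc -c < "$1" | tr -d ' '; fi
}

# One overwrite pass: $1 = target, $2 = pattern, $3 = optional size in bytes.
wipe_pass() {
    case "$2" in zero|random|ones) ;; *) echo "unknown pattern: $2" >&2; return 1 ;; esac
    size=$(target_size "$1" "${3:-}")
    byte_source "$2" | head -c "$size" \
        | dd of="$1" bs=1024k conv=notrunc 2>/dev/null   # notrunc keeps a file's length
    sync   # push the pass to the medium before starting the next one
}

# The full schedule from the comment. $1 = target, $2 = optional size.
secure_wipe() {
    for pattern in zero random ones random zero; do
        wipe_pass "$1" "$pattern" "${2:-}"
    done
}

# Succeeds only if every byte of the target is 0x00, the expected end state.
verify_zeroed() {
    size=$(target_size "$1" "${2:-}")
    nonzero=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$nonzero" -eq 0 ]
}

# Usage: wipe.sh /path/to/target [size_in_bytes]
if [ "$#" -ge 1 ]; then
    secure_wipe "$1" "${2:-}"
    verify_zeroed "$1" "${2:-}" && echo "final zero pass verified on $1"
fi
```

Run it against a scratch file first; the block-device size argument matters because `wc -c` on a device reads it end to end.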

Latest Fast Ring build grazes big red button, unintentionally ejects some Windows Insiders

doublelayer Silver badge

Re: Notepad++

I don't use it in pretty much any situation, but I think that a basic text editor should be shipped by default on any OS. Not necessarily one that can cope with a lot of things, but a thing that you can be guaranteed is there when you have to write a script on someone else's machine. For that reason, they should leave it fast, basic, and minimalist.

Don't be too shocked, but it looks as though these politicians have actually got their act together on IoT security

doublelayer Silver badge

Re: This won't stop the flow of cheap consumer Things

All of that is true, but this still has some benefits, namely these:

The government will require places to make secure devices, at least of any type that they intend to buy, and will make a certification process available. That means that consumers who value this have a thing to search for and a certification that indicates a good level. More secure options and more information about exactly how secure the things are can't hurt.

Next, there is some chance that large companies, wanting to sell to the government, will secure and certify some things that weren't secure before. Anyone buying these things gets the benefits of that. Those companies might also focus more on security now that they are partially required to do so, meaning other products they make could become more secure. Again, it's a thing in the "not guaranteed but can't hurt" category.

Finally, a law like this helps to set a precedent for a more restrictive law. If an IoT system is used to harm consumers, the fact that it didn't follow these certifications could be used when explaining why the manufacturers were negligent and should be held responsible. Since America isn't covered by GDPR, this could at least provide a legal basis for a few types of rights that GDPR makes more available.

Amazon may finally get its hands on .amazon after world's DNS overseer loses patience

doublelayer Silver badge

Re: No internet in the Amazon?

Satellites providing internet service orbit in range of the rain forest, and plenty of places that are less urbanized have mobile coverage. The uninhabited areas probably don't, but we're talking about the people who live there, and a lot of them have access to communications tech as much as anyone else.

doublelayer Silver badge

Re: No internet in the Amazon?

Some people think technology hasn't progressed the way it has. Had they said that the people there probably wouldn't care about the domain, they'd probably be correct. But they have to go the whole distance to try to make this dispute sound even more ridiculous than it is and say that there is no internet access there. A bit of an oversight.

doublelayer Silver badge

Re: Can of worms or Pandora's box is about to be opened...

And why do these companies want those TLDs? They already have the respective .com domains, and nobody is going to take them away from them. Whatever thing they would have put in their .amazon tld can also be put in the exact same place in .amazon.com. Ditto for all the other companies setting up domains. These additional domains don't seem to serve any purpose to users or companies.

Radio gaga: Techies fear EU directive to stop RF device tinkering will do more harm than good

doublelayer Silver badge

Re: Industry Lobby

But Apple does care about the 1% who jailbreak. I don't know why they care, but they do. I have to assume that at least some companies would care about their routers being reflashed as well, but most of the ones I've seen couldn't care less what they run as long as you buy it. It's the ISPs who aren't so happy with your own hardware being used.

doublelayer Silver badge

Re: "But there isn't any."

But routers won't be causing it. SDRs will be causing it. And fines and prison terms can be doled out to the people using the SDRs to interfere.

As for open firmware on routers, I can use it to ensure that my installation is secure. At the very least, that's one fewer peer in the botnet. It allows development of software for these devices that improves security for the users and the internet as a whole. Most importantly, there is no good reason to ban it.

doublelayer Silver badge

Re: What's the problem....

Original: "None of which has anything whatsoever to do with this article, which is about regulations covering interference."

Reply: "I disagree that it's unrelated."

Unfortunately, you have it very wrong. Let's analyze this.

The regulations are about RF transmission. They are not about security. They require that the manufacturers vet their software to make sure that it doesn't blast RF at random wavelengths. It doesn't. WiFi chips don't do this unless you have the really bad and possibly broken kind. So it requires manufacturers to certify something that they already do, while prohibiting other software being installed on the devices at all. That software doesn't modify the chip to interfere either, because nobody wants a radio blowtorch. So what really happens is that replacement software that doesn't have any harmful effect is being banned for no good reason. Meanwhile, any security problem in the original router doesn't get tested and can continue on.

That's why your botnet argument is very bad. A default firmware can be fine, but is usually not. A replacement firmware is almost certain to be better in terms of security, and allows users to do things like prevent UPnP and configure a good firewall, which may be restricted or made difficult by bad default firmware. Forcing inclined users to use only the stock firmware means that they will be less secure. It's like arguing that we must ban microwaves because they cause spikes when you turn them on, and an attacker could plug a bunch in around a target and cause a circuit breaker to activate. It is technically true, but misses the point because people don't do that with microwaves and banning them doesn't prevent the problem.

Freelance devs: Oh, you wanted the app to be secure? The job spec didn't mention that

doublelayer Silver badge

Re: Requirements

Some things are too obvious to have to specify. For example, "the code must finish within our lifetimes" shouldn't have to be stated. "The code should compile", "the code should not alter files in random places", "the code should not develop sentience and a desire to kill": we don't need to say these things. Similarly, if I ask for an authentication system, the default is that I want a security mechanism. I would need to specify something like 2FA capability or specific mechanisms for recovery, but a system that uses plain text storage or base64 as an "encryption" algorithm is not a valid solution.

doublelayer Silver badge

Re: Software developers can’t be worth paying very much

That really depends on the system it's being put into. There are plenty of systems that properly hash a password, sanitize the input, and so on, but they don't simply plug in to a codebase with a function call. You have to know enough to integrate them with your database and connect the frontend to them. That's not a big job--it can be completed in a day or two. Still, we aren't suffering for a lack of good "hash and salt this password" libraries but for people who know to use them. Similarly, it is not hard to write these libraries. The issue with people who reimplement this in a few hours is not that they mess up or build something insecure, but that many others don't bother dealing with the security.

Dear Britain's mast-fearing Nimbys: Do you want your phone to work or not?

doublelayer Silver badge

"My personal view is that less communication access is entirely acceptable"

You are welcome to have that opinion, but here are some reasons that it's not very common. First, people need mobile phones, because wired phones don't really exist as they once did. In the areas that were served by landlines, we will require mobile service to have the same level of coverage. We require this in many places where mobile signal is not great, and therefore are supportive of plans to increase coverage in those places where we are frequently.

Second, mobile communications have been touted as the new system for everyone and everything to communicate. Emergency services, for example, have been switching from their radio systems to mobile. I understand why they're doing it, and some of their reasons are real problems with their previous system. However, it's hard to see that as viable when there are empty places in the map. Even if I'm not going there, it is important that emergency communications can happen there.

My opinion, to the extent it agrees with yours, is that we don't need to have signal on every possible location on Earth. There are places where people don't go, and the benefit of having mobile signal there is low. However, there are plenty of places where people do go where there still isn't any mobile signal. I would like to see the companies working to fix that rather than work to sell ever more expensive contracts and obtain rights to as much spectrum as they can.

What happens when security devices are insecure? Choose the nuclear option

doublelayer Silver badge

Re: Too depressing?

And there are certainly other ways the plot could go, but most of them are similarly depressing, just in different ways. Nuclear explosions are not fun, so your options are:

1. Be vaporized at the center of an explosion

2. Die in the destruction that is far enough away from the center that you weren't vaporized

3. Die in the fires spreading from the destruction outward because a lot of stuff burns

4. Die from fallout which can be blown by winds nearly anywhere

5. Miraculously find a shelter strong enough to withstand the fallout without poisoning you, and die inside for lack of provisions, extreme heat, etc.

6. Miraculously find a shelter strong enough to withstand the fallout without poisoning you, but open it too soon and die of fallout anyway

7. Miraculously find a shelter strong enough to withstand the fallout without poisoning you, and have a load of fun finding a safe place to go when you eventually come out

Let's just agree not to drop any nuclear weapons. Everyone on board with that?

FBI warns of SIM-swap scams, IBM finds holes in visitor software, 13-year-old girl charged over JavaScript prank...

doublelayer Silver badge

Wholeheartedly agree. I think we should take the people who have no firewall on incoming traffic and put them in a mixer with those people who block outgoing traffic on all ports*, then only use what survives. And all those security nightmares like UPnP should be off by default, especially as most consumer-facing routers simply have a page saying "Enable/disable UPnP", without explaining to them in any way what UPnP does and why you might want it or not.

* Does anyone have a suggestion as to what port and protocol to run a VPN server on so traffic will generally be allowed through weirdly restrictive firewalls? No, I cannot use 443 as I already have something running on that, but virtually every other port is free and I like to avoid the times when my traffic simply doesn't go through on the default.

doublelayer Silver badge

Re: Why is "SIM swapping" a thing?

I suppose it could be that, but if you have a network that doesn't use physical SIMs (CDMA network on 3G devices, devices with eSIMs, CDMA networks sometimes just at random), your only way to switch service to a new device is to have the carrier do so with the IMEI of the new device. You can't do so yourself. If they don't have a physical location near to you, they can do it over the phone, though in my experience they asked for some verification that I had the previous device (I suppose if that was broken rather than just old and being replaced I would have had to show up at their office). I don't know if this works on networks without this, as I've never had to call up a service provider to switch phones around when I had a physical SIM that could be swapped into the new device.

doublelayer Silver badge

Re: Just wait...

A coworker recently wrote a piece of code that had a bit of a problem, and asked for my help debugging it. Its problem was that it tried to allocate about 300GB of memory and didn't check for errors after allocating. In order to debug it, I had to receive it. I think that guy is now guilty of various heinous crimes for sending me his diabolical malware which would have totally destroyed ... well temporarily disabled ... well made me press control C on a whole debugger session had I run it rather than just reading it. It's clearly a lot worse than what this person did. Which law enforcement office do I report him to, and how many decades in prison is he going to get?

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

doublelayer Silver badge

Re: BYOE

I prefer having the IFEs, not because I find their features useful (I've never used one), but simply because they usually have the ability to charge USB devices. This can be quite useful after the laptop battery or book didn't last as long as you wanted and you're stuck with your phone for the rest of the flight. Otherwise, you always have to save enough power in the phone battery because you know you'll need it to get navigation or transportation when you land.

doublelayer Silver badge

To put this in context, he typed in a bunch of characters. That's it. He did not break into the system's hardware or software, and he did not destroy it in any way. He typed into a field whose purpose is to receive input. The same thing would have happened if I was typing a message in but wanted to say more than its input limit. Unless it tells me this before I send (and if it has a buffer overflow it almost certainly doesn't), I wouldn't know when I've hit its limit. The only difference is that my characters would be a natural language message while his were not. If there is a situation where a user error from a user that is not acquainted and should not have any privileges can cause a safety risk, the system needs to be patched. If there is a situation where such error can cause a safety risk aboard an aircraft, then that system needs to be completely removed from aircraft and returned to its manufacturer, ideally by catapult into their security office.

Would you blame me for pressing every icon on one of these to see what they do? What if there is a certain pattern of icons that would cause the navigation system to reroute to Antarctica? What if the movie selector will zap the pilot with a massive surge of current if I watch two separate videos after clicking on the clock five times? What if the engines are disabled if I type in a 257-character message? If they shouldn't be able to do things, don't give the user-facing devices the ability to do those things.

doublelayer Silver badge

He was faced with a system requesting input. He simply tried some type of input. It is the responsibility of the system to handle that properly. The better analogy is repeatedly locking and unlocking your own hotel door, because that is what the door is meant to do. If it so happens that, after unlocking a hundred times in one day, everyone else's door stops working, that's clearly the fault of the door system. Similarly, he did not try to disassemble the device or access it in some unusual way (connecting strange USB devices to the port to see if they could inject code). He merely entered input into a field that expected input. The same thing could have happened if he wanted to write a relatively long message.

One-time Mars InSight Lander engineer scores $1.5m redress over whistleblower sacking

doublelayer Silver badge

Re: RE: I'd be a lot less emotionally distressed after than before

Not only that, but this effectively deletes a large chunk of his employment experience. If the company that he wants to apply to sees that he has previously shown ethics and has a problem with that, he won't be hired there. Meanwhile, he won't be getting any references from that company even as most companies want to see references from the most recent employers. Depending how long he was employed there, he may find it significantly harder to find employment, and that's if the company doesn't have a method of putting him on a blacklist. If they do have that ability, he may not get another job for a long time or without making a significant upheaval. That would give me a lot of emotional distress.

No guns or lockpicks needed to nick modern cars if they're fitted with hackable 'smart' alarms

doublelayer Silver badge

Suggested addition to dictionaries

I humbly suggest the following additions to all dictionaries. I release these definitions into the public domain in the hope that they will be recorded for those who are unaware:

Unhackable:

: /ˈst(j)upɪd/

Adj.

1. Nonexistent or imaginary: We have a normal computer and an unhackable one.

2. Extremely insecure: The company has built an unhackable lock.

3. Destroyed or rendered nonfunctional: The plane carrying the machine crashed from a great height, and therefore both have been rendered unhackable.

My [noun] is unhackable:

Phrase

1. I am an idiot.

2. My [noun] is probably a lot worse than its competitors.

3. My [noun] won't pass a standard penetration test.

4. My [noun] won't pass a non-penetration security test either.

5. My [noun] might not pass a safety, fitness for purpose, or functionality test either, while we're on the subject.

6. Unless you can physically obtain one of my [noun]s, it probably doesn't even exist outside my marketing documentation.

Note: Unlike other definitions which use OR logic, i.e. usually only one definition applies to a specific occurrence of the term, the preceding phrase definition uses AND logic across all definitions.

Put down the cat, coffee, beer pint, martini, whatever you're holding, and make sure you've updated Chrome (unless you enjoy being hacked)

doublelayer Silver badge

Re: Don’t you love monopolies?

Why, nothing of course. You see, as the market share of our wonderful rendering system increases, people are showing that they acknowledge that we provide the best, fastest, most secure, and most open engine available. We gladly extend our code to anyone, which is why we have made the Chromium™ engine completely open source and offer it to any user or company out there. We also offer all our services that are built into the Chromium™ engine and can't be removed without tearing the codebase apart to these companies, no questions asked except sometimes when they will need some API keys to distinguish them, but that's clearly a normal and justified thing to do with open source code.

With more and more people using the engine, any potential problems such as a framework that allows extensions that users install knowingly being able to block some parts of their traffic (yes, I know, but it happened) can be fixed extremely quickly. We aren't saying that it will be free of defects, but it will be better than the other options out there because it was developed with a very Googly mindset. We'll have so much data about everything that happens that we can find any risks to users' security or privacy and fix them immediately. We confidently expect that, in the next few years, the market share of our major competitors such as Gecko and WebKit will decrease to zero as competing browsers, which we totally support by the way, realize the superiority of this engine.

Google autocomment software, version 38.159.2581003.627501869274030461957286834

Well, we had to do something useful with our extra programmer-hours, didn't we? Like all Google services, this autocomment software is completely open source. You can use it by getting an API key from Google's developer program and calling the three functions available in that interface. That's what open source means, isn't it?

doublelayer Silver badge

Re: Double standards?

I'm usually in favor of some schedule of release if the bug is not fixed in a reasonable amount of time, but that reasonable amount of time has to be calculated separately for each new bug and take into account updates by the company involved. That release only helps if it encourages a company to work on fixing the bug when they otherwise would not, not as a stick that really does not always provide the same benefit.

While this CEO may be stiff, his customers are rather stuffed: Quadriga wallets finally cracked open – nothing inside

doublelayer Silver badge

Re: Thank goodness Bitcoin is there to stick it to The Man, right ?

These people weren't trying to use bitcoin or any other cryptocurrency as a currency, which was its original goal. They simply wanted to jump on the bandwagon of thinking it would soar in value once again because blockchain, which sounds technical and people like to talk about on TV. They probably didn't have any specific distrust of government, unlike those who want to replace fiat currencies with cryptocurrencies, for whom trust is a very different issue. Those two groups must really hate one another.

doublelayer Silver badge

"if the wallets were securely encrypted, how do the auditors know what is in them?"

Bitcoin is public, so you can read all transactions associated with a wallet if you have the ID of that wallet. The key to access the wallet would be the encrypted thing. Therefore, you could see how much was in each wallet but you couldn't spend any of it without breaking the encryption. I'm glad to see that this company is knowledgeable enough to figure this out without, you know, waiting three months for some external auditor to do something so simple for them. It really helps my estimation of their competence and trustworthiness.

TalkTalk kept my email account active for 8 years after I left – now it's spamming my mates

doublelayer Silver badge

GDPR came into force almost a year ago. They're subject to it now, and it requires them. That is assuming their contract doesn't say something about account closure, which many do in order to indemnify the company when they delete users' data after accounts are closed.

Once again, blame is not the correct way to deal with an account compromise. Whether the password was bad or not, the client did not take an action with the intent of allowing an attacker in. Yes, there are good practices that would have helped here, but not following every good practice does not automatically make any problem someone's fault.

In that case, I could come to your house, find a place where you have been too lax with your security, and blame you for the fact that I broke in. Should I do that, the blame for breaking in belongs only to me. Good practices mean that it is less likely that I'll be able or inclined to break in, and as such benefit you because you don't have to involve law enforcement. You may have entered a contract with an insurance provider that requires you to follow certain practices in order to get benefits. Still, I am not rendered innocent if you forgot to lock your door.

doublelayer Silver badge

Victim blaming. It's wonderful, isn't it? The ISP didn't cancel the account or delete data when they were required, and someone else managed to get in and start spamming without assistance of the original account holder and despite their attempts to stop it, but yet it is the original person who is to be blamed for this?

doublelayer Silver badge

Re: ridiculous advice

If you're sending me a party invitation by attaching something to an email, you might want to look at doing something else, as that certainly looks suspicious and I doubt I'd be opening that.

In most cases, the sender will include information in the message body about the attachment and why it's there. It's not that unreasonable to read this information closely and follow up with the sender if there is confusion, and many malicious attachments are somewhat easy to spot. Whenever there is doubt (did they really want to send me a random .pdf when the message simply says "Could you take a look at this?"), it's worth checking in, if only to determine what they want me to do with this if they did intend to send it.

doublelayer Silver badge

Re: Indefensible

What data can and should be kept is another issue, but to correct one of your statements, we're not suggesting that they "[a]llow someone to close down an email address WITHOUT any verification", but that they close accounts that are inactive. It's a good measure for them to take as the account is no longer paid, may be required by a contract which initiated the account in the first place, better adheres to privacy laws, and prevents problems like the one mentioned in the article. When they didn't bother to do that and were contacted about an account sending spam, they could also disable the account, either simply for spamming people which is what they would do anyway or because they've now had their attention drawn to an account that shouldn't be live.

Did you know?! Ghidra, the NSA's open-sourced decompiler toolkit, is ancient Norse for 'No backdoors, we swear!'

doublelayer Silver badge

Re: If nothing else ...

I think that, in most cases, the problem getting old code to run on something newer is all the old libraries it thinks it should be using that don't work the same, or exist, as they did so long ago. This wouldn't be able to help with that. It might be able to do some things, like taking a binary and making it run on a different architecture, but it's probably a lot more limited than we'd like.

Galaxy S10's under-glass fingerprint reader, quelle surprise, makes mobe a right pain to fix

doublelayer Silver badge

Why I get disposable phones

This is why I don't consider the repairability of phones when I buy them. I expect that they will work perfectly for some time*, and then they will develop a fatal mechanical problem. Whatever the problem is, the fixing of that problem requires the manufacturer or mall store of completely untested mechanical ability to tear the thing to shreds, substitute a part that always costs more than it should, and put it back together in such a way that it feels like it is coming apart at the seams and is likely to develop another mechanical fault soon.

Meanwhile, if this is an android device, I fully expect that there will be no security updates let alone OS updates after a length of time, which makes the device more dangerous to use online due to all the "It's 2019, and a $something_simple can PWN your android phone" articles that get posted here semiregularly. So when I purchase a phone, I do my best to ensure that it is going to be able to run Lineage OS for continued updates, and that it does not cost enough that I'll be worried when something irreparable breaks without notice.

*In my experience, phones tend not to develop these mechanical problems for quite a while if treated well. I have kept my devices long after the next few models have been released and, for android, all software support was dropped. When they eventually break, it's more useful to find a replacement rather than try to have them repaired.

How to make people sit up and use 2-factor auth: Show 'em a vid reusing a toothbrush to scrub a toilet – then compare it to password reuse

doublelayer Silver badge

More explanation is required for that statement. We all know about the biometrics problem (can't change them, you carry them with you where people can steal copies, etc.). Those don't apply to 2FA. So what are the problems you're referring to and what are the "simpler, more reliable ways" to fix it?

doublelayer Silver badge

Re: What would get me to use MFA

If it's a good system that supports FIDO and U2F, you should be able to do that. Naming the individual keys is a bit annoying, but it works and revoking access is easy. Then again, I'm sure that a lot of places don't bother to implement that properly.

doublelayer Silver badge

Re: The elephant in the room

This is a real problem. I have done this by having multiple auth tokens (one for corporate systems, one for personal systems, and one that I got because you could program it to do different things). I'm planning to change the firmware on the programmable one to hold multiple keys and use a series of button activations to choose the one to use. It seems very straightforward to do, and entirely capable of that. It may be possible to replace the firmware on more typical keys as well, but I don't know for sure. Also, as a bonus, when I finish with that idea, someone who steals it will have the fun experience of trying to figure out exactly what pattern of button presses I've set for my keys. They're very hard to steal and nobody wants it that badly, but I kind of want it to happen just so I can imagine someone getting annoyed trying to use it maliciously.

doublelayer Silver badge

Re: Wanting to use 2FA is one thing...

"Also, pardon my ignorance, but how would I connect a cell phone to my computers? Do I need to install some kind of USB wireless device? I am indeed interested in 2FA, but it seems that there are different explanations of how to do it, each with a different set of unexpressed assumptions."

There are many ways to authenticate with something physical. A good system will let you choose, which throws out some companies, unfortunately. However, a good system will look like Duo Security (I am not in any way connected with that company. I just use their product to authenticate some places. I don't administer it either, this is purely a user's view).

With this system, you have a few options to authenticate. After you log in with your username and password, you are presented with a list of choices, so you can have multiple active options and use the one that is going to work. The options available include these:

1. Their primary suggestion is their own mobile app. You get a push notification, but it is not connected to your phone number. You have to have an internet connection for that to work, and you authenticate by pressing a button on your phone.

2. A code, also from their app. This is used if you don't have a connection (the code changes every thirty seconds based on a secret known to your phone, and becomes invalid afterward). Duo's is a 6-digit code that you enter on the thing you're logging into.

3. A phone call/SMS to an approved number, meaning you can use a landline. You do have to log in with proper credentials or that won't work, but that one could be abused by a local attacker.

4. A USB token like the ones mentioned in the article, either one that only works with Duo's system which the administrator probably has a gigantic box of, or an independent market one that works with a lot more (what I have).

This does not require that the thing you're connecting to have or allow a USB device, or that your phone have a connection at all times. If you simultaneously don't have a smartphone, don't want a USB device, and don't have any kind of phone with service, then I don't think there are other options. Still, this means you can use the authentication using a number of paths.
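Option 2 in the list above (a 6-digit code that rotates every thirty seconds from a secret held on the phone) is standard TOTP (RFC 6238, built on HOTP from RFC 4226). The following is an added example, not Duo's code or anything from the original post: the phone-side code derivation, plus a constructed server-side verifier that accepts a small clock-drift window and refuses a code that is replayed or submitted after its step has passed. The secret is the RFC test value, not a real enrollment secret.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226/6238 test secret (constructed input, never use a fixed secret in practice).
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP, the phone side: the counter is the number of 30-second steps since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Constructed server side: allow +/- `skew` steps of clock drift and never accept the same
    (or an older) step twice, so a captured code cannot be replayed inside the window."""

    def __init__(self, secret: bytes, step: int = 30, skew: int = 1) -> None:
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1  # highest step value already consumed

    def verify(self, submitted: str, at: int) -> bool:
        base = at // self.step
        for drift in range(-self.skew, self.skew + 1):
            counter = base + drift
            if counter <= self.last_counter:
                continue  # already used, or older than the last accepted step
            # Constant-time compare so timing does not leak how many digits matched.
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(RFC_TEST_SECRET, now))
```

Running the block prints the current code for the test secret; the verifier shows why a code that worked at one moment is useless two minutes later or if sent a second time.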

doublelayer Silver badge

Re: Not even El Reg.

You have to log in to post anonymously anyway; the post is just not attributed to your account. The 2FA gets you into your account, and then you still don't have to attribute a post to you. The two seem entirely compatible.

Adi Shamir visa snub: US govt slammed after the S in RSA blocked from his own RSA conf

doublelayer Silver badge

Re: Terrorists rolling their own crypt

Also, that may confuse cryptography with cryptographic systems. Rolling your own cryptography nearly guarantees that you will make a stupid mistake and your crypto will be broken a lot faster than you thought. Using someone else's crypto that is proven to work but changing the container format and/or transmission protocol means that the people attempting to read your communications will have to pick both of those apart before they can start to crack the key. It prevents them from having a pre-built module for it that they can set going, and you're still using a proven algorithm.

Cheap as chips: There's no such thing as a free lunch any Moore

doublelayer Silver badge

Re: There's really no need to panic over this.....

I agree that they haven't been a major problem yet. However, there is a place where you don't have that clear a boundary. Case one is on a VM host, where one VM can run its own code and take memory from another VM. You can't block the malicious VM from running code, and you will have sensitive data in memory at some point even if it is only authentication data. The drive-by access by javascript is possible too, but requires more knowledge of the system, so is unlikely as you say. Another possibility is that access to certain parts of memory that are rightly removed from your segment may allow privilege escalation. I don't know where they are or how hard it is to use them, and I don't think people are finding that yet, but if we left them unpatched, it might be worth criminals' time to find out.

WannaCry-hero Hutchins' trial date set, Microsoft readies Google's Spectre V2 fix for Windows 10, Coinhive axed, and more

doublelayer Silver badge

Re: Monero Hard Fork

I didn't say I agreed with it. In fact, I think it's a shortsighted addition. Still, it's important to characterize it properly. Unlike forks of cryptocurrency projects which cause people to lose value or get confused as to how to use it, monero's "hard forks" do not affect existing currency unless it changes in value as a response (its massive decline over the past few months was not related to the recent fork, but instead because people have started to realize that long numbers with bunches of zeros are not really worth very much). The mining process is the only thing that is changed, for good or ill. Ill, by the way, by most reckonings.

doublelayer Silver badge

Re: Monero Hard Fork

I'm sorry, but that is not correct. Monero has the "hard fork" stuff in deliberately. It is how the currency is designed. It was there from day one. The purpose is to defeat people building specific chips to mine the thing; if the method for mining changes every year or so, nobody can build a specific chip that produces good value for a while. Therefore, people mining with GPUs and CPUs that handle more general purpose math get most of the value from mining. The term "hard fork" means that the fork of the code is final, not simply another group making a different version, but the project as a whole changing it.

Argue if you like that it is not a good idea, but don't claim it's a weakness in cryptocurrency when it was built in by design.

Huawei 'to sue US' over federal kit block – report

doublelayer Silver badge

Re: whats this crap?

Original: "For example, it sees no problem with kidnapping foreign nationals to serve as pawns in diplomacy."

Reply: "China or America are we talking about?"

China. Definitely China. The Huawei thing is a different story where there isn't a clear difference, but I don't remember anyone being kidnapped simply to show that a Western country isn't happy. The Canadians arrested a person for whom there is an extradition request. They didn't immediately extradite them; they are putting that through their legal system and are also handling the legal complaint by said person through their local legal system. Meanwhile, China takes a Canadian hostage for no reason. They did not accuse that person of a crime, they did not charge them, they were not complying with a legal request of another country in international law. One country is performing their normal legal process, the other thinks that detaining people for no reason is a legitimate diplomatic tactic. Don't support that by pretending they're the same.

Good news: Congress has solutions to end net neutrality brouhaha. Bad news: Two competing sets of solutions...

doublelayer Silver badge

The internet has multiple layers

It does. The connection to the internet and the things you connect to are not the same. It is logical to call the sites online information services, but the network that lets me get there is not providing information. These definitions may help:

Information service: A service where the provider has information and sends it to me.

Communication service: A service where the provider allows me to connect to something else and exchange information with that something else.

On that basis, the line that carries my data is communication, as I am requesting to get information from El Reg. El Reg is an information service, but is not facilitating my communication with others. The separation is intrinsic to the protocols of the internet.