Posts by doublelayer

Re: Why?!

Those rights are nice, but not fundamental. The analogous rights are rarely available. For example, if I buy a table, I am given a table. Nothing more. I have the right to use the table as I wish, and to disassemble, modify, or destroy my table. If I rented the table, I may not have all those rights. I don't have the universal right for the table manufacturer to give me their engineering plans for the table, although it might be useful if I was modifying the table. That is a thing I have to figure out on my own if the company doesn't want to get those for me.

The same is true of software. I have a problem with people who sell me a license to use their software in its shipped, compiled, form but implement that software in a way at odds with their license (for example, saying the license will work perpetually but requiring it to be renewed, or saying the license will function on airgapped machines but requiring an online check). I have a problem if companies sell the software as something it is not. I do not have a problem if they refuse to let me see their source code. Sometimes, this is enough for me to choose not to buy their software, as there are major benefits to having the source, but other times, this is not as important.

Either way, I do not have the right to look at their source if they have not agreed to give it to me, any more than I have the right to look at your email if you would rather I didn't.

Re: Logical fallacy alert.....

I'm not sure that's good enough. For self-driving cars, they should reach a safety level of an average driver before they're used, which they have done and exceeded in tests. That's why they are acceptable, though of course they need to verify that they'll pass those tests under more difficult conditions. However, even if we do get a system to perform judgements at the level of an average person (difficult to quantify for topics like bigotry), it can degrade the situation. If we can quantify negative events like this, we can also identify parts where their frequency is excessive, increasing the average. We can also find methods of reducing the likelihood of those events when things are more important, for example moving a trial of a person likely to face discrimination to a location with less connection. With an automatic tool, the parameters can't easily be changed without outright manipulating the result, and a great deal of oversight is needed to ensure that no unforeseen biases are impacting those who the model affects.

A uniform mediocrity is not always enough, and that's still assuming we can achieve that with these tools. I think the evidence shows that, sometimes, we fail even to reach that threshold.

I agree completely. However, my points still stand about the processing differences between raspberry pi zero and any modern smartphone (if only making calls, this isn't a factor). Also, many of the touchscreens that work with the raspberry pi are less capable and more expensive than ones available on consumer devices. I am not familiar with all of the raspberry pi phone projects going on, but the one I did see simply recommended classes of parts to be purchased on eBay and cobbled together by the user. The software looked interesting, but the semifunctional build I saw was fragile and less like the typical rectangle phone factor and more akin to an octopus shape. Unfortunately, the economies of scale available to the mass manufacturers of phones are not as available to those of us who only want one or two of the components concerned.

Re: Hangon

They can. If they routinely monitor their bandwidth usage. If not, they will still see it. On their bill. With a request for overage charges right under it. You don't think the mobile companies are going to warn them of unusual and possibly risky activity on their device that would make the mobile network less efficient do you? They don't have the time for that, and it's definitely not because they like to dole out overage charges.

Re: Looks pretty cool..

The specs are certainly nice, but also they are weird. I don't know what types of memory-hungry apps people are running such that running three of them at once is going to get a lot of benefits from 12 GB of memory. Did someone make a VM host for android that I haven't heard of? Meanwhile, I somehow doubt that the gigantic screen will last all that long on the battery provided. It's not for me, anyway, but I think these things may not be as useful as they sound.

Watch out. At some point, they may just preload all the javascript for you and shove the whole page at you. No real difference, as the javascript does all the requesting rather than the HTML*, but now served from the same server, so a bit slower if that's possible.

*If you also block the javascript from loading remote resources, they can implement a proxy system so all javascript requests are sent through the server from which the page was retrieved and sent on. A bit of overhead for the small pages, but child's play for Google. And given their current use of javascript, they will probably not have too much trouble breaking things if you don't have javascript enabled.

Re: I use SMS...

There are usually usage charges for SMS unless you're on an already-too-expensive plan that makes them unlimited. When those charges exist, they are the ones that don't make any sense because they're orders of magnitude greater than they should be. It's nice that it just works, but most mobile providers figured that out and will charge you as much as they can, either by the message or to give you the ability to send maybe a couple megabytes each month (unlimited, though).

Re: TL:DR version

It sounds more like

"We weren't caught. Sorry about that ... typo. Yeah, it was a typo."

Re: Something not ringing true here ...

"What?"

I suggested two reasons the drive could be encrypted in the middle of an access. They were these:

1. "I suppose one possibility is that the drive could not be read when powered down, and needed a machine to access it. That machine, in turn, could identify that a lot of data was being accessed rather than a standard use, and locked down."

For example, someone modified the drive, and it could not be read without a controller. It couldn't be imaged correctly without disassembly, but if you connected it to the controller, it would show a filesystem that could be read. However, the controller would be programmed to notice anomalous read patterns and lock itself down, blocking further access. This controller could be at various levels, including at the drive firmware level, in a separate hardware device connected to the drive, or in a computer that reads the drive (although the mechanics of getting a computer to do that and boot to it would be painful).

2. "Maybe they were able to get data from a running machine which timed out as well, denying further access to the drives."

For example, the computer was found running, with the drive accessible. They knew or expected that the drive was encrypted, so copied the files from the drive from the running machine. The machine noticed, timed out, or otherwise caused the drive to be locked before they could get all the data.

Was I really that unclear? Are either of these that unreasonable? I do not understand the confusion.

Re: Admins are increasingly looking to serverless computing

As a dev, I don't see my team advocating a switch either. At least on my team, we like having our code run on a system that we know about, rather than a system we don't know about that gets created and destroyed but we don't have any control over when or how. We also don't need a function layer that already needs an external layer to retrieve stuff from and store stuff in when we could just run our code on the one layer and forget about the second billing system. When we decide that's dead, I'll post again.

"I'm impressed. Do they have fibre and Gmail in the heavenly kingdom now?"

Is this a joke? The original quote reads "A distant relative of a friend who had recently died contacted me". The person who contacted them is "A distant relative of a friend", and the friend had recently died. The relative was alive at the time.

Re: Mould breakers

Which is why I want to use a pi over a phone whenever feasible. However, the price of extra components and performance in portable scenarios make some projects that are pi-based less feasible.

Re: Nor a good solution

I addressed most of those issues in my original post. I'll cover them again here and fill in some gaps.

"1. While the blockchain is secure, wallets are not. And in reality, you are at far higher risk of having bitcoins stolen than having your bank balance stolen."

True in some cases, false in others. Against your standard street criminal, the cryptography on mobile devices is a lot more of an impediment than typical antitheft systems on credit cards. Money can be stolen from online we-buy-the-crypto-for-you systems, but I'm not talking about those. I'm talking about the systems where you have your own wallet stored on your own devices.

"2. How is this more secure than Apple Pay, or a banking app on my phone?"

It isn't particularly, but that isn't supported in very many places because Apple, the bank, and the payment location all have to work together on the thing, subject to local laws, etc. In most cases, I'd rather use this, but it is worthwhile to consider that cryptocurrency processing is less centralized. If it had a value (see point 4 and the original post), payments would be more straightforward with a similar level of security, and it would be supportable in most locations. And you wouldn't have to have a specific device, accounts with any company, or credit system.

"3. You need to elaborate why using a bank to make payments is a bad thing, and using bitcoin mining companies to do it is better."

Wrong. I didn't say that. I said that banks have downsides. They include the problems of skimming (this happens more frequently in some places, and even if you can get your money back, it's not ideal to have it stolen in the first place). Crypto can deal with some of those in theory, and you would be doing it with your own wallet rather than an untrustworthy speculation system.

"4. Bitcoin performs a lot worse as a predictable store of value than almost all government issued currencies out there. To keep the value of a currency stable, you do need a central bank to control the supply, and bitcoin makes this impossible."

I specifically noted this. I said it doesn't work with the current use of cryptocurrency. However, supply is limited by the maths, and a central bank (Venezuela's, for example) can't devalue it on a whim. It isn't so necessary for us, but people who live in countries with less stable currencies might see this as a major benefit assuming we eventually create a cryptocurrency that gets used as a currency. I'm talking about the theory. The theory isn't working right now because people think that ridiculous volatility is a good investment system, but it has useful elements.

Once again, I don't trust cryptocurrency. I don't have any. I don't see it as necessary, and it doesn't hold value at this point. But it is unfair to deny that it does fix some problems that do exist, even if they aren't problems for us.

Re: I've got an idea!

Most phones have GLONASS readers in them anyway, and it works better for higher latitudes. So the odds are that anyone using a phone navigation system in Europe uses GLONASS at least some of the time.

Re: NTLM?

That was LM, not NTLM, although NTLM 1 worked similarly and was also bad. This is a newer NTLM that is much better for its time, but not good enough for 2019.

Re: ZpulNg

Complain about smishing if you like, as it really is just phishing over SMS, but spear phishing is a useful term. It is very different than standard phishing, directed at one victim rather than a broad sweep, and demonstrably effective as it has been used successfully by many perpetrators in the past few years. I think that large a movement, and one that has seen results, deserves an identifying word. Similarly, I do not have a problem with the creation of such words as "ransomware" and "cryptojacking", neither of which existed before they became major trends in malware production.

Re: What muppet agrees to pay per hour?

It wouldn't take much effort to make it work; if you write something quickly, you can have a macro replayer retype it slowly and do whatever you please. If you have to have different documents up when the screenshot system works, you figure out the schedule, load up different-looking documents or old versions of whatever you have and have the program have a different one open each time the scheduled collection happens.

Re: next-gen 32-bit microcontrollers????????????

I think the most memory I've seen paired with one of these is 512k, and 32k is quite typical. Of course, they probably have SOCs with more memory somewhere if they're planning to do voice recognition on them, but that gives you a sense of the typical scale of the things. They run one program, connected to a few basic hardware devices, and nothing else.

"You'll always need a device specific kernel, or maybe you should steer clear of x86 specific images as well?"

Not so. An x86 image will be capable of running on any x86 processor, assuming you can get the firmware to find it and boot to it and the drivers are working. Sure, some x86 systems hide the required things to do that, but that's not many of them and you could simply not buy them. Also, some chips that are old enough won't run a x86-64 image either at all or without a 32-bit bootloader.

That's quite different from the ARM landscape, where nothing will boot at all unless someone has tailored a bootloader for the specific device running it and for the specific image being run. This is why it's hard to flash a custom ROM to an android device* and why companies seeking a system that can't be reimaged are moving to it. For single-purpose devices, that's fine, but for computing, it has many limitations. I would want a device like this only if they had a universal firmware system that could boot anything that was written for the architecture. I'm not asking for universal drivers. I'm not asking for source available on every component. I'm asking only for the right to boot to any image I want; it's my responsibility to make sure it can boot.

*Installing a custom ROM on android devices: You can't have an image for the version of ARM used by the chip, nor by the chip manufacturer and architecture, nor even for the specific chip. Your ROM must be recompiled for each device you want to install it on, with a lot of fiddling with it and it never working. That's why these alternate androids only ever run on a few flagship phones.

Re: Who the hell uses Linux

Really?

"For desktops and laptops use Windows unless you're a Mac fan in which case go ahead. Because you want proper device drivers, power management with working suspend and hibernate etc."

You know that Linux runs on a lot of machines, right? With all of those things working? That when it's not working, it's because some manufacturer didn't release proper drivers for the thing so they could be used? Your counter suggestion is to run the single monoculture desktop OS that doesn't have a perfect track record dealing with device drivers either? Well, I guess there's no arguing with that.

"For servers use FreeBSD or a Solaris or similar as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers. Also a robust filesystem for your data and there is ZFS. You don't need things like snapd . For some applications maybe even go IBM."

Well, that was a weird statement. Er...let me parse that a bit.

"For servers use FreeBSD"

Fine, but you know that a lot of the stuff above the BSD is the same stuff that is above the Linux. So there is not much difference in all the stuff running on top of the kernel and base.

"or a Solaris or similar"

Why? I know it still exists, but there are some reasons it doesn't have a bunch of market share anymore.

"as you need an operating system rather than a gaffer tape bundle of kernel and userland from different developers."

Oh, that's why. Again, Linux, BSDs, and Solaris all use pieces in common; the desktop environments are interchangeable. The major difference is the kernel, which in all cases is monolithic. It's just a different one for each case, but all were built from contributions of more than one team. None are particularly taped together, especially after the massive amounts of testing each has received while running a bunch of servers.

"Also a robust filesystem for your data and there is ZFS."

If you really want it, that runs on Linux too.

"You don't need things like snapd ."

That's a bit abrupt to switch back to the point, but I'll point out that you don't have to use snapd, and it's more likely to be used on desktops than servers. It was originally built to run on phones, and it helps with applications that need custom library versions so you don't mess up your environment. Complain about it if you have a problem, but know what it is and more importantly what it isn't.

"For some applications maybe even go IBM."

And again I must ask why. You may have had a reason, but without telling us what it is, you seem to be making suggestions at random with the only point being "don't run Linux". Your basis for this as stated here is full of holes. Try something else.

Re: Can anyone bother to explain

Certainly. You can argue all you like that country X is being unfair to country Y, and I'm likely going to agree with you. That doesn't change the facts I mentioned. If any country tries to funnel all of its connections through a government-controlled system, they aren't doing it to deal with foreign interference because that wouldn't work.

Imagine what would happen if the Democratic Republic of A and the People's Republic of B did this. A is worried that B will attack them, so they funnel all their connections through one system so they can turn off their network at any time. B is also a country, with a lot of power, so if they are planning to attack A's systems, they will put a computer inside A that can be controlled by an agent of B. They could do this by:

1. Use an international phone line to control the system if the network gets cut.

2. Use a satellite connection that they can control to uplink data to the machine.

3. Use a radio transmission to control the system.

4. Put a spy in front of the computer to do the work for them.

5. Run a wire across the border and don't tell anyone (this works better if A and B share a border, and requires the machine to be close to the border).

6. Just use another method to take out whatever they want to take out.

You couldn't stop anyone that way. Sure, cutting off the network would prevent some international attacks from criminal groups that happen to use that way to get in. In the same way, cutting all the electrical lines and having people run their own generators if they really need electricity would protect them from a malicious party delivering a much higher than expected voltage to their building and frying things. However, cutting electricity is more likely to be a method of repression, and the same is true of cutting network.

Re: Backups?

Yes, they should have. However, it doesn't sound as if they had terrible security elsewhere, as they commented that the VMs had different authentication and different setups, thus this attack couldn't be done by a single compromised set of credentials (hopefully). Still, if things are that large, they should have some place where email data was stored on offline and hopefully also offsite media.

Re: I've always wondered...

Emergency data isn't just "An emergency has occurred. Details here." They can include other information, for example communications from responders to a wildfire. That's voice because the people involved can't take the time to type out a message when they are both fighting the fire and looking out for a situation that means they have to get out of there. So there may be some need to put them on their own circuit that can't be restricted. It doesn't mean that other companies or users deserve that.

Sometimes, those questions reveal good answers. However, usually the answers are these:

"1) Why can't you put them through to support?"

I can. Support is backlogged. They'll be on hold with them. That's why they're ringing me, because they're angry about being on hold.

"2) Why is your support phone line so poor they can't even answer a phone, which is their one, primary and sole purpose?"

Either there are not enough support staff (not my responsibility if I'm answering another phone), some are sick, some other customer has a major problem and they're fixing it, it's a time of day where support has ended because we don't run 24 hour support but I'm working late, ...

"3) What do you expect users to do when they can't get through on the line they are supposed to? Write you a letter to solve their support problems?"

Per the answer to 1, I expect them to wait on hold. Then, perhaps, send a letter to the responsible party (I.E. the head of support or their superior) complaining about having to wait on hold. They should not complain about that to me, as that's not my job and I can't do anything about that.

"4) Why are your sales staff - when they get a call and can't get even through to support themselves - not able to have the most basic of support functions available to clear your sales lines for what THEY are intended for. Even if this is a limited checksheet, filing a ticket direct to support on the customer's behalf, etc.?"

Because sales is not support. You don't hire sales representatives for their ability to support customers, because that's not their job. If there is a convenient page that they can give you, that's always nice to have, but many users will either refuse to read it or have a problem that is more complex. In that case, it is not the job of sales to support the systems. I also don't expect that a customer that calls the HR department will get IT help.

By assaulting a sales office when support is bad, you are punishing the wrong people. The people responsible for the problem, assuming that there is a problem, are not the people answering the phones. Those people are trying to do their job, and you are preventing them from doing that without any good reason. As fun as your autodial story was in a BOFH way, it's not the right way to deal with the problem you faced.

I think the point of the original post was more "You can't rely on a specific piece of hardware running forever" rather than "All hardware has the same lifespan". In that sense, that is correct. Software and hardware never had a miraculous period where it would run forever. Some systems will run a very long time, while others would fail quickly.

Re: I'm perfectly fine with minimal text and no images

You can use it fine with no images, sure, but minimal text? Usually, the main thing that helps me to decide whether the search worked is to read the summary text where my terms appeared. I can filter whether results are useful or just happen to mention my search term much more effectively with that than I can with the page title. I can also use that to identify pages that I've already effectively read, if the term was quoted in multiple places.

I also think it should not be possible to charge for linking to a page. That is antithetical to much of the web, and should remain so. I'm directing traffic to someone. If they want to make money on that, they should view me as a positive, whether I'm making money myself or simply thought they were a useful resource. I shouldn't have to pay for the privilege of telling someone they might find something else useful. I don't pay the newspapers if I suggest that someone goes and gets one to read a great article.

Re: Great

"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

Thanks for the compliment.

"1st party phone is a Google pixel"

That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.

"2nd party phone is a network SIM free phone"

Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

"There is clearly nothing wrong with Android if some models get these patches every month, and many do."

Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.

The only site I've seen that does respect it is, in fact, adafruit. Nowhere else has ever warned me about this tracking, and of course many sites are known to completely ignore it. So you can pretty much assume the answer to what sites don't respect DNT is (*.* - *.adafruit.com). You will unfortunately have to be more active than that to stop tracking, and I'm glad that someone is killing the thing because checking that box probably provided some with a false sense of security about the whole business.

Re: And we thought that Apple stuff was expensive tat

It doesn't compare well in price to Apple's iMac 5k; that starts lower in specs but also much lower in price. Then again, I suppose there must be people who want a 28 inch touchscreen for some reason, and Apple doesn't have that. I'm sure people have a reason. I don't know what it is, but it will come to me, maybe.

In the general scheme of things, both of these machines are much more expensive than will be needed by pretty much everybody. They price themselves out of consumer range, don't include enough processing power to run all the games that serious gamers want to play, and are too screen focused for the massive data processing people. I can see something like this being used by serious graphics users, but that's not a big market, and plenty of them have been satisfied with less.

Re: Re Good job Python isn't a syntax Nazi.

I agree, but sometimes you don't have that authority. I recently had to work with code where the writer (I don't know what is wrong with them, but something clearly is) had mixed tabs and spaces with *every* number of indenting spaces from 1 to 17 and several lines indented at random numbers above 17. This was C code, and the indentation didn't match up all that well with the brackets. Thankfully, this code was put under my branch, so I was able to thoroughly reindent the thing. However, I wouldn't mind something external preventing them from doing that to the code in the first place.

Re: Crypto-busting test case

"If an encrypted computer (I'm going to assume that means "encrypted data on the hard drive" in this case) is a ["]problem with a solution["][my statement], what is the point of encrypting any computer...?"

The point is to prevent data being stolen with a machine. If you were to rob me in the street today, you'd get my computer, but not the data on it. You could try some passwords, but it wouldn't get you in, and the security of my data would be intact. That's because it's not worth a ton of money to you. $190 million in bitcoin, on the contrary, is worth quite a bit to people, including to the people who run this company who could face some negligence cases if they don't get access to the thing. That makes it possible to invest some more resources into brute forcing passwords. For example, if the encryption is done using bitlocker on Windows, the passwords aren't super-secure*. It would be possible to brute force the possibilities of the default code if you had the inclination. For $190 million, the inclination is there more than for the random files I happen to have, and it is thus more likely to be attempted by this company than it is by a street thief who already has the main source of value, the hardware of my laptop.

*The default password for bitlocker is a 6-digit numeric pin. This machine could use a different system and/or a more secure password. This system could in fact not be encrypted at all. However, automatically typing in all combinations of digits is doable if you are willing to spend a couple of weeks on it, and other methods of trying to crack the password are doable too.