Posts by doublelayer

Re: poor tools can't be blamed?....sure, sure, suurrrrre

You're allowed to complain about your tools. You're allowed to say that a tool is not fit for purpose and require a better tool to complete it. What you aren't allowed to do is *blame* them, as in "It's not my fault it fell apart immediately after you got it. You should have seen this terrible vice I had.". The tool can be worse, but that leads you to have a worse time trying to build the result, not the result simply being of less quality.

That said, there is at least some argument for poor tools if the person concerned was made to do the job using the poor tool in the same time limit needed for the good tool. However, for programming languages, it is likely not that one is better or worse, but that one is better or worse for each specific coder and their experience.

Re: 19H1 (aka the Windows 10 April 2019 Update) is likely to hit in a matter of months..

That's the official name. Just as the 1809 update was called the October 2018 update even when it was delayed until November. I don't know who is setting the numbers or the names, nor do I know what the H is doing in that number now, but that's Microsoft's decision.

Given how many people have mobile phones, it would not be particularly difficult for a child to obtain phone numbers. They could easily get the student's number from their contacts, and with a little effort, gain access to their contacts using a number of methods. I think the risk of bullying is important, as it has proven difficult to prevent. I therefore suggest that we do our best not to make it easier.

However, let's consider some ways the access of these accounts could be abused by others who are not schoolmates. This is yet another source of data, and one that companies would not mind mining. Do we want our children to have their primary school grades analyzed or leaked? I think we can all agree the answer is no. There are many parents who obsessively check the grades of their children, but some of them* would not mind seeing the grades of other children for comparison. They could use this insecurity as an entrance. If we want to overthink this, there is probably a lot of personal information in this that could be used to socially engineer the child, too.

Children do not have much data on them. Their schoolwork can be a very personal thing. Some may divulge it to others, which is entirely their right, but others do not want their friends or anyone else to know all the details. I believe it is extremely important that it remain private to them and their parents. The worst-case scenario with a leaked phone number is irritating calls. This is certainly a thing to be avoided, but I can think of worse things that could be done with leaked educational data.

*Parents spying on students' grades: I know parents who do this, usually by "casually" asking students increasingly leading questions. It is not that many of them, but one is already too many and there is more than one.

Re: Great Read

Not so. The way that Tor hidden services work is complex, and I suggest you read about the details and complexities of it because it is intriguing. However, since you are on the Tor network and the .onion is as well, you don't have to go to an exit node. An exit node is only needed when you want to leave Tor onto the regular web again.

As for how to purchase server space without identification, it is a bit difficult for most hosting companies, but it can be done with cryptocurrency or with cash in a paypal account. You have to go to various places to make that truly anonymous, but it works. The mechanics are left as an exercise for the reader. If you do it wrong but think you've done it right, prison time may occur.

Re: Is everyone taking crazy pills?

That's not the alternative, or at least it shouldn't be the only alternative. The other option is that it works like any other electronic device; it continues to function at its speed but the battery doesn't last as long. You know, like every other phone or laptop.

I wouldn't mind it if they put in an option to underclock for increased battery life, which would be useful both as the battery became old and if there won't be convenient access to recharging for a while. However, I have to wonder what they did to their system that meant it would restart randomly rather than just deplete the battery quickly. That smacks of bad design to me, and the workaround, though perhaps not planned obsolescence, becomes a crutch for defective products. The other option is that they did have obsolescence in mind, and specifically designed it to break. I don't know which it is, but I think the former is more likely. Either way, they messed up.

Re: welp....

"Another - constantly berate your family and friends for how stupid they are and how little they value your time, [...] and you're there only because you cannot tolerate such worthless idiots accessing the internet without someone much more skilled there to take responsibility for watching over their actions [...] [t]hus guaranteeing you will have few people to worry about!"

Thanks for the suggestion. I think that sounds like a wonderful alternative to just not doing it and letting them decide whether they want the system.

If you think that is the attitude that we have, you are not getting the point of our posts. We are not saying that people lack the responsibility to run technology or use the internet. We are saying that some of them lack the knowledge necessary to maintain a self-run DNS server to block hosts themselves and possess other attributes that make support more difficult. Take my post, where I stated that my parents might easily manage to disable such a system in a way that would make it difficult. This is not because my parents have any specific problems. I greatly respect them, and there are many things they can do very well that I cannot do well at all. Unfortunately, Linux administration is not one of those things.

It is not because they disrespect me or my work that this would be problematic; it is because it is complex and I don't need to spend the large amount of time that I predict support will require. If I lived close to them, where I could quickly come over and repair anything, I would likely set it up if they requested. If I could be assured that there would be no hardware interference, I would also set it up. The reality, however, is that the system would probably be interfered with, and I would either have to spend a much longer time repairing it than it would take if I could do so myself, or the users would have to put up with the system being down for a longer time. That does not provide enough benefits to the user or to me as support for the system in that situation to be worthwhile.

Re: Inquiring minds want to know...

"An honest request for advice: how secure is this password? How great is the risk that I may have to spend a day changing my password on some 200 sites?"

This password is not secure. Actually, that's misleading. The password itself is probably fine, depending on length; I assume your name and date combination push the length up, and it is likely not used by others. In that, you're fine. Your problem arises because you use it on multiple sites. This is where it is bad, because it only takes one site to store it in plain text, hash it badly, or have someone persistent check a lot of combinations for them to break into all your other sites. If that happens, it is likely going to happen before you know that one of the sites lost their password database.

Some recommendations:

1. Use a password manager to not have to remember each password. Allowing that to create passwords will ensure that they are strong and unique to each site. You only have to remember the master encryption password to unlock that file. If you routinely have to log in on other devices with no access to yours or you mistrust password managers, you can go with another option, but this is really quite a good option.

2. Use your base, but include a site-specific component to your password. An important note, make this specific part difficult to identify; if it's just the name of the site, it won't stop someone for long. This isn't as secure, but it will protect you from a lot of things.

3. Periodically change the passwords. If you are going to have passwords that are insecure, make sure that they aren't valid for long. If it takes a hash cracker a few weeks to get the database and get your password from it, your password could have been changed before they can use it. Forcing password changes is usually a bad idea because it leads people to use insecure ones, but if you keep having passwords of similar security but change them often, you'll have better insulation against attack.

4. Be vigilant. Keep a list of sites where you have this insecure password system, and if you ever see that one of them is insecure or has been breached, change the passwords immediately.

Again, I'd really suggest using option 1 unless you have a specific reason you don't want to.

Re: The Joy of updates

The major privacy things are kept. After updates, I'd recommend a trip down to privacy/location/system services, though, as sometimes they change or rename them, which can be accompanied with a turning on where you have turned it off. The one that comes to mind was their thing that is now called significant locations, but used to be called something else. I think it was around IOS 10 when that was renamed and reenabled itself. Mostly, however, apple doesn't really change that many settings as compared to android, so you're probably fine.

Re: Who is to blaim for being taken by scammers?

So in any scenario where something bad happens to someone else, they did something wrong. At least, that is the case in a large majority of cases. Why did you open your door for the armed burglar? Surely you're intelligent enough to check the person at your door in some way before you open it to see them, right? Therefore, it's your fault if you get shot by a burglar. Is that the logic you're using?

Unless the victim knows the scam is coming and chooses to go through with it, which only makes sense if they are really a conspirator in the fact, they are not at fault. They could have done something better. They might be viewed as irresponsible and face consequences for it, for example not getting promoted because the company thinks they shouldn't be given any more responsibility, but it is not their fault that something negative happened to them.

Re: Webservers?

Quick answer: yes.

Long question: Why? You could run any OS with webserver in your VM solution of choice. You could exactly virtualize your server environment and share the network connection, thus having local access. If it is a server you don't mind setting up, you could also run apache and any other dependencies (definitely MySQL and PHP but a lot of other tools are supported) directly on windows. I've done it*, and setup is very fast and it works the same unless you have some specifically Linux backends.

*We needed an internal server. They put the windows image on a machine and put it somewhere I couldn't change it. What was I going to do?

re: There is no Refuse option available.

And when the site is not one that you can simply ignore? Sometimes, the site is one you are required to use. Either it is a site run by a business or governmental agency that you must use in order to fulfill some obligation, or in other cases it is the only site providing a necessary service. Other times, there are a number of alternatives, each of which has the same or similar cookie system. I have cookies autodeleted and do some other things to attempt to prevent this from being as creepy as it could be, but it isn't always possible to go elsewhere when these problems arise.

Re: Why are physical checks needed?

The tests were done in Vermont, which couldn't be measured fully because a lot of the areas are remote and rural. If congestion was the cause of these subpar measurements, the mobile companies do not know how to deal with congestion. These aren't metropolises we're looking at; the largest city in Vermont is Burlington with ~42000 people in it, and that is the largest city by 250%. Also, a challenge can't be made because an algorithm says the situation is bad, both because the FCC has set the rules to be much stricter than that but also because someone else could write a different algorithm to disagree. They were required to have ground truth, so they went and got it.

Re: All fine and dandy

But the major benefit of cloud is that it can be cheaper, conditions apply. The cloud providers sell economies of scale where your usage can be balanced against everyone else's usage to reduce the total amount spent on computing so you only pay for what you're using, as well as your risk of hardware problems which again reduces your cost. Otherwise, cloud doesn't tend to offer much more than you could do with your own hardware. There is a minor benefit in having geographically-distributed systems for faster access by people in distant locations, but this is rarely an issue of paramount importance. If cloud isn't cheaper, the only benefit that is distinctly relatable to cloud is scalability, but again, conditions apply. So many people either jump on the cloud bandwagon or refuse to use any cloud-related product whatsoever without actually looking at whether it is useful in the situation.

Re: "our next generation machine learning model"

I think you may be a bit overzealous in your defense there.

"Again, to be fair to Microsoft they are tasked with rolling out a global update for a user base who are 80-90% computer illiterate,"

Good start. I agree that this is a major problem for Microsoft's engineers.

"many of whom bought computers that were either built or upgraded by a 'mate who knows about computers' or the local back street 100% legal PC repair shop."

Some of them are, but most of them are using computers that were built by the companies that build or sell computers, using the software environment that those companies came up with. Dell, HP, Lenovo, etc. have much more market share each than custom-built machines, especially when considering users who are tech-illiterate. Those machines have many of their own problems, and a great deal of the driver or hardware problems experienced by users can be laid at the feet of those companies, but it is not fair to classify most windows machines as built with extremely weird components.

"Think about the chances of all them 'genuine NVidia GeForce Ultra cards for £30 on ebay' working after the update,"

I don't think those are going to work, but the kind of person who goes to eBay and purchases an obviously not-genuine graphics card is the type who should expect problems. The type who buys a computer from the computer store and has done nothing at all to the hardware shouldn't expect anything like those using counterfeit graphics cards.

"but they'll be the same 'know-it-all' teenagers that you'll see posting YouTube videos about how Microsoft programmers don't care and aren't listening."

Those people are probably not the ones complaining here.

"In short - the fact that Microsoft have a development team that can release this stuff without destroying the world more often is a minor miracle (and anyone who works in software development would agree)"

They are not as hyperbolically bad as comments here might lead one to believe, but they have had times where they didn't do what they should have (the initial 1809 deleting files thing, for example, was purely their fault and could have been fixed when the Windows insiders found it rather than after it deleted standard users' files).

"just ask which development environment is the world's best - Microsoft Visual Studio wins hands down - made by Microsoft developers for developers. (and yes I'm aware Eclipse is better for some use-cases)"

Personal opinion, not necessarily one I agree with, either.

Re: This is a nice goal

Perhaps an analogy would help. You are in a boat, which is leaking. The hull is weak, so new leaks are going to form soon. You could spend all your time patching every small leak you see. That is like going to each company and trying to stop them; it will help for a while, but it won't solve the problem. Bigger leaks will form, and you will sink. Instead, you should plug the leaks that are a major problem right now, but put as many people as you can on either strengthening the hull so the leaks stop or sailing the boat to a place where it is safer to be after your boat sinks. That would be like trying to pass legislation about the tech, either making it illegal to use or putting restrictions on it. You may have a lot of trouble actually getting that to happen, but a very low probability of something working is better than a guaranteed bad outcome after a delay that will probably not be very long.

Re: Safe reserves and efficiency

Couldn't they have tested this before they tested it on the moon by taking their small biosphere to Antarctica and leaving it outside? They could start when there is a lot of sunlight and then cover the solar panels if present to simulate the nightfall. If the heater can't survive a fortnight in that, it won't on the moon either. The transit costs would be much less.

I find this type of person to be really annoying, as they have found a bunch of domains that eventually someone will want and will only give them away in exchange for much more than most of them are worth. That said, they have the rights to those domains, and I don't. It's annoying because I want to buy them for less than the domain resellers want to get, but it is not as if they've done anything improper in obtaining them. If they disappear tomorrow, I'd be happy, but I would not do anything nor would I want anything done to them to take away the things they obtained in a completely legal way.

Re: highly skilled hacker

In constructing that malware, there was some work finding holes into the systems. Usually, the default passwords were helpful, but a lot of devices that were supposed to have things like web interfaces limited to local subnets or devices behind NATs and thus harder to find had security holes that nonetheless allowed access. UPNP was a major culprit here, though not in the least the only one.

Re: Recession ???

I want innovations. My phone is fine, and does the things I do with it perfectly well. For that reason, I do not need another, and the phones out there don't do anything new, so that doesn't tempt me either. If someone did come out with a phone that had new features, that might indeed tempt me into buying it. Some new features are useful. Phones with network connections were useful. Phones with touchscreens were useful. A phone with the capability to have a full sized keyboard with moving keys or a clever simulation thereof that still fits in my pocket would be useful. That's why they should innovate. It would cause people to drop their older devices and buy new ones much faster if the new phones did something useful that the old ones did not, rather than being a different size and having a camera with more pixels.

Re: A 'proper' use for the buttons

The "we built a light switch" use case for those is indeed really unnecessary. However, it does sound like you could implement many things with these if you were so inclined. It would depend on things like how long the button lasts on its batteries, how good its WiFi access range is, and what happens to it if I put it outside where things get cold and damp, but there are indeed some use cases I can think of for a network-connected button. That said, there are not that many of those use cases, because most of the time that I'm inside, I could do those things more easily with the computers and/or phones that are usually close to me most of the time. The main utility of the button that I can see is allowing someone to activate it from outside my house (for example when I'm not at home). Even then, it's not a real problem. It's not quite hammering nothing because I say there's a nail, but I should maybe find a screwdriver rather than using the hammer to get it in.

Re: Where he went wrong

Some possibilities:

1. El Chapo didn't want to figure out how to generate keys.

2. Admin wanted to have bargaining chips.

3. Admin wanted to turn El Chapo into police.

4. Admin didn't want to get into a situation where El Chapo has generated new keys and lost them, cannot access anything, and is getting mad. When El Chapo gets mad, people tend to die.

5. Admin didn't want someone else to be able to steal keys, because there could be many informants. If you do want to participate in a criminal enterprise and not undermine it, you can only trust yourself and the leader, so it's best to make sure anything important is done by one of you.

6. The admin did in fact do this, and reversed it in order to turn over the data.

7. The admin wanted to have some indication to the cartel that he was providing useful services, and thus that he should not be shot.

Re: Comparison

"Not being super clued up with the way my American cousins implement their particular flavour of democracy, I wanted to float an interpretation to see if I "get it"..."

The U.K. and U.S. do things very differently, so it's hard to make a parallel. Yours doesn't really apply.

"Is this essentially the same to us Brits voting some nutter into power (some party that is close to the far left / far right), and then when the nutter Government tries to pass the budget which has us spending £20bn on a wall the MP's don't let the budget pass? However spunking £20bn on a wall was in the party manifesto in which they campaigned on."

Not now. That happens too, but at this point, it's two different groups disagreeing. The most analogous thing in British politics is when two parties that are in coalition disagree or one party has a major split. However, even this is less antagonistic because the coalition implies that the parties did agree at some point on their policy, but have separated. In this case in the U.S., one side campaigned on the policy while the other side campaigned on not allowing the policy to proceed, both receiving enough votes from somewhere to get them a position of power. In this case, this happened across multiple elections because terms overlap, but it would also be possible under the American system to have something like this happen in one election. Each side feels it has a mandate to the voters that voted for them to provide for or block the policy. The people who are in charge can't pass the policies that they want because they lack the votes. However, in the U.K. this would usually lead to a vote of no confidence and another election. The U.S. does not allow that. The executive and legislature are independent, and neither can remove the other. So they continue to have a disagreement until someone changes their mind or they just ignore the topic and do other things. Or in this case, they choose not to do anything at all.

Re: Home users...check logs...

Separation is good, but why do you need your guest network to be open? I run two networks as well, but I just give the password to the guest network to any guests and don't change it so they can come back. I don't need to carry the traffic of anyone who comes along, either to have free bandwidth or, now that tracking is a thing, get accused of something done by a stranger.

Re: Free! For up to three collaborators!

"If you think taking physical media to people's houses is an acceptable form of backup, you've been very, very lucky to date."

The implication being that this is not reliable? Media in multiple locations prevents things from being damaged should there be a situation where the site and everything in it is damaged in some way such as fire or flood. You could be more protective of the data by having multiple disks to deal with mechanical failure, too. If you're doing it properly, why is this not a viable way to backup data in that way?

"I don't run my own generator, because even though my job requires electricity, it's much cheaper to pay someone else for the electricity they generate in bulk."

But I'm sure you or someone in your institution runs a system for backup power if the systems that get power are important enough. You could theoretically hire someone to have a bunch of generators and bring one to you, but having one there and knowing how to work it provides a lot of benefits.

"Similarly, I could find someone to "mind" a disk for me, but how is that really better than putting it in a remote data center that has a full-time staff that will look after it."

In many ways, it is not. For every option, you hae to look at the benefits but also the costs. For the datacenter, they include:

Benefits:

1. Someone is there to manage it, so it's unlikely to go offline.

2. They have good physical security, so it is unlikely that someone would break in and steal your data by taking the drive.

3. They manage a lot of data, so it is unlikely to be corrupted or lost by accident.

4. The datacenter is probably a long distance from where you are, meaning that you have more geographic stability.

Costs:

1. You may have to pay for its storage, depending on who is storing the data. If you're just putting your drives in someone else's house, you probably don't have to do that.

2. If some disaster does happen and the data doesn't come back online, you don't know where that data is, whereas you could locate and retrieve a backup you made yourself.

3. Various people you don't know may have access to the data because they run the system that stores it.

4. You don't know everything about the system, so it is possible that someone could break in using a vulnerability and steal it.

5. If something happens to the datacenter, you don't know if that system had backups anywhere. Depending on how their system works, your data may still have a single location even if it's spread across multiple physical devices in that location.

When you decide how you're going to store your data, you have to consider both sides of this coin. If you don't, you end up jumping to conclusions about what is better without having the required information to support the assertion. Both are viable options, and which to use depends on how the above points apply and how important each is in the particular situation.

Re: But why is it so complicated?

HTTPS can be circumvented by some MITM systems, but not by others. A company proxy likely has that built into it, but that's because the company can control which devices are connected to it and configure them to trust the proxy and to allow http traffic to be left unencrypted until the proxy. A MITM system on a standard network can't necessarily do that to you, because the browser will inform you that the traffic is now in insecure HTTP, that is if it doesn't complain more vociferously which some will do. So HTTPS is still useful against many attacks.

Re: 32GB HP Monstruosities

You can't get any modern OS to run on 128MB of memory and 2GB of hard drive space. Not even a modern CLI-only Linux will exist happily in that*. Yes, things have bloated, and Windows is one of those things, but everything has gotten bigger and uses more resources. Therefore, the 32GB/2GB spec is not sufficient for the use case of a workstation.

*CLI-only Linux on 128MB ram and 2GB disk: You can run embedded Linux images on this, but that's not the same. You can probably shove a trimmed-down image into those specs, but it will run terribly. Your issue will most likely be memory. Disk space is less of a concern because CLI packages are so small, but it probably wouldn't be that long before that was an issue too.