Posts by doublelayer

Re: How Can You Tell Without Opening it?

When the subjects are students, they only have one mail account, that being whatever account their university gave them. When at least one of the messages says it came from the university's IT department, that is a logical address for it to be sent to. Until you open it and inspect the headers and/or the content, you do not have a reason to know it's phishing from the subject line and the text in the sender column.

Re: C'mon .. it's 2018 - where do you find students with "no knowledge of phishing" today?

I wouldn't be at all surprised if most of those who bothered to take the survey were people who knew less about the topic. Among other things, I'd typically be wary of filling out a survey for people that just sent me phishing messages, researchers though they may be.

Re: SI

So what if we're on a different planet. The second does not need to change lengths. Whatever you change it to, the planets' days will still not line up, because you can't find a useful (or maybe at all) GCF of the rotations of every rock you decide to put something on. So your best option is to keep using the second, minute, and hour, because then at least you can speak of durations in the same way as people on the other planets.

Maybe for convenience, you could define a rotation unit for the planet you're on to speak of time of day when discussing with people on your planet. When dealing with anything not on your planet, you will need a standard calendar where absolute dates and times could be used. I don't see a date like "2345-06-07 08:09:10 Gregorian, local time 12.0000" as in any way problematic. It tells me the absolute date, allowing me to compare in nearly zero time whether this happened before or after some other event. Meanwhile, I know this occurred at midday, assuming they decide to stick with the concept of 24 sections of a day. If they don't want to do that, how about percentages for local time? That way, a planet with a long day will work perfectly well. 0% = midnight, 50% = noon.

And the second is perfectly defined using a seemingly random number of periods, because it is equal to the second we've been working with for a long time. Why redefine the second when almost nobody is actually using cesium to measure it? The people running atomic clocks can divide, while we can continue using all the standard second-based things we've used for a long time. Meanwhile, we've already limited this to running at sea level, so we can't avoid being arbitrary. For now, convenience. For later, simple utility. One arbitrary thing that prevents inefficiency is superior to two arbitrary things that require us to switch them. That's why we should stop changing our clocks twice a year.

Re: Sad case of science ignoring the evidence

They redefined the kilogram because we already know what the kilogram is. We know this with things that can actually be calculated easily in a science lab, like a specific quantity of a substance with a known density, measured under a known pressure. That isn't infinitely measurable, so it can't be used by the SI people, but they didn't need to investigate why the kilogram chunks had different masses because they knew why and they didn't need to find the one true kilogram because they knew what a kilogram is. They just needed a math problem to give the mass of a kilogram so everyone else in labs can keep measuring mass exactly the same way.

Re: Just a wee little point

It is the price of the pi zero with wifi built in, which I see as this model's main competition. That lacks plenty of the features of this model, but it does offer most of the ones wanted for running headless*. The processor is slower, which would be painful if using it directly or if it has a lot to drive, but it is very low on power usage, also has built in networking, the same memory, and can use the same hardware on GPIO. If you're using something running a GUI or using a bunch of processing, you're probably going to want the 3B+ anyway for the ability to use USB accessories. Similarly if you're going to attach this as networking equipment because ethernet will probably be desirable. For me, all use cases where I don't want either of these will be decided in the zero's favor because it is smaller and requires less power to run. Those can be critical.

*headless use of pi zero: set up the environment on something else so you can have a more convenient experience, then enable SSH and move the card over.

Re: This is good.

I, to provide the other side, am happy that the power decision was 5V over USB. This allows me to power it from batteries designed for phone use, which you can buy for quite cheaply and which are easy for nontechnical people to use. I can therefore carry all the pieces needed to run the pi in a small container, rather than having to solder a battery power system together. I'll grant that, in a situation where space is very constrained, a smaller 3.3V battery would be preferable, but I don't think that is very frequent. The main reason is that the raspberry pi, as great as it is on most fronts, simply does not run very long on a battery. Even the zero will run for only a day or two on a large battery*. For devices to be placed in a situation without any power, usually much more time will be needed. The small batteries that are easily shoved into a small space will not provide enough lifetime for an independent** system.

*Large in the sense of a USB battery for phone usage. There are some really big ones that will run a pi zero for a week or more.

**There would be advantages for some projects in having a pi run on battery for a period measured in months. Unfortunately, that isn't going to happen.

Re: I give SuperMicro the benefit of the doubt.

What action do you need to make you doubt the story? If your only reason for believing it's true is that all Amazon, Apple, and SuperMicro have done is to get grumpy and deny it, I don't know how far they can go. Do they need to sue to convince you? I don't know for sure, but I would believe the companies without some additional evidence. The chip seems borderline feasible, but I don't tend to believe things at that level of feasibility without evidence in the form of named sources, external confirmation, or ideally physical evidence.

Re: Why does the server need any details about the child?

It's not used for identification. It's used as a really creepy tracking device that places a location and audio tracker on the child. Creepy enough if the parents are the only ones with access, but now there is no restrictions on who gets access. Without the server, you couldn't call up the history of where your child has been or everything they said. I'd really prefer that you didn't, but if you want to, a server is needed (of course, there is no excuse for having an insecure one).

Actually, he hasn't used computers since the age of 25, and he is now 68. So he hasn't used computers for 43 years. Or in other words he's never used a computer at all and thinks this is logical.

They should know some things

A manager should have a working knowledge of the big components, not every detail. I wouldn't expect a minister of transport to know the different kinds of tarmac, but I would expect them to know that airplanes are machines that go into the air and land in another place, conveying their passengers and/or cargo to that destination, that pilots are the people who fly them, and that they are supposed to land only at airports. In fact, I expect anyone to know that. Ministers for transport should also know where they fly (I.E. where the airports are and how high the planes are when flying at cruising altitude), how they fly (in the sense of what is needed in terms of fuel, people, coordination, and equipment), and what restrictions there are on who, when, where, how, and why they fly. I wouldn't expect a minister for transport to be able to fly a plane, but if they asked "What is air traffic control", I would say that they are unqualified.

A cybersecurity manager should know what security is, and what poses risks to it. They should know what the internet is, and at least something about how it works and why this creates security risks. Otherwise, how could the manager decide whether to trust me when I say "I have a product that your office should purchase which will provide a completely hardened layer preventing people from breaking into connections over the gopher protocol." That's a thing a manager decides, and they need to know to throw the person making that statement out immediately as a scam. If you don't know that, or at the very least how to find that out quickly, you are unqualified.

Re: SE for me

I am also still quite happy with my SE. The problem is what I will do maybe three years from now when I finally break it. It will happen at some point, and it's already two years old. If apple aren't making a sanely sized model when this breaks, they've lost a customer.

Re: Lets hope

I don't think the disapproval is specifically about machine learning being used on health data; that's been done on anonymized data for years by academic and industry researchers, and is likely to continue. I believe the complaint is about google, which has not before proven itself knowledgable about health, as this isn't much related to their standard business model, but has proven itself to not be great at keeping any data private, even data that citizens and governments believe should be more private than usual.

Re: Build number?

There are three version numbers. The 10.[randomdecimal] one that doesn't matter, the build number, and the version number. The version number is 1809, even though that's the wrong number (see my post above for why it's wrong if you care which you probably shouldn't). You have the build number, which at least goes in order. So when that number goes up, the build is newer. Build 17134 seems to be the final version of windows 10 version 1803. So in short, it's crazy.

Re: A good update?

It's also just the wrong number. These 4-digit numbers used to be two digits from the year, and then the two digit month, which brought us such logical numbers as 1407 (July 2014), 1511 (November 2015), etc. Then they release a version titled the April 2018 update, which actually came out in May, and number it 1803. Hey, 03 means March, guys. From original release date and name, this should be build 1810, and from new release date, it should be 1811. Definitely not 1809.

Re: Security...

I'm going to have to disagree with you there. I'll grant that installing a binary that is untrusted is a security nightmare, because it has a great deal of access to the disk. The other side of that coin is that granting a web app access to the disk also lets them have similar levels of access. It may be sandboxed, but there are infinitely many security problems allowing things to exit their sandbox or run stuff inside their sandbox that affect things outside it, E.G. putting some malware in there and using the scheduler to run it. So don't allow anything untrustworthy to have access to your disk.

On this front, binaries have an advantage in that they can quite easily be loaded into virtual machines, taken apart, run through malware scanners, blocked by security policies, run inside custom sandbox products, and the like. Most of these things can't be done easily or at all with a web app. You can run it in a VM, but the code still knows where you are because it can require a network connection to start. Most other things in the list are completely impossible. What's more, a binary doesn't change itself, or if it does, you can find out. A web app runs the latest code that was pushed to you. That new code could be an update from the authors, the result of someone getting into the server, a result of someone changing the source for a nodejs component, or someone deciding the application doesn't need to exist anymore. This leaves a large landscape for injection of malware, and I don't want it.

In addition, there eventually comes a time where you need programs with disk access. When dealing with data, sometimes you want more than one program to be able to modify it. You use program 1 for some functionality, save the file, and use program 2 to do something different. Web apps are going to make that a disaster. For example, I give you the app mentioned in the article that compresses images. We already have a bunch of tools that compress images, and they can be quite fast. Does the web interface add anything to this process, even assuming it does the job as well as something using the GPU for the math? Somehow, I doubt it. A graphical program with access to the disk can make it really easy to do batch compressions. A command line program can allow scripting of the compression process. A web app can... it can compress images. What is the benefit?

Re: But surely anything better than an "app" for everything ?

They don't need their own apps, and that is quite disorganized. However, would I rather that they have multiple apps or multiple web apps pushed onto my device? I'll choose real apps in this situation. The reason for this is that these apps probably all provide GPS location capabilities to find a car for me, and push notifications to alert me when that car has arrived. A standard app can also offer other features that a web app cannot. So my options are having apps for this additional functionality or changing what a web app can do so it can have the functionality we already have.

Another issue that makes me choose native apps in this situation is accounts and privacy. If I'm doing this all with websites, I probably have to log in very often or let cookies and other data stay there forever. Apps don't need that, because they can store account details locally. Effectively, that's a cookie, but they are restricted to their own data so can't read other cookies that other apps have stored. I can also kill their app without affecting other things on the system in a way that is not as easy to do to a website.

I prefer web to apps in many scenarios. Whenever the system typically involves sending data to a remote location so they can do something with it, that's a case for web. An app is rarely needed for this. But when the app needs to interact a lot with me, both sending me information and conveying my responses to a remote system, I go for the stable and somewhat trustworthy native code rather than the everything-in-javascript dream of the portable web app.

Re: A paranoid mount option ?

We could make that run on a raspberry pi rather easily. If we don't let the standard interface run, it doesn't have any automatic handling for USB disks. Then we block acceptance of other USB devices at the device level. Our display would have to be mounted on the GPIO system, but a cursory check of the pi hat manufacturers shows several options that can do display, touch input, and power from the GPIO. We'd first check what interface(s) the USB device says it provides, and assuming it's only storage, we can grab details about the filesystem and the files on it. We should probably do a quick scan for suspicious stuff, especially windows executables and shell/batch/powershell scripts. This wouldn't help against a USB device that intends on physically destroying a machine, but I don't know whether someone is really likely to start handing those out, and at least only our USB tester would be vaporized. This isn't completely foolproof (for example, you could have an innocent-appearing storage disk that only mounts the malicious stuff after ten minutes) but it'd be pretty good against the typical threats. Should we build it?

Re: Can anyone tell me the advantage of face/print unlock?

I'd imagine that physically picking up someone's hand to get the fingerprint would wake them up. If face unlock works when their eyes are closed, however, that would probably be easy to do without waking them up. When security is included, a PIN is clearly the most secure option.

Re: Play Protect

I recently saw a similarly low-cost phone riddled with malware straight from the factory. Fortunately, it had been purchased by a member of my family for their young child, who could not figure out why it kept making a sound every five minutes though notifications were turned off and that sound wasn't even the sound for notifications. I couldn't figure that out either, but found enough malware that I saw it as my duty to confiscate the device, find a malware-free replacement in a closet, and remove the original from our collective misery.

For this device, the entry points of choice were a to do list app that had been installed in nonremovable fashion and of course the facebook app though probably only half of the malware in that was specifically facebook's fault. That thing was bashed enough times with a hammer before sent to recyclers. Die, unscrupulous android devices, die.

Re: A deadline ?

Well, I may not be able to beat you for age of old junk, but does anyone need a fully functional desktop system and accessories for publishing from, say, 2001 or so? I've got this tower with a wonderful pentium in there, a whole 256 MB of memory, and a 30 GB hard drive. It has USB 1 ports, though one is broken, and of course a slow CD reader that is the major way of getting data into it. Plus a scanner that uses a firewire 400 connection and weighs about sixty kilos. There's a printer, too, some inkjet thing that you probably can't actually get cartridges for, but it's still there. I plead not guilty; this is at my parents' house, and somehow I always get sidetracked though I've wanted to get rid of the thing for at least five years now.

Re: el kabong

Previous post asks:

"b) WHY was it turned into a 'Home' system because THEY broke something?"

That is just how their system broke. There isn't a good explanation possible, and I'm sure when they get around to having an explanation it won't be good.

"c) No PREVIOUS version of windows (to the best of my knowledge) needed any kind of continuous on-line RE-ACTIVATION process to "stay valid" d) what if you leave your computer OFF for MORE THAN A MONTH? Or, how about OFFLINE for MORE THAN A MONTH? e) what if it's a VM that you only run when you HAVE to? [I should test this after I back it up]"

As far as I know, having run an airgapped windows machine for a while (yes, windows 10, don't ask why), windows doesn't need to contact the servers for it to stay valid. It will continue to work. It is just that when updating, it does contact the servers and then assumes that anything they say is correct. So VMs or computers not used in some time should be fine. Computers that updated something in the past week probably aren't.

Re: Expecting test versions to not have problems is amateurish.

As the article states, this is a problem with production license servers and affects non-insider, NON-BETA, production users. Insiders noticed it first because they update a lot so they talk to license servers a lot. It can and has affected other users too, and is most definitely a problem.

Re: Just go Linux

For the record:

1. This applies to non-insiders. It is not beta code that broke, but instead Microsoft's production servers.

2. There are things that you can do in windows pro that you cannot do in windows home. People doing those things selected pro for that reason. If they are affected by this bug, it is more than a minor annoyance or some grumpy license notification.