Posts by doublelayer

Re: @tfb - Already patched in Slackware.

"It is not you alone that decides who is to be trusted and who's not, business has also a word to say."

Methinks you misunderstood the main point. The main point was that giving unrestricted root access lets everyone with that access do anything. The business wouldn't want that. Nothing was said about the admins making all decisions; instead the admins would be better implementing a security policy limiting users' access to run stuff with root privileges.

"Also, may I remind you the not so few cases in which a trusted sysadmin locked down networks and systems and denied legitimate users access ?"

And how did they do that? By running commands as root. So if you give ten times as many people unrestricted root access, you have ten times as many people who could do something like that. And your disagreement with the original point was?

Re: KPIs

And that's often because I know any score below a nine (or sometimes a ten) is seen as an indicator that someone has failed. Even though eight out of ten is pretty good, I know there will be a discussion about why there weren't two more points there. Maybe this will cause a lot of problems for the person concerned. Maybe they'll send me a dozen more surveys to try to extract the reason for my withholding those two points. And I succumb to laziness and just assign nines and tens if the thing was fine or above.

Re: And this means

"When the only upwards path is into management you end up with management by people who weren't recruited for managerial talent but could do the technical job"

Sometimes, but usually I find that if that's the case, the people who could do the technical job got promoted into management, and because they either weren't good at that job or just didn't like it, they left. So management is made up of some random people who actually like but aren't necessarily any good at management, while all the technical people who were good at the technical work left because they wanted to keep doing technical work. Meanwhile, anyone that gets hired and can do the technical job well will do so, but they see what's coming and they're just biding their time until a different job comes along.

Re: Good reasons for virtual currencies.

Well, the theory is that it's harder to commit fraud with a crypto wallet than it is with a credit card. With a credit card, they need a relatively short number which will authorize any transaction whatsoever. With a wallet, each transaction needs a separate signing with a private key, so you can't just steal part of the data traffic from a previous transaction and start making new ones. That's the theory.

In practice, we all know how that ended. If you have a great way of keeping the private key private and secure and not known by anyone and easy to get to but also not easy for you to lose, then you're great. Otherwise, you can still lose your money and now you don't have a way of getting it back.

Re: Satellite internet's a'comin

I just meant to reply to the thread, not a specific post. And while you could put a dish there, it probably won't have the ability to contact the satellite without a very permeable roof. I haven't tested this, but I doubt many houses will allow for it. Of course, the installation of equipment is just one problem that needs to be solved before satellite comms work as anti-censorship gear.

Re: Editing Docs from Email

That's dangerous. The user could edit the document, click the normal save button rather than save as, and have the file saved in the temp directory. And then you have to answer the question "Why didn't it tell me it wasn't saving in my folder?" If you make sure they know to save immediately, thus changing what document is being edited, there's less of a chance they will totally mess up what you said once you've left. Still a chance, but a smaller one.

Re: I Hope This Isn't True...

As a relatively young person (I have no problem making and receiving calls), I think the opinion of those who don't like to make calls is concern that the person they are calling will not appreciate the call because they are busy or unavailable. I'm not saying this makes sense; we all have a vibrate mode on our phones for a reason. But that's the reasoning I've heard from some people and those people tend not to make calls very often.

Re: Not sure...

Sorry, but that calculation is not sufficient. You're getting the combinations of 64 characters that can come from a set of 94 possibles. But since characters can be repeated, there are actually 94^64 options. However, since a 63-character password is not one of the set of 64-character passwords, it becomes that series I wrote instead. Either way, it's a bunch of numbers. But just in case you have access to the biggest hard drive and processor factory ever, make sure you check all permutations and all lengths lower than your limit or your rainbow table will have gaps.

Re: "I did not know that ARM actually prohibited adding instructions"

I don't think you understand what is being said. You are telling us that, if you request and parse the CPU ID before every questionable instruction, it would add a lot of overhead. When you say this, you are right. When you say this, you are missing the point. The ID is not retrieved and parsed before every possible instruction. It is retrieved and parsed (only if applicable), at the beginning of execution. Then, things are updated to use the proper instructions. The overhead is only incurred once, and that is a negligible time cost. You ask for examples of things doing this. I would direct you to nearly every program that uses one of the instruction sets that are widely supported but not universally so. Using my example of AES, look at disk encryption programs. They will do exactly this. Other extra instructions are frequently used conditionally by programs such as VM hosts or anything where the marketing includes the phrase "hardware acceleration".

As an example on how this is done, consider this pseudo-assembly, with AES acceleration as the example:

#function that does encryption in hardware:

run_cpu_aes_instruction parameters

return

#function that does encryption in software:

bunch_of_normal_math_instructions parameters

return

#main function:

encryption_function = do_it_in_hardware

//Note: I've written this like a variable. I do know about computers, so I know this would be implemented by storing a number in a memory location or register. I wrote it like this for simplicity of reading

Retrieve CPUID

Parse CPUID

if (CPU can't perform hardware AES):

encryption_function = do_it_in_software

#rest of program

In this simple case, the only thing that's changed is the value of the pointer encryption_function. The rest of the code merely jumps to it. In the real world, there would be more complexity because they'd probably write the code to avoid the function-calling overhead too. But I hope you get what we're trying to explain.

Re: If something is free, YOU are the product being sold

This is far too general. In some cases, it's simply not true. Plenty of software is released for free without expecting data or anything else of value. And, in many other cases, people pay for a product and have their data stolen regardless. To some extent, you could say that "If there are ads on it, you are the product", but that's not necessarily always the case either.

Re: It exists

And that's a very good store. But a lot of devs don't want to release their app as open source and do want to sell it. FDroid has support for neither of these desires. I nearly always check FDroid for an app before I'll go somewhere else, but it's almost by definition going to lack the apps of any corporate entity.

Re: Maintain the rage; it works!

I think that was because they really had no good excuse for withdrawing that app. This probably won't get changed just because people tell Apple that human rights are kind of, you know, important to them. I think they considered whether political freedoms were important to them a while ago when they implemented that change and they decided they didn't care all that much. Sadly, I cannot think of any large enough company in a better situation; all have terrible records when it comes to China, and many have other terrible records on similar issues.

Re: Flock of Seagulls

"I find it hard to get worked up about email hacking."

Then maybe you should think a little more about what email hacking lets you do. First, it lets you target specific people and look at their communications, including those that might be private. We're talking private because they contain sensitive information, not necessarily because they reveal unethical activity. For journalists, that might be the identity of a source. For Iranians living outside Iran, it might be the name of someone inside Iran they care about. For politicians, whether they are likely to support laws the hackers don't like. For a candidate in a campaign, the strategy they're planning to use to challenge their opponent. There's a lot you can do with that kind of information.

But there's a lot more you can do with an email. You can impersonate that person quite easily. You could of course have spoofed their address without having to access their mailbox. But with that access, you don't have to do that; anyone who checks thoroughly will still think the message came from their mail system because it did. Having read the messages they send, you can better imitate their style, making your message more convincing. And you can intercept replies to your message, hide them from the actual user, and reply to them at your convenience.

Have you considered that the more strenuous attacks you mention probably have an email attack as one of their components? It is always possible that [insert group of evil people] have found a device on the internet that they can access and it lets them turn the power off. Given the security of these systems, it's likely there exist a few things of that nature. But you still have to find them, gain access without arousing suspicion, and understand how they work. Meanwhile, it might also be a little useful to gain access to the email of one of the engineers of the company and watch for technical documentation. Now you know how the system works. If you don't have access to the system yet, the credentials you just stole from the email probably help. And if the system either doesn't have an insecure thing online or you haven't found one, your access to the internal email gives you the option to get some malware in. Many targeted attacks begin in just this manner. Usually, it's by spear phishing for credentials or malware installation, but then it immediately turns to email compromise.

If you can't see that email attacks can be quite dangerous, you might need to think about it more.

Re: re: Google Play Store

Nobody said there was a good alternative. Sometimes, we can say that "X is bad" without saying "We have a good alternative to X, and X is bad so you should use our alternative". In fact, we're often more vocal about it when there isn't a good alternative, because it's not easy to abandon the bad thing.

As for actual alternatives, FDroid is probably the best in that it doesn't have a bunch of malware on it. It also doesn't have many apps that the standard non-reg-reading user wants, because they want things from corporates who in turn don't want to open source their stuff. The Apple app store may have a bunch of problems around monopolistic practices, but they are at least much better at keeping out malware. Of course, that locks you in to using an Apple device, and those are getting far too expensive, so that's an option of tradeoffs. Another alternative is that Google get their act together and fix their store. Oh, sorry, I seem to have accidentally pasted in a line from this science fiction story I was writing.

Re: Did you ever bother to read Apple's statements for years....

It doesn't qualify as news? For one thing, the article clearly says that it's not clear what law is being considered. And for another thing, just because it is a legal move under Chinese law doesn't mean it's completely irrelevant; they can follow the law and we might still want to know. And given how many people have commented already, we clearly thought it was important enough to read the article. And for one last thing, just because it follows Chinese law doesn't mean we have to agree to it. Plenty of things that are legal get lots of disagreement. Frequently, that's the first step to having a law changed. Sometimes, it's just people who hold an opinion about what would be nice.

Deciding that something is "not news" is hard. If 1) it happened, 2) people care, and 3) it's unusual or new, it's news. Number three can be optional. In this case, 1) the app was taken down, I.E. it happened, 2) many people have proven that they find the story interesting enough to comment on it here and on other sites, I.E. people care, and 3) the app in question was an unusual one having to do with a protest and interactions with police and the decision to take it down was made on an unclear basis, I.E. it's unusual. It's news.

I think they can do two things, though only the first one is guaranteed to be available:

1. Check what ransomware strain was used and see if it's on a list of ransomware known not to decrypt. If it is, don't allow the company to pay. This can catch some old ransomware, but most strains that don't decrypt and are used nowadays are relatively new.

2. Try to negotiate with the people demanding the ransom for proof they can decrypt. This can be done by giving them an encrypted file and asking them to decrypt it. Anyone with the decryption key can decode that file and then the decryption key can be purchased with more confidence. Of course, only the nicest of ransomware criminals are likely to put that amount of effort in to gain the confidence of a victim.

In general, even with competent technical assistance, a ransomware attack can only be partially rewound by paying the ransom. Instead, get competent technical assistance now, create a backup system that works, and you won't need to pay the ransom at all.

Re: Surface?

According to the article, these devices are running standard Windows and Windows on ARM, both of which can run win32 applications. They're not making that terrible mistake again. I don't know how well ARM Windows can run these programs, and it's quite likely that certain older ones or ones that need lower-level hardware access will not work, but the devices should be able to run many of the traditional Windows programs.

Re: I wish the Internet wasn't so thoroughly controlled by the US

In practice, that couldn't happen. If the U.S. government decided for some reason to take control of IANA and reallocate all the IPV4 addresses to point to different places, let's look at what would happen. First, we would start with the question of why they'd do something like that. There isn't any conceivable benefit to messing with IP addresses because it would break lots of stuff. But we're assuming that they do so anyway. Immediately, the regional NICs would complain. Their word would be considered strongly by traditional IANA personnel, but we'll assume that the U.S. government has replaced all those people with people who don't care. Even in that case, the remaining NICs would probably immediately decide not to honor the new routing rules, and stick to the former system. The only country outside the U.S. that would be affected would be Canada, and I think their diplomats would have something to say about it.

There were stories of politicians saying that ICANN specifically should be made a group under the authority of the federal government. However, it was clear that they had no idea what ICANN did or any intention to change its operations. Instead, they merely heard a news story about the group gaining some independence and freaked out. Expecting technical knowledge from a politician is doomed to failure.

Another system you mentioned could be at risk is DNS. Here, however, you have little cause for concern. DNS is decentralized, at least enough that no national government can mandate changes. Many providers of root servers are based in America, but many others are not. Nearly every country TLD is administered in that country, excepting only the small countries who choose to outsource their domains for sale. The only thing that could happen is that someone in an international ISP would have to change the root server used by their DNS resolver. In addition, even the American DNS providers are private companies and cannot simply be told what to do without new legislation being passed.

Re: "run their Windows 7 desktops in Microsoft's cloudy data centres"

But there wasn't a system that allowed you to not hate everything while doing that. If using a CLI, it was just fine. When doing anything at all intensive in a GUI, there would be lots of lags as data got moved around. So computers were made self-contained. With increasing network speeds, it will be possible for people to do more work on a remotely-located device, already popularized by the Chromebook and cloud services from Google, Microsoft, and Adobe. We will have to see how long it takes for users to realize that their remote client isn't really saving much power for them and that it's sometimes really inconvenient to have all processing dependent on something located a few easily-cut network lines away from you.

I'm sure he didn't think about having to worry about an aerial scan for him, but I doubt he was completely disconnected from all people for seventeen years. For one thing, they didn't specify how he was getting food. It is theoretically possible that he hunted for it and that's it, but given the difficulty in doing this in an area near a large Chinese city and maintaining sufficient nutrition to stay healthy, it's probable that he had another mechanism such as entering a nearby location to purchase or steal food. So he could probably have learned of the existence of drones. If he had thought police would have used them to find him, he could have disguised his location or simply moved to another place, as the police could only find him after having a good enough idea that he was to be found in the mountains there. And that's another point that makes it less likely that he never saw a person for that time, as the police had to learn this possibility from somebody.

Re: Telegram

And both institutions have requested just this. So far, the law allowing them to demand it hasn't been accepted. They might have tried, but I doubt they succeeded in getting cooperation from the companies involved without a law. So when this law gets suggested again, make sure you argue vociferously against it..

Re: This isn't the first time

I don't know about the original example, but it is possible they were referring to the "Republic of Minerva". This attempt at creating an independent island occurred in the Pacific rather than the Caribbean. It's unclear whether Tonga already asserted that these islands (underwater islands, but islands nonetheless) were part of their country, but either way they took them by force and they are still recognized as Tongan territory.

Re: Interesting twist ...

I'll grant you that the tone is a bit harsh. It's useful to know, however, that the devices can be exploited, and probably more easily than they can be jailbroken, to brute force a decryption. IOS devices have for several years had a reputation, deserved or undeserved, for being hard to break into, and some people may have purchased them specifically with that intent. This exploit makes it straightforward to create a brute force device decryptor. I fully expect some company with ties to law enforcement will have made one pretty soon. It only remains to be seen which law enforcement we're talking about and how much we trust them.

Re: Naievete!

That may be true, but that logic could be applied to almost anything. It could be that vendor B has a better shipping system, which is worth the premium. Or that vendor A is unreliable and frequently drops orders. But without knowing that, our theorizing it is just an assumption. What we do know is that these prices are not logical; both your examples are in the normal price range for a patch cable while the one paid in the real case is not. Even if their choice was based on some factors as you described, they would have to be very strong to warrant the purchase price. Given the many available suppliers of such equipment, and the fact that they probably buy ethernet cable with some frequency, it would in virtually all cases be worth it to find a supplier who can deliver cable at normal prices.

Re: I remember when they used to say they were the good guys

I did. I'm sad to say so, but I did. It was in the 2000s. I was younger, prone to assigning things to good and evil boxes or at least along a one-dimensional sliding scale, and Google played right into the good box. They were developer focused, or appeared that way. They released a bunch of things as open source. They took action to make SEO less useful and keep search results relevant, and they succeeded quite often. When someone tried to break the internet with stupid legislation or proprietary standards, Google used their influence as a big tech place to inform the relevant parties that that would not be happening. I still don't know how much of their descent was already in action at that time, but I like to believe that they were once the way I remember them. It gives me some nostalgia while I remove more of their current tech from my devices.

Re: Why aren't you writing these articles slamming universities?

Your comment starts off reasonable. We have all seen subpar teaching in established universities, and we all know there are very good online teaching materials. I'll gladly agree to that.

And you then turn around and say that, because this is the case, all the material online is better than a university. That's just wrong. The course referred to in this article, for example, started off pretty badly in that it didn't teach the concepts people need to learn. And this guy doesn't get credit for useful code someone else wrote either; I'm fine if he chooses to teach from it, but he should properly credit the original authors and choosing useful Github projects does not a good course make. The internet has a bunch of information, and for every very helpful resource out there, there are at least ten pages with something outdated, incorrect, biased, or useless. Your all-or-nothing stance is misguided.