* Posts by doublelayer

9378 publicly visible posts • joined 22 Feb 2018

Actual control of Windows 10 updates (with a catch)... and more from Microsoft

doublelayer Silver badge

The screen-mouse will fail

Sorry, Microsoft, but your touchscreen trackpad system has no chance. Apple actually had a chance with their touchbar--sure, nobody wanted it, but they could ensure that all the Macs available would have it, that all the Apple software would make it useful (sort of, but at least it would do something), and that people who were doing development and wanted or needed a new Mac would have it available. You can't do that. The little touchscreen is going to cost money to make, so nobody buying their machines on a budget will have one. It has no business case, so people buying laptops for employees won't use one. The pad is now a selling point for the machines it's shoved into, and there really isn't enough use case for people to buy it. If you really want to see it succeed, start forcibly attaching it to all the models you can, especially the Surface. Then, you can actually say that [some large number] of these pads have been sold. However, don't assume that their sale means anyone's using them, because they're not.

Have to use SMB 1.0? Windows 10 April 2018 Update says NO

doublelayer Silver badge

Re: FFS microsoft

I think Microsoft has a point here. Never mind that the protocol was made insecurely; that was a problem before but it's just reality now and it has to be dealt with. Microsoft can't seem to get people to change from one protocol to the next version that is more secure just by making it available. SMB2 is twelve years old, after all. In that case, it may be needed to add an incentive for that to happen. Sure, it'd be nice if nothing ever broke and people only had to upgrade when they wanted new features, but that's not how software works.

A month ago, I found this old device with an ancient Linux kernel on it (version 2.6, proprietary interface on it) in my closet. I played around with it, trying to see if you could run modern stuff on it. The device had no package manager and no C compiler, but it did have various other packages and Python. So I tried to download some code from GitHub, and what happened? It wouldn't download because GitHub had instituted a security policy the browser didn't support. I'm not quite sure what it was. I think this is new enough to support HTTPS in general, so I assume it was a new version of SSL. So, technically, SSL changed its security policy in such a way that my device couldn't even browse the internet. Still, we want that kind of thing to happen because if we just left it out, we wouldn't have security. We'd have plain HTTP, and whatever version of SSL we started with. That version has become insecure, so we've canceled it. Security requires protocols to change. Sometimes, that means we can't use our Windows 2003 servers anymore because it's now 2018. In my case, it means my powerhouse of a 520mhz ARM processor from I don't know how old with its 64mb of ram can't be expected to go online anymore. Of course, if the hardware on which it was running was that important, we could always reinstall it with something modern. Sometimes, that's just how things should be.

VPNFilter router malware is a lot worse than everyone thought

doublelayer Silver badge

Re: "no software will be ever fully secure, sorry.."

I support open source. I don't want only one open source thing to exist. For example, I like Linux and support it, but I don't have a problem with BSD, nor would I have a problem with any other open source operating system. I'm fine that non-free OS are there too, but I don't like the theory so much.

However, if the choices are one open source thing or one closed source thing, I'm going to go with the open source thing, so long as they have similar features--I'm not going to throw away a modern and working product for some code written in 2003 and not maintained. The reason is that, when something terrible happens to it, there are many people who will work on making it work again. If, for example, we had a situation in which everything in the world ran under the same version of Linux, thus making it possible for someone to attack it all and take it down, I feel more confident that someone can get it back up than if it was Windows running everything. Neither should be allowed to happen, but if something open source fails, you need to fix it yourself or someone who also uses it needs to fix it. If some closed source thing fails, the people who made it have to fix it, which breaks if the people don't want to, are not available, are busy, or have lost data they need for the task. So, no, I don't want open source dictatorship, but yes, I do tend to trust such software a bit more.

Stop us if you've heard this one: Adobe Flash gets emergency patch for zero-day exploit

doublelayer Silver badge

Adobe, you made a mistake

"The Photoshop giant said today its Flash Player 30.0.0.113 update should be a top installation priority for Mac, Windows, and Linux systems."

Adobe, I'm sorry I couldn't come into work today. Evidently the person you had making press statements hasn't read my playbook. The quote should have resulted in this excerpt from the article:

"The Photoshop giant said today its Flash Player 30.0.0.113 update should be immediately installed over any older version, and then both it and all related versions should be permanently purged from the user's computer. This is a top priority for Mac, Windows, and Linux systems."

I'll be back to work after the weekend. Please put this statement out, however, as it is quite urgent.

Hey, Mac fanbois: Got $600,000 burning a hole in your pocket? Splash out on this rare Apple I

doublelayer Silver badge

Re: Did the Reg really ...

I think they're just of the opinion that an Apple I that won't be useful in any way and may not actually work at this point isn't worth the money. That's not the same as saying there's something wrong with the auction. Frankly, although I'm interested in old computers and wouldn't mind physically owning some of the more famous models to play around with the hardware, I would not pay very much at all for them. Also, I'd probably get bored rather quickly and then seek to get rid of them again because they're useless for real computing and probably a lot heavier than I, who grew up in the laptop era, would assume.

You know what your problem is, Apple? Complacency

doublelayer Silver badge

Re: Just more BS

They did come up with the iPad size first. However, the first touch product they released was the iPhone. The iPod touch was released after the first iPhone, so it was more that they removed the phone part and made the iPod touch.

doublelayer Silver badge

I certainly hope so

While I don't have much of a problem in iOS (a result of not using most of the built-in apps at all), the last few Mac updates have been terrible. I have seen nothing good since El Capitan--I still run this when I can. They've been breaking things, dropping support left and right (no, I'd not like to pay you again for the next version of the app I just bought when this version still runs or at least would if you hadn't put a kill switch in it), and it is filled with security holes and UX failures. Frankly, I'm usually good with every release focusing mostly on reliability--you can choose a system that does 100 things rather badly and has a chance of blowing up and hurting someone or a thing that can do 70 things well. I'm usually team 70.

However, I did see this nice part of the article:

"Google is still troubled by the fact the installed base lags far behind the latest code, "

Whose fault was that, Google? You see, Apple gets to update all their stuff because they made it; that helps them. But you don't see that many people having trouble updating their Linux machines, and Windows updates can be run on hardware without having to throw it away and buy another one [1]. Maybe, if you thought of that, you could have put some basic rules into the Android system deployment guide such as "your add-ons have to sit on top of the OS so it can be updated", "you are not in control of the OS and everything on it in perpetuity", and "security updates come from us and you don't have the right to block them, nor the possibility of just doing it by uncaring accident". If you had done that, I'd have Android as a viable platform.

[1] Windows updates install well on all computers already running Windows. This offer valid only if the computer is functioning and undamaged. This offer is also only valid if no programs were installed to the Windows folder, no registry entries were edited, group policies changed, command prompt sessions initiated, unsafe sites browsed to, non-Microsoft software installed, user files placed outside user's directory, Microsoft software installed, settings changed from default, computer isolated from internet, files stored on internal disks, computer connected to internet, or keys pressed. However, if these conditions are not available, Windows updates are still available to those users who are willing to take the risk. Sometimes they work.

US govt mulls snatching back full control of the internet's domain name and IP address admin

doublelayer Silver badge

Yay choices

So, we have option 1. Option 1 is that ICANN remains independent from governmental control. It is free to mess things up as comprehensively as ever. That's not good. Let's look at option 2. Option 2 is to give it to the U.S. government. Those in charge now have less knowledge, and it's being championed by politicians with next to no knowledge about what it even does. Not to mention the fact that having it explicitly under the government will intensify the calls of nutcase nations to go with option 3: put it under the ITU. Can we have option 4, please?

Loose .zips sink chips: How poisoned archives can hack your computer

doublelayer Silver badge

Re: Another deja vu?

No, this isn't a zip bomb. Those are zip files or other archive files that decompress to a bunch of data. Sometimes they are also recursive so they decompress to multiple copies of themselves. The goal of an archive bomb is making the system run out of resources: memory or disk if the zips expand to a lot of data, processor if they are recursive. Thus, the program running them will crash or run into problems.

This file wouldn't cause a crash. Instead, it would write files to a location that isn't planned. For example, imagine that you unzip a file on Windows in c:\Users\me\extract. Normally, all the contents will be under that folder. The zip file, however, can be constructed so that it also decompresses to c:\windows\system32\explorer.exe. This overwrites it with a different file that contains malware, and now running the formerly trusted explorer process will infect the system. The zip is not meant to crash the system, but to infect it.
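The containment check an extractor needs in order to refuse the kind of archive described in the post above, as an added example that is not part of the original post. The function names, the sample entry names and the refuse-the-whole-archive policy are assumptions made for illustration.

```python
import io
import os
import tempfile
import zipfile


def build_archive(entries: dict) -> bytes:
    """Build an in-memory zip from {entry_name: bytes}. Used for constructed samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def resolve_inside(dest_dir: str, member_name: str) -> str:
    """Return the absolute path an entry would be written to.

    Raises ValueError when that path falls outside dest_dir, which covers
    '..' components, absolute names, and symlinks already present under dest_dir.
    """
    base = os.path.realpath(dest_dir)
    # Zip names use '/', but an extractor on Windows also honours '\\'.
    normalized = member_name.replace("\\", "/")
    target = os.path.realpath(os.path.join(base, normalized))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"entry escapes extraction directory: {member_name!r}")
    return target


def safe_extract(archive_bytes: bytes, dest_dir: str):
    """Extract only if every entry stays under dest_dir.

    Returns (written, rejected). If any entry is rejected, nothing is written:
    an archive carrying one escaping name is treated as hostile as a whole.
    """
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        plan, rejected = [], []
        # Pass 1: validate every name before touching the disk.
        for info in zf.infolist():
            try:
                plan.append((info, resolve_inside(dest_dir, info.filename)))
            except ValueError:
                rejected.append(info.filename)
        if rejected:
            return [], rejected

        # Pass 2: all names are contained, so write them out.
        written = []
        for info, target in plan:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
        return written, rejected


if __name__ == "__main__":
    # Constructed sample: one ordinary entry, one whose name climbs out of the folder.
    sample = build_archive({
        "docs/readme.txt": b"hello",
        "../../outside.txt": b"should never be written",
    })
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "extract")
        os.makedirs(dest)
        print(safe_extract(sample, dest))
```

Python's own `zipfile.extractall` already sanitises entry names in a comparable way; the check is spelled out by hand here because the overwrite described in the post only works against an extractor that joins the entry name onto the destination without it.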

Clock blocker: Woman sues bosses over fingerprint clock-in tech

doublelayer Silver badge

Re: elDog

A salted hash of a fingerprint, if feasible, would still be an inadequate safeguard. The reason for a salt in a hashed password is to protect large groups of passwords and insecure passwords. The salt, because it is different for each password, means that people can have the same password without that being obvious in a data dump. The salt also makes it less likely that the hashes can just be looked up in a list (a rainbow table). However, if I have *your* salted password and the desire, I can break it. The difference between salted and unsalted is that my work is significantly less useful for breaking into others' accounts after I got into yours.

Fingerprints can be hashed; I hope that happened here. I'm not sure how feasible it is to salt one. In strings, some random chunk needs to be dropped into the string somewhere. Either the fingerprint data needs to have other data added somehow, or the model needs to be serialized and data added to that. If data is added in a fingerprint, it appears to me that that might affect the reliability of a scanning process, producing either false negatives or ways to authenticate with partial prints. If data is added to a serialized string which fits a specific pattern, it would probably be a bit more evident and therefore easier to remove.

Finally, the security afforded by salted hashes is not intended to protect passwords forever. It is meant to limit damage and increase the lead time for an attack, hopefully long enough for the compromised credentials to be identified and revoked. Fingerprints can't be changed. A leak of such data can be used in a number of nefarious ways. Therefore, the distribution of biometric data or data used to represent biometric data is necessarily more dangerous than passwords or hashes.
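The two properties of a salt described in the post above, measured in a small password-storage audit; this is an added example, not part of the original post. The user names, passwords, wordlist and the reduced iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os

ITERATIONS = 1_000  # assumption: kept low so the demo runs fast; production values are far higher

# Constructed sample data: two users share a weak password, one has a strong one.
SAMPLE_USERS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "correct-horse-battery-staple-7731",
}
WORDLIST = ["123456", "password", "sunshine1", "letmein"]  # constructed audit list


def unsalted(password: str) -> bytes:
    """Plain digest: equal passwords always give equal hashes."""
    return hashlib.sha256(password.encode()).digest()


def salted(password: str, salt: bytes) -> bytes:
    """Salted, iterated digest: the result depends on the per-record salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store(users: dict) -> list:
    """Create one record per user, each with its own random 16-byte salt."""
    records = []
    for name, password in users.items():
        salt = os.urandom(16)
        records.append({
            "user": name,
            "salt": salt,
            "plain_hash": unsalted(password),
            "salted_hash": salted(password, salt),
        })
    return records


def audit_unsalted(records: list, wordlist: list):
    """One precomputed table serves every record: cost is len(wordlist), once."""
    table = {unsalted(word): word for word in wordlist}
    found = {r["user"]: table[r["plain_hash"]] for r in records if r["plain_hash"] in table}
    return found, len(table)


def audit_salted(records: list, wordlist: list):
    """No table can be shared: each record's salt forces the guesses to be redone."""
    found, hashes_computed = {}, 0
    for r in records:
        for word in wordlist:
            hashes_computed += 1
            if hmac.compare_digest(salted(word, r["salt"]), r["salted_hash"]):
                found[r["user"]] = word
                break
    return found, hashes_computed


if __name__ == "__main__":
    recs = store(SAMPLE_USERS)
    # Shared password is visible without a salt, hidden with one.
    print("same unsalted hash:", recs[0]["plain_hash"] == recs[1]["plain_hash"])
    print("same salted hash:  ", recs[0]["salted_hash"] == recs[1]["salted_hash"])
    # The weak password is still found either way; only the amount of work differs.
    print("unsalted audit:", audit_unsalted(recs, WORDLIST))
    print("salted audit:  ", audit_salted(recs, WORDLIST))
```

The salted audit still recovers the weak password for each record it is aimed at, but its cost grows with the number of records, which is the damage-limiting effect the post describes; nothing comparable is available for a credential that cannot be rotated.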

Uh oh! Here's yet more AI that creates creepy fake talking heads

doublelayer Silver badge

Again?

When will people realize that building dangerous stuff for no reason other than "I wonder whether we can" is a bad idea?

Microsoft commits: We're buying GitHub for $7.5 beeeeeeellion

doublelayer Silver badge

Re: Hmm...

It is dangerous to refuse to trust someone on the basis of not having a LinkedIn account. Their account is likely to have exactly what you already have--their resume, their references, and some contact info. The one thing that LinkedIn has that they didn't give to you is a list of many people they know, knew at one point, or who sent them a connection request when they thought "Oh, I recognize that guy". If you're going to look through that list with the hope of recognizing someone and asking them, you're going to a lot of effort for little reward. Any person with something to hide isn't going to hide it in their LinkedIn profile; it won't be there at all. If you need to find it, more serious effort will be required. I have a LinkedIn account, but not for getting jobs. I assume that my qualifications, my performance in interviews, my open source contributions, and my references will be considered. Trust me, there is no other information in my LinkedIn account that could help you. I have my LinkedIn account so that I can find a job there, so that people looking for someone might see the profile, and because they haven't managed to spam me enough for me to shut it down.

Internet engineers tear into United Nations' plan to move us all to IPv6

doublelayer Silver badge

I sympathize with your frustration with the veto, but I'm afraid it is basically required. The existence of veto rights for some nations reflects the reality that they can basically do what they want, ignoring the U.N. If the U.N., now minus its veto capacity, were to pass something that went against the wishes of the U.S., Russia, China, etc., U.S./Russia/China would cheerfully ignore it. I hate that this is the case, but a mechanism that can decide things and kind of get them started as long as U.S., U.K., France, Russia, and China have no problem with it is better than a system that can't do anything at all. As I see it, your choices are about 0% functional and about 0.7% functional. If someone can create a 1% functional or better, I'm all ears.

A Reg-reading techie, a high street bank, some iffy production code – and a financial crash

doublelayer Silver badge

Re: QA's fault @Phil

The code "if (a = 3)" is not valid. If statements take a boolean condition. a=3 returns an integer (in most languages). Yes, C will read it and interpret it as a boolean because C will do anything you tell it, no matter how obvious it is that it won't help, but it's a type clash and the more intelligent compilers/interpreters will notice it. You could argue that a loop that always sets x=[iterator] is incorrect, because the end value will always be the latest iterator, but you can't always know that. Even if that was the only code involved, the compiler would have to know that op= (set) is a function that has no side-effects while any other function might. If the loop actually read anything as advanced as or more advanced than

foreach account in list {
    exposure=account.exposure();
    total_exposure+=exposure;
}

then the compiler would be out of luck. Maybe calling exposure on an account does something. No code to remove, no warning to give.

doublelayer Silver badge

Re: explicitly code a loop?

Sure, running sum(list) is fine, if you already have a list. However, consider that the data might not have been in a list, such that the code actually looked more like:

foreach (account in accountsList) {
    (login,password)=db_login_fetch(account);
    account.access(login,password);
    exposure=account.exposure();
    total_exposure+=exposure;
}

Sure, you could rewrite it. The other option, using sum, looks like this:

exposures=[];
foreach (account in accountsList) {
    (login,password)=db_login_fetch(account);
    account.access(login,password);
    exposure=account.exposure();
    exposures.append(exposure);
}
total_exposure=sum(exposures);

The code is longer. It requires more memory (perhaps quite a bit if there are lots of accounts). This code is assuming a nice list data structure with its own append function and memory management. If this is C, that's more complicated. Storing in a structure takes a bit more time, and it will be thrown away immediately. You can also mess up this code by mistake, as well. This would have prevented the += problem, but it doesn't prevent other problems.

I don't think this is really important; given that the data was in the form of numbers, adding them up or summing a list would both be very basic. However, if I had a different type of data that took more memory, was complicated to "add", or could take a while to access, I would prefer incremental addition rather than a list collection and subsequent summation.

Samsung loses (again) to Apple in patent battle (again). This time to the tune of a mere $539m

doublelayer Silver badge

I don't care

They are fighting about phones that are nothing like the phones they have now, which, incidentally, are once again very similar--similar design choices, similar features, similar ridiculous price, there isn't much difference really. I don't know where this will end, but I am quite sure that I don't care where it ends. I can be glad that I am not on that jury, because that has to be boring.

Zimmerman and friends: 'Are you listening? PGP is not broken'

doublelayer Silver badge

Re: they are right

While I get that the comment was a bit slanted against Microsoft, Microsoft was specifically mentioned to have an insecure client for this, and they need to fix it. In the interest of balance, I hope Apple, Mozilla, and Microsoft all fix their clients immediately. Oh, and anyone else who is vulnerable; that's just the group mentioned in the article.

Tufts boffins track device location without GPS or towers

doublelayer Silver badge

Re: "Offloading positioning to the devices makes it . . ."

I can't wait till another group of researchers uses this to prove that you can mess the positioning up enough to cause navigation systems to mess up. I assume it won't actually happen, but just imagine a ton of evil devices on a road all sending out their actual location shifted left by five meters.

Satnav: "You need to be in the right lane now."

Driver: I think I'm already there.

Satnav: Move to the right.

Driver (requires brain cell shortage, so we know that won't be a problem): *drives into lake*

Satnav: "You need to move even more to the right now. You need to be in the right lane for this next turn."

Although it's actually more likely that people use this mechanism to crash drones.

BOFH: Their bright orange plumage warns other species, 'Back off! I'm dangerous!'

doublelayer Silver badge

Re: Hazard creation

A building I frequently walk through has a group that specializes in placing wet-floor signs in the worst possible locations. I think I'm pretty close to knocking my hundredth one over. My favorite is the one they place right at the top of the stairs, on the side you walk down. Instead of moving it about three inches to the right, where it would be up against the banister and basically impossible to topple, they've placed it where people frequently knock it all the way down the staircase. So far, nobody's gone falling down after it, although I do believe the falling sign has hit prospective stair climbers on various occasions.

Microsoft gives users options for Office data slurpage – Basic or Full

doublelayer Silver badge

Re: Dear Microsoft

"Google has some really, really useful services: maps, digitised books, search, mail and lots more - alternatives for some, not for others."

I agree for search and mail to some extent (I know we'd all like to have a personal mail server that we control entirely, but it's expensive and complex), but there are a lot of GPS solutions that work quite well. Google Maps may be popular because it comes by default on Android phones and can be installed on iOS for free, but Apple has their maps for iOS not to mention the many satnav providers. I use a GPS app whose main asset to me was that everything was offline (I have a 3gb per month data cap, so that's useful), but now it also has the benefit of not sending data to people. I've never actually gotten any use out of Google Books. Every time I've looked for something, Google gives me a paragraph and tells me the rest isn't available. Either it is, but only if I purchase through Google Play, or they have the book but I can't have it.

Welcome to Ubuntu 18.04: Make yourself at GNOME. Cup of data-slurping dispute, anyone?

doublelayer Silver badge

I can't figure out exactly what Ubuntu is going to do with the data they have. We all know what that data looks like; it's a list of pretty much all the Intel and AMD processors released in the last eight years with quite a few from before that. The ram table: 512mb, 1gb, 2gb, 4gb, 6gb, 8gb, 12gb, 16gb, 24gb, 32gb, 48gb. I'm sure it'll be fun to see how many people are running it on something really old (They would see an Intel Core 2 Duo P8600 for an old backup machine from me if I wasn't still on 16.04), but how is that going to help them? They could go to a lot more effort to figure out what users want by involving them directly.

Fella gets 2.5 years in the clink for coughing up cell numbers in $50m junk text message scam

doublelayer Silver badge

Re: Monero...

"Third world doesn't denote poorer living conditions. It was the stance taken during the cold war."

Perhaps it was. Now, the terms have been redefined:

First world: Countries with high levels of economic activity and generally high living conditions.

Second world: Term is no longer used.

Third world: Countries with generally low levels of economic conditions. Sometimes also countries with low levels of political freedoms, although less often used this way. People never seem to put China in this group, for instance. Maybe they get to be in the second world?

Fourth world: The same as third world, but used when someone wants to make a rhetorical point that these countries are even worse than "third world" ones.

Definitions change.

doublelayer Silver badge

Why was this guy even needed

I get that this guy stole the numbers and everything that happened afterward makes sense, but why couldn't the company running the scam just find a lot of numbers anyway? Is it really that hard to look up lists of numbers, or even use a dialer to find some? Is a list really needed? Also, why don't we just get rid of premium-rate texts? I don't think we need them.

Advanced VPNFilter malware menacing routers worldwide

doublelayer Silver badge

Re: excuse me!

I get that they're suggesting that people who might have been infected reset to wipe it out and then reestablish the latest firmware, but if people actually did that, almost all of the devices could be re-attacked in short order and they would all have to reinitialize their networking. No thanks.

Senator Kennedy: Why I cast my Senate-busting vote for net neutrality

doublelayer Silver badge

Re: Not a problem

In principle, I agree with you. However, there is a case to be made that, even with an actual market, ISPs shouldn't be allowed to intentionally block or limit access to services. Otherwise, you could deal with a situation where eight companies (let's call them A through H) offer services in an area, and each of them bolsters their only partial hold over the market by also having a video platform, as many American service providers do. They don't like each other, so they all block each other. If you want to watch video on A's network and C's network, you can't just buy service from A and then pay for C's video, as A will block it. Instead, you could either buy service from them both or hope that someone else will unblock if you pay enough. I wouldn't want to deal with the plans they make available, each with a different set of sites that work, sites that lag, and sites that you just can't get to. They already make it hard enough with the different plans for how much data you can use, what speed you can expect, and how much you're going to pay. Don't add more complexity, because that gives them more control.

'Facebook takes data from my phone – but I don't have an account!'

doublelayer Silver badge

Re: What Better Reason to Buy ZTE or HuaWei?

Would that it were so. However, while I can't speak for Huawei, I have seen two ZTE phones purchased by family members. Both had Facebook installed by default. Fortunately, on one it was possible to disable it (though not to uninstall it) without rooting, and the other phone was dropped and damaged so I threw it away. Don't assume another country is far enough away to avoid these parasites.

IPv6 growth is slowing and no one knows why. Let's see if El Reg can address what's going on

doublelayer Silver badge

Re: Simple explanation

Ok. This will get a bit of a reaction...

IP addresses are never going to be simple. They are big numbers. The same reason we don't memorize phone numbers for everyone and every takeaway we know means we won't memorize IPs for all the websites we visit or even all the systems we run. However, we do memorize some phone numbers, and some IP addresses. Because they are shorter and have fewer rules, the relevant IPv4 addresses are easier to memorize. 127.0.0.1 is localhost. 10.0.0.0-10.255.255.255, 192.168.0.0-192.168.255.255, and 172.16.0.0-172.31.255.255 are private space. I didn't have to look that up.

This has a certain level of convenience. I've been trying to get an OpenWrt device to make a range extender for a network, which I haven't done before and evidently it's not as easy as I thought. I've entered the address 192.168.8.1 a lot today, because that gets me to the shell. I've also entered the address 192.168.1.1 a lot, because that's the shell for the actual network. And sometimes, I have to disable DHCP on this device, meaning that I have to set my computer's IP manually. 192.168.8.2 is rather easy to enter. Like it or not, if I have to remember that the shell can be accessed at 29a0:37e9:0103:::382:011f:1, it will take me longer to figure this out and I will be more annoyed at the end.

In my mind, this isn't a reason to ditch IPv6. However, you can't deny (or actually I assume somebody can) that the addresses are easier. I can convert hex just fine, into binary, octal, and decimal. That's not the problem. The problem is that IPv6 requires me to memorize the whole number, which is a long number, whereas for IPv4, I basically only have to memorize "8". The 192.168 part never changes, and of course the network device is .1. For the same reason, I have memorized the IP of a site I use for ping tests. I never actually use the site or type the IP, but I can use my coincidental memorization of its address to say "Oh, DNS is working." I also know my personal VPS's IP address, although I definitely don't need it.

doublelayer Silver badge

I think I know why

I think the reason IPv6 isn't being adopted fast enough for the observers is that networking is irritatingly complex even under IPv4. Equipment needs to interoperate using a large set of agreed frameworks, and all of them need to work. Therefore, once some system has it working under IPv4, the general sentiment tends to be "not again". Other than running out of address space, I can't see much of an incentive for most groups to go to the effort to switch.

This has been my experience--I'm not against IPv6, but I know that if all systems were to switch to it, I would start getting calls from my family and friends to come and fix things, and most of the time, I don't know how to fix things with major networking problems such as this. My main experience hasn't been with networking, so even when I get a shell on some piece of embedded Linux-based thing someone bought, I'm not sure how to turn the access I now have into a functioning device. There is only so much turnover so that we can just say "throw it away and get one that has been updated". Usually, that's not a good answer.

Router admin? Bored? Let's play Battleships using BGP!

doublelayer Silver badge

Re: Would you like to play a game?

You can do that. There are only 32 pieces, 5 bits, and a move can be encoded in 11 (piece, new location x, y). The remaining five can be used for "illegal move", "check", "checkmate", "withdraw", and "good move, my friend".

Summoners of web tsunamis have moved to layer 7, says Cloudflare

doublelayer Silver badge

Please, not a captcha

To anyone out there considering this, please don't make this based on a captcha. Those things break too often. I'm tired of fighting with them, either so they'll work when being run on something mildly unusual, so people who have difficulty seeing things can try to use the audio one (if even provided), or so the provider doesn't decide that, since they are seeing us try a few times, we must be a bot and should be blocked. Captchas are evil things.

10 social networks ignored UK government consultations

doublelayer Silver badge

Re: Is there something which..prevents these people..understanding how the internet functions?

>Or as someone else put it "I can explain it for you, but I can't understand it for you."

I wish that was true. Unfortunately, I'm currently taking a break from trying to understand why these network devices don't want to talk to each other, which I am doing so the people who own said equipment don't have to. Once it starts to work, I can but hope that those people don't find a way to break it again, because they're definitely not going to understand it then either.

Xiaomi the way: Hyped Chinese giant begins its battle for Britain

doublelayer Silver badge

Re: Xiaomi diversified into making TVs, a fitness band and an air purifier,

Depending on the features you want, their fitness band isn't that bad. Its major feature is the price (for me, $20). There was that scary phrase in the license agreement (that I was not permitted to use this device in any way that would hurt the cause of national reunification), but I decided just to use an alternative open source app, Gadgetbridge, so I could plot against Xi Jinping all I want. I mostly got it for the silent vibrating alarm function, but it does seem to work as a fitness tracker rather well if that's your thing.

Signal bugs, car hack antics, the Adobe flaw you may have missed, and much more

doublelayer Silver badge

Re: Interesting photos

OK, that seems logi...I mean what?

"It saves time, money (taxpayer dollars), and labor (also paid in taxpayer dollars, both in field trips and in medical bills if an accident occurs)."

That makes no sense. If a medical accident occurs, the camera won't help. Even if you're lucky enough to experience the medical problem that leaves you stranded and unable to use any communications capability you have directly in the view of the camera, what will that do? Let's also assume that they have people watching all these cameras (national parks are big. It would be a lot of people, paid with taxpayer dollars, for a lot of cameras). Field trips are still required in order to come get you and the medical bills won't be affected. Then, there is the high likelihood that you get hurt out of view of the camera, in which case it won't help them find you at all. They don't have complete coverage. Meanwhile, any management they have to do to keep the park going requires them to go to various places. I'm assuming that their cameras never get broken, run out of power if they are wireless, have cables cut if they are wired, sag due to gravity, get dirty such that their imaging is impaired, nor require maintenance of any kind, so that the cameras don't add to the workload. You'd still need people to go to all these places.

I could see some logic if they were trying to do research on the animal population, although I don't think the cameras they have would be as useful as regular naturalist procedures, but that's not even the argument they came out with. When a camera that can save people when injured comes out, I'll drop my objections and most likely purchase some to put around all sorts of high risk areas. Until then, I dismiss that as pure illogic.

Microsoft's Azure green-lit for use by US spies

doublelayer Silver badge

Re: Spitting, just because you can?

No, you don't get to do that. I am not reporting. My job here is not to provide the details we both seem to agree we'd like to see. You complained that you thought the reference to google was an attack on google. I disagreed, and provided a summary of the article which I thought bolstered my point. The details in question, as stated by me, are in the article. More information is not available in the article. If you want it so badly, you'll have to find it yourself.

Finally, you chide me, saying "So, Google does (or doesn't?) know that it does not meet the requirements, but (Google) still "wants chance to get this contract"... wow! Excellent logic." If the article is correct, google would like this contract. Right now, they can't get it because they don't meet some requirements. If the reporter isn't lying, I'm sure you can figure out very many details and start to discuss them. Google could start to meet those requirements and hence become eligible. Perhaps their desire for the contract is enough for them to do that. None of these statements is illogical. I don't see where this deviates at all from the statements in the article.

doublelayer Silver badge

Re: Spitting, just because you can?

How is that not related? Basically, the story is:

1. Microsoft approved for use that gives them chance at big contract.

2. Amazon also has chance to get this contract.

3. Google wants chance to get this contract, but they don't have it yet.

The article is about the defense department's big contract, and the recent news is that Microsoft has gained an asset in their quest to get it. Information about other players doesn't seem out of line.

Also, I don't see this as an attack on google; they haven't met the U.S. government's requirements. That doesn't mean they are bad. The article doesn't claim that google are insecure. I could have used a few more details about why google doesn't meet the requirements, but it doesn't indicate to me that they have a problem that I would be concerned with.

Brit ISPs get their marker pens out: Speed advertising's about to change

doublelayer Silver badge

An option they could try

For misleading advertising, you can't discount the efforts of various gigabit fiber companies that go to a lot of effort to tell you what it would be like if you actually got gigabit service. Imagine how you could download a DVD-sized file in 4 seconds. Yes, they say gigabit but give you figures as if it was gigabyte; I think someone in marketing didn't think things through. Then they neglect to tell you that that's not how gigabit service works on the real internet with real computers and servers on it. Of course, for maximum profit from the advertising, you would have to be less stupid than the providers I've seen using this tactic, as they never have the advertised service available in my area (then why did you tell me about it?).

Microsoft returns to Valley of Death? Cheap Surface threatens the hardware show

doublelayer Silver badge

Re: "Yes, the school environment is abusive."

Google has a chromebook-in-education project. I know of at least two school systems using them. I don't think it's a great idea, as it would be even easier for google to achieve total lock-in than apple or Microsoft, but the schools don't ask me. At least on IOS and windows you can install applications from the app store and through side loading. On a chromebook, despite the repeated announcements, you have the web apps and that's pretty much it. Google's applications are going to work better because they've engineered them to work together. Result: a user uses google's OS, google's browser, google's search, google's office, google's mail, and nothing else.

doublelayer Silver badge

Re: A business for someone else

The problem I have with that theory is that I don't really want a windows 10 tablet that is as limited as other tablets. IOS and android were designed for the phone and tablet form factor, and they work for some people and don't for others, including me. I'm totally in favor of a small tablet-sized device that I can use for actual work, but it will require some things that an android or IOS tablet doesn't have:

1. A full OS. Windows 10 on ARM only works as a full OS if they have emulation for x86 that allows virtually all applications to run and where they run fast enough. I intend to do actual work on this, and if I'm expected only ever to use applications that were designed for windows 10, probably using UWP, that won't work. If I will be limited to an app store, I might as well go with android tablets. They're cheaper.

2. A full USB port. The surface has this, but a small tablet might not. A standard tablet can do many of the things I use USB for, but flash drives are quite useful, I type faster on a true keyboard with actual keys, and sometimes I need to use a USB scanner, printer, or other interface. If I have to have a laptop to do that when necessary, then I might as well not buy this.

3. It has to be relatively updatable. I'm not asking to be able to disassemble it and change the hardware. I doubt that any tablet will be built with that functionality. However, I want to be able to reinstall windows or try to run Linux if that will help in my work. If the device is locked down so I have no chance to do anything with it, a laptop will serve me better.

I'm willing for Microsoft to make this and surprise me. I'm not always on windows, but if it exists, I may look into it. Until then, however, I'm not really going to hold out much hope that Microsoft will build this.

doublelayer Silver badge

So, they think they'll make computers like phones

It seems people are willing to pay a lot for not very much power these days. Surface devices may have a design advantage, but they are impossible to upgrade with new hardware and I'm not exactly sold on the pricing model. For the cost of these machines, I'd expect more ports (there is plenty of room on the rim for some more) and either a significantly faster processor or a better battery. I'm also concerned due to my experience with trying to fix a surface for a friend, which had managed to kill its battery with a firmware problem, the patch for which would not install because it required at least 40% battery power. However, if you have a working surface and you're tired of windows, the one I was working on managed to run Linux quite well, with no driver issues. That was kind of nice.

Then again, laptop prices don't seem to have any connection to the technology that's actually in them. I've been looking for a cheap-ish laptop for my father that I won't have to replace any time soon. I see a lot of essentially the same computer, usually with a mid-range i5 and 8gb memory, ranging from $420 to $900. I'm sure there are many of these above the $900 mark, too, but I'm not going to pay that. I wonder how certain companies get away with charging $400 more for no spec change. In fact, many companies are doing that internally--I'm probably going to buy a relatively cheap dell inspiron something, but there are a lot of dell laptops that cost a lot more and I'm not sure why. The main difference I've noticed is that the cheaper ones have mechanical drives and the higher-priced ones include SSDs, which certainly provide a big speed boost, but the cheaper mechanical drives usually have 1tb of space, whereas the SSDs are either 128GB or 256GB at the highest. I figured that would balance out.

Super Cali goes ballistic: mugshot site atrocious

doublelayer Silver badge

Re: not obvious that the activity is extortion

Post: "It also is not obvious that the activity is extortion or involves money laundering or identity theft."

Extortion:

Definition: "Most states define extortion as the gaining of property or money by almost any kind of force, or threat of 1) violence, 2) property damage, 3) harm to reputation, or 4) unfavorable government action. ... If any method of interstate commerce is used in the extortion, it can be a federal crime." [source1]

In practice: We've put up information that you don't want out there. In many cases (see article) it's actually wrong information, but you can bet we're not putting that fact up. If you want this removed, or, we must reiterate, your true innocence vindicated, you'll just have to pay us, won't you? It'd be a shame if you got denied that job just because the police mistook you for someone else and released you after an hour.

Money Laundering:

Definition: "Money Laundering. The process of taking the proceeds of criminal activity and making them appear legal. Laundering allows criminals to transform illegally obtained gain into seemingly legitimate funds." [source2]

In practice: If the state is correct that this activity is extortion, then by definition the proceeds thereof were obtained illegally. Using those funds to purchase items is therefore money laundering. This relies on the state being correct about the activity being criminal. I cover this above.

Identity Theft:

Definition: "Congress passed the Identity Theft and Assumption Deterrence Act. This legislation created a new offense of identity theft, which prohibits "knowingly transfer[ring] or us[ing], without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, any unlawful activity that constitutes a violation of Federal law, or that constitutes a felony under any applicable State or local law." 18 U.S.C. § 1028(a)(7)."

In practice: Perhaps this will hinge on whether the pictures of people collected through police procedure are "means of identification of another person". However, current law does hold that, in general, pictures of people do count as identifying. Assuming this holds for mugshots, they were used by these people in order to commit a crime, extortion.

I have no doubt that this does count as extortion. Money laundering can be argued depending on what they did with the money, but they're almost certainly guilty if the facts are correctly stated. Identity theft is more a legal issue. They can figure out the mugshots detail if they want.

Source1: https://criminal.findlaw.com/criminal-charges/extortion.html

Source2: https://legal-dictionary.thefreedictionary.com/money+laundering

Source3: https://www.justice.gov/criminal-fraud/identity-theft/identity-theft-and-identity-fraud

Great Scott! Bitcoin to consume half a per cent of the world's electricity by end of year

doublelayer Silver badge

Re: Wonderful

What would be their reasoning? I don't see that they would really care about some people valuing big numbers, or small ones actually, at a lot of money as a big issue. Also, it would be rather difficult to prevent cryptominers from operating, as it could be hard to tell if someone was using power for that or something else. It's always easy to find a country that cares less about something if you want--it seems that the Chinese miners find it rather straightforward to steal electricity, so if some other country tried to ban mining, you could just set up there.

Lawyers for Marcus Hutchins: His 'I made malware' jail phone call isn't proper evidence

doublelayer Silver badge

Re: Miranda?

Sorry, but you have it wrong. Miranda rights include only those statements. Basically, it indicates that the interview you're about to have will be evidence if law enforcement find it useful, and lets you know that you can decide not to talk or to have a lawyer present if you want. It includes nothing about collecting evidence. Agreeing to your Miranda rights doesn't, in itself, grant law enforcement any right to tap your communications or go through your possessions or documents. They can ask you for permission for those things, or they can get a warrant to do those things without your permission. Given that limitation, I think those statements, which are about as literal as they get, are extremely clear. Whatever else the FBI may have done needs to be evaluated for legality independent of the Miranda statement.

Whois privacy shambles becomes last-minute mad data scramble

doublelayer Silver badge

Re: I'm still waiting for e-mails from Facebook(*) and Google

If you have a google account, the GDPR privacy update email should have arrived about two to six days ago. I'm not saying its contents are useful, but they have been sending them to all gmail addresses I have.

doublelayer Silver badge

Re: really, fear should be unnecessary

Sorry, I spoke unclearly. My comment on guidance referred to guidance from ICANN. Most of the registry-specific things seem not to be ready because ICANN put in roadblocks, perhaps due to contracts and their power over the registries. That gives me some level of sympathy for registries, if it is really the case that they now have to figure it all out. Therefore, if I am right in my guess, I see a reason for mild sympathy if the registries are trying but don't get everything finished in time. As before, I feel no sympathy for ICANN, no sympathy for any registry that doesn't bother to try to get this in line, and my sympathy will evaporate if it is the case that registries could have done this already and ICANN wasn't holding them up.

doublelayer Silver badge

really, fear should be unnecessary

Registries may face fines in legal reality, but I think the people likely to actually look at requesting action be taken will be somewhat reasonable. I, at least, won't be expecting complete adherence on the date from registries that got no guidance. As long as it seems that registry X is doing its best to implement the regulations, I don't think registry X should be called out. Instead, call out the ICANN for ignoring its responsibilities and any registrations that choose not to care.

DOJ convicts second bloke for helping malware go undetected

doublelayer Silver badge

Wait a minute

Don't a lot of services do this? I know many of them make you identify yourself, but it wouldn't be all that hard to start one of these. I'm surprised people who are willing to pay haven't just built one of those themselves, or that there isn't a convenient one that doesn't pretend to be a business and just stays hidden.

Also, exactly what do you have to do with a business like this to make yourself legal? Is it just the fact that they were being used for malicious purposes and they knew it, or is there something inherently illegal about the type of business?

Software development slow because 'Most of our ideas suck'

doublelayer Silver badge

Re: "Safe experimentation"

Interesting. I didn't get that idea, where it sounds like they want to just test in production. All I read from this article was "think of new ideas. Test them. If they work, keep doing them". One possibility is bad, because it leads to code being almost certainly broken and nobody caring about it. The other one is also bad, because it sounds like they think we've never thought of the concept of brainstorming and testing ideas. Which is worse?

Surface Hub 2: Microsoft's pricey whiteboard gets a sequel

doublelayer Silver badge

Re: I quite like ours...

I wonder how this works better than your standard big screen if you're using it to display remote conferences; I've known people to use big TVs and a camera for that, which is cheaper. If the processing directly on the screen does help, what does it provide that using a windows computer connected to a similar screen doesn't do? Finally, does anyone actually touch the screen, because I'm going to go on record and say that I don't want to deal with an 84-inch touch screen.

People like convenience more than privacy – so no, blockchain will not 'decentralise the web'

doublelayer Silver badge

Re: Historic revisionism

The problem I notice is that the early internet wasn't exactly private and secure by design. It was decentralized in that you didn't have a few main backbones, but there were central authorities for how you got connected to it if you wanted to host, how you obtained your domain name for identification, what information you had to provide, etc. That doesn't really strike me as a problem, but if you want a network that works like the internet but is actually decentralized, the tor deep web is a lot closer to it than was the internet of the 1990s. Of course, the actual network infrastructure is still rather centralized, but almost nothing else is.

Hey cool, you went serverless. Now you just have to worry about all those stale functions

doublelayer Silver badge

How about no?

"[...] posting production functions straight from a hackathon, because... why not?!"

I have a reason why not. Let me get your opinion. Perhaps a reason not to do this is that no good code gets written at hackathons. Sure, they're fun. You get to play around and come up with good ideas. You get to work with people you like, and depending on who runs it, you may impress somebody and get a job out of it. But eventually, after you've gone home, fallen asleep immediately, and gotten up at 3:30 AM because that's just how things work when you just stayed up far too late, then caught up on the things you need to do, you sit down to look at the code you wrote. And most of it now has to be fixed. Features need to be made into ones that work, rather than ones that work under certain conditions and crash under others. You need to actually make good systems you had placeholders for. If you take code that you wrote at a hackathon, which is by definition first-draft, under stress from the time limit, and proof of concept, and you immediately put it into production, then you are showing me that you don't understand how the process of writing secure software works.

"Last, and potentially worst, most functions contain open-source application dependencies. These libraries are statically embedded inside the function, and so they grow stale even as new versions of the library are released to the public. Over time, vulnerabilities are discovered in these older versions, including some that are very severe, and yet nothing in the serverless flow informs you they exist."

You know? That's terrible. I think that's such a big problem that we probably want to modify the serverless system to make that not a problem anymore. Let me run this past you--how about we keep some dependencies on site so that we can update them. We could just slot in the new libraries when we have to. And we'd have to be careful to ensure that all the dependency trees work well. Actually, if only we could have a repository of code that could be updated independently of the software. Those who can't keep up with new releases could include them statically, but if you could just load them when the program starts, that'd be great. Why don't we have a command on the system that just updates the database and then downloads the new approved versions of the libraries? I have a suggestion for what we should call it. I'm thinking "pacman -Syu". Pacman stands for the Performant Agile Computing Management of Advancing Nodes, and the -Syu command stands for "see you, uberrisks". Can this suggestion be covered in the next DevOps article, please?

Sarcasm note: Obviously, I'm arguing for using a standard operating system that manages libraries automatically and can be patched easily. In case some are not familiar with the command, "pacman -Syu" is the command used to automatically update all packages on arch linux.
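The stale-dependency problem quoted in the post above can be checked from outside the platform by inventorying what a function bundle actually ships. The following is an added example, not part of the original post or the article it quotes: it assumes a Python function bundle whose vendored packages keep their pip `*.dist-info/METADATA` files, and it uses a constructed advisory list with placeholder package names and advisory ids.

```python
import email
import tempfile
from pathlib import Path

# Constructed advisory feed: package -> [(advisory id, first fixed version)].
# Package names and ids are placeholders, not real advisories.
ADVISORIES = {
    "examplehttp": [("ADVISORY-PLACEHOLDER-1", "2.4.0")],
    "exampleyaml": [("ADVISORY-PLACEHOLDER-2", "5.1")],
}

def parse_version(text):
    """Turn '2.3.10' into (2, 3, 10). Assumes plain dotted numeric versions."""
    return tuple(int(part) for part in text.split("."))

def is_older(installed, fixed):
    """True if installed < fixed, padding so that 2.4 equals 2.4.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def bundled_packages(bundle_dir):
    """Map package name -> version for every vendored *.dist-info directory."""
    found = {}
    for meta in Path(bundle_dir).rglob("METADATA"):
        if not meta.parent.name.endswith(".dist-info"):
            continue
        # METADATA uses RFC 822 style headers, so the email parser reads it.
        headers = email.message_from_string(meta.read_text(encoding="utf-8"))
        if headers["Name"] and headers["Version"]:
            found[headers["Name"].lower()] = headers["Version"]
    return found

def stale_findings(bundle_dir, advisories=ADVISORIES):
    """Return (package, installed, advisory id, fixed version) per stale dependency."""
    findings = []
    for name, installed in sorted(bundled_packages(bundle_dir).items()):
        for advisory_id, fixed in advisories.get(name, []):
            try:
                stale = is_older(installed, fixed)
            except ValueError:
                stale = True  # unparseable version: surface it for manual review
            if stale:
                findings.append((name, installed, advisory_id, fixed))
    return findings

def make_sample_bundle(root):
    """Write a constructed function bundle with three vendored packages."""
    samples = [("examplehttp", "2.3.9"), ("exampleyaml", "5.1"), ("exampleutil", "0.1")]
    for name, version in samples:
        info = Path(root) / "vendor" / f"{name}-{version}.dist-info"
        info.mkdir(parents=True)
        (info / "METADATA").write_text(
            f"Metadata-Version: 2.1\nName: {name}\nVersion: {version}\n\n",
            encoding="utf-8")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in stale_findings(make_sample_bundle(tmp)):
            print(finding)
```

Run against each deployed bundle on a schedule, a check like this supplies the notification the quoted passage says the serverless flow lacks; in practice the advisory map would come from a real vulnerability feed rather than a hard-coded dictionary.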