Posts by doublelayer

Plenty of small places have only one admin. Some very small places have no admin. I, for example, am a volunteer admin for a charity near me. Other than me, they have nobody, outsourced or not. When I arrived, their server was running on the "it better not fall over because nobody knows what it does or how its configured or the login password" paradigm. So it isn't that unusual to have only one admin, or at least one admin who manages all the systems with lower-level admins who do specific systems or systems in specific places. And I could destroy all this place's data in about five minutes should it turn out that I'm evil.

Re: DNS problem only?

The DNS in question would be the internal one for the company, for example instructing the actual public systems that the hostname could be found on a given internal system, and thus allowing a tunnel into the network to be created when that wasn't really desired. The other option is that some DHCP or static routing misconfiguration reassigned the server to a public IP and nobody noticed because DNS still resolved the hostname properly.

I have to say, though this isn't exactly on topic, that this is pretty much the only thing I'll miss when IPV6 takes over. It's nice to have specific IP ranges that won't be available publicly. Yes, I know that I can run an IPV4 network and NAT out to an IPV6 one, and that I should be firewalling anyway, but private space is nice because I know that, should the firewall be misconfigured, unsolicited traffic still won't be able to reach the server because the address can't be routed to.

I don't know what calculations you tried, but I think you're missing a variable necessary for the calculation of the false negative rate, namely the number of people in the sample who were supposed to be detected. Given that the sample was "the public" and the number of faces in the database is known but the number of people in the database who were actually there is entirely unknown, I would say that, even with an estimation of total sample size that we can assume is completely accurate, we cannot determine or even estimate the false negative rate.

I have no objections to judging the system as crap right now for its abysmal success rate and the unjust plans for its use.

Re: I like the idea

Personal self-driving cars don't have to be part of a taxi net. It'd be an optional choice you could do to make money. For those who don't need the money and value immediate access to the vehicle, it wouldn't be a very good use case. It'd be sort of the same as allowing people to rent out your normal car if there was a convenient way to let them in, which doesn't sound like a popular program idea to me.

If this were attempted, there would likely be a requirement for dedicated vehicles for that service. In that case, I assume there would be charging stations located throughout the service area. When a car was low on power it would remove itself from the network, drive to charge, and only put itself back online when it had charged. Whenever there were gaps in traffic where more cars were available than in demand, the cars with the lowest charge would drive themselves to the charging stations as well.

Re: Lake City IT boss fired for ransomware payment

I concur in your argument, but most people whose job is hiring IT directors have different ideas. Keeping the systems up right now is their primary goal, plus getting new systems up as fast as possible. Thinking about the longterm is on the list but lower. At times, usually for financial reasons, backup plans are specifically left unfunded (no ability on the part of the IT director to reallocate funds to backup from something else). Of course, in that case, I'd at least have an improvised backup system, but I wouldn't support firing the IT director for a backup problem if this was proven to be the case. And then, there are those cases where someone does some misguided maths and decides that it might be cheaper to pay the criminals than to manually recover and a tech site says it's sometimes a good idea, which could also be a decision made by someone external to IT (though if that happened where I'm working, I'd protest the decision and make plans to leave. I admit, however, that these possibilities are unlikely to be the case in this situation.

I'm not a downvoter, but your question is unanswerable and missing the point. Nobody knows how many people were present, as they didn't test it on that. Also, most of us here, myself included, are not that happy having a 80% rate of someone innocent being taken in for questioning on the back of a system that violates citizens' rights.

Re: 32 Gigs

Most machines in that class have their storage on soldered-on EMMCs. It's flash and not bad from a speed perspective, but nearly impossible to replace. Usually, these are best with a card in the available slot for all user data storage, but things that have to be on the main disk can still rapidly use up the remaining space, especially Windows updates.

I'm not saying there is a good reason for complete immersion for a while, but two points are, in my opinion, valid:

First, people might really like the guarantee of water resistance if they think they might run into a water-related accident that could kill their phone. I've had that happen before--I was asked by a friend who was away to ensure a filter was running on a swimming pool they managed as they were trying to sell that house, and I slightly missed the edge as I stepped over. My phone did not survive the two seconds of immersion. If I thought that would happen again, I'd get a phone likely to survive. The same could be true of people who go out on boats for a while, people who frequently use their phone outdoors (E.G. navigation) when there are puddles about, or people who worry about being caught in the rain.

Second, Samsung said their phones were waterproof, and showed examples which were wrong. It doesn't matter if we don't really think the uses of the phones are worthwhile if they were intentionally misleading people about it. If I make a drill and say you can drill through stone with it, you better be able to drill through stone with it or I have been misleading. It's not enough to say "Anyone really wanting to drill into stone would get a more professional tool. They should only be using a drill like that on wood." I said it in an advertisement, and fortunately that's one point where it's not legal for me or anyone else to lie.

Re: Since Google invented it

You're missing the point. "Google invented search" means that Google invented an algorithm or rather a set of algorithms they used to create a search engine that was better than the others at the time and is still good today. Of course they didn't invent the concept of searching resources. Similarly, Gutenberg invented a useful form of printing press, but didn't invent the concept of printing or the printing press as a type of product. Arguing that he gets the credit for stuff that existed before him would be weird, but so would be attempting to deny him the credit for developing a technology that proved to be a very successful and influential implementation.

Re: @heyrick - Sounds like a bored dev is trying to make a name for himself

If you buy something with terms that say you now own that thing and the original owner agrees, then you own the thing. After that, it's your thing to use as you see fit unless you choose to sell or give it to someone else. For example, Apple wanted a new OS in the late 1990s, so they looked around to find someone who had an OS, which they found. They then bought that one and used it to make OS X. Before Apple bought it, it was the work and property of NeXT and it was nothing to do with Apple. After Apple bought it, it was the work of NeXT and the property of Apple, and after pretty much the same engineers who worked on it at NeXT did some work on it for Apple, it was the work of Apple. If I write some code and then you join my team and we both work on it, the final product is the result of both of our endeavors and we both get the credit. If you pay me to join my team, I still get credit if I did stuff. If you pay me for the rights to the software I had a lot of credit for with the clear idea that you get the IP and rights to sell, then you can decide how it will be sold, including what the price will be, how you'll advertise it, and what name you use.

Even if we could magically decentralize CloudFlare and make people write nice HTML or at least store their own scripts, the internet wouldn't be a lot less fragile. The reason for that is that there are very few places that process all our traffic. There's only one line leading to your house that actually works, but that's a short length that isn't the main issue. The issue is that there's only one line that connects your ISP's local unit to whatever center they have for sending it out of local, and only a few lines (or maybe just one) connecting large areas to other large areas. What happens when cables stop working? Large parts of the internet lose connectivity. Routing around that kind of damage requires a web of lines, but a lot of the world operates on chains of lines instead. It's hopeless; the internet can't really route around damage. We just put our systems in lots of parts so we can weather most small disconnects and otherwise we're hoping nothing really bad happens.

Re: But... why?

I think it was probably something like 2400:xxxx:.../12, I.E. a more specific address that then got truncated by the typo. For example in IPV4, if someone did 12.34.56.78/8, some programs would just assume that to mean 12.0.0.0/8.

Re: Desert Solar Power ?

Rooftop solar panels, while they can power a house, would not be at all powerful enough to take the load of a cloud provider's datacenter. They could put a bunch of solar panels on the ground elsewhere, but they probably won't. However, as such a sunny state, there are quite a few people with solar panels connected to the grid supplying solar power at certain points. Nevada is one of the best states in America for renewable energy.

For a source, see this chart with data from 2017 (it seems from a quick search that solar use has been climbing since then). While the sorting (I did the without hydro option) makes it look like Nevada is actually not as great, its proportion of solar/wind to total is about the same as most of the ones that look to be ranked higher. Depending on which column you use, it looks bad not because Nevada isn't working but because they don't have much hydroelectric power and they're not as big as some other sunny states like California.

I don't mean to assign any credit for this to Google, but if they're going to put a datacenter somewhere, this isn't the worst state from the perspective of environmental impact of attaching to the grid.

Re: Expensive concerts...

The latest IoT isn't usually on something modern either. Usually, your choices are some version of Linux grabbed by the devs at random before they started coding the app, a version of Android grabbed by the engineers from the "tried and tested" AKA "at least two versions behind" group before they started building the prototype, or a custom lightweight OS that they paid an arm and a leg for and never actually gets security updates, but as long as it's not running the grid people won't bother to try to hack.

Re: Things that breed ... things that heal

There are always those things that you expect to break but yet somehow hold on for a very long time. I was given a thermometer at one point, the kind that measures the temperature outside with a probe. It was clearly made as cheaply as possible, with lots of parts that really felt like they would fall off if you pushed hard enough. I put this on my window from which I was constantly knocking it, but it withstood very frequent falls to the floor without ever losing a piece. It also managed to last about twelve years on a set of batteries. It's still going strong, despite my firm belief when I got it in 2003 or so that it wouldn't last until 2004.

I don't think these are backdoors, the Chinese military is better than that, but let's look at a few possibilities in general.

If I want to embed a backdoor into something but not get caught, I have a few options. I could do the standard hard-coded credential backdoor. This has to go unnoticed by the public. If it is seen, it can be tracked to me depending on how much the company wants to protect me. A patch will be demanded to remove the credential, and after that's installed, I'm stuck. I might instead choose to use some libraries I know I can break into. I'd use the latest version with the vulnerability I want, and I'd probably leave a few different ones open. I'd make the access mechanism complex so people can't easily stumble on the way in, but this mechanism lets me have deniability because I can play the "incompetence and not malice" card. It also lets me patch one of my vulnerabilities and maybe get away with leaving another one open. It does take more programming skill to implement this well.

That's how backdoors work. The reason I don't think these are deliberate is because coding standards are so bad. If they were in the middle, I'd have some suspicion, but nobody needs openSSL from 1999 to get a backdoor and that's just calling attention to problems. However, there's one more thing to consider.

If you were the Chinese government, and you wanted a backdoor in Huawei equipment, and the company didn't already have one for you and wasn't planning one for you, what would you do? This would be my plan: I'd get a PLA programmer employed at Huawei. The person I chose would be very skilled and knowledgeable about the type of equipment. If possible, I'd train them on Huawei source code, to which I assume the Chinese government has easy access from a government contract or having broken Huawei's corporate security. This person would then insert some carefully crafted vulnerabilities into the code for the devices. Nobody will notice internally; they're letting obviously insecure libraries through. When libraries are updated, this code can remain for quite a while, being disguised by the unintentional vulns left in by poor coding. This would also be harder to detect because so much focus is being placed on understanding all the rest of the codebase that my relatively small addition can last a while without being questioned.

Re: AVG FREE ANTIVIRUS, I AM LOOKING AT YOU.

How about this one that happened to me just a few months ago. My father (he's not reading this, so I can safely call him nontechnical) wants to do something his laptop can't do right now. I find him a good piece of freeware (in this case true free software with code on github, score) that does that. Knowing how search engines work, I give him the address to type in over the phone, no fooling me. The site looks nice and clean, with only one link saying download, so all I have to do is get him to select the x64 instead of the x86 and we're done and I can show him how to use it. The problem is that I have an ad blocker and he doesn't. He clicked on a download link and installed the thing it auto-downloaded (fortunately not malware but definitely not the thing I had in mind). I got him to run a defender scan just in case and removed the unwanted application with extreme prejudice next time I was near. Ads allow people to infect good sites with their nastiness; this is why we need to block them.

Re: So EE can't now tell its customers to upgrade to a cheaper plan if they've opted out?

It's a marketing message. Even if it would be a thing I'm interested in, it's marketing. If I stopped you on the street today and said I was selling laptops for any piece of scrap paper (always assuming I was being honest), I'd be marketing to you even though you would probably see how many pieces of paper you could find in your bag. This is the deal with advertising. Sometimes, it actually tells people about things they decide they want. Sometimes, it is an annoying intrusion. Those two sets aren't necessarily mutually distinct. This is why we have things like opt out/in methods for customers to tell places whether they want to see the ads; I have opted in to some communications and opted out to others because I've decided what I want to see.

And there doesn't technically have to be. Firefox supports it, but you can use any DoH server you please by changing the config. I've suggested running a system-wide DoH client that performs requests for applications that communicate with it locally. However, I wouldn't expect Chrome to make this easy to change.

That's unlikely. If he was killed by someone else, they would have had to go to a lot of trouble to get the death ruled natural. His business partners and family members, those who are having property taken to make up the debt, would announce immediately if there were any suspicious parts of the death so they could delay or even prevent their property being seized under the theory that whoever was responsible for his death could also have stolen the money. Since they're not doing that, this leaves only two logical options: 1) he actually did die and you figure out the details that make that work or 2) he stole the money and faked the death, and the company either knows about it or have given up on being able to catch him.

While the first option is possible in that he could have lost the money through some other means and then died coincidentally, possibly aided by stress after losing all the money, the second option is a lot more logical, especially with the small number of large withdrawals as described.

Re: Yay!

I can't really agree with a zero and a 4 being the only models. The zero is great for its use cases as a controller for hardware, battery-powered machine, or headless WiFi device, but it's pretty much useless for everything else. It can't so easily be used for education because the price in getting its weird HDMI (that mini one that is between standard and the small one people decided to use) to connect to a school monitor and the USB OTG cable and hub to get input devices makes it more practical to just use the standard pi for that. The compute module helps people build stuff with the pi, which encourages open source development and helps support the foundation as well.

Re: Good reason

I can see only two times when a factory reset of a light bulb would be desirable. The first is when ownership over the bulb is about to be transferred. Given that we're talking about cheap light bulbs and not phones or computers, that seems relatively unlikely, although the app reset mechanism would work just fine in this scenario. The second and in my mind more likely situation is that the bulb is not working properly and does not respond to app commands to reset, resync, or reconfigure. In this case, the app can send out its code all it likes and the bulb might easily ignore the reset code because it's broken. The software needed to receive the code is more complex because it has to run the bluetooth receiver and properly decode the result. A simple program in the bootloader that responds to power on/off can run at a lower level, just as a physical reset button could. These options circumvent the problem of a software stack that might break too often. They also introduce the difficulty of flipping switches or removing bulbs from sockets. It's a game of tradeoffs.

Re: AI database

Alternate suggestion: don't store them at all. Not in Google's database, not in a normal personal database, not in your whatever-it-may-be database, nowhere.

Re: @Splurg The Barbarian - No, no, no, no, no!

But this requires a large amount of user buy-in. If a hundred users start spamming voice assistant things on average once a day, it will be nothing at all compared with the millions of users actually saying real things. Even if we scale it up to a thousand people and twenty times a day, it's still a drop in the bucket. That's one thing neural networks are useful for. We'd need a lot more junk data. If we try to automate it by recording specific things, they won't have to bother with the algorithm; they simply find the weirdest spikes in the data and delete that from the dataset, if they don't find the recording of "Alexa" or "OK Google" being used and program the units to stop recognizing it.