* Posts by doublelayer

10570 publicly visible posts • joined 22 Feb 2018

Apple won't be appy: US Supremes give green light to massive lawsuit over App Store prices

doublelayer Silver badge

Re: January 2018

How does that have any relevance to this question? It is possible for a completely honest company to have a bunch of money. It is possible for the worst monopolist on earth to be losing money anyway. Are you trying to say that Apple must be a monopolist because they have a lot of money? It seems a lot more logical to argue that Apple are a monopolist because they engage in monopolistic practices.

doublelayer Silver badge

Re: Possible contributing factor to the 6% drop?

I think there is a lot to argue about that, and I think the margin should be lower or zero, but it is worth keeping in mind that you can have a payment system in an app that bypasses Apple's in-app purchasing system (E.G. please sign into your account, from which you will pay your bill with your credit card information). It is more difficult than letting a user press a button and authenticate with Apple, but it can be done and is in many applications. This option is very much not available when purchasing apps, although you can go the route of having a free application that makes you sign into an account and pay from there, which developers don't choose to do very often.

doublelayer Silver badge

Re: Optional

But the case is not at all about operating systems. They're not saying that there should be some alternative to iOS that runs on iPhones. At most, they're saying that iOS should allow sideloading, and they may simply be saying that there should be more control of app pricing and a lower commission. If a case did happen with the decision saying that Apple needs to provide an alternative OS loading facility, it would be problematic for every manufacturer of Android devices that has ever produced a bootloader that isn't unlocked. Even those that were hacked to provide the functionality didn't actually intend to provide consumer choice. So that probably wouldn't succeed, but is definitely not what's at issue in this case.

It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware

doublelayer Silver badge

Re: What about Signal

Signal is not vulnerable to this, but could conceivably have a similar bug. It is open source, so that bug is more likely to be detected if introduced. WhatsApp was not forked from Signal (in fact it existed years earlier), nor was Signal in any way forked. They're just two apps that look kind of similar. All the infrastructure, people involved, and app code is entirely different.

doublelayer Silver badge

Re: Removing the infection

You are correct in both cases. I'm not sure if Android allows it, but you can't modify binaries in place on iOS, so killing the app will close any connections. Updating will help too. Not using WhatsApp is similarly effective.

doublelayer Silver badge

Re: How do I know?

You can't really detect that. However, if you kill the app, which will happen automatically if you install the update, it will kill any compromised sessions and prevent new ones from starting. You would not know whether you have been attacked or, if you were, what if any data was extracted. There is no log of this from the application itself, as any logs could be written by the malware.

doublelayer Silver badge

Re: OS level security?

It doesn't seem that it is escaping the sandbox at all. Unfortunately, from within WhatsApp's sandbox, the malware can access contacts, call history, microphone, and camera* because of videocalls. That's enough to compromise the user of the device quite a bit, even if it doesn't let you read email, browser history, or other types of data on the phone.

*If the videocall or voice call function has never been used on an iOS device, this exploit shouldn't allow those to be taken because the permission has not been granted. This distinction does not apply to Android, and if a voice or video call was ever used, it wouldn't apply to iOS either.

doublelayer Silver badge

Re: The question is

I don't think they were saying that this hack was created by NSO/anyone external, but that the expertise needed to find and exploit it in the wild, as has been happening, is likely that of NSO/someone external. I thought the exact same thing when I read that line, but the paragraph after that makes it look like the above suggestion. Given that this program is not open source and has an encryption layer on all its network traffic, I would say that it is at least somewhat hard to find and probably signifies some level of sophistication on the part of the attacker abusing it.

What's that? Uber isn't actually worth $82bn? Reverse-gear IPO shows the gig (economy) is up

doublelayer Silver badge

Re: PT Barnum

I'm not sure about that. From a user perspective, there are probably many advantages to the app method of getting a car. You don't have to try to catch one in transit. You don't have to call in and prearrange something. If taxi places started using apps, you'd still have to a) know which taxi locations are available and b) have installed their app when you are going to the place. And this does at least produce a larger supply of available transports. So there do seem to be real benefits to the users of these applications.

Of course, there are many major downsides as well, both to the increased number of people driving about and the companies administrating the application. I'm not saying they're perfect, or even good. I can't say I use their services very frequently, either. But I don't think it's child's play for a taxi company to duplicate their benefits.

Who pwns the watchmen? Maybe Russians selling the source code for three US antivirus vendors

doublelayer Silver badge

Re: Isn't this good news?

This is when security through obscurity actually has a chance, because security for an antivirus is very different than security for an operating system. The difference is this:

OS security: Malware can't get in, malware can't escalate, etc.

AV security: malware can't evade

In other words, malware wants to break into and exploit things in the operating system, but just wants to hide from antivirus. So the operating system components need to be audited by a lot of people to understand how they work and try to identify any holes before the malware people find them, but the antivirus system needs to prevent the malware writers from doing the same kind of thing to its code.

Amazon agrees to stop selling toxic jewelry, school supplies to kids, coughs up some couch change ($700,000)

doublelayer Silver badge

Re: If I were a betting man...

I remember a time where Amazon was nicer. Not perfect, of course, but you could usually find what you were looking for, which would be sold there. You could get a relatively exhaustive list of all the options for that thing and compare them. Then you could read the reviews and clearly figure out which were fakes, then purchase the thing, which would be sent to you easily enough. It was a very useful experience then. I think this was around the time I used to think of Google as an ally because they opposed crazy break-the-internet suggestions and released a bunch of code as open source. All of this has dramatically worsened. Google's worsening is clearly intentional, but I don't even know why Amazon let that happen to them. They have a lot of resources from selling all of this; one would think they would eventually realize that there are a few things, like having the search results at least match a little bit the search query, that couldn't help but enhance their business.

Panic as panic alarms meant to keep granny and little Timmy safe prove a privacy fiasco

doublelayer Silver badge

Re: A list of approved contacts?

Or we could go old school and have one of those paper clip reset buttons. It's not like reset is a function that really needs to be activated all that often.

Techie with outdated documentation gets his step count in searching for non-existent cabinet

doublelayer Silver badge

Re: Sick companies self identify

Those are bad, but another style gives them a run for their most disorganized title, which is companies in which one person or group is responsible for each specific technical area, and no person or group is responsible for more than two of them. If a real technical problem exists, so much time is wasted by the group who got asked about it with the group that should be doing it and the group who knows necessary information to do it that nothing happens. Meanwhile, when one group tries to do something that may be somewhat connected to the things they should do, they run into situations known by a different team but not properly documented, or otherwise properly documented on one of these sheets of paper in the big filing cabinet, and break something. At least somewhat ironically, this structure is usually created under the idea that the systems people should be more organized into specific groups.

Google puts Chrome on a cookie diet (which just so happens to starve its rivals, cough, cough...)

doublelayer Silver badge

Re: Chromium next

They don't have to do that. They control the core, so they can keep adding things to it that are difficult to rip out of the code, and enforce their control that way. That means that some other browsers will, by using Chromium, be forced to choose to stay with an old and insecure version, fork and reimplement all of that, or run Google code without protection.

doublelayer Silver badge

Re: doubleclick lives in my

That is true, but I have never seen a system elect to use 127.0.1.2 for an additional service, whatever that might be in this case, and almost every system only bothers to resolve 127.0.0.1 to the local machine unless specifically instructed otherwise. If the addresses were used for multiple internal interfaces, one would need 257 to reach 127.0.1.2. So I'm still not sure why that was suggested and I think I'll stick to 0.0.0.0 until I hear more.

doublelayer Silver badge

Re: doubleclick lives in my

Because 0.0.0.0 means unroutable, and the system won't try to do anything with it unless it has a bug. If I use 127.0.0.1, it will start trying to make connections to services on my machine. If I have a webserver running, that will add junk to my logs and return random 404s from that. Even if I don't have that, there will be some overhead as the browser/application initiates TCP connections that aren't going to work. Why bother? As for 127.0.1.2, I'm not sure why that was suggested. Yes, it's not localhost so it avoids the TCP overhead and local service problems, but it doesn't have any intrinsic benefits (as far as I know) over any other 127.* address, and is less likely to be checked than a proper unroutable 0.0.0.0.

Put a stop to these damn robocalls! Dozens of US state attorneys general fire rocket up FCC's ass

doublelayer Silver badge

Re: My 3 steps to avoiding robocalls.

No, what they should do is continue to allow a phone number to be sent as an identifier and a callback, but have that be a secondary one. Kind of like how an email can be sent from one account but have a reply to address for a different mailbox. Blocking would be done on the real number, which would always be sent. Caller ID would start with the real number, and if it wasn't found, continue on the stated number. That way:

If a company owns a block of numbers and sends the main one no matter who calls, the company name appears on caller ID, and the company can be blocked.

If I'm using a spoofing service to make a VOIP call from my number, it will show up as me, but clearly indicate that it's not my normal phone.

If someone else is making a call and spoofing my number, it will show up as me, but the number could still be blocked without blocking my real number, and it could also be tracked.

It is dangerous to allow impersonation of numbers without any detection.

doublelayer Silver badge

Re: Of course the FCC is doing nothing

I wonder if there are some numbers that robocallers avoid for some reason. Despite the fact that they've increased nearly everywhere and that a lot of my acquaintances complain that they receive them daily, I really don't. I've only received three types of unwanted calls on my phone, and two have ceased entirely. The first was people looking for the former owner of my phone number, but they all took "That guy doesn't have this number anymore" and left. The second was one specific robocaller with the same message and running a very primitive Eliza bot. One time when this called me, I had a discussion with a friend on how terrible the bot programming was, and forgot to hang up on it. I don't know if anyone listened to that, but they formerly called me about twice a week and they stopped after that occasion. So I probably get one robocall a month, usually the type telling me that I've won a prize. Somehow, the robocallers either decided not to call or don't know my number. I wonder if people making decisions are in that situation too. Having previously had a landline that received many more callers, that situation can be quite persuasive in the do-anything-to-shut-them-up category.

Google jumps the shark from search results to your camera: Nest Hub, Pixels, and more from ad giant's coder confab

doublelayer Silver badge

Re: I bought my Nest thermostat before Google bought them

I have used Windows devices for years and never had malware on them. Because I installed a very small subset of applications and I trusted them all. I have the same track record with Android, Mac OS, iOS, and Linux. That doesn't make all of these the same level of security. The question is not "Have I had malware that I know of?" but "Is it easy for malware to get onto the devices, whether owned by me or someone else?". On that, Windows and Android have a worse track record. Maybe because of market share. Maybe because of bad design choices. Maybe because of specific malware authors. But the data is there.

Airbnb host thrown in the clink after guest finds hidden camera inside Wi-Fi router

doublelayer Silver badge

Re: Isn't this "news" really an advert for the "security researcher" ?

Really? There are many security researchers, and they have to stay somewhere, especially if they're attending security conferences or going on holidays. If they do that enough, eventually one of them finds a camera. They're also more likely to look for one and have the skills to identify places where one could be. Why is it so unlikely in your mind?

doublelayer Silver badge

Re: Detecting hidden cameras?

One thing to do, and what I think was done in the Ireland case, is to run an Nmap scan on the WiFi network and look at the list of devices. Those that are not obviously there could be dodgy. This is well and good, but it doesn't work against many things and is therefore limited. If the device is recording locally, it cannot be found by any network investigation. If the host is intelligent enough, a network-connected camera would be firewalled from any ability to scan for it, too. But at least the tool is there to catch a subset of available ways to install a camera. My guess is that the first time one finds a camera, one stops using that service for housing.

A real head-scratcher: Tech support called in because emails 'aren't showing timestamps'

doublelayer Silver badge

Re: Top-posting makes sense unless you're reading your emails weirdly

I think you've described it well. Top posting is great when you've read the older emails, because you see the only thing you need to read, and have the old material below if you need to refer to something. Bottom posting is great when you need to read all of the material, because the order makes sense.

I would still prefer that, instead of forwarding me a chain or at least in addition, the sender succinctly describes why I'm getting it and the information that is the most relevant. Often, when I'm forwarded a message chain of more than three messages, at least two of them will be developing a misunderstanding and then clarifying the real situation, which doesn't help me at all.

doublelayer Silver badge

Re: top-posting

I very much agree with you, but there can be problems with some types of contextual quoters as well. My favorite (in the sense of least favorite) are those who drop their comments into the original email train but don't bother to delete the unnecessary portions. In many cases, it would be more helpful for them to quote the relevant portion of the message in their reply, rather than making me search through someone else's email to find the things they wrote. The competition for the most annoying way to do this is currently tied between messages where I've already seen the older ones so I cannot possibly get any benefit from the old text in which their reply is placed, and ones that were not formerly connected to me and contain information I don't need to read, like this example:

---Original message---

From: Not the person whose name is on the message I'm reading

To: The person who forwarded this

CC: A bunch of people I don't care about

Subject: Normal subject

Dear [not me],

[Bunches of meaningless pleasantries that do not matter to me because they're not relevant to the situation.]

[Information about a situation that is not the one I'm supposed to deal with.]

> And, on another topic, the related [my project] project, [summary of my project which I already know], may be able to provide some useful functionality to our project if we can integrate things. Could you link them to us and see if they're interested in teaming up?

[Here's where the sender has placed information I need, like the summary of their project and ways for me to learn about it so I can actually decide this question]

[More information about something not related to me]

[...]

I would much prefer that they just tell me this in one unified message. They could get it across by saying "I'm on a project and we think your project has some useful components that could help us out. [Summary and link to their project]". If they really want, they can forward the original message along with this, but I will read those only if they've asked me to or it is clear that there is information in them I need, not in the hopes of finding more things they wanted to say to me.

A day in the life of London seen through spam and weak Wi-Fi

doublelayer Silver badge

How much of that do they have to do before you don't blame them? For example:

1. Them: I'd like to use WiFi. You: No. Their problem.

2. Them: You can run the software on your local machines, which would be a good test case. You: I'm not running unproven software on my machines. That's as bad as connecting your machine to our network. Still their problem?

3. Them: No problem, I have a cellular data connection. You: The building is a massive cell dead site. Have they got reasonable options left?

Yes, they should confirm this with you before they come, but they know you have a network, and they're there to demo something that needs it. They have some reason to expect that you will be able to see their demo. If they came without a machine and asked to borrow one of yours, that'd be very unreasonable. If they wanted you to give them access to an important network, that would also be unreasonable. If they just want an internet connection because the thing they're demoing needs one, it's kind of expected that you have the capacity to connect them and makes it pretty pointless to come do the demo if you won't agree to let them use a connection.

doublelayer Silver badge

Re: You've never tried a good Chinese hotpot then...

Well, I feel the need to tell you that the spleen can be removed safely if damaged without serious consequences, unlike many other organs. It's not like the appendix where it's removed whenever they've already opened the abdomen, but its purpose is not critical to life and can be served by other parts of the body if need be. So I'd suggest continuing to work at top capacity and never burst.

doublelayer Silver badge

I'm mostly on your side in that they should be better prepared, but offering a guest connection is common sense. Your external people might want to show you something that is online, or the online test of a system that runs over the network but not on their laptop. Would you similarly complain if they asked to plug their laptop in because the battery is dying? Yes, they should have charged it fully before they came but sometimes they forget, they're there long enough for the battery to run down, or their battery is old. It doesn't seem all that unreasonable for them to expect that you have the same general facilities as every other business and ask to use them when it would be useful.

doublelayer Silver badge

Re: Mobile data

That depends heavily on how good your mobile provider is and what details they have set for your bill. Unfortunately, while I can usually get access to signal in most places, my provider charges rather a lot for plans giving access to a lot of data, and another larger a lot for any data I consume over my low cap. I think this applies to providers in many places, unfortunately. The other issue is that, depending on where you are, you may enter an area where coverage is not good enough for standard internet tasks. It may be fine for SMS and voice calls, and it might even let you see your email, but have fun trying to look something up online.

Personality quiz for all you IT bods: Are you a chameleon or an outlaw? A diplomat or a high flier? Vote right here

doublelayer Silver badge

Re: Generations

I also think it depends a lot on the definition of "a new challenge". This sort of applies to me. Once I've reached a certain level of income, having even more, while useful, is not that important to me. If I am offered more for a job I will find deadly boring, I'll likely turn it down. However, that's not because I really want a bunch of new challenges thrown at me. I want to keep doing interesting things, with new challenges as applicable. I don't want this description to mark me as the person to whom all challenges should be brought just because I'll pay for lack of boredom. Maybe if they wrote these descriptions with actual words that have meanings, it might be more helpful*.

*Actually, it would still be junk. Carry on, then.

It's May 2. Know what that means? Yep, it's the PR orgy that is World Password Day... again

doublelayer Silver badge

Re: Use biometric authentication on mobile phone apps ?

There's a lot of discussion of when biometrics can be used, with the "use biometrics everywhere" crowd and the "biometrics is only ever a username" crowd. The truth lies somewhere in the middle. You have to decide where the threat landscape is. If you're afraid that someone will be physically present, such as when police/a criminal have you and your mobile phone, biometrics are risky. If you will be targeted by an advanced group, then biometrics are too easy to forge and should not be used except as an additional security measure. When it's authentication over a network that you're worried about, biometrics offers the ability to ensure that people are present at a scanner you know before they can get in. If you are not worried that someone will break in but you don't want to have the thing open to access from anyone (E.G., a phone that doesn't contain anything sensitive), then biometrics can be a time-saving measure. It all depends on who might break in and how they'd do it.

doublelayer Silver badge

Re: WTF does it matter?

"6. Don't user GMail or Hotmaill addresses. They look unprofessional, and Google and Microsoft are allegedly notorious for blocking the wrong domains and snooping on your content. You have an ISP. They often supply more than one email address, so use everything they can let you have for free."

No. A hundred times no. GMail and hotmail aren't great, but they have relatively good intrinsic security, stay up most of the time, and you can avoid at least some of their tracking. An ISP email is run on a system with completely untested security except sometimes when the security has been tested and it failed the test. Also, if you move or decide you don't like that ISP, your mailbox can be deleted or placed in a limbo state. Using an ISP-provided email is a security and usability disaster. Don't do that. If you really want security, set up your own email system, usually by getting a domain. If you don't want to run your own mailserver (and you would have many good reasons not to want to), you can use one of a number of domain registrars who will supply email accounts, usually at least one is included with your domain purchase. You can keep that account no matter where you are as long as your domain is still owned by you. If you must have a free account, use a service kept up by a company that does not have the ability to kill that account for other activity you do. Protonmail is a good one for this, but GMail is not that bad when compared to other options.

doublelayer Silver badge

Re: Honeytrap?

If you want to try this, make sure it can't send any email but instead just logs the message and copies it to the sent mailbox. As for things to populate, you could always create some dummy addresses that send messages from public sources. I don't know if people would run attachments, but you could always try.

doublelayer Silver badge

A few problems

I'm as irritated by bad passwords as the next security person, but let's revisit a few parts of this article:

"An employee is likely using the same password for your internal systems as they are for Instagram."

How am I supposed to know that? Yes, they'd be prevented from using "password", but when they've decided in their life that "F9zna/zv00w" passes all the tests for passwords and they'll just use that for everything, the only way I'd know is if I tried to log in with that and any usernames or addresses I can guess. That's not all that nice. Of course, they can be told not to reuse passwords, but that won't necessarily stop them.

"According to OneLogin, 63 per cent of network administrators don’t require special characters or minimum length passwords. Numbers? 71 per cent don't require it. Upper and lowercase? 72 per cent."

That's a good po... Interesting fig... Well, you just quo...

Sorry, I can't pretend. I have no idea what these numbers mean. You tell me that 63% of admins don't require certain rules, which already sounds kind of weird, but then your next sentence says that 71% don't require it. Is "it" the same thing as covered in the last sentence? Why are the percentages eight percentage points different? Is this from a different source? Who? And the 72% don't require multiple cases? Meaning that either 29% or 37% require special characters but only 28% require multiple cases? And earlier, you told me that 75% of admins "don’t check employee passwords against password complexity algorithms." This implies that they don't check at all, but, in that case, a maximum of 25%, not 28%, 29%, or 37%, could require special characters or multiple cases. So I must be making some really stupid mistake, right? Please tell me what it is.

"And an amazing 63 per cent have not put password rotation policies in place. What are you doing people?"

Holding back my astonishment that, by these and previous numbers, at least 12% of admins rotate passwords but don't check them against any complexity algorithms at all, we don't rotate passwords all that frequently because it means users will respond by decreasing the security of their passwords so frequent rememorization is easier. Yes, we have complexity rules here. But once you've met those limits, you can have a more secure or less secure password. If we make them choose a new one every month, the number of users using a very strong password approaches zero. This isn't new. This has been the recommendation of many security advisors for the past few years. It has been reported here. That's what we're doing.

For the record, my complexity recommendation is designed to maximize entropy. If you go for a short password (minimum length 10 characters or 12 if I'm nervous, the system's important, or the users are willing to be reasonable), you have to use all four types of characters. If you make the password longer, the requirement for different characters is removed as the length increases. And passwords are checked against password lists.
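A sketch of the length-scaled policy described in the post above, added here as an illustration and not part of the original post. The post gives only the floor (10 characters, all four character types) and says the type requirement relaxes with length; the length tiers, the sample blocklist and the look-alike normalisation are assumptions.

```python
# Assumed tiers: (minimum length, character classes required at that length).
# Only the first tier (10 characters, 4 classes) comes from the post.
MIN_LENGTH = 10
CLASS_RULES = [(10, 4), (14, 3), (18, 2), (24, 1)]

# Constructed sample blocklist; a real deployment would load a breached-password list.
BLOCKLIST = {"password", "passwordpassword", "qwertyuiop", "letmein12345"}

# Undo common look-alike substitutions before the blocklist lookup (assumed mapping).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "@": "a", "$": "s"})


def char_classes(pw):
    """Count how many of the four classes (lower, upper, digit, other) appear."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def required_classes(length):
    """Return the class count required for this length, or None if too short."""
    required = None
    for min_len, classes in CLASS_RULES:
        if length >= min_len:
            required = classes
    return required


def normalise(pw):
    """Case-fold and reverse look-alike substitutions for blocklist matching."""
    return pw.casefold().translate(LOOKALIKES)


def check_password(pw, blocklist=BLOCKLIST):
    """Return a list of problem codes; an empty list means the password passes."""
    if len(pw) < MIN_LENGTH:
        return ["too_short"]
    problems = []
    if char_classes(pw) < required_classes(len(pw)):
        problems.append("needs_more_classes")
    if normalise(pw) in blocklist:
        problems.append("blocklisted")
    return problems


if __name__ == "__main__":
    for sample in ["Short1!", "F9zna/zv00w", "fnoazlhxyz12",
                   "correct horse battery staple", "P@ssw0rdP@ssw0rd"]:
        print(repr(sample), check_password(sample) or "ok")
```
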

doublelayer Silver badge

That's the right way to do it, and I'm sure el reg has done that. However, if they wanted to know how many users used password, they could find out. They have the hashes and the salts. They could go through the list, put the salt on "password", and see if it matches the hash. This wouldn't tell them what your or my password is, but if anyone used "password", they could see. So the question is answerable though nobody would bother to answer it.
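The check described in the post above, written out as a defender's audit of a stored credential table. This is an added example, not part of the original post and not any site's real code; the PBKDF2 scheme, the iteration count, the record layout and the sample users are all assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for the hypothetical storage scheme


def hash_password(password, salt):
    """Derive the stored hash from a password and that user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_record(user, password):
    """Build one stored record: a random per-user salt plus the salted hash."""
    salt = os.urandom(16)
    return {"user": user, "salt": salt, "hash": hash_password(password, salt)}


def users_with_password(candidate, records):
    """Return the users whose stored hash matches `candidate` under their own salt.

    The candidate has to be re-hashed once per user because every salt differs,
    so this answers "who uses this one known-bad password", nothing more.
    """
    matches = []
    for rec in records:
        derived = hash_password(candidate, rec["salt"])
        if hmac.compare_digest(derived, rec["hash"]):
            matches.append(rec["user"])
    return matches


def build_sample_table():
    """Constructed sample data: four hypothetical users, two sharing a weak password."""
    return [
        make_record("alice", "password"),
        make_record("bob", "F9zna/zv00w"),
        make_record("carol", "password"),
        make_record("dave", "Authenticate0^"),
    ]


if __name__ == "__main__":
    table = build_sample_table()
    flagged = users_with_password("password", table)
    print(f"{len(flagged)} account(s) to force-reset: {flagged}")
    # Identical passwords do not produce identical hashes, because the salts differ.
    print("alice and carol share a hash:", table[0]["hash"] == table[2]["hash"])
```

The audit reveals nothing about accounts that do not match, which is the post's point: the stored data answers a yes/no question about one candidate at a time.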

doublelayer Silver badge

Re: Can a grownup, please...?

Good points in theory, but you have to consider the whole set of possible passwords as well as a single user's set. If the length limit is set at 8, then the rainbow table generator can throw together a list of hashes of 8 and 9-character passwords. If the password length is longer but constructed of larger components, a person needs a good list of all of those components. If they're all single words found in a dictionary, that might be doable, but if a user makes any type of adjustment, as simple as switching an o with a 0 or putting an & before the last word, the generation of hashes from all the words in a dictionary won't uncover it. Similarly, if a word is included that isn't in a convenient list, E.G. one the user uses as an inside reference, a term from fiction, a word from another language, etc., it becomes nearly impossible.

I agree with you that the XKCD article isn't entirely correct, but I mainly think that the entropy of a shorter password is underestimated, making the four random words from a set of 2048 options thing look better than it really is. Still, I think that urging length is very helpful, because a password with lots of words and things that the user recognizes but others probably wouldn't makes a password much more secure.

Apple hits back at devs of axed kiddie screen-time apps

doublelayer Silver badge

Re: Do Apple

I'm not a downvoter, but I'll do a bit of education. MDM is an Apple feature. They built it. They almost by definition can't abuse it, because they set the rules for how it's used. Also, they don't use it. They built it for corporates, who do use it for internal devices. Apple doesn't make any apps that use MDM, and their OS doesn't need to because it already has such access. It's like saying "Does Google internally use their search engine to abuse users?", I.E. it's a crazy question that doesn't make any sense.

The other reason that you might be collecting downvotes is the typical charge that Apple is busy collecting user data. They don't collect that much data. They make a point of showing this to everyone, possibly because they like bragging. You can fault them for the bragging, but it is a bit annoying hearing people decry Apple for data harvesting when A) they don't do it all that much as large tech companies are concerned, B) you can turn a lot of their data collection stuff off and it stays off and you can prove it, and C) many of the alternatives are a lot worse on all these points. I don't know if that's what you're saying, or what people are thinking you are saying, but your post sounds a little like it might be.

Some guesses there, but this might be what's going on.

Microsoft: Yo dawg, we heard you liked Windows password expiry policies. So we expired your expiry policy

doublelayer Silver badge

Re: 20 years...

Thanks for the broad insult to everyone here. Let me enlighten you on a bit of user behavior.

Here's how passwords usually go when the security policy you mention is instated. Minimum 10 characters, at least one number, both cases, and a symbol. Password changes every month and the algorithm checks against old passwords so you can't duplicate and thoroughly checks against the last one so you can't just change it slightly.

New employee: Uses password anC9@mlzcQ)AX;1mbz

One month in: Changes password to fjZv83na.1/f8a

Two months in: Changes to E8zvhan3oz&

Three months in: Changes to Fnoazlh92*

Four months in: Changes to Thisisthe12thsystemI'vehadtochangethison!

Five months in: Changes to: Gottiredtyping2$

Six months in: Changes to Authenticate0^

Changing passwords can be useful, but forcing people to change them so frequently means that many will degrade the entropy of their password because why bother memorizing a long string of random characters when the information will be useless in a month? It will become obsolete faster for an attacker, but the attacker can gain access to systems and install back doors that do not need a password, so expiring credentials doesn't always help. Meanwhile, users use less random passwords that can be broken more easily, meaning you have a higher likelihood of getting an attacker. Also, the users are less happy.
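An added example, not part of the original post: the quoted complexity rule is run over the password history from the post, and each entry gets a rough guessing cost. The sample wordlist, the assumed dictionary size of 100,000 and the "capitalised word + digit + symbol" attacker model are assumptions made for illustration.

```python
import math
import re
import string

# Password history quoted in the post above.
HISTORY = [
    "anC9@mlzcQ)AX;1mbz", "fjZv83na.1/f8a", "E8zvhan3oz&", "Fnoazlh92*",
    "Thisisthe12thsystemI'vehadtochangethison!", "Gottiredtyping2$",
    "Authenticate0^",
]
# Constructed stand-in for an attacker dictionary; its real size is assumed.
SAMPLE_WORDS = {"authenticate", "password", "welcome"}
ASSUMED_WORDLIST_SIZE = 100_000
WORD_DIGIT_SYMBOL = re.compile(r"^([A-Z][a-z]+)\d[^\w\s]$")

def meets_policy(pw):
    """Policy from the post: 10+ chars, a digit, both cases, a symbol."""
    return (len(pw) >= 10
            and any(c.isdigit() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c in string.punctuation for c in pw))

def estimate_bits(pw):
    """Rough guessing cost in bits under the cheapest model that fits."""
    # Upper bound: each character uniform over 94 printable ASCII symbols.
    bits = len(pw) * math.log2(94)
    m = WORD_DIGIT_SYMBOL.match(pw)
    if m and m.group(1).lower() in SAMPLE_WORDS:
        # Capitalised dictionary word + one digit + one symbol.
        pattern = ASSUMED_WORDLIST_SIZE * 10 * len(string.punctuation)
        bits = min(bits, math.log2(pattern))
    return bits

def audit(history):
    """Return (password, passes_policy, estimated_bits) per entry."""
    return [(pw, meets_policy(pw), round(estimate_bits(pw), 1)) for pw in history]

if __name__ == "__main__":
    for pw, ok, bits in audit(HISTORY):
        print(f"{'PASS' if ok else 'FAIL'}  {bits:6.1f} bits  {pw}")
```

Every entry passes the complexity rule, yet the last one costs about 25 bits under the pattern model against roughly 118 for the first. Entries such as "Gottiredtyping2$" fall back to the brute-force upper bound only because the sample list holds no phrases.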

doublelayer Silver badge

Re: NIST

You can usually find a big book that nobody cares about in any workplace. A place I worked at a few years ago had a multi-volume set of instructions on administering Windows Server 2000, and as this was a software engineering area with few admins, nobody really knew why they were there. I have a feeling a convenient book code can be found when needed.

doublelayer Silver badge

Re: Yeah, right.

Microsoft's mobile offering is assuredly dead, but BlackBerry is too. Just because someone's making Android phones and calling them BlackBerry doesn't mean the system survives. The QNX-based OS is dead, the BlackBerry company isn't making those devices fully, and they're just a different hardware type running Android.

Internet industry freaks out over proposed unlimited price hikes on .org domain names

doublelayer Silver badge

Re: Domain names are all pointless

"Ok sure maybe there are some security implications to my new system"

We need to talk about this. After this, I hope you have some extra time because I've got to learn the art of the understatement from you. But first, let's discuss the actual security implications of this. There are a lot of them. Whenever data is hidden from users, it becomes easy to make that data they never get to see contain the important part. It's hard to identify domains that are owned by the actual company apart from those registered by scammers with a bit of forethought. How will that change when domains are random sets of characters? Do I need to answer that?

Also, how useful will it be when I suggest you try out a new system by having to say "Well, I suppose if you do a search on [the site name] or you could always go to fa8enozvl3mz90vnae.airforce". Maybe a little harder for you to remember, no? And easier for you to get wrong, yes? And much easier for a scammer to register a bunch of things and SEO them into your search so you will get it wrong and won't be able to find out until it's much later than it should be, yes?

And even without the many security problems, and we've only scratched the tip of the iceberg on that, this system would require another layer of resolution services. Another set of servers. Another DNS query and some extra delay on actually connecting. An extra series of organizations running the thing with entirely unproven trustworthiness. Another layer of power that could make mistakes. Another layer that a user needs to administrate or stick with the OS default.

This idea is very bad. I know it doesn't compare to your understatement, but I'm working on it.

Microsoft's Edge on Apple's macOS? It's more likely than you think for new browser

doublelayer Silver badge

Re: Don't want it

People can't design Edge-only sites without having a lot of problems. They could do that with IE because IE had its own rendering engine that could be changed to produce different functionality than other browsers and the spec. Microsoft just took someone else's rendering engine. It can't really do that anymore. A site that works on Edge will also work on any Chromium browser, and because Firefox/Gecko supports most of the frameworks Chromium does, it'll work well in that too. Of course, a bad designer can break this, but it's a lot easier to do a Chrome-only site than it is to do an Edge-only one.

FYI: Yeah, the cops can force your finger onto a suspect's iPhone to see if it unlocks, says judge

doublelayer Silver badge

Re: Doesn't compute

I'm not downvoting, but I think this is not correct. Metadata describes some other piece of data, meaning that if you have a piece of data, any data that describes it would instead be metadata. If my data is a file, then the file size would count as metadata. If all my data is is the expression of a file's size, then its unit would be metadata. I think the definition of metadata specifically depends on the data involved.

On the point of surveillance, I don't think the argument should be "The stuff being collected isn't metadata; it's data", but instead "The stuff being collected is sensitive metadata about calls that should not be collected".

doublelayer Silver badge

Re: You can pry my password from my cold, dead lips.

You use some type of data storage, right? This generally applies to any form. They can take it, and if they need biometrics to access it, they can now take those, too. The warrant in this case allowed them to access phones, but a different warrant could allow accessing computers, drives, or other devices.

Facebook: Not saying we've done anything wrong but... we're just putting $3bn profit aside for an FTC privacy fine

doublelayer Silver badge

A good sign and a cynic

I'm glad to hear that there may actually be a penalty for their actions. It's been a long time in coming, and I think we can see that it is well-deserved. I'm afraid, however, that as much as they set aside, they don't actually intend to start paying fines any time soon. While this amount would be a large chunk for them, they can continue to operate just fine as it sits in a bank, including using their legal strength to try to get out of paying it or fixing any of their privacy disasters. Here's hoping the fine is charged and paid quickly.

Rising sea levels? How about the rising risk of someone using a nuke?

doublelayer Silver badge

Re: Giving up nuclear weapons? Not likely

You are probably correct, but there are other examples. South Africa gave up their relatively small nuclear program and had all their weapons and manufacturing facilities dismantled with international oversight, and some countries have chosen to reduce their stockpiles, although not to zero. Not that this proves anything, but the history is interesting.

The peelable, foldable phone has become the great white whale of tech

doublelayer Silver badge

Re: Fixing a problem that doesn't exist

It's certainly pointless for me, but some people want it. They want a device that they can carry in a pocket but has the screen size of a tablet. They have reasons, and though I don't share them or even understand what the reasons are, they exist for some people to want the device. If they want it and a company can build it, it seems useless to complain about its existence. Just join with me and don't buy it. Of course, this all hinges (pun originally not intended) on the companies' ability to actually make the thing so it has some semblance of a lifetime.

doublelayer Silver badge

Re: Not surprising in the least

It will have less protection from stuff on the outside of the device, so it might get scratched, but it has an easier folding characteristic because the screen part doesn't need to fold completely flat but can instead curve. This means that it's less likely to simply crack in half, develop a crease, or interfere with the hinge opening properly. If they build the hinge properly such that the screen stays connected to it, it could also better withstand particulates getting into the screen from the hinge area. Of course, there are a number of ways to get this horribly wrong, and I would not be surprised to hear that they've found one of those. Still, an outward-facing screen doesn't have to be a problem.

doublelayer Silver badge

Re: Industry shudders: Do we have a big problem?

"At this stage of the game I want to be able to buy a really good phone for < £100"

The major problem facing the industry is that you can. Actually, prices might be slightly higher than that, but a phone that sells for £150 can have comparable specs to the flagships. Of course, you're going to play a guessing game about how long security updates will come, but you get that on the higher-priced ones too. There is very little difference between phones made by different companies at different times. They're just flat slabs of glass that look the same and run most of the same code.

I think one important element is that the computing-relevant specs of a phone are pretty unimportant. Of course, you can find a phone that is too slow to handle its tasks, but four cores vs eight cores or 4GB vs 6GB of RAM doesn't matter to most applications. Neither do the advances in cameras--while some people do actual serious photography with their phones and justifiably want the best camera for their needs, a lot of other people either don't use it at all or simply want the ability to quickly capture an image, so all they need in a camera is to end up with a recognizable image at the end. When smartphones were new, you could usually tell when you bought a new one that it had a lot more processing power than the old one. That is no longer the case.

Meanwhile, companies think that any change they make justifies a massive price increase. The mainstream manufacturers think that their new even more high-res screen should be worth a bundle. Palm think making a very small Android phone that some people, myself included, would actually want justifies a 200% profit margin, which makes me lose interest immediately. Companies who used to make the cheap and introductory Android devices think they can get a lot more money by making the software a bit nicer and multiplying the price by ten. I don't know why they think this, but I don't think it will end well for them.

Behold, the insides of Samsung's Galaxy Fold: The phone that tears down all on its own

doublelayer Silver badge

Re: Two screens with an infinitesimally-precise and tiny mating junction

That has some advantages, but runs into the problem that the gap has to be really small to not be noticed when held close to the user's face. When this happens at greater distances, it's more doable, but for a phone, you'd hear a lot of complaining about the phone with a line down its screen. I think that pretty much any way you build this, it's going to have some major problems at first. Admittedly, they might have done a little more to avoid the problems they have.

Accenture sued over website redesign so bad it Hertz: Car hire biz demands $32m+ for 'defective' cyber-revamp

doublelayer Silver badge

Re: Any blame on Hertz for not actually being in charge?

To be fair, the typical definition of IT would include a lot of things related to the website, such as where it is being run, where the database is, and what the spec would be, but the writing of the code that runs the site would probably not be a specifically IT thing. It mostly depends whether programmers and administrators are both lumped into IT or not. In most places I have seen, these groups are in different departments and simply connect. On that basis, it's not the IT department's fault if the programmers, in this case outsourced, fail to write the code properly.

Fed up with 72-hour, six-day working weeks, IT workers emit cries for help via GitHub repo

doublelayer Silver badge

Re: Who is Complaining?

If you read the article, it's kind of a lot of people in China who are being forced into this and a bunch of other people who did argue about this and are having their comments blocked or erased. They're getting a bit of support from some engineers at GitHub, but not very much. The information was all there.

I am happy to work longer shifts than is the norm, and perhaps six-day weeks. I won't mind doing it, as long as:

1. It lasts for a short amount of time before things go back to normal (two weeks would be acceptable, a month under exceptional conditions, see point 4)

2. There is some direct benefit to me, I.E. being paid extra, additional vacation time, or receiving some other benefit, not the chance that this will be looked well upon and someone will demonstrate their gratitude later

3. There is some planning so I know when this is going to happen. Not that it has to be scheduled a year in advance, but don't come to me on Monday and just announce it

4. There is a real purpose. If something needs fixing or building quickly, that's fine. If two projects need to proceed and I really have to work on both of them, that's fine. If I'm doing my normal job but they want me to work extra hours for no good reason, that's not fine.