* Posts by doublelayer

10485 publicly visible posts • joined 22 Feb 2018

Lovely website you got there. Would be a shame if we, er, someone were to sink it: Google warns EU link tax will magnify media monetary misery

doublelayer Silver badge

Re: I'm perfectly fine with minimal text and no images

You can use it fine with no images, sure, but minimal text? Usually, the main thing that helps me to decide whether the search worked is to read the summary text where my terms appeared. I can filter whether results are useful or just happen to mention my search term much more effectively with that than I can with the page title. I can also use that to identify pages that I've already effectively read, if the term was quoted in multiple places.

I also think it should not be possible to charge for linking to a page. That is antithetical to much of the web, and should remain so. I'm directing traffic to someone. If they want to make money on that, they should view me as a positive, whether I'm making money myself or simply thought they were a useful resource. I shouldn't have to pay for the privilege of telling someone they might find something else useful. I don't pay the newspapers if I suggest that someone goes and gets one to read a great article.

It's 2019, and a PNG file can pwn your Android smartphone or tablet: Patch me if you can

doublelayer Silver badge

Re: Great

"Why did you buy a 3rd party phone if you care so much? Only an idiot would do such a thing."

Thanks for the compliment.

"1st party phone is a Google pixel"

That involves paying google a bunch of money, buying a hideously overpriced device, getting the wonderful extra google spyware unless I flash it, in which case there is no support... No thanks.

"2nd party phone is a network SIM free phone"

Sure, that is always nice to have. Some networks will make it a terrible pain to get one of those onto their network in the first place. Or maybe the person concerned got the phone from someone else, either an employer, as a gift, or from a previous owner.

"There is clearly nothing wrong with Android if some models get these patches every month, and many do."

Your logic says that there is nothing wrong with [x] if some examples of items in category [x] get good condition [y], with the clear indication that the remaining members don't get good condition [y]? So, in that case, you'd wholeheartedly agree with these statements, then:

1. There is nothing wrong with your car because some of those cars work perfectly well. The fact that it crashed yesterday, injuring the driver because the airbag didn't function properly and putting that pedestrian in the hospital because the brake pedal did not, if you want to be inordinately technical, activate the brakes, was clearly not anyone's fault, or if it was it was your fault.

2. There is nothing wrong with the lunch you had today because some people ate it and survived. The fact that yours, personally, was a little bit contaminated with antibiotic resistant bacteria and so were those of a number of others was clearly a fluke.

3. There is nothing wrong with floors because you can see many people walking on them and being supported just fine. Therefore, you are happy that you are falling through a hole in the floor because there is no problem with the floor over there where you are not right now.

4. There is no problem with Samsung Galaxy note 7s because there were one or two that never exploded. Many others did, resulting in a bit of flames and some injuries, but some didn't, so clearly it was fine.

A little tip, for there to be absolutely no problems with something means that all things in that category must work. That's why nothing is free of problems. Android is not even mostly free of problems.

doublelayer Silver badge

Re: Oh well

And, unfortunately, devices running on old security updates are very common. Again with the anecdotes, but a friend of mine has two tablets that she uses very frequently, both of which are still on version 4.3*. My only hope is that they are too old to run the newest malware. She is, at least, a sharp person who will probably spot most scams, but it is still unpleasant to think of those things online in 2019.

*Neither received a single update of any kind.

Apple puts bullet through 'Do Not Track', FaceTime snooping bug and iOS vulnerabilities

doublelayer Silver badge

The only site I've seen that does respect it is, in fact, adafruit. Nowhere else has ever warned me about this tracking, and of course many sites are known to completely ignore it. So you can pretty much assume the answer to what sites don't respect DNT is (*.* - *.adafruit.com). You will unfortunately have to be more active than that to stop tracking, and I'm glad that someone is killing the thing because checking that box probably provided some with a false sense of security about the whole business.

Almost £5k for a deskslab: Microsoft's Surface Studio 2 hits UK

doublelayer Silver badge

Re: And we thought that Apple stuff was expensive tat

It doesn't compare well in price to Apple's iMac 5k; that starts lower in specs but also much lower in price. Then again, I suppose there must be people who want a 28 inch touchscreen for some reason, and Apple doesn't have that. I'm sure people have a reason. I don't know what it is, but it will come to me, maybe.

In the general scheme of things, both of these machines are much more expensive than will be needed by pretty much everybody. They price themselves out of consumer range, don't include enough processing power to run all the games that serious gamers want to play, and are too screen focused for the massive data processing people. I can see something like this being used by serious graphics users, but that's not a big market, and plenty of them have been satisfied with less.

Website programming? Pffft, so 2011. Python's main squeeze is now data science, apparently

doublelayer Silver badge

Re: Re Good job Python isn't a syntax Nazi.

I agree, but sometimes you don't have that authority. I recently had to work with code where the writer (I don't know what is wrong with them, but something clearly is) had mixed tabs and spaces with *every* number of indenting spaces from 1 to 17 and several lines indented at random numbers above 17. This was C code, and the indentation didn't match up all that well with the brackets. Thankfully, this code was put under my branch, so I was able to thoroughly reindent the thing. However, I wouldn't mind something external preventing them from doing that to the code in the first place.

Crypto exchange in court: It owes $190m to netizens after founder 'dies without telling anyone vault passwords'

doublelayer Silver badge

Re: Crypto-busting test case

"If an encrypted computer (I'm going to assume that means "encrypted data on the hard drive" in this case) is a ["]problem with a solution["][my statement], what is the point of encrypting any computer...?"

The point is to prevent data being stolen with a machine. If you were to rob me in the street today, you'd get my computer, but not the data on it. You could try some passwords, but it wouldn't get you in, and the security of my data would be intact. That's because it's not worth a ton of money to you. $190 million in bitcoin, on the contrary, is worth quite a bit to people, including to the people who run this company who could face some negligence cases if they don't get access to the thing. That makes it possible to invest some more resources into brute forcing passwords. For example, if the encryption is done using bitlocker on Windows, the passwords aren't super-secure*. It would be possible to brute force the possibilities of the default code if you had the inclination. For $190 million, the inclination is there more than for the random files I happen to have, and it is thus more likely to be attempted by this company than it is by a street thief who already has the main source of value, the hardware of my laptop.

*The default password for bitlocker is a 6-digit numeric pin. This machine could use a different system and/or a more secure password. This system could in fact not be encrypted at all. However, automatically typing in all combinations of digits is doable if you are willing to spend a couple of weeks on it, and other methods of trying to crack the password are doable too.

doublelayer Silver badge

Re: Crypto-busting test case

From the sound of it, the people attempting to regain access aren't that good at it. I don't know the details, but it sounds as if they think they have access to a computer with the data on it. I'm assuming the computer is encrypted, but even so, that is a problem with a solution. They were also the people who let a store of value be set up in such a way that only one person could access it, which doesn't say much for their common sense.

doublelayer Silver badge

Re: Bullshit

On the topic of faking one's death, if this happened, he could probably transfer the funds out somewhat easily by sending them to an exchange and getting a different currency. He'd lose a bunch of it, but you can lose a lot of $137 million and still be fine. In the meantime, while someone could detect that the money was taken, they wouldn't know how to find the thief.

Two things don't make sense here:

1. That the company would be so large and store all the passwords and other critical data in one brain and one computer.

2. That the company would put all the cold storage cryptocurrency in one wallet. That's just asking for someone to get in and take it. If you store a medium amount in each of four hundred wallets, an intrusion can be detected before you lose too much.

I would expect any crypto company to do both of these things. The fact that they have not makes them incompetent, whether these actions were done out of negligence or malice (I think it more likely to be the former).

I won't bother hunting and reporting more Sony zero-days, because all I'd get is a lousy t-shirt

doublelayer Silver badge

Re: This is really tight

There could be a lot of benefits in having publicity. Don't publicize the errors much, just say that they were fixed, and the person reporting them got $large_amount_of_money from you. That attracts others to try to find vulnerabilities in your system so they can get $large_amount_of_money too. Not that you always pay them a large amount--that depends on the scale of the bugs they found for you--but if the bugs were indeed critical, they deserve it and you can use it.

doublelayer Silver badge

Re: A little shortsighted

A completely accurate analogy is hard, but it is something like if a mechanic approached me and informed me that my car had a serious fault with it, and explained why. Depending on the details, I might not care that much or I might be very interested in the risks. In the latter case, I'd be grateful that I was able to avoid the negatives and I would offer said mechanic some recompense for the useful service they provided. In the other case, I'd not do very much. However, it sounds as if the bugs found were considered very important, so a shirt, which is the equivalent of a thanks from me, seems less than justified.

doublelayer Silver badge

Really? A shirt?

Here's a question for you. Have you ever been excited or even generally pleased about a free shirt from a company or event? For me, they've ranged from "Well, now I have another shirt" down to "Well, now I have another thing to wear if I decide to paint". That's without considering the possibility that I might not want someone else's logo displayed on my person. Of the many really cheap things you can make a bunch of and give to people, most are more generally useful.

Oh, and the bug finders don't need more shirts, people. I thought you could figure that one out. They've saved you the time and money it would cost to find the bug yourself or to deal with whatever problem would occur if someone else found it and sold it on the dark web. Show them some respect by giving them a small amount of that.

Boffin suggests Trappist monk approach for Spectre-Meltdown-grade processor flaws, other security holes: Don't say anything public – zip it

doublelayer Silver badge

Re: An open letter

I'm aware of that, and perhaps my joke is not the style of rebuttal you would submit to the professor personally. That doesn't change the fact that he is wrong. It doesn't change all of the reports made to all of the companies that never did anything (for an example, see the tracking watches that have been known to be insecure for a year but are still insecure, about which multiple articles have been posted here in the past week). He seems to think that negligence doesn't exist. Either the company fixes their thing or they calculate that it is not important enough and are fixing something more important. That's not true; companies sometimes choose not to fix anything because they are spending all their time on the next product. That is a problem, it happens too often, and something needs to be done about it. Disclosure is a way to get something done, and if this professor refuses to acknowledge that the problem exists, he can't help to fix it. So I would argue that my comments, informal and inappropriate in tone as they would be if I submitted it as an official rebuttal, are still accurate.

doublelayer Silver badge

An open letter

I'd like to write an open letter to people who think this professor's approach is the right one.

Dear members of the computing community:

You're wrong. No, really. Completely wrong. I don't know what leap of logic you took, but while there might have been logic when you went up, there is none where you came down. You clearly need to be let in on a few facts of how security vulnerabilities work.

When a researcher finds a vulnerability, they identify it with enough precision, and report it. They could release it publicly, but few do. Usually only if it's a thing that will never be fixed. But they usually don't both because it's a bad idea and because they might get paid for their hard work. So they report it to a company, who hopefully does its homework and figures out how bad a problem this is and how they're going to fix it.

You see that "hopefully"? That's because sometimes they DON'T. They leave their product vulnerable, keeping the customers at risk, completely ignoring the researcher, and making a mockery of security. And that, my friends in the audience, is not a very nice thing. So sometimes, a bug has to be disclosed so the company will get up and actually do something, or at least they can be held responsible for their negligence. Do you know the word negligence? Do you know that it happens sometimes?

Now, let us surmise that a company has proceeded with our hopefully and fixed their bug. Yay, the patch is released. The vulnerability is gone. Yeah... Do you remember that whole wannacry thing? It was kind of a big deal back in May of 2017, when a lot of things suddenly started breaking? That bug was patched in March, and a lot of people didn't have it. Maybe that is because a lot of people are lazy and incompetent. Actually it definitely was. But another set were unaware how critical the patch was. That's what publicity does. It informs the IT literate that they need to get fixing, and it alerts those who are not IT literate to find someone who is IT literate to fix their stuff because it can be broken. This, in turn, results in less broken stuff.

You can disclose improperly or in a counterproductive way. No contest. So what? You can also drive in an improper way, too, but we don't ban driving because we're better off being able to get places quickly. Having something that can be done improperly isn't fixed by never doing that thing again. It is fixed by finding the ways to do it improperly, and not doing those. If it's critical enough, it's done by putting incentives in place not to do it improperly.

Welcome back to logic. Let me help you up. Now, if you'd like to start researching again, that's fine, but maybe run your output past us next time. After all, you seem to have been doing it improperly, and we don't want anyone hearing about it and deciding there will be no more research.

Sysadmin's three-line 'annoyance-buster' busts painstakingly crafted, crucial policy

doublelayer Silver badge

Re: Putting dates in names

Perhaps I should clarify my statement. Neither mv nor cp complain about copying a file over another one *by default*, which is how everyone runs them. Since these tools don't do a lot of, to me, more obvious things without my having to tell them with switches, I would think that -i should be on by default. So much did I think this that I assumed that it was.

doublelayer Silver badge

Re: Putting dates in names

No, don't put dates in names. That just makes the names harder to understand. If the files are called "system_restart" and "system_test_dr_capability", they are less likely to be run by accident than if they're called "20170204_ada_lovelace_at_company_dot_com_fixes20160419_system_test_dr_capability".

The latter approach not only makes long names that are hard to remember, but it can also result in multiple versions of the file that may or may not do the same thing.

Put instructions at the top of any file that can handle them, and of course test before you push things into production. Also, if you can, don't use a system that cheerfully replaces one config with another config without asking; if they had gotten a single confirmation box or terminal warning*, this would have been detected before it caused a problem.

*As it turns out, neither mv nor cp complains about copying a file over another one. I thought they did. Time to become more nervous.

doublelayer Silver badge

Re: Behind a locked door...

You don't even have to introduce a negative. Make the documentation very verbose, include something in it approximately 68% of the way through, and watch people lose their mind when they try to find it. Otherwise known as the irritating API reference technique, where you know there should be a function that does what you want, and it's in this category, but this category includes thirty APIs, each of which implement 60 functions. And the search box only searches API names, but not functions. They're watching me to see how long I search, aren't they?

Windows Defender update: So secure, it wouldn't let Secure-Boot Windows PCs, er, boot

doublelayer Silver badge

What are the symptoms

What exactly happens when the machines don't boot? Usually, the machine has to do something to indicate the reason it isn't doing anything. The reason I ask is that a machine over here recently installed an update, though we don't know which update, and refuses to work normally; it boots to windows in a way but sits on a page showing only the time and date, refuses to show the login screen, and ignores input. This could be described as not booting into windows. If people here have experienced this bug, is this how it manifests? An internet search suggests that a bug like the one we're seeing has been around for a while, but I don't know exactly what this machine got hit with as no others are doing this.

Bug-hunter faces jail for vulnerability reports, DuckDuckPwn (almost), family spied on via Nest gizmo, and more

doublelayer Silver badge

Re: SS7 hacked?

"One suspects that it's [phone hacking] easier and more lucrative now that everyone and everything is cloudy."

Easier, maybe. More lucrative, no. In general, all the things that used to be expensive are cheap now. People don't need to hack for cheap calls over long distances, because that is included. The only types of attack that are prevalent on the network are pretending to be someone else and intercepting others' messages. Given how little attention is paid to all those scammers spoofing caller ID, it is clear that the only type of hacking that is getting dealt with is message interception, which isn't that big. The attackers have to use this in combination with other things, usually social engineering, so most try the easier method of social engineering everything from the victim, rather than social engineering some things and accessing the phone system for the rest.

Want a bit of privacy? Got a USB stick? Welcome to TAILS 3.12

doublelayer Silver badge

Re: An ARM version might be more useful...

Maybe, but you would need to connect it to an HDMI screen and USB input devices. That doesn't make it less disposable because you could keep those parts even if you were paranoid enough to destroy the pi (you don't need to), but it would be clunky. Unfortunately, there isn't a convenient system for using a pi portably. As much as I like it, battery performance isn't great and there isn't much hardware that can be carried without trailing wires behind you. For portable usage, the easiest solution is probably still the old-fashioned laptop.

doublelayer Silver badge

Re: An ARM version might be more useful...

Other than raspberry pis, what are you going to run the ARM version on? We have ARM servers (I'm pretty sure it's not those), and most other ARM devices won't boot normal Linux, let alone one built for a much different purpose. This is a desktop OS, and we don't have many ARM desktops.

Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power

doublelayer Silver badge

Re: "but it also treats mobile users like adults capable of making their own decisions"

You want more selfishness? Fine. I don't want people to give up all their information because it gives companies that seek to violate my privacy more ammunition with which to attack me. Either they will have better systems for gathering and using information I don't want them to have, or they'll have collected a bunch of my information from other people I've met. Does that logic work for you?

On the topic of saving people from themselves, that doesn't need to apply to everyone. I think most would agree it applies to children. Adults can walk into dangerous situations if they want, but if I see a child doing that, I'm going to stop them and explain why that is a bad idea unless someone else is already doing so, even if they're not my child. The app concerned here targeted older children, giving them a relatively substantial amount of money for a person in middle school while taking a bunch of information, probably without explaining exactly what information and what they were going to do with it. Am I allowed to save them from themselves?

Techie finds himself telling caller there is no safe depth of water for operating computers

doublelayer Silver badge

Re: Ex designer of military kit

Disclaimer: I have never used military equipment. I'm not stating things, I am asking them.

All those requirements about what the machine must withstand make a lot of sense for why the prices are higher. However, I have a couple of questions. First, do they require that a device be capable of use in all of those situations simultaneously? For example, I would have assumed that machines intended to be installed in airplanes would be distinct from other classes of devices, as a ground or tank based machine would not need to sustain the G forces, the weird acceleration, or the recoil of firing plane-mounted guns. Second, do military computers really have the same specifications of top of the line machines? I don't know about the military models, but every time I have looked at or been requested to find computers for difficult environmental conditions, the options have been the following:

1. Machines with very old specs, usually something designed for windows XP or some old version of android.

2. Devices with somewhat modern specs, but with little access to the system. You stick with the OS installed on it and just write your application over that. This can be problematic when the device is running some restrictive OS like android (there are many of those).

3. Devices that seem to have a modern processor, but are very heavy, power intensive, and run very hot. These would often be unacceptable for military use per the specifications above because they use fans to dissipate the heat and, as far as I'm concerned, seem to be of somewhat dubious build quality.

I would assume that most military machines are running a slower system that is capable of running the program required, but does not have a ton of extra speed or graphics capability. From the original post, the machines described were sufficiently behind the machines of the time in terms of computing capability. From your experience, is most military hardware more advanced or more restrictively specced than I had assumed?

Texas lawyer suing Apple over FaceTime bug claims it was used to snoop on a meeting

doublelayer Silver badge

Re: Can he actually provide proof that the Facetime bug actually caused him a problem?

If the bug was used, it can be proven. When the call comes in, the phone will ring normally, bringing this to the attention of the person in the meeting. The records will show if someone grouped themselves into the call. Whether you can prove harm can be tricky, but it wouldn't be hard to prove that the bug was used, and having that happen in a private deposition would probably be enough reason to say there was some negative outcome for you. If they did their research, they can probably prove fault by Apple. If they only have some evidence that someone listened in some way, they probably won't.

PSA: Disable FaceTime. Miscreants can snoop on your iPhone, Mac mic before you pick up call

doublelayer Silver badge

Re: Bug?

Given that the phone is ringing, it's not that useful to a spy system, as you would only get thirty seconds of data before they answer or hang up on you. It is still a major problem, but it is a very small and mostly useless backdoor if you were in an actively malicious mood.

doublelayer Silver badge

Re: Bug?

Your choices:

1. Lineage OS, uses the android stack but removes the google blobs unless you reinstall them. This generally works, but offers little Linux functionality. You must have a phone in a specific list, with only flagships from each generation and popular devices included.

2. Sailfish, which has more Linux and no android, and offers some Linux functionality but is mostly incompatible with the Linux functionality of a Linux desktop. You must have a phone in a specific list, with only flagships from old generations included.

3. Ubuntu touch, which was promising until it was dropped, and is now maintained by a random group of people, meaning who knows what it will be like tomorrow. But it does do Linux, and well. For now. You must have a phone in a specific list. The list is very short. Expect installation to take forever, plus a lot of typing. Good luck.

I really wish there were better options.

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data

doublelayer Silver badge

Re: But but - Apple protects our privacy!

Apple didn't do this as a symbolic gesture. That app was running before the cert was revoked, and those installs have presumably all broken. There was a problem, actively existing, and Apple fixed it. In addition, they never allowed the app into the appstore, meaning they were already blocking it. Only by using this workaround and not telling Apple about it could Facebook get the app onto people's devices. When they found out that Facebook was doing that, they put a stop to it. Exactly what did Apple do wrong here?

Boffins debunk study claiming certain languages (cough, C, PHP, JS...) lead to more buggy code than others

doublelayer Silver badge

Re: poor tools can't be blamed?....sure, sure, suurrrrre

You're allowed to complain about your tools. You're allowed to say that a tool is not fit for purpose and require a better tool to complete it. What you aren't allowed to do is *blame* them, as in "It's not my fault it fell apart immediately after you got it. You should have seen this terrible vice I had.". The tool can be worse, but that leads you to have a worse time trying to build the result, not the result simply being of less quality.

That said, there is at least some argument for poor tools if the person concerned was made to do the job using the poor tool in the same time limit needed for the good tool. However, for programming languages, it is likely not that one is better or worse, but that one is better or worse for each specific coder and their experience.

Are you a Windows 1 in 10 (1809)? Or a mighty 80 percenter (1803)?

doublelayer Silver badge

Re: 19H1 (aka the Windows 10 April 2019 Update) is likely to hit in a matter of months..

That's the official name. Just as the 1809 update was called the October 2018 update even when it was delayed until November. I don't know who is setting the numbers or the names, nor do I know what the H is doing in that number now, but that's Microsoft's decision.

Q. What do you call an IT admin for 20-plus young children? A. A teacher

doublelayer Silver badge

Given how many people have mobile phones, it would not be particularly difficult for a child to obtain phone numbers. They could easily get the student's number from their contacts, and with a little effort, gain access to their contacts using a number of methods. I think the risk of bullying is important, as it has proven difficult to prevent. I therefore suggest that we do our best not to make it easier.

However, let's consider some ways the access of these accounts could be abused by others who are not schoolmates. This is yet another source of data, and one that companies would not mind mining. Do we want our children to have their primary school grades analyzed or leaked? I think we can all agree the answer is no. There are many parents who obsessively check the grades of their children, but some of them* would not mind seeing the grades of other children for comparison. They could use this insecurity as an entrance. If we want to overthink this, there is probably a lot of personal information in this that could be used to socially engineer the child, too.

Children do not have much data on them. Their schoolwork can be a very personal thing. Some may divulge it to others, which is entirely their right, but others do not want their friends or anyone else to know all the details. I believe it is extremely important that it remain private to them and their parents. The worst-case scenario with a leaked phone number is irritating calls. This is certainly a thing to be avoided, but I can think of worse things that could be done with leaked educational data.

*Parents spying on students' grades: I know parents who do this, usually by "casually" asking students increasingly leading questions. It is not that many of them, but one is already too many and there is more than one.

doublelayer Silver badge

Re: "Young students, for example, cannot be expected to remember and enter a password. "

I'm not sure that's accurate. In principle, I agree that the stereotype should die. However, let's analyze some things you claimed:

"And of course the entire computer industry and the Internet was developed by people now nearing their allotted four score and seven years."

That puts the computer industry and internet as developed by people born in 1932. Some of them, sure. Most of them, no. The people who did a lot of the modern-day internet technology were born in the 50s through the 80s. We're not including every computer science professor who wrote a lot of important texts; I'm thinking the engineers at the companies who designed the products we're currently using, from old concepts like HTML and HTTP to newer technologies like JSON. However, I also contend that this doesn't matter; if the point is that older people have had less contact with computers, citing old computer scientists is finding the exception that certainly doesn't disprove the rule.

As for when the majority of people encountered computers, I do not think we can really count the machines of the late 70s and early 80s. I don't think they count for a generational rule because they were not that commonly held by everyone. Remember that a lot of people here had them because we self-select to be more interested in computers. The population at large was not guaranteed to have a home computer in 1985. I would conservatively estimate that, if you were a child in 1990, you would then be guaranteed to have a lot of contact with computers during your youth. We'll say that this would happen if you were younger than ten years at the time.

This puts our threshold of stereotypical computer familiarity birth year at 1980. In other words, the maximum age for such a person is 38 years. Many teachers are older than this, as it is a job they typically hold for many years. Since we're talking about primary and secondary schools, I estimate that about a half of my teachers were above the age of 40. Nearly all the teachers were older than 40 in my primary school, though I do not know if that is a pattern.

Of course, this is a stereotype, and will not be generally correct, but I believe I've made clear that there are many people who did not have contact with computers during their youth. There is no guarantee that, even though they have undoubtedly had to use a computer at some point during these past decades, they are literate in the technology and can successfully manage it. Look at all the people that are, according to this stereotype, supposed to know what they are doing. Many of them are not competent in using it. Unfortunately, while I have found many older people who have no difficulty with technology, I have found many more who reject it entirely or make me wish that they did.

doublelayer Silver badge

"There is a world of difference between being able to guess the login for a child's reading record and being able to log in to a system which gives you name, address, phone numbers etc."

I beg to differ. Having an address or phone number can lead to spam, sure. Consider, however, how things would go if some students could find the grades for other students. That could be very unpleasant, and lead to torment of various types. There's reason number one not to let it happen. While we're on the topic of torment, a student with an urge to be malicious could log in as another and send in homework, either to have their victim fail or to frame them for an offense. Reason number two. An external attacker could obtain a list of students from the school (this is easy to get) and access all the accounts, either communicating with the child, sending the child elsewhere (think an XSS on the page that probably wasn't built well), or collecting information that could be used to track them. Reason number three.

Access to these systems is sensitive, and must be protected.

I helped catch Silk Road boss Ross Ulbricht: Undercover agent tells all

doublelayer Silver badge

Re: Great Read

Not so. The way that Tor hidden services work is complex, and I suggest you read about the details and complexities of it because it is intriguing. However, since you are on the Tor network and the .onion is as well, you don't have to go to an exit node. An exit node is only needed when you want to leave Tor onto the regular web again.

As for how to purchase server space without identification, it is a bit difficult for most hosting companies, but it can be done with cryptocurrency or with cash in a PayPal account. You have to go to various places to make that truly anonymous, but it works. The mechanics are left as an exercise for the reader. If you do it wrong but think you've done it right, prison time may occur.

doublelayer Silver badge

Re: More Questions

They might have done that, but they didn't need to. They had access to his email. Presumably, somewhere in the trash folder was an email with the subject line "Your order of a [insert laptop model here] has shipped". It was a laptop, though, so they probably had enough time to look at it as long as they could keep him from pressing any keys.

Apple: You can't sue us for slowing down your iPhones because you, er, invited us into, uh, your home... we can explain

doublelayer Silver badge

Re: Is everyone taking crazy pills?

That's not the alternative, or at least it shouldn't be the only alternative. The other option is that it works like any other electronic device; it continues to function at its speed but the battery doesn't last as long. You know, like every other phone or laptop.

I wouldn't mind it if they put in an option to underclock for increased battery life, which would be useful both as the battery became old and if there won't be convenient access to recharging for a while. However, I have to wonder what they did to their system that meant it would restart randomly rather than just deplete the battery quickly. That smacks of bad design to me, and the workaround, though perhaps not planned obsolescence, becomes a crutch for defective products. The other option is that they did have obsolescence in mind, and specifically designed it to break. I don't know which it is, but I think the former is more likely. Either way, they messed up.

doublelayer Silver badge

Re: On the subject of slowing things down...

I would guess that Mojave has tried the APFS rewrite again for those with mechanical drives, and that yours may not have worked all that well. A reinstall might fix that. I have been holding back on the Mojave update; I have all the updates installed, but I prefer to do my massive OS updates as clean installs because I don't have a great history with in-place upgrades.

doublelayer Silver badge

Re: "Apple had no duty to disclose the facts regarding software capability and battery capacity."

I agree with most of your points, but there is a difference between what they said, "We only warranty these batteries for a year" and what they now say that means "Your battery will only last a year, and if it lasts longer, you should be grateful." They only warranty the devices and all their components for a year because the users are likely the cause of damage after the year, and also they have found that time period to be financially useful to them. The components can and should last much longer than that. Their claim alleges a thing that is not a fact, and they are trying to use it to say that they can do anything they like that affects the hardware as long as the hardware is more than a year old.

As netizens, devs scream bloody murder over Chrome ad-block block, Googlers insist: It's not set in stone (yet)

doublelayer Silver badge

Re: welp....

"Another - constantly berate your family and friends for how stupid they are and how little they value your time, [...] and you're there only because you cannot tolerate such worthless idiots accessing the internet without someone much more skilled there to take responsibility for watching over their actions [...] [t]hus guaranteeing you will have few people to worry about!"

Thanks for the suggestion. I think that sounds like a wonderful alternative to just not doing it and letting them decide whether they want the system.

If you think that is the attitude that we have, you are not getting the point of our posts. We are not saying that people lack the responsibility to run technology or use the internet. We are saying that some of them lack the knowledge necessary to maintain a self-run DNS server to block hosts themselves and possess other attributes that make support more difficult. Take my post, where I stated that my parents might easily manage to disable such a system in a way that would make it difficult. This is not because my parents have any specific problems. I greatly respect them, and there are many things they can do very well that I cannot do well at all. Unfortunately, Linux administration is not one of those things.

It is not because they disrespect me or my work that this would be problematic; it is because it is complex and I don't need to spend the large amount of time that I predict support will require. If I lived close to them, where I could quickly come over and repair anything, I would likely set it up if they requested. If I could be assured that there would be no hardware interference, I would also set it up. The reality, however, is that the system would probably be interfered with, and I would either have to spend a much longer time repairing it than it would take if I could do so myself, or the users would have to put up with the system being down for a longer time. That does not provide enough benefits to the user or to me as support for the system in that situation to be worthwhile.

doublelayer Silver badge

Re: There is always the old fashioned way

You could theoretically run your own DNS system that periodically checks all the domains you don't want, and then modifies your firewall to block any address that shows up. However, the better response should they prevent normal DNS is to stop using the thing.
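The approach described in this post, sketched as an added example (not code from the poster or from any project): resolve the unwanted domains on a schedule, diff the answers against what the firewall already blocks, and emit the set updates. The nftables table and set names, the `.example` domains and the documentation-range addresses are all constructed assumptions; the script only prints commands and skips any address that also serves an allowlisted domain, since shared CDN addresses are the main way this technique breaks wanted sites.

```python
"""Added example: sync firewall block sets with what unwanted domains resolve to."""
import ipaddress
import socket

# Constructed sample data: .example names and documentation-range addresses.
BLOCKED_DOMAINS = ["ads.tracker.example", "metrics.tracker.example"]
ALLOWED_DOMAINS = ["news.site.example"]
SAMPLE_DNS = {
    "ads.tracker.example": ["192.0.2.10", "2001:db8::10", "0.0.0.0"],
    "metrics.tracker.example": ["192.0.2.11", "198.51.100.7"],
    "news.site.example": ["198.51.100.7"],  # same CDN address as a blocked name
}
# Assumed names for the nftables table and its two address sets.
NFT_TABLE = "inet filter"
NFT_SETS = {4: "blocked4", 6: "blocked6"}


def system_resolver(name):
    """Look a name up with the OS resolver; an unresolvable name yields []."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def sample_resolver(name):
    """Offline stand-in for system_resolver, backed by SAMPLE_DNS."""
    return SAMPLE_DNS.get(name, [])


def collect(domains, resolver):
    """Resolve every domain and keep only addresses that are safe to block."""
    found = set()
    for name in domains:
        for text in resolver(name):
            addr = ipaddress.ip_address(text)
            # Sinkholed answers (0.0.0.0, 127.0.0.1) must never reach the firewall.
            if (addr.is_unspecified or addr.is_loopback
                    or addr.is_link_local or addr.is_multicast):
                continue
            found.add(addr)
    return found


def ordered(addrs):
    """Stable text form: IPv4 before IPv6, then numeric order."""
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def plan_update(current, blocked, allowed, resolver):
    """Compare the addresses now in the firewall with fresh DNS answers."""
    current = {ipaddress.ip_address(a) for a in current}
    wanted = collect(blocked, resolver)
    shared = wanted & collect(allowed, resolver)  # blocking these breaks wanted sites
    wanted -= shared
    return {
        "add": ordered(wanted - current),
        "remove": ordered(current - wanted),  # stale: no blocked name uses it now
        "skipped_shared": ordered(shared),
    }


def nft_commands(plan):
    """Render the plan as nft commands, one per action and address family."""
    commands = []
    for action, key in (("add", "add"), ("delete", "remove")):
        for version, set_name in NFT_SETS.items():
            members = [a for a in plan[key]
                       if ipaddress.ip_address(a).version == version]
            if members:
                commands.append(
                    f"nft {action} element {NFT_TABLE} {set_name} "
                    f"{{ {', '.join(members)} }}")
    return commands


if __name__ == "__main__":
    plan = plan_update(["192.0.2.10", "192.0.2.99"],
                       BLOCKED_DOMAINS, ALLOWED_DOMAINS, sample_resolver)
    print(plan)
    print("\n".join(nft_commands(plan)))
```

Pass `system_resolver` instead of `sample_resolver` to use live DNS, and run it at an interval shorter than the records' TTLs, because addresses that rotate faster than the check will be missed.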

doublelayer Silver badge

Re: welp....

Unfortunately, this is exactly the problem. I have such a filter on my network. I'd like to install that on my parents' network. One of the aforementioned parents actually wants that, because they do not like ads. However, I haven't done it. The reason: I do not live close to their house, so when they find a way for the system not to work, I'll have to do over-the-phone tech support to instruct a technically-unaware person how to fix an embedded Linux system. You may say that the system would be able to handle most error conditions, and on that you would be right. I don't doubt that it could probably fix itself on most unusual network activity. Unfortunately, these would be some scenarios under which it wouldn't be so capable:

1. Someone pulls the power on it, and doesn't recognize that.

2. Someone needs an SD card, and removes the one running the Pi (yes, I do think someone would do that. I have a specific person in mind.)

3. Someone disconnects power at an inopportune time, and the SD card is corrupted. The other version of this is that power fails but something went wrong and the SD card was corrupted anyway.

4. Something goes wrong with their home network, and the technically unaware choose to use the reset button under the theory that that will fix their problem (they have done this before, thankfully I had a backup config for the device from when I set it up the first time).

5. They want to administer their own system, and ask me for the access. It is their network, so I'd have to give them access. I would then be kept up at night answering questions about whatever they used their access to break.

You might respond that this shouldn't stop me, because even if the device breaks, they're no worse off than they are now. Unfortunately, the history of managing those systems says otherwise. Every time something stops working, even though I didn't have anything to do with the problem or in some cases set it up, they will complain to me. These are the people who refuse to use a Linux machine, even as a backup. They may ask me to assist with a problem, but they will also take advice I give and do the things I exhorted them not to do. For example, one of them strongly dislikes Google and complains about them, yet continues to use Chrome, Google search, and Gmail. You figure that out; I have told them about Firefox, DuckDuckGo, and for that matter ad-blocking extensions multiple times. This is a quagmire I don't need to walk into.

Data hackers are like toilet ninjas. This is not a clean crime, you know

doublelayer Silver badge

Re: Inquiring minds want to know...

"An honest request for advice: how secure is this password? How great is the risk that I may have to spend a day changing my password on some 200 sites?"

This password is not secure. Actually, that's misleading. The password itself is probably fine, depending on length; I assume your name and date combination push the length up, and it is likely not used by others. In that, you're fine. Your problem arises because you use it on multiple sites. This is where it is bad, because it only takes one site to store it in plain text, hash it badly, or have someone persistent check a lot of combinations for them to break into all your other sites. If that happens, it is likely going to happen before you know that one of the sites lost their password database.

Some recommendations:

1. Use a password manager to not have to remember each password. Allowing that to create passwords will ensure that they are strong and unique to each site. You only have to remember the master encryption password to unlock that file. If you routinely have to log in on other devices with no access to yours or you mistrust password managers, you can go with another option, but this is really quite a good option.

2. Use your base, but include a site-specific component to your password. An important note, make this specific part difficult to identify; if it's just the name of the site, it won't stop someone for long. This isn't as secure, but it will protect you from a lot of things.

3. Periodically change the passwords. If you are going to have passwords that are insecure, make sure that they aren't valid for long. If it takes a hash cracker a few weeks to get the database and get your password from it, your password could have been changed before they can use it. Forcing password changes is usually a bad idea because it leads people to use insecure ones, but if you keep having passwords of similar security but change them often, you'll have better insulation against attack.

4. Be vigilant. Keep a list of sites where you have this insecure password system, and if you ever see that one of them is insecure or has been breached, change the passwords immediately.

Again, I'd really suggest using option 1 unless you have a specific reason you don't want to.
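Recommendations 1 and 4 above, sketched as an added example (not code from the poster): keep an inventory of which sites share a password, work out which accounts a single breach exposes, and replace them with generated unique passwords. The inventory stores only keyed HMAC fingerprints rather than the passwords themselves, which is a design assumption of this sketch; the site names and passwords are constructed sample data.

```python
"""Added example: find which accounts one breach exposes when a password is reused."""
import hashlib
import hmac
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + "-_.!@#%+"

# Constructed sample data: three sites share one password, one site does not.
SAMPLE_CREDENTIALS = {
    "forum.example": "Alex-1984-07-12",
    "shop.example": "Alex-1984-07-12",
    "mail.example": "Alex-1984-07-12",
    "bank.example": "q7!Vd-unrelated-and-unique",
}


def fingerprint(password, key):
    """Keyed fingerprint, so the inventory never has to hold the password."""
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_inventory(credentials, key):
    """Map each site to the fingerprint of the password used there."""
    return {site: fingerprint(pw, key) for site, pw in credentials.items()}


def reuse_groups(inventory):
    """Groups of sites that share a password (only groups of two or more)."""
    groups = defaultdict(list)
    for site, fp in inventory.items():
        groups[fp].append(site)
    return sorted(sorted(sites) for sites in groups.values() if len(sites) > 1)


def exposed_by_breach(inventory, breached_site):
    """Other sites that fall with breached_site because the password is shared."""
    leaked = inventory[breached_site]
    return sorted(site for site, fp in inventory.items()
                  if site != breached_site and hmac.compare_digest(fp, leaked))


def generate_password(length=20):
    """Random password from the OS CSPRNG, as a password manager would create."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate(credentials, sites):
    """Return a copy of credentials with a fresh unique password per listed site."""
    updated = dict(credentials)
    for site in sites:
        updated[site] = generate_password()
    return updated


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept locally, never stored beside the inventory
    inventory = build_inventory(SAMPLE_CREDENTIALS, key)
    breached = "forum.example"
    at_risk = exposed_by_breach(inventory, breached)
    print(f"{breached} breached; also change:", at_risk)
    fixed = rotate(SAMPLE_CREDENTIALS, [breached] + at_risk)
    print("reuse left:", reuse_groups(build_inventory(fixed, key)))
```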

Plug in your iPhone, iPad, iPod, fire up the App Store: You have new Apple patches to install

doublelayer Silver badge

Re: The Joy of updates

The major privacy things are kept. After updates, I'd recommend a trip down to privacy/location/system services, though, as sometimes they change or rename them, which can be accompanied with a turning on where you have turned it off. The one that comes to mind was their thing that is now called significant locations, but used to be called something else. I think it was around iOS 10 when that was renamed and reenabled itself. Mostly, however, Apple doesn't really change that many settings as compared to Android, so you're probably fine.

Fake broadband ISP support scammers accidentally cough up IP address to Deadpool in card phish gone wrong

doublelayer Silver badge

Re: Who is to blame for being taken by scammers?

So in any scenario where something bad happens to someone else, they did something wrong. At least, that is the case in a large majority of cases. Why did you open your door for the armed burglar? Surely you're intelligent enough to check the person at your door in some way before you open it to see them, right? Therefore, it's your fault if you get shot by a burglar. Is that the logic you're using?

Unless the victim knows the scam is coming and chooses to go through with it, which only makes sense if they are really a conspirator in the fact, they are not at fault. They could have done something better. They might be viewed as irresponsible and face consequences for it, for example not getting promoted because the company thinks they shouldn't be given any more responsibility, but it is not their fault that something negative happened to them.

Surface: Tested to withstand the NFL. Microsoft firmware updates? Not so much

doublelayer Silver badge

Surface firmware problems

I was asked to help fix a Surface Pro 3 that had developed a firmware problem, in that it would not recognize the correct charge for its battery, so would not hold a charge at all despite having a relatively new battery. This had been fixed in a firmware patch that would not install because "The battery level must be above 40% and the device must be connected to power to install this update". I tried a lot of things to circle around this error, but no luck. In addition, the charging cable, which uses the same strategy as Apple's MagSafe connectors so that it can come out easily if disturbed, meant that ordinary activities could pull it out and force a long recovery process. So the people who asked me to fix their Surface now have a particularly weird desktop, with its magnetic power plug taped into the socket, the cable taped to the back, and the device taped to the table. The least portable device built with extreme portability as the defining goal.

Want to spin up Ubuntu VMs from Windows 10's command line, eh? We'll need to see a Multipass

doublelayer Silver badge

Re: Webservers?

Quick answer: yes.

Long question: Why? You could run any OS with webserver in your VM solution of choice. You could exactly virtualize your server environment and share the network connection, thus having local access. If it is a server you don't mind setting up, you could also run Apache and any other dependencies (definitely MySQL and PHP but a lot of other tools are supported) directly on Windows. I've done it*, and setup is very fast and it works the same unless you have some specifically Linux backends.

*We needed an internal server. They put the Windows image on a machine and put it somewhere I couldn't change it. What was I going to do?

doublelayer Silver badge

Re: I love WSL, since it made scripting on Windows usable after 30 years :)

PowerShell is nice and powerful, it can do a lot of the scripting things that CMD couldn't do before, but could they make the commands shorter? When I've written PS code, I've either ended up with monstrous lines of code to run a few commands or I store everything (really everything) in a bunch of confusingly-named temporary variables in the interest of readability. I know you can have long and terrible lines in shell scripts too, but they're less common in my experience.

French data watchdog dishes out largest GDPR fine yet: Google ordered to hand over €50m

doublelayer Silver badge

re: There is no Refuse option available.

And when the site is not one that you can simply ignore? Sometimes, the site is one you are required to use. Either it is a site run by a business or governmental agency that you must use in order to fulfill some obligation, or in other cases it is the only site providing a necessary service. Other times, there are a number of alternatives, each of which has the same or similar cookie system. I have cookies autodeleted and do some other things to attempt to prevent this from being as creepy as it could be, but it isn't always possible to go elsewhere when these problems arise.

Man drives 6,000 miles to prove Uncle Sam's cellphone coverage maps are wrong – and, boy, did he manage it

doublelayer Silver badge

Re: Why are physical checks needed?

The tests were done in Vermont, which couldn't be measured fully because a lot of the areas are remote and rural. If congestion was the cause of these subpar measurements, the mobile companies do not know how to deal with congestion. These aren't metropolises we're looking at; the largest city in Vermont is Burlington with ~42000 people in it, and that is the largest city by 250%. Also, a challenge can't be made because an algorithm says the situation is bad, both because the FCC has set the rules to be much stricter than that but also because someone else could write a different algorithm to disagree. They were required to have ground truth, so they went and got it.

Oh snap: AWS has only gone and brought out its own Backup

doublelayer Silver badge

Re: All fine and dandy

But the major benefit of cloud is that it can be cheaper, conditions apply. The cloud providers sell economies of scale where your usage can be balanced against everyone else's usage to reduce the total amount spent on computing so you only pay for what you're using, as well as your risk of hardware problems which again reduces your cost. Otherwise, cloud doesn't tend to offer much more than you could do with your own hardware. There is a minor benefit in having geographically-distributed systems for faster access by people in distant locations, but this is rarely an issue of paramount importance. If cloud isn't cheaper, the only benefit that is distinctly relatable to cloud is scalability, but again, conditions apply. So many people either jump on the cloud bandwagon or refuse to use any cloud-related product whatsoever without actually looking at whether it is useful in the situation.

It’s baaack – Microsoft starts pushing out the Windows 10 October 2018 Update

doublelayer Silver badge

Re: "our next generation machine learning model"

I think you may be a bit overzealous in your defense there.

"Again, to be fair to Microsoft they are tasked with rolling out a global update for a user base who are 80-90% computer illiterate,"

Good start. I agree that this is a major problem for Microsoft's engineers.

"many of whom bought computers that were either built or upgraded by a 'mate who knows about computers' or the local back street 100% legal PC repair shop."

Some of them are, but most of them are using computers that were built by the companies that build or sell computers, using the software environment that those companies came up with. Dell, HP, Lenovo, etc. have much more market share each than custom-built machines, especially when considering users who are tech-illiterate. Those machines have many of their own problems, and a great deal of the driver or hardware problems experienced by users can be laid at the feet of those companies, but it is not fair to classify most Windows machines as built with extremely weird components.

"Think about the chances of all them 'genuine NVidia GeForce Ultra cards for £30 on ebay' working after the update,"

I don't think those are going to work, but the kind of person who goes to eBay and purchases an obviously not-genuine graphics card is the type who should expect problems. The type who buys a computer from the computer store and has done nothing at all to the hardware shouldn't expect anything like those using counterfeit graphics cards.

"but they'll be the same 'know-it-all' teenagers that you'll see posting YouTube videos about how Microsoft programmers don't care and aren't listening."

Those people are probably not the ones complaining here.

"In short - the fact that Microsoft have a development team that can release this stuff without destroying the world more often is a minor miracle (and anyone who works in software development would agree)"

They are not as hyperbolically bad as comments here might lead one to believe, but they have had times where they didn't do what they should have (the initial 1809 deleting files thing, for example, was purely their fault and could have been fixed when the Windows insiders found it rather than after it deleted standard users' files).

"just ask which development environment is the world's best - Microsoft Visual Studio wins hands down - made by Microsoft developers for developers. (and yes I'm aware Eclipse is better for some use-cases)"

Personal opinion, not necessarily one I agree with, either.