Posts by doublelayer

Re: just stop it

Am I failing to express myself correctly? I said that, if you think the government is not paying enough, you can campaign for it to change. It doesn't matter what you think they should be spending the money on, because you can campaign for anything. You are taking a general point about what charities can be used for and deciding that I meant that charities should be buying everything the government should. I did not say it, nor do I intend that. If you think the government is breaking its promises, you can join everyone else in the world who also thinks so, and you have a few options about what you'll do about it.

Re: RNLI vs chuggers

You and I have a different idea about what state-sanctioned murder would involve. Someone dying of accidental causes may well be something the government should prevent, but is not murder. The UK could pay for many more sea rescue facilities than they have. Maybe you think that number should be higher. I defer to your experience, as I do not live or pay taxes in the UK and I don't know what facilities exist. That is not my point. My point is that, whatever that number ends up being, even if they allow you to pick the number you think is optimal, there is a valid reason for a charity to decide to provide more than that, or similar facilities put to a different purpose, using voluntary donations.

For example, let's say that I choose to move to the UK and set up the Non-royal I Bought Some Lifeboats Organization. Because you increased the number of UK-controled boats, I find that mine are not that much needed in British waters, so I choose to sail them over to Ireland, France, Spain, and Norway for a while. I can do that, and people in the UK can choose to donate to it, even though it would probably be pretty difficult to convince either the UK government or UK voters to pay for sea rescue in other countries. That is a case where a charity can obtain a good goal through acceptable means where a government probably will not, and in the opinions of many should not, be paying for the activity. Sea rescue is far from the only example of that, and many of the things that charities do are probably not things you think should be public services.

Re: RNLI vs chuggers

"What if the RNLI charity can't rescue everyone that needs it because of funding constraints?"

Then that's unfortunate. They're probably happy that they were able to save some people, which wouldn't have happened if their funding was zero.

"Completely different matter. It's a UK-based organisation. It does sterling work in UK waters. Are you proposing that a UK charity should be patrolling the oceans?"

As I stated, I am not that familiar with the RNLI specifically. Some charities that do sea rescue do extend past their nation's national waters, whether that be patrolling the open ocean, or more likely, rescuing people who are sort of near national waters but far enough out that it becomes international. Whether the RNLI specifically chooses to do so isn't relevant to my point, which is that an organization that receives voluntary funding can choose whether to operate outside the country more easily than government-funded bodies.

There are charities that do things that governments choose not to do. The benefit is that, instead of needing public support, because you are taking the public's money to fund it, you can have the subset of the public who care contribute the money. If you rely on convincing the government to fund all of the different things that people want done, you'll create a lot of pointless political fights instead. The good news is that this isn't a binary thing. You can easily have government funding for some charitable activities and allow a different charity to use voluntary donations. This also doesn't affect you personally, because if you don't want to donate to some charity, you simply don't. None of that exonerates a charity violating the law like this one has done, but just because one has doesn't mean that all do.

Re: RNLI vs chuggers

"Shouldn't sea rescue be a publicly funded service, like ambulances?"

There probably is some government-funded rescue activity, and as a non-UK resident, I don't know what the RNLI do. However, you start getting into areas like this:

1. What if the government's ideas of how much sea rescue is needed is less than the amount you wish to see?

2. What happens outside their national waters?

3. What happens if the people needing rescue are not citizens?

4. Since it's often a major political issue, what happens if the people needing rescue are attempting to migrate illegally?

If your answers to the above questions suggest that the government is doing less than you want it to, you can have something to add to the available resources. If the government is specifically acting in a way you don't think is right, your additional resources can be used in the way that you think is better.

Re: just stop it

If you want to campaign for government to pay for that, you can. People can vote for it. Your attempts to do that lobbying would likely themselves be considered charitable, though you have to be careful as ones that get too political often require more paperwork. That is not the only kind of charitable activity, however. If, for example, I want to see more medical programs in another country, my government is unlikely to raise local taxes for all of the programs that could theoretically be useful because there is a nearly unlimited number of projects that could use funding and a lot of people don't think their taxes should be primarily directed at other countries. That's when voluntary donations start to make a lot of sense. There are places to which I donate that aren't covered by taxation, and most of them are ones where people probably don't think they should be covered by taxation.

Re: just stop it

"If a cause is good enough it ought to be paid for out of general taxation."

And if you think it is good enough but a lot of others don't, then it won't be. That's why charities exist. Some of them are fraudulent, and some are honest but bad at their jobs, but that doesn't mean that all of them fall into those two groups. You can look at charities that do something you think is worthwhile that isn't being covered by government budgets, and if you think they deserve your donations, donate. Or you can decide that nothing is and not donate. Your understandable decision not to donate does not mean that others should not do it or the systems that charities use should not exist.

Re: To sum up ...

Not a very good summary, really. It comes to the difficult question of, when someone has been scammed out of money and the scam has succeeded in sending money to the scammer, then who should pay the cost for money that cannot be recovered from the scammer. There are a few other situations involved which are more clear, but the tricky one is the one I list above. Google is not the only place that has instruments that can be abused in such a way.

Re: Repeat after me:

I know the annoyance of a new Teams release, but generally, that is not considered much of a cost by the people you need to convince. When you're pitching hiring people to build management tools and infrastructure, training everyone to use Linux, and replacing any software that isn't compatible, you have to go to various meetings where you'll be asked what benefit you expect, measured in currency. You can sometimes measure it in time, which they will mentally change to currency, but either way, you will be asked for that justification.

Avoiding updates you don't like is not very convincing to those people. If they're nontechnical, they ask how much money not updating Windows will save. If they're technical, they point out that you already can block most types of updates and that you usually choose not to so you avoid being one of those people for whom EternalBlue malware still worked. Either way, they're looking for something that's either more obvious or just larger. I listed some examples above, most of which are larger, and even those tend not to convince them. If you want them to change to Linux, you need to understand why they're not convinced, and it isn't a Microsoft employee skulking outside the door with brown envelopes. There are a lot of parts to it, but one of them can be that they don't understand what the benefit is and we are not doing a good job of explaining it.

The author made that point, as well as bringing the old classic that Android is Linux. To me, these are weird things to be proud about, but I've argued against the celebrations of Linux's success on the backs of Android and Chrome OS and it doesn't change the minds of Liam or others like him. To me, the number of Linux kernels running isn't the goal, but the benefits that Linux tends to provide in the areas of system openness, user choice, and hardware and software longevity. Three goals that Chrome OS and Android don't share and deliver badly.

Re: "Statcounter says"

Its effect on the results could be changing frequently. For example, there is probably some attempt at deduplication effort here, but we don't know how they're doing it. If I run a bot that uses a Linux user agent and retrieves a couple thousand pages, whereas the normal user only retrieves three to five, then my bot should probably not be counted as four hundred users. Yet you can't just do it by IP address, because those are shared between multiple devices. That makes it difficult to decide how to count OSes, and the formulas are probably changed from time to time. Add in problems of sample size and you get a dataset that is not that easy to draw useful conclusions from.

Re: Repeat after me:

"Now, this was not cheap - at least in terms of man-hours spent getting the thing to that state."

This is the very important point. I have something sort of similar which only manages a few personal devices, and it's great, but I can't put a company on it. I can't find them a turnkey solution either. I could improve my version to be at least somewhat production capable (the spec for my version is that if I totally screw something up, it is okay if I have to go to it and physically fix it, but that's not going to work for even a small business).

Usually, when some company isn't choosing Linux, it isn't because it would really be impossible to do, or even prohibitively difficult, but that it would take a lot of effort. Whenever you have to justify spending that amount of time, both as a setup cost and an ongoing maintenance cost, someone will ask what you get out of it, and the reduction in Windows licensing is usually not enough to justify it. Freedom to modify the software is almost never even considered a benefit at all, since most businesses don't plan on changing either the Windows or Linux source. Other claims, like Linux failing less or stretching hardware support lifetimes, are difficult to prove or estimate for that viability meeting, and even if you could, might turn out to be rather small savings.

Re: This may seem like

Yes, that would work, and they can and do try it, but it is expensive and there is usually a long lead time between starting the program and having someone who can contribute. If your situation is that there are no or few qualified people, then it makes sense. If the situation is that there are many qualified people, just not here, then they often investigate either bringing some of those people here or going where those people want to be instead. It's not that crazy an idea to try that if there are people who could do the job.

"you now need to worry that your kids might install a 3rd party app store to bypass parental controls"

The parental controls can lock down some settings. It can already be used to restrict people from installing things from Apple's store. If they haven't let it block enabling other stores, it's deliberate. My guess, not having tried, is that parental controls can be used to block that setting equally well.

"or your elderly mother might click on a disguised advert and follow the instructions to install malware"

Sort of a worry, but I'm already worried that my elderly friends* might click on a disguised advert and follow the instructions to hand over their banking details, which they already can do, and that seems to be the more common request of such things. I guess we're back to trying to teach them not to, but maybe this will actually be a benefit to your relatives because you won't assume they're secure when they never were.

* My mother, on the other hand, generally knows what she's doing and has a good level of suspicion, at least partly because I've given out lots of warnings about scams. If your warnings about how they work are not a) detailed and with examples and b) common enough that people would like you to stop, you may get better results by improving them.

Re: Well there's your problem

However, the initial statement implied that using that at all was an indicator of a failure in design. I don't know what their system did look like, and it is quite possible that it has multiple severe security design failures. That websites were involved does not prove it.

Re: Well there's your problem

You can wrap HTTP in a protocol that does access control and run it on an isolated system. You can put lots of extra restrictions around that; a protocol that separately encrypts your stream using asymmetric keys for identity verification is fully compatible with HTTP, as are many other viable access control methods. It's not that bad to use HTML as the presentation format and HTTP as the retrieval protocol if you do that, and they make developing for the internal part of the system easier since you don't have to reinvent those parts.

Whether you agree with this or not, and if you don't, I'm curious to hear what your optimal or acceptable protocol would be, this was not responsible for anything in this case. The failure was not that this user was able to break into the insufficiently secured HTTP server. It was that he had been granted access to stuff he probably didn't need access to, his managers knew that he had the access and was using it but did nothing, and he was willing to abuse those things. The one technical failure that I can see in this system is that it seems like it was pretty easy to extract the sensitive documents and get copies out of the secure environment. That's a big problem, but it is unrelated to how the data arrived at his terminal; you could lock down every connection, encrypt every packet ten times, have keys and passwords and iris scans to access them, and if the terminal can still print on paper and the user can take the paper out, then it won't prevent something like this happening.

Re: lets move forward

It's a bit late to start doing that when this person has been caught for releasing classified documents. Nobody would ever trust what he released again because they know that the military would not give him access again. For doing this, you need someone who looks like a plausible source of leaks and someone who is happy to back up your plans. Someone who is weirdly into conspiracy theories doesn't meet the second goal, and someone who actually leaked documents breaks the first.

There is no simple formula. Prosecutors can request specific sentences that are lower than the expected one at a trial, but they have a lot of control over what they ask for. People who have a lot of useful information to give can often negotiate more significant reductions than those who don't. It could just be that the evidence is so convincing that the defendant sees no chance of getting out of it, especially if they've already admitted guilt in some way or if they have no plan for what they're going to claim happened instead, so they skip what they view, probably correctly, as a forgone conclusion. So if he is going to do it, we don't know what he's expecting to get out of doing so.

Re: Illegal under the DMA

"Or, and it’s just a thought, why not let consumer choice take care of it?"

Gladly. Here's how that can work: every user gets to choose what browser they want to use, based on whatever restrictions exist in the browser and their idea of whether there is a security risk or not. For example, on my iPhone, I won't bother installing anything except Safari. Because everything else will turn my iPhones impregnable fortress into a leaky cardboard box? No, it won't, I know it won't, and you know that too. I won't bother installing anything else because I don't do that much web browsing on my phone anyway, so I won't have much of a reason to do it. Others can choose to use Safari for any reasons they like. Consumer choice is exactly what we're going for here, and it is Apple's restriction that limits it.

Re: Does Pegasus still work on current Apple phones

Right. Apple, who also sued NSO and asked for a legal ruling that NSO is not permitted to own or use Apple's devices, just gave them a backdoor. That's logical, isn't it.

Re: Does Pegasus still work on current Apple phones

The vuln that was used has been fixed and does not work if you have updated. One of two situations are true now, but we don't know which one:

1. The Pegasus developers have found new vulns, are using them, but we don't know what they are so we can't fix them.

2. The Pegasus developers have been locked out of all the ones they've found and are busy looking for more.

Either way, don't count on option 2 lasting for very long. NSO earns a lot from finding new vulnerabilities and putting them to use. They probably keep a long list of possibilities so they don't have to tell their customers that someone is immune for the moment.

Re: OTOH

As I said, that would probably come under the heading of negligence, and you can charge Facebook with that. However, you generally have to prove that it should have been predicted and prevented, not just that it was a problem. If everyone's steering wheels are coming off in the first month, you're likely to win that one. If your steering wheel came off after six years and nobody else's did, almost certainly not. The complicated stuff comes in the middle where some wheels came off but there is some chance it's related to your actions more than their design, or the design that caused the wheel to come off didn't seem all that faulty when they tested it. So you can try, but there is no law saying that any fault qualifies.

This is true, because the point of asking for the source isn't so Facebook can start fighting against them, but to prove Facebook's allegation that NSO has violated contracts against Facebook, and therefore Facebook has been harmed, can sue them, and can collect a judgement. I doubt they'll get it, but that's the theoretical result if they do.

Re: OTOH

Let's think about that. Are there laws against exploiting a vulnerability without authorization? Yes, most definitely. Are there laws that prohibit the existence of any vulnerability, including ones you don't know about? Not exactly. So it looks like it's NSO's responsibility. You could sue Facebook for negligence which might or might not work? Any other questions?

Re: Odd, isn't it?

In my experience, a lot of loud tech people had the same problem. I blame it for the VR trend as well; science fiction is replete with VR and AR technology, but most authors actually considered what it would do, or at least made the technology conceivably useful by writing around the technical challenges. For example, the writings of Daniel Suarez make a lot of use of AR, and it sounds great, but he allows a simple, unobtrusive, unidentifiable pair of glasses to run that for a long time, not a heavy helmet thing, and he includes a lot of complex software so the AR interface can actually identify things about the world around the user. The people trying to build it don't seem to understand why their devices, with two hours of battery life and no connection to the real world, aren't being adopted in the same way. The middle part is hard, but they seem to think they can just jump to the science fiction part.

The same is true of the people who imagine doomsday scenarios, whether just futurists or those who made the technology and want to make predictions for their own purposes. Whenever they imagine a technical advance going wrong, their picture is a lot more like something a science fiction author wrote about than what could actually happen. The authors have a good reason to do that. It's a lot more interesting to read about massive disasters than annoying technical failures. For example, one of the reasons why there was so much chaos in Jurassic Park is over-reliance on a computer program with project management failures, but take out the running from dinosaurs bit and people don't want to read it. Still, Crichton put that in and readers could see it. The pessimists tend to ignore the small failures that are incredibly likely and jump straight for the apocalyptic ones that, realistically, are very unlikely.

Re: What is it with these hard-right muppets?

Sure, but that is an aspect, not the defining trait. Two people can have money and power and nonetheless use those things to do two completely unrelated, opposed, or perpendicular things. To describe us as different on that basis is logical. To describe them as the same based on that aspect is oversimplified.

Re: why we benefit from changing the clocks for summer time

"Where I live its not fully daylight until after 9am in late Dec. Without DST adjustment that would be 10am. So some justification to the travel safety argument."

I think you have that backward. In winter, the clocks are still on standard time, so there is no adjustment and 9:00 is 9:00. I'm assuming winter from the late sunrise. Thus, without DST, it would be exactly the same. The difference comes in the summer only. Of course, you could institute winter time where the clocks go extra forward, making that 9:00 into 8:00, but only if you're willing to have a rather early sunset.

Re: Don't people test edge cases any more? [Time Libraries: The Next Problem]

It generally does, in that if you use a library that has existed and worked correctly in many countries for a lot of years, they probably considered time zones and leap days. It's usually not too hard to find something to help with time. Most programming language standard libraries and operating systems have that handled. Unless you have something they can't handle, the chances are that you will not benefit by either writing your own or trying to find someone else's library for the task.

If you're going to do so, perform the following basic tests:

1. Look through their documentation. If they mention oddities of time zones that they handle, they probably work. If they sound like students putting out something on GitHub, maybe not.

2. Check leap year information. Run this code or language equivalent foreach (int i in [2000, 2100, 2200, 2300, 2400]) print(is_leap_year(i))

If you get true, false, false, false, true, good sign. If you don't, don't use it.

3. Check what they did the last time some country decided to mess with daylight saving time for no reason. For example, you could see whether and how quickly they updated the time rules that Greenland changed in 2023. If they're using the typical sources of information, this could be automatic.

Re: Don't people test edge cases any more?

There is only one unless in their rule:

"It's a leap year when the year is divisible by 4, unless the year is divisible by 100 and not divisible by 1000."

2400 is divisible by 4, divisible by 100, not divisible by 1000. As I structure their statement, that does not allow 2400 to be a leap year. I don't see how you find a second unless, nor how you can make 2400 a leap year and 2300 not one using divisors of 4, 100, 1000, and 25000 singly. It's also just incorrect based on Gregorian rules. There is no rule for divisors of 1000 or 25000 and there is one for 400.

Re: Don't people test edge cases any more?

I'm not sure where you got this, but it is not correct. For example, the year 2400 is a leap year according to the Gregorian calendar, but using your calculations, it would not be one. Your rules also result in a different number of days per solar year of 365.24096. The Gregorian calendar's cycle is 400 years in length and repeats after that. There is no rule based on 1000 or 25000 years.

"Does it matter if December is in Winter or Summer[1]?"

It does to me. If, for example, we're tracking climate changes, we can ask a question like "how has the rainfall in December varied over the past hundred years" and get an answer. If December keeps moving between seasons, it's no longer going to work as accurately. In order to calculate it, you'd have to phrase the question like "how has the rainfall during the period from twenty days before the solstice to eleven days after the solstice" and do all the calculations. This isn't just relevant for months; we get the same effect if we calculate the rainfall between November 17th and January 3rd, assuming there's a reason to do it, because that or any other set of dates consistently refers to almost the same time in the solar year.

It would take significantly less time for December to become October, which would be relatively inconvenient even if it wasn't a complete reversal. However, even if you don't care about that, we get into philosophical areas about why we even have a calendar. If we don't care about the consistency between our date counting and seasons, why have months? In fact, why track years? Just count everything in days so you can give an age when necessary, and ignore everything else. I think we still find that having a way to describe, consistently, times in relation to solar movement, to be something we want to continue doing. Doing that inaccurately is not any better than not doing it at all.

Re: We're very hard coded for a 24-hour sleep cycle

I have not read the study, but I do wonder a few things about it. Specifically, how long they kept that up, because anyone who has stayed awake all night to do something knows that you can do something like that occasionally and be generally okay, but doing it too often has some really negative results. Also, the schedule is probably different depending on how much exertion or stress a person goes through, so people living in an experimental environment probably aren't doing the same amount of stuff as a typical person at a job, a student, or a parent.

Re: Time to go

If you're payed the same amount for every month, then you're getting more per hour or day in February, whether it has 28 or 29 days, because it doesn't have 30 or 31 days and every other month does. If it's something based on the number of days and they treat it as 28, then maybe you have a point, but I'd need to see that algorithm to understand if it applies or not.

I admit to being one of those who doesn't understand why we benefit from changing the clocks for summer time and thinking that we could manage equally well without doing it. Many countries have managed that. But I know why there are leap years and we cannot get rid of them. Most societies two millennia ago understood that and had figured out some method of handling it, so it should be pretty obvious how necessary it is.

And screwing up every human's sleep cycle. We're very hard coded for a 24-hour sleep cycle. Bad things happen when that changes too much. There are some people who have a circadian rhythm that's not aligned with that, but most of them are caused by total blindness where the light triggers used to form normal rhythms are unavailable. From online descriptions, the experience seems very unpleasant.

Re: Oh, come on - this is elementary

Yes, millennials can be blamed for that, as long as you're* willing to take the blame for everything that breaks in 2038. I'm willing to bet that that will be more things.

* I'm guessing that, because you said this, you're not a millennial and probably of the appropriate age to have been around when someone made the 32-bit signed time solution. You probably weren't the one to do it, but we're blaming generations for the actions for a member, so it's your fault.