Posts by doublelayer

10479 publicly visible posts • joined 22 Feb 2018

The billionaire behind Trump's 'unhackable' phone is on a mission to fight Tesla's FSD

doublelayer Silver badge

This isn't just a president. If, for example, this was used by the president and their protection detail to coordinate routes, that might work. However, the stated purpose was to be used by campaign officials so that things like the Iranian attack on them don't happen again. Campaigns are made up of lots of people who are not trained in security or anything else, working in all sorts of places doing unplanned things. It is more difficult for them to adapt to restricted methods and they're the kind of people who aren't eager to adopt that in the first place.

A campaign is a lot like a company. Consider what would happen if you had to convert an employer to a restricted communication system for all internal messages. If it was a small company where everyone was knowledgeable about security risks, you could probably do it. I think you can imagine how hard it would be and how many people would ignore you if you tried the same with managers who don't want anything that will slow down their messages, technophobes who have become comfortable with something and resist any change, and processes that are considered critical and indispensable which don't yet work through the system you're trying to switch to. I've had to do it before and, even more frequently, I've had to watch the IT people try it and struggle to implement something against organizational inertia, then catch all the people who deliberately bypassed their policies.

doublelayer Silver badge

Re: really long lines

If they're writing in C, which seems likely given the age and what it's supposed to be, you don't need any line breaks at all. For convenience, set your editor to interpret any semicolon and either curly brace as having a new line after it, but don't actually insert them. Only use /*...*/ comments and do the same with those. Insert a few line breaks so that you don't actually claim that it's just one line.

I'm still expecting that it turns out that ten thousand is the lines of code for some component that is important, but not the only thing in which vulnerabilities are found, or that it can't actually do very much and won't get used. I could see an encrypted text-only message system being built in 10kloc, most of which would be the code for whatever communication system was chosen, but what's much harder to imagine is people using it when they are more familiar with smartphones.

doublelayer Silver badge

Not if, for instance, people like sending pictures. A lot of people do like that. SMS can't handle them. Likely this OS, if it's actually as small as described, can't do it either. Say hello to WhatsApp or something like it. The same applies if people like videocalls. True, they probably aren't needed, but that doesn't stop people from preferring them to voice calls for some reason. If you're careful to use the secure device whenever possible and to do without things that your secure device can't do, then you're in a good place. A lot of insecurity comes because people are not willing to do one of those things.

Pixel perfect Ghostpulse malware loader hides inside PNG image files

doublelayer Silver badge

You don't even need steganography for that. With their current technique, it checks whether a given 16-byte block is part of the instructions or not. All you need to do is not include too many of them. The picture as a whole is a perfectly normal full screen graphic and looks normal enough, but 40k/3.69M pixels would look weird. Maybe you could notice that if you looked at it long enough, but an AI probably wouldn't tell that there are little areas where something looks different in this picture. You could train one specifically to recognize tiny imperfections, but then you're specifically fighting against this one method and might miss plenty of other ones.
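To make the point in the post above concrete, here is an added example (mine, not Ghostpulse's code, and not taken from the article): a payload is split into 16-byte chunks, each chunk is written into the raw RGB data behind an 8-byte marker, and the records are spread evenly across an otherwise untouched cover image. The extractor simply scans for the marker, which is also what a scanner would do. The marker value, the record layout, the 1280x720 cover (random noise standing in for a photo) and the 40 KB payload are all constructed for this illustration; none of them come from the loader the article describes.

```python
import os
import struct

# Hypothetical marker and record layout for this illustration; the real loader's
# values are not known from the article and are not reproduced here.
TAG = b"\x89GPxTAG!"                 # 8-byte marker the extractor scans for
CHUNK = 16                           # payload bytes carried per record
HDR = struct.Struct(">8sHB")         # marker, sequence number, bytes used
RECORD = HDR.size + CHUNK            # 27 bytes of pixel data per record


def embed(pixels, payload, spacing):
    """Overwrite one tagged record every `spacing` bytes of raw RGB data.

    Everything between records is left untouched, which is why the result
    still looks like the original picture almost everywhere.
    """
    chunks = [payload[i:i + CHUNK] for i in range(0, len(payload), CHUNK)]
    if len(chunks) > 0xFFFF:
        raise ValueError("payload too large for a 16-bit sequence number")
    if spacing < RECORD or len(chunks) * spacing > len(pixels):
        raise ValueError("cover image too small for this payload and spacing")
    out = bytearray(pixels)
    for seq, chunk in enumerate(chunks):
        off = seq * spacing
        out[off:off + RECORD] = HDR.pack(TAG, seq, len(chunk)) + chunk.ljust(CHUNK, b"\0")
    return out


def extract(pixels):
    """Scan raw pixel data for the marker and reassemble the payload in order."""
    found = {}
    pos = pixels.find(TAG)
    while pos != -1 and pos + RECORD <= len(pixels):
        _tag, seq, used = HDR.unpack_from(pixels, pos)
        if used <= CHUNK:            # ignore a marker that does not head a sane record
            start = pos + HDR.size
            found[seq] = bytes(pixels[start:start + used])
        pos = pixels.find(TAG, pos + 1)
    if sorted(found) != list(range(len(found))):
        raise ValueError("records missing: sequence numbers are not contiguous")
    return b"".join(found[i] for i in range(len(found)))


def changed_pixel_fraction(original, modified):
    """Fraction of RGB triples that differ between the two buffers."""
    if len(original) != len(modified):
        raise ValueError("buffers differ in length")
    total = len(original) // 3
    changed = sum(1 for i in range(0, len(original), 3)
                  if original[i:i + 3] != modified[i:i + 3])
    return changed / total


def demo():
    """Hide a 40 KB constructed payload in a constructed 1280x720 'photo'."""
    width, height = 1280, 720
    cover = os.urandom(width * height * 3)       # constructed noise standing in for a photo
    payload = bytes(range(256)) * 160            # 40,960 constructed payload bytes
    records = (len(payload) + CHUNK - 1) // CHUNK
    spacing = len(cover) // records              # spread records evenly across the image
    stego = embed(cover, payload, spacing)
    return {
        "roundtrip": extract(stego) == payload,
        "changed_fraction": changed_pixel_fraction(cover, stego),
    }


if __name__ == "__main__":
    print(demo())
```

With 2,560 records of 27 bytes each, under three percent of the pixels are touched, and each disturbed patch is at most ten pixels long; that is the "little areas where something looks different" the post refers to, and it is why a detector that keys on the marker bytes is fighting this one layout rather than the general idea.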

doublelayer Silver badge

Re: Windows key...

It probably confuses the majority of phone scammers who aren't that technically aware themselves, but it wouldn't be much of a protection against a website like this one if they tried for about ten minutes. Linux and Mac OS have key commands that would accept commands, and user agent strings will generally tell them which operating system you're running*. So they could easily present the average user with instructions that will run a script on their computer whether it's Windows or not.

* Yes, you can lie about the operating system, but chances are that if you know why you're doing it, you also know not to open a command window and paste things in it. For someone who was given a Linux system by a friend, they won't have chosen to change their user agent. If you have given Linux systems to your family members but switched the user agents beforehand, you're in a pretty small minority even of those installing Linux for others.

Major publishers sue Perplexity AI for scraping without paying

doublelayer Silver badge

Re: AI sounding the death knell for copyright?

I'm sure, given your opinions on copyright being evil, that you embrace the prospect of the elimination of copyright, either through direct legal abolition or through global failure to enforce it. That doesn't mean that is the inevitable outcome. Those who support the existence of copyright can and should try to prevent it from collapsing. You're calling for a preemptive surrender, but we aren't that far along yet.

People have been making similar arguments for a long time. When the internet made it easier to obtain copies of things you wanted without paying for them, people loved to sound the death knell of copyright, but as things developed, it didn't go that way. Piracy actually became less popular when it became possible to more easily obtain legal versions of the thing you wanted, versions that came with less risk of dodgy sites or poor-quality versions. As the companies that make that available start to make terms worse, it's likely that piracy will increase in popularity again, but that can go in both directions.

As for your hope that some countries will decide not to have or enforce copyright law, you may be surprised to find out that they do sometimes make IP themselves. India was in your list, and it has a large and relatively popular film industry. They want copyright protection on those works. If they decided to be egregious in assisting the violation of others' copyrights, they might find that their own copyrights have lost value. As these countries get richer, more and more of their economies will rely on IP. Their current spotty enforcement is not the same as your preferred abolition of the concept, and there is a reason to think that they will improve it, at least for their own IP, rather than go in the direction you've pointed.

AWS boss: Don't want to come back to the office? Go work somewhere else

doublelayer Silver badge

Re: Inverted subtitle logic?

The i prefix was early 2010s, after the e prefix but far from trendy now. For today's trend, you have to capitalize it and stick an A at the beginning.

doublelayer Silver badge

I think your assumption is exactly what they intend but won't get. My guess is that they know there are some people they don't want to lose who will not agree to come into the office and they figure they'll give them an exception and never speak of it again. However, without telling managers that they can do that, they won't get it. Even if they did, workers who aren't aware might not bother asking, or managers might find they can't get an exception approved. So while I think they're planning on exceptions, I think they'll approve far fewer than they're willing to because of bureaucratic inefficiency.

What I mostly expect is rampant noncompliance. People who are really unwilling to return to the office will likely try not coming in to see if anyone gets mad. I don't know what they'll do about that, though in previous rounds covered here, their response seems to have been sending scary emails suggesting that you will be fired any time now, sometimes to the wrong people, then not necessarily following through on the threat.

doublelayer Silver badge

Since your ability or lack of ability to remote work mostly doesn't depend on where you put servers, I doubt that will have much of an effect. It would make as much sense as saying that a primarily remote AWS is bad because it means it's not good for people working in an office. That kind of argument might work a little for a company like Atlassian whose products are at least supposed to be related to teamwork, collaboration, and project management, but AWS doesn't have many things related to that and those they do have (hands up who can name the AWS videoconference tool, which I assume is only used in Amazon but you can buy it if you want) aren't really what people are using AWS for.

Tesla FSD faces yet another probe after fatal low-visibility crash

doublelayer Silver badge

Re: MotorStorm AI

How often does it rain in the virtual world, and when it does, does the simulator simulate camera faults because the rain reflected light in a weird way?

doublelayer Silver badge

Re: Camera only is bad ?

That is kind of my point. You need to collect that much data, undoubtedly involving many deaths, in order to do a direct comparison in the first place, so you can't do a direct comparison because people won't accept that. Even if you did, people won't follow a purely utilitarian system of "fewer deaths is better, so the method that caused fewer deaths will be chosen". If it's not significantly and provably better, it won't be accepted and people are great at resisting changes to the status quo.

Let's assume that someone, and I'm quite certain it wouldn't be Tesla, made a perfect self-driving system. Even when that system has been put to the test, driving in all conditions, and the only accidents it got into were entirely the fault of something else, for example it was driving along when a massive earthquake struck and toppled it off a hill and into a building, there will be some people who resist its adoption. That will be hard enough to overcome. By painting something as perfect when it's only good, we make that problem worse. By painting something as good when it's actually mediocre, we may kill it before we can get any better. And the levels of quality have to include not only pure statistics but the average driver and pedestrian's view on what is reasonable.

doublelayer Silver badge

Re: Camera only is bad ?

To some extent, you're correct. A car that is safer than a human can be convincingly argued to be better. However, you have two major problems. People will evaluate these differently because they're a different type of product. If they see them making catastrophic mistakes that they wouldn't have made, they won't be confident in them even if, with accurate results, they're making those mistakes less frequently than humans would. People will freak out over a situation where a human would crash, and that will be hard enough to overcome. You will not help the point by having lots of other examples where a human driver would have been better able to prevent them.

The other problem is that you won't actually know if they are safer than a human driver until you collect a staggering amount of data that is controlled for everything. Set loose ten million self-driving Teslas to drive on large roads, small roads, urban roads, rural roads, at all times of the day or night, in all conditions, then compare the number of deaths caused to human drivers. Then you can use that data in comparison. With existing data where the software is only used on one type of road and with completely uncontrolled and unmonitored conditions, the data is not comparable. Of course, if you try to implement the necessary data collection, you will get some rather indignant public reactions about the experimental not confirmed to be safe things unleashed on the public streets, so you can't actually do what you need to do to collect the data for that comparison. That is why individual situations are considered by road safety regulators before public testing is permitted.

UK ponders USB-C as common charging standard

doublelayer Silver badge

Re: "wall wart of fortune"

Then you are lucky in comparison. I've found lots that don't list any of those on the device, and their manual only mentions one of them. Great, a 9V power supply. Current, polarity, barrel size, none of those are listed, but I can at least limit myself to 9V. The Dell laptops I mentioned, in addition to not listing their power requirements on the case, didn't even have model numbers there. In order to find the details, I had to find the model number through Windows and look it up on Dell's website.

doublelayer Silver badge

Re: One socket to rule them all

Keep them around for a while, knowing that at some point you'll need one of them. This should last until the third or fourth time when you think you've finally had the occasion where you're going to need them and you test all the cables to find the plug that fits and find that one of the following apply:

1. None of your plugs fit right, even though you've got about forty of them.

2. One of your plugs looks like it fits, and the voltage is wrong, so you cut the wires and use two of them to try to make it work, and it's not working because it turns out the plug doesn't connect fully, so now you have four pieces of cables instead of two intact ones.

3. One of your plugs fits, but you can't find any information about the voltage and polarity you need because either the manufacturer no longer exists or the manufacturer exists and has twenty different models all of which have different settings and they all look the same.

4. You found out what voltage was needed and you're powering the device, and you're feeling great until it starts to act wrong. This is probably an undercurrent, but who knows for sure.

Then recycle them.

doublelayer Silver badge

Re: I have one problem with USB C

I'm not sure whether the products are technically violating Apple's patents, but I have a number of magnetic plug adapters that were easily purchased. My laptop, non-Apple, is running off a magnetic USB-C connector and cable. Unfortunately a proprietary plug in the middle, so if the cable breaks I'll have to either buy from the same supplier or switch out the little plug too, but neither part was very expensive. It works the same way that Apple's MagSafe did, although there is one difference I have noticed which is that my cable isn't made of the Apple special insulation, which I trust they also have a patent on. You know, the stuff that somehow manages to peel or melt or somehow come off the cable even though no other cable you own has ever done that. But the magnetic part works the same.

doublelayer Silver badge

Re: "wall wart of fortune"

There is, but a lot of devices helpfully forget to note these requirements on the product itself or in the documentation. So if the cable for the product has been lost, or more likely it stopped working and the owner binned it before asking you to source a replacement, it can be difficult to figure out where to find this information.

I recently tried to help solve a problem where two quite similar Dell laptops with barrel adapters needed opposite polarities but the same size of cable. The office that had purchased them thought the cables were interchangeable because they were both from Dell and the same size, so when one adapter broke, they cycled some around. It didn't work, though fortunately none of the laptops broke from it. This is why I want USB-C charging on my laptops.

USB-C isn't perfect and could use some standardization. For instance, I'm tired of devices where only some of the ports can charge the device. I don't think it will break the device if the wrong port is used, but it's still a recipe for annoyance. Compared to previous methods, it's still less frustrating.

Bandai Namco reportedly tries to bore staff into quitting, skirting Japan’s labor laws

doublelayer Silver badge

Yes, you would receive similar pay, although you can give up on raises, but remember that this is entirely to get you to hate it and quit. Some people, certainly I would be one of them, would already hate it at that point. I would find that quite cruel, and although I'd still do it for the funds while finding something else, I would not be content. Maybe you would, but they would notice. They're not paying you to count paper clips because they want them counted, so they will give you a different demeaning task until they hit on something you're not happy to continue. I'm not sure what it would be, but if mere mindlessness is not enough, they have lots of other aspects to add in. For example, how about counting paper clips under a strict time and quality standard so you can't count them well enough? Or they can look for a more unpleasant menial task to assign you. Maybe you would be happy getting paid the same without using your skills, but there is a level of drudgery at which you would not be.

doublelayer Silver badge

Re: Just not with a Ubisoft game?

That is not what "specific performance" means. Specific performance is a court order to follow the terms of a contract. For example, if I've signed a contract to deliver a certain amount of items to you and I don't, you can sue me. Perhaps I'll be ordered to pay you damages in cash, but I might also be ordered to comply with the terms of that contract and deliver the items, with more penalties from the court if I don't. That would be specific performance.

I am not a lawyer either, and so maybe such a construct exists. I have not seen it used, nor could I find it with some web searches. It seems like a bad idea, but worse ideas have been enshrined in law, so that's no proof it doesn't exist. However, I have a feeling it's going to fall into a similar category as things above, namely that even if it does, chances are that it's not going to apply and it's not a good idea to rely on it. For instance, in the specific case of remote working, an employer can say that they were required to allow remote working for safety, if not by law, and therefore the change was not made by choice. Therefore, their nonenforcement of the come to office bit was not because they didn't want it. The contract says it and doesn't have provisions to alter it. The court can be presented a reason to justify other actions. In fact, you might have had a stronger case if you sued your employer for starting remote work than for stopping it.

doublelayer Silver badge

Re: Just not with a Ubisoft game?

It is possible, but it is ambiguous. If, for example, these people used to work in an office and were allowed to go remote during the pandemic, then their contracts may specify the office. As long as that office is still available, not only is that not an intolerable change, from a legal perspective it's not a change at all. I've known many people who want things they don't like to be illegal, but just because a law theoretically lets a court decide doesn't mean they have a strong case. Those who continue to ignore this sometimes find that they've relied too much on a bad assumption.

doublelayer Silver badge

Which is why I made up my scenario. Getting any kind of employment claim has some difficulty, but it is probably relatively easy to get one for "they told me to sit in a room and not move". Getting one for "I am a programmer and they want me to write a stupid program that nobody really needs" or "I am a manager and they're making me check and correct reports that nobody really needs" sounds pretty hard to spin as intolerable changes. Giving a lot of latitude to a court makes things more ambiguous, but it may favor a company that has an employment law expert on call when the changes they're making are specifically intended to bypass other labor laws.

doublelayer Silver badge

It's a vague enough concept that, even though some laws probably forbid something like it, you could probably implement something to get around those restrictions. For example, a law might cover the doing nothing option, but might not cover doing something boring or annoying. In fact, if they actually have you doing nothing, you might find a way to employ the time even if you do have to be present in a location, so doing something stupid might be more effective.

Many contracts are unclear about what exactly counts as an activity you're employed to do, but if it really came down to it, you could always find some boring and pointless thing that sounds like it's part of your job. So you're an IT person, normally administering servers? Well, cleaning out old keyboards could be a job function. Remember that we want to verify that the keyboards still function well for fast typing, so you have to press each key a hundred times and verify how many times it missed. Meanwhile, next door, a programmer is writing a program to intercept and count key presses and verify the machine-generated report against the human-entered report. A manager is one door down from that and has to have a meeting every time the reports differ to discuss why there are inaccuracies in the report. The company can argue that each of those people is doing something related to their job function that could have a beneficial effect on the company if they had to.

I feel guilty for coming up with that method. I hope nobody actually does it.

Parents take school to court after student punished for using AI

doublelayer Silver badge

Re: History repeating

People keep saying this. The inclusion of the word "research" does not remove the other words. The article and court filings all indicate that some amount of AI-generated text was included verbatim in drafts and included edited in later work. How much of the essay was made up of that is unclear, and likely the student doesn't know either. Your assertion that it didn't happen has been directly contradicted repeatedly.

doublelayer Silver badge

Re: History repeating

Those cases have no relation to one another. However, if I try, I am not on your side. If your school mandated fountain pen and informed you that other methods of writing were going to result in a penalty, then you have some good options:

1. Write in fountain pen.

2. Argue that, although they're asking you to write in fountain pen in order to train you to have good handwriting with them, ballpoint pens are going to be common enough that you don't need that skill, and therefore their policy should be changed.

3. Argue that, although you were told to write in fountain pen for handwriting, this course is not related to handwriting and a different form should be acceptable, and therefore their policy should be changed.

And some bad ones:

4. Write in your preferred method without permission and without attempting to argue otherwise, then act surprised when they do what they said they would do.

5. After receiving your penalty, demand that they refrain from enforcing their clear rules, not because you're arguing the rules are unfair, but because you don't like the consequences.

If you want to try an option 2 or 3 argument on AI, you can. We'll all listen and decide whether we were wrong and AI use is more acceptable than we thought. So far, you haven't, and nor have this student or his parents. They've gone for option 5, and you've chosen option 6: make up irrelevant analogies and pretend they apply when they clearly don't and form a coherent 2/3 argument in favor of something.

doublelayer Silver badge

You keep saying this, and you're wrong on several different levels. Starting with the facts, you allege that AI was only used for research. Is that even true? The school's motion suggests it was a bit more than that:

Incredibly, RNH and his parents contend that using AI to draft, edit and research content for an AP US History project, all while not citing to use of AI in the project, is not an “act of dishonesty,” “use of unauthorized technology” or plagiarism

How do you know it was not also used to write some of the paper, whether it was later rephrased or not?

But even if you were right, do you see something in the rules that says "AI shall not be used unless you're using it as a search engine, then you're fine"? I don't see that. So maybe it's the other way and it says "AI is forbidden only for the following purposes" and those purposes don't include searching? Do you see that? I see a global ban on the technology unless it's authorized, which the school indicates they did not do.

doublelayer Silver badge

Take a calculator to early mathematics classes and see how quickly they take it away. Take a more advanced calculator to classes and they'll require you to downgrade. Take an unapproved calculator to tests and they'll disqualify you. Education and testing are performed under constraints. If you deliberately violate them, that's called cheating. If you think the constraints are bad, then you can try to change them, but if you act like they don't apply because you don't like them, you'll quickly discover how much your opinion affects what the rules say.

doublelayer Silver badge

Re: School rules

We don't have the full text of the rules, but "should not and you will be penalized if you do" is equivalent enough to "must not" for this situation.

Sysadmins rage over Apple’s ‘nightmarish’ SSL/TLS cert lifespan cuts plot

doublelayer Silver badge

Re: OK, then let's focus on really strict security

It's not that hard. Although certificate revocation isn't always used, I'd ask the former owners of something I bought to revoke that certificate, indicating either the "affiliation changed" or "cessation of operation" reason codes, then verify them myself. Then I'd consider the domains switched over. True, that would not stop someone who didn't check those lists from getting untrustworthy data, but it's better than assuming and not checking that they did something with their old certs.

doublelayer Silver badge

Re: OK, then let's focus on really strict security

No. The new owner could have a new certificate, but until my old one expires, it would work just as well if I could get some traffic sent my way. As far as the certificate authorities were concerned, the domain is mine until that certificate expires. That someone else owns and operates it now is not part of the certificate system, and they don't coordinate to cancel mine if someone else sets up a server. Maybe they would if they use the same authority that I used, although even then they might not bother, but if we used different ones, then there will just be two certs covering the same domain.
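The two replies above describe a check a practitioner can actually run: ask the previous owner's CA to revoke the old certificate with the affiliationChanged reason code, then verify that revocation yourself, while remembering that the new owner's CA knows nothing about the old certificate. The example below is added here and is not code from the forum poster or from any CA; it uses the `cryptography` package to build two throwaway test CAs, a leaf certificate for the same hostname from each, and a CRL from the first CA carrying the reason code. The CA names, the hostname shop.example and the `revocation_reason` helper are all assumptions made for the illustration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    return datetime.datetime.now(datetime.timezone.utc)


def make_ca(name):
    """Self-signed test CA (constructed for this example only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, hostname):
    """Leaf certificate for hostname, signed by the given test CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(minutes=5))
        .not_valid_after(_now() + datetime.timedelta(days=30))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(hostname)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )
    return key, cert


def build_crl(ca_key, ca_cert, revoked):
    """CRL signed by the CA; `revoked` is a list of (certificate, ReasonFlags)."""
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(_now())
        .next_update(_now() + datetime.timedelta(days=7))
    )
    for cert, reason in revoked:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(cert.serial_number)
            .revocation_date(_now())
            .add_extension(x509.CRLReason(reason), critical=False)   # the reason code the post mentions
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_reason(cert, crl, ca_cert):
    """Reason the CA gave for revoking cert, or None if this CRL does not list it.

    Raises ValueError if the CRL is not from the CA that issued cert or does
    not verify, so a CRL from some other CA can never be mistaken for an answer.
    """
    if cert.issuer != ca_cert.subject or crl.issuer != ca_cert.subject:
        raise ValueError("CRL and certificate do not share this issuer")
    if not crl.is_signature_valid(ca_cert.public_key()):
        raise ValueError("CRL signature does not verify against the CA key")
    entry = crl.get_revoked_certificate_by_serial_number(cert.serial_number)
    if entry is None:
        return None
    try:
        return entry.extensions.get_extension_for_class(x509.CRLReason).value.reason
    except x509.ExtensionNotFound:
        return x509.ReasonFlags.unspecified


def demo():
    # Old owner's certificate came from CA A; the new owner buys one from CA B
    # for the same hostname. Neither CA cancels the other's certificate.
    ca_a_key, ca_a = make_ca("Example Test CA A")
    ca_b_key, ca_b = make_ca("Example Test CA B")
    _, old_cert = issue_leaf(ca_a_key, ca_a, "shop.example")
    _, new_cert = issue_leaf(ca_b_key, ca_b, "shop.example")
    crl_a = build_crl(ca_a_key, ca_a, [(old_cert, x509.ReasonFlags.affiliation_changed)])
    crl_b = build_crl(ca_b_key, ca_b, [])

    def names(c):
        san = c.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        return san.get_values_for_type(x509.DNSName)

    try:
        revocation_reason(old_cert, crl_b, ca_b)    # wrong CA's CRL says nothing useful
        wrong_crl_accepted = True
    except ValueError:
        wrong_crl_accepted = False
    old_reason = revocation_reason(old_cert, crl_a, ca_a)
    return {
        "both_claim_same_name": names(old_cert) == names(new_cert),
        "old_cert_reason": old_reason.name if old_reason else None,
        "new_cert_reason": revocation_reason(new_cert, crl_b, ca_b),
        "wrong_crl_accepted": wrong_crl_accepted,
    }
```

Running `demo()` reports the old certificate as revoked for affiliation_changed in CA A's list, the new certificate as unrevoked in CA B's list, and a ValueError if you hand it the wrong CA's CRL. That last point is the caveat from the reply above: nothing in the certificate system connects the two issuances, so the verification has to be done per certificate against the CA that issued it, and a client that never fetches the CRL sees two equally valid certificates for the name until the old one expires.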

UK electronics firms want government to stop taxing trash and let them fix it instead

doublelayer Silver badge

Re: Repaired or refurbished?

I think we all know why those fees are present. That doesn't change the fact that those fees, and by extension the need for repair techs to charge them, are high enough that it makes repairs expensive and less likely. It doesn't mean we have to find a way of eliminating them and there's little chance that we can. However, when discussing how we can encourage people to repair rather than replace their possessions, we have to understand why they don't. The high cost of labor means there is a floor for the price of a repair no matter how simple, meaning many people will decide that a moderately expensive gamble which might fix their device or might only be the first step before expensive parts have to be purchased or it takes several hours is not worth it when a new replacement could be purchased. In my case, it's much the same, except my alternative is figuring out how to repair things myself. Often, if I can't repair it myself, I assume that calling another repair tech is going to be expensive and doubtful of success because I've already done many of the simplest things, so I am also unlikely to engage the services of one.

'Newport would look like Dubai' if guy could dumpster dive for lost Bitcoin drive

doublelayer Silver badge

That is not how stores of value work. Something is a good store of value if the value you have is reliably maintained. If I bought Bitcoin in 2013, I'd have lots more value. If I bought it in 2021, I'd have lost 17%, not counting inflationary losses, which there would also be if you're going to use them for pounds. If you're using inflation rates to calculate the real value, that has to be included for all of them. This doesn't make it a good store of value. If it was, I could buy it today with the reasonable belief that the value I put in would be maintained.

As an investment, Bitcoin was very good in the long term. That is not the same as a store of value and should not be confused for one. In addition, you are making the unsupported claim that, because Bitcoin rose a lot in the last decade, it will be good in the next one. You haven't been clear whether you think it's going to rise similarly, with a 2034 price in the millions, or be more stable, but you've clearly argued on no evidence that it isn't going to crash. As investment advertisements have said, past performance is not a guarantee of future results.

doublelayer Silver badge

Re: Labeling & Storage

He's been trying to get this back for some time after the drive was trashed in 2013. I'm sure he would happily have gone looking in 2014, in fact the internet suggests that he tried and failed. I merely indicate that, even at the 2013 low of $13 per coin, that was enough value that he should have backed that up and been more careful with the disk until he did. It probably wasn't worth much when he mined it in 2009-2010, but by that point, he would have known that the value had increased and should have acted appropriately. Either he is lying about the value, which seems unlikely because there's no real benefit in excavating a landfill otherwise, or he made a really stupid decision at the time and has to suffer the consequences.

I'd have felt more sympathy if the drive was discarded when the value was very low. It wouldn't change reality, but I could imagine losing something because it wasn't enough to buy a coffee so I didn't look after it. Doing that and later finding that it was worth millions would be quite disappointing but I wouldn't blame myself. Doing that when the current value was enough to buy several cars would be a lot more on me.

doublelayer Silver badge

There is a size of working blank hard drive which is low enough for me not to. A 120 GB spinning hard drive with twelve years on the clock, I don't need that. I probably don't need the number of working hard drives I have. They're not SSDs, those are almost all in use. Maybe it was something like that. You only need about 6 kB for a wallet.

doublelayer Silver badge

Re: Labeling & Storage

It probably wasn't worth very much when it was first mined, so it seemed relatively meaningless, but by the time it was discarded, that value was probably around $90k US, so upgrading its handling might have been a good idea. Back when I mined a small amount of cryptocurrency to see how it worked, I also didn't treat my wallet IDs with care, meaning I lost my all-time funds with an approximate value of $0.23 US, which would be today [checking...] $0.84 or so. I'm fine with this. If I wasn't, I had lots of options.

Opening up the WinAmp source to all goes badly as owners delete entire repo

doublelayer Silver badge

You are right that open sourcing isn't only done when you no longer care about the code. However, it is one of two main times when someone considers open sourcing something they previously considered proprietary. Usually, these are the following:

1. They want more work done on it for their use of it and are willing to give up revenue to get that.

2. They no longer want to support it, and people who still use it are asking for it to be open sourced.

This problem doesn't much affect branch 1, but it is quite limiting for branch 2. I was talking with a company a while ago who in spirit was willing to open source something which I would help to manage afterward, but, even without doing a code review which, given the code's age, wasn't likely, they didn't want to spend the time checking out the legal situation. The code had been inherited from a previous company which had been acquired, and that company got some of it from a university project, so it would have taken some time to check whether the university still owned any of it. The project concerned was in the 1980s and wasn't used elsewhere, so it was pretty obvious that nobody at the university would actually care, but the legal side doesn't really work on the basis of nobody caring. The code is still unavailable today.

doublelayer Silver badge

Re: Simplest solution

To be honest, I brought the word evil in by saying that proprietary was "not evil", but they adopted the contrary argument, still including "evil", with a lot more confidence than I expected.

doublelayer Silver badge

Re: Simplest solution

Do you have one, and remember that your solution also needs to overcome the effects of your previous policy of "if you can copy it, then everyone can have it without restriction and you are required to release it immediately without any compensation". If you don't, I see you retreating into vagueness because your idea is harmful in many ways and you have no ability to do better. Maybe we should consider changes, but a non-specific statement like that doesn't argue in favor or against anything we currently have or anything we could do differently.

doublelayer Silver badge

Re: which permits forking but prevents distribution of modified versions

It depends what you mean by "compiled binary". If you install WinAmp to C:\...\winamp, you have a few options:

1. C:\...\winamp\winamp.exe contains the GPLed code: license is supposed to apply to the whole thing

2. C:\...\winamp\somelibrary.dll contains the GPLed code and winamp.exe loads it: license is supposed to apply to the whole thing

3. C:\...\winamp\otherthing.exe contains the GPLed code, winamp.exe calls this: only otherthing.exe is covered. If otherthing.exe is a direct compilation of the GPL project, then there will be no new code at all, although they're supposed to tell you.

4. A DLL loaded by a separate process, see number 3.

We have the other option of

5. It wouldn't be installed at all. They just dropped it in by mistake.

doublelayer Silver badge

Re: Simplest solution

A super-abundant resource? Do you mean the kind of code you get by paying hundreds of people with rare skills lots of money for a long time? Stop paying them and see how abundant that resource is. Some of the code I have bought licenses to isn't simple. It's not something I could just write if I spent a weekend. It often involves doing lots of painstaking labor, for example collecting lots of data, normalizing it into a format that can be easily handled by a program, writing a program that can do useful things to that, and then thoroughly testing that program so I can do things the authors didn't imagine and they work reliably. If open source groups got together and made that, it would be great, but in many of these cases, they didn't and won't because it is too large a task to do without paying people and they don't get enough in donations to manage it.

Let me guess. You think that, because making a copy of the files is free, that means it should be free. That doesn't work. Most of those files will not be created if the creators can't benefit by doing so. Those who are willing to do that for free already do and use open source licenses to encourage others to do the same. I am one of those people. That is me choosing to give my work away. Requiring that everything I do be treated like that would force me to do a different job, meaning less code created, both open source and proprietary. It's a bad argument every time it's tried. I'm not sure I can do anything to convince adherents of this fact, but it remains a fact.

doublelayer Silver badge

Re: which permits forking but prevents distribution of modified versions

If that GPL2 code was linked, yes, maybe. If it was something else, that does not automatically apply GPL2 to the rest of it. It just indicates that they can't apply their proprietary license to those bits. For example, if that was a separate binary which they called to decode something, quite common in media players, their code is not covered by the GPL, explicitly or implicitly. If that code was included in the repo by mistake and isn't required to use it, not covered. Only if they took a GPLed library and included it directly in the application is the code of that application covered as well. Given that code for unrelated projects was coming through, the presence of that code in the repository is not enough to conclude that it covers the whole. You have to read the code to determine what part if any it touches.

doublelayer Silver badge

Re: Simplest solution

Cloud-hosted software as a service has entered the room.

Cloud-hosted software as a service has taken over the room.

Maybe everything you ever run is open source. Not everything I run is. Sometimes, the way to get people to write the code you want to run is to pay them for it, and I don't have the funds to finance the development process myself, but I can easily afford to buy licenses for stuff I want. I prefer to run that stuff on my own computer, but if they're required to hand me the source code in that case, they'll restrict it to running on their servers or whatever environment it takes to prevent me from accessing that code.

Proprietary software is not automatically evil.

Would banning ransomware insurance stop the scourge?

doublelayer Silver badge

Before you hand it to a criminal, it is not the proceeds of a crime. It is your money. You may read that law again, looking for the part where it defines any payment to a criminal as money laundering, but you won't find it. The rest of the chain, yes. Your end of it, no. In fact, the criminal hasn't done any money laundering until they try to obscure the source of that money. If they go out and say "I have some ransom money and I want to buy something with it", they've only committed the original offenses.

Your overeager interpretation is incorrect in several other ways. Yes, I can get £10k of cash and buy something with it anonymously. The bank will record that I withdrew it. The other bank will likely report that they deposited it. However, purchasing something expensive anonymously with cash is not illegal. Buying something with stolen cash is, and if I am a criminal, I might be charged with money laundering as well as whatever crime gave me the cash. The person I bought the expensive thing from is not required to verify my identity. If they too know that I am a criminal, they are guilty as well. If they do not know that, they are not guilty. Some institutions have a requirement to verify identities first, but not to verify the source of my cash. They too are not guilty, because they have complied with their requirement to have a record of the identity of the payer. Law enforcement may ask them for that information during the investigation, but even if it turns out I am a criminal, they were not supposed to identify that before allowing me to complete a purchase. Even more businesses are not required by law to verify identities and do it anyway.

Your page makes that clear (emphasis mine):

Criminal property (defined in POCA) constitutes or represents a person's benefit from criminal conduct where the alleged offender knows or suspects that the property in question represents such a benefit.

doublelayer Silver badge

I don't think money laundering means what you think it means. Laundering money is when someone takes money from an illegal source and hides it to appear legal again. If you pay a ransom, the criminal who received it is likely going to launder it so they can buy stuff with it. You are not laundering it because the money concerned was provably yours. You have not laundered any money, just given it to a criminal, which is not currently illegal.

There are a few crimes which come into play just by giving money to someone. Those include funding terrorism or evading sanctions. However, there are a few provisos that you should consider before you take your comment and do a "s/money laundering/funding terrorism/g" on it. First among those is that, to be a crime, a specific entity must be on a list set by your country. If it's not on that list, those crimes do not apply. They would still apply if you specifically requested use of your funds for terrorism, but you didn't. You may also be off the hook if you can convincingly demonstrate that you did not know they were going to a sanctioned person or group. No, that doesn't mean that you have to show proof that you know who it is going to. For instance, North Korea is under sanction, and if I send any money to them, I've committed a crime. They get around this by operating some businesses internationally, for instance several restaurants, mostly in southeast Asia. If I'm traveling in southeast Asia, I don't have to question and record all the restaurants I visit for their ownership. If I pick a North Korea-run one by accident, that's unfortunate. Only if I pick it on purpose is it sanctions evasion. That is why ransomware is a popular way of evading sanctions, because the current laws do not forbid it.

If you don't like how the current legal situation works, that situation must be changed. It is not money laundering to pay a ransom, and it will never be, but we could easily make it a crime anyway. Doing that would likely help quite a lot. I support doing it. We can't pretend that it is already done.

doublelayer Silver badge

Re: i guess she's saying that law enforcement is pathetic

When you have a plan for having a law enforcement body with the ability and power to find people who are hiding well, whose organization, ringleaders, and many of the participants are in a country that is unwilling to extradite or even investigate them, and who do not need to meet physically, let us know. In the meantime, we will need to plan for how to combat ransomware when you can't catch them. There are only so many of them who will be identified and travel to countries they shouldn't, although when it happens, law enforcement has tended to make them regret doing so.

Trump campaign arms up with 'unhackable' phones after Iranian intrusion

doublelayer Silver badge

Re: Intentionally Be-bugging Computer Code

And also 3. time spent fixing bugs that were deliberately introduced is time not spent fixing bugs that were actually there. It shouldn't be hard for managers to recognize that time is finite. Shouldn't be, but sometimes I wonder.

doublelayer Silver badge

They may be right

They may be correct in a few, carefully limited ways about the quality of their code. Not that it's entirely unhackable, but for example, that NSO's existing exploits wouldn't work on it, that people don't have active exploits for it, that there aren't low-hanging vulnerabilities ready for the taking. There is code that attains that level of quality, although I have no evidence that theirs is. Still, there are some times where code is good enough that finding a vulnerability directly through it is difficult or impractical, so maybe theirs has that.

However, that's not going to help you when attackers bypass it, as they're already trying to because that's cheaper and faster anyway. The humans are the weakest links in this scenario, and there are probably many limits. For example, the quoted figure of ten thousand lines of code actually makes it more likely that they have thoroughly checked that code, but it means that whatever it can do, it's probably not that many things. Maybe that doesn't include connectivity code because it runs on a different chip, in which case there's a place to look for vulnerabilities. Maybe it does, in which case I'm wondering what communication methods it actually supports to fit into that relatively small code limit. If the answer is that it can send text messages, presumably encrypted, and that's it, then the attackers can cheerfully ignore this and go to the systems on which all the information is stored. Sure, they might miss the last minute messages about something, but they'll see everything important enough that someone wanted a permanent note of it. People don't abandon email or group messages to use phones alone, and an attacker might find all the stuff they want on a different system. Even if the phones are unhackable, that won't be enough, and the phones probably aren't unhackable even if the code this company wrote was.

WordPress saga escalates as WP Engine plugin forcibly forked and legal letters fly

doublelayer Silver badge

Re: Four Fox Ache

Probably the same barriers there always are with a new fork. If a problem is detected in it, who do I think is going to fix it first? Who is going to fix it better? And do I worry that one of them is going to try to screw over the other, for example by making a fix and licensing it in such a way that the other fork can't adopt that fix and therefore delaying their fix?

This happens all the time. When Amazon forked ElasticSearch, Elastic quickly enough introduced a change intended to prevent libraries from working with Amazon's version. They're still fighting that one out, but as I don't use the products much anymore, I'm not up to date with developments there. If I was using these, I'd be worried about SCF's reliability because they might be more interested in making things harder for WP Engine than delivering the thing that the plugin was intended to do. I could use it easily, but I'd prefer not to and I'd be worried if I had to.

BOFH: Boss's quest for AI-generated program ends where it should've begun

doublelayer Silver badge

Re: you just need to ask AI to sum up the numbers

Probably true. I haven't checked the various competitors for how well their creators have hidden this fact. However, at least some of them have decided that making such elementary mistakes is a bad look and have done the same kind of preemptive parsing that there is in the Google search box to catch and complete arithmetic problems before they arrive at the LLM which can't handle them. It doesn't really change anything important; relying on an LLM to do calculations is a bad idea. However, the easiest ones will probably gradually get fixed. For most of us, this is actually a bad thing. The more simple calculations the LLMs can seem to do correctly, the more complex ones they will be given by idiots who will not check their work.
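As an added example (not from the post, and not any vendor's actual implementation), here is the kind of deterministic pre-filter the comment describes: plain arithmetic is recognised by a small recursive-descent parser and answered exactly, and everything else is forwarded to the model untouched. The leading phrases it strips and the `route` API are assumptions for illustration. It never calls `eval()`, which is the check a practitioner wants in anything that sits between user text and an interpreter.

```python
"""Deterministic arithmetic pre-filter: an added example, not code from the
post or from any LLM vendor.  Plain arithmetic is answered exactly by a small
recursive-descent parser; anything else goes to the model unchanged.
eval() is deliberately not used, so prompt text can never run as Python."""
import re
from fractions import Fraction
from typing import List, Optional, Tuple

# The phrases stripped here are an assumption for this example, not any
# product's real prompt-routing rules.
_LEADING = re.compile(r"^\s*(?:what\s+is|what's|calculate|compute|evaluate)\s+", re.I)
_TRAILING = re.compile(r"[\s?=.]+$")
_NUMBER = re.compile(r"\d+(?:\.\d+)?")


class _NotArithmetic(Exception):
    """The text is not a pure arithmetic expression."""


def _tokenise(text: str) -> List[str]:
    tokens, i = [], 0
    while i < len(text):
        ch = text[i]
        if ch.isspace():
            i += 1
            continue
        m = _NUMBER.match(text, i)
        if m:
            tokens.append(m.group())
            i = m.end()
        elif ch in "+-*/()":
            tokens.append(ch)
            i += 1
        else:
            raise _NotArithmetic(ch)  # letters, quotes, underscores: not ours
    return tokens


class _Parser:
    # expr := term (('+'|'-') term)*    term := factor (('*'|'/') factor)*
    # factor := '-' factor | '(' expr ')' | number
    def __init__(self, tokens: List[str]):
        self.tokens, self.pos = tokens, 0

    def _peek(self) -> Optional[str]:
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def _take(self) -> Optional[str]:
        tok = self._peek()
        self.pos += 1
        return tok

    def expr(self) -> Fraction:
        value = self.term()
        while self._peek() in ("+", "-"):
            op, rhs = self._take(), self.term()
            value = value + rhs if op == "+" else value - rhs
        return value

    def term(self) -> Fraction:
        value = self.factor()
        while self._peek() in ("*", "/"):
            op, rhs = self._take(), self.factor()
            if op == "*":
                value *= rhs
            elif rhs == 0:
                raise ZeroDivisionError("division by zero")
            else:
                value /= rhs
        return value

    def factor(self) -> Fraction:
        tok = self._take()
        if tok == "-":
            return -self.factor()
        if tok == "(":
            value = self.expr()
            if self._take() != ")":
                raise _NotArithmetic("unbalanced parenthesis")
            return value
        if tok is None or not _NUMBER.fullmatch(tok):
            raise _NotArithmetic(tok)
        return Fraction(tok)  # exact arithmetic: 0.1 + 0.2 really is 3/10


def evaluate(expr: str) -> Optional[Fraction]:
    """Exact value of a pure arithmetic expression, or None if it is not one.
    Raises ZeroDivisionError for division by zero."""
    try:
        parser = _Parser(_tokenise(expr))
        value = parser.expr()
    except _NotArithmetic:
        return None
    return value if parser.pos == len(parser.tokens) else None  # no trailing junk


def _format(value: Fraction) -> str:
    if value.denominator == 1:
        return str(value.numerator)
    return f"{value} ({float(value):g})"


def route(prompt: str) -> Tuple[str, str]:
    """("calc", answer) when the pre-filter handles it, ("model", prompt) otherwise."""
    stripped = _TRAILING.sub("", _LEADING.sub("", prompt))
    try:
        value = evaluate(stripped)
    except ZeroDivisionError:
        return ("calc", "undefined (division by zero)")
    return ("model", prompt) if value is None else ("calc", _format(value))
```

`route("What is 12 * (3 + 4)?")` returns `("calc", "84")`, while a prompt such as `__import__('os').system('id')` is routed to the model untouched because the tokeniser rejects it before anything is evaluated. Using `Fraction` rather than `float` is what lets the filter answer `0.1 + 0.2` as `3/10` instead of reproducing the usual binary rounding artefact.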

Smart homes may be a bright idea, just not for the dim bulbs who live in 'em

doublelayer Silver badge

Re: "Ask me how I know."

Maybe not the lesson that you had in mind. I'm guessing that yours goes along the lines of "never have smart light bulbs". It's a lesson that I find very easy to use, because I still don't have a use for them and I have no difficulty getting to and operating a light switch.

However, if you are a person who needs (for example, not being able to easily get to or operate a switch due to a disability) or wants (for example, I don't know, but some people clearly do) smart bulbs, the lesson is not that you are wrong and need to change. The lesson is that a lot of the bulbs are bad and you probably want to research the options before buying them. I don't know which category Mr. Goodwins is in, but it sounds like he might be. Just because you aren't in either category doesn't mean that everyone is the same.

Compression? What's that? And why is the network congested and the PCs frozen?

doublelayer Silver badge

When you have people who insist on bad subject lines, sometimes you need it:

Re: Request

Alice, please consider this a high priority request. It is important.

-Bob

Hopefully, you only have one email with the subject line "Request". Even if you do, you may have to delve into your history to find it. But what happens if you have two of them? How do you figure out which one is the important request and which one isn't supposed to happen at all? You could guess based on which one looks more probable. You could contact Bob, but maybe Bob has left for the day which is why he asked you to do it. You could open the headers and see if there is a commonality you can use. If Bob replied all, then probably you could use the other recipients to find out.

Yes, it also causes problems, but sometimes it is necessary.
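The header check the comment mentions, as an added example that is not part of the post: a reply's In-Reply-To and References headers carry the Message-ID of the message being answered, so two replies with the identical subject "Re: Request" can still be tied back to different originals, and comparing To/Cc sets tells you whether a reply-all kept the original's audience. The mailbox below is constructed for the example; none of the addresses, Message-IDs or requests are real, and the function names are this example's own.

```python
"""Reply-chain lookup by Message-ID: an added example, not code from the post.
Two replies share the same subject; their In-Reply-To and References headers
(RFC 5322) identify which original each one belongs to."""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, List, Optional, Set

# Constructed sample mailbox: the addresses, Message-IDs and text are invented.
RAW_MAILBOX = [
    """\
From: bob@example.test
To: alice@example.test
Subject: Request
Message-ID: <req-1@example.test>

Alice, can you rotate the staging API key before Friday?
""",
    """\
From: bob@example.test
To: alice@example.test
Cc: carol@example.test
Subject: Request
Message-ID: <req-2@example.test>

Alice, please give the contractor account admin on the build server.
""",
    """\
From: bob@example.test
To: alice@example.test
Subject: Re: Request
Message-ID: <re-a@example.test>
In-Reply-To: <req-1@example.test>
References: <req-1@example.test>

Alice, please consider this a high priority request. It is important.
""",
    """\
From: bob@example.test
To: alice@example.test
Cc: carol@example.test
Subject: Re: Request
Message-ID: <re-b@example.test>
References: <req-2@example.test>

Scratch that one, it isn't supposed to happen at all.
""",
    """\
From: bob@example.test
To: alice@example.test
Subject: Re: Request
Message-ID: <re-c@example.test>
In-Reply-To: <older-thread@example.test>

Sent from my phone, so you never saw the original.
""",
]

def _header_id(msg: Message, name: str = "Message-ID") -> Optional[str]:
    value = msg.get(name)
    return value.strip() if value else None

def build_index(raw_messages: List[str]) -> Dict[str, Message]:
    # Mailbox keyed by Message-ID; a message without one cannot be threaded.
    index: Dict[str, Message] = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = _header_id(msg)
        if mid:
            index[mid] = msg
    return index

def parent_id(msg: Message) -> Optional[str]:
    """In-Reply-To is authoritative; the last References entry is the fallback."""
    parent = _header_id(msg, "In-Reply-To")
    if parent:
        return parent
    refs = (msg.get("References") or "").split()
    return refs[-1] if refs else None

def root_of(msg: Message, index: Dict[str, Message]) -> Optional[Message]:
    """Walk up the reply chain to the original.  None if the chain leaves the
    mailbox or loops, so malformed headers cannot hang the search."""
    seen: Set[str] = set()
    current = msg
    while True:
        parent = parent_id(current)
        if parent is None:
            return current
        if parent in seen or parent not in index:
            return None
        seen.add(parent)
        current = index[parent]

def resolve_original(msg_id: str, index: Dict[str, Message]) -> Optional[str]:
    """Message-ID of the original that msg_id ultimately replies to."""
    msg = index.get(msg_id)
    root = root_of(msg, index) if msg else None
    return _header_id(root) if root else None

def recipients(msg: Message) -> Set[str]:
    """Every To/Cc address, lower-cased: a reply-all keeps the original's set."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}

MAILBOX = build_index(RAW_MAILBOX)
```

`resolve_original("<re-a@example.test>", MAILBOX)` returns the key-rotation request and `"<re-b@example.test>"` resolves to the admin-access one, even though both replies are titled "Re: Request"; the third reply resolves to `None` because its parent was never delivered to this mailbox, which is exactly the case where you fall back to asking Bob. The loop guard matters because a client that emits a References chain pointing back at itself would otherwise spin forever.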

doublelayer Silver badge

Re: "Shared Cloudy Thing"

It does as much as can be done in that situation. If they're retrieving a file over HTTP, it will adjust to the speed of their connection, and in nearly all cases, including most cloud services, it can be resumed rather than restarted if the connection breaks.

A point-to-point transfer would be better in some cases, but it too would not deal with the problem of a link that takes too long. It can also be more difficult to set up for the uninitiated, and depending on the protocol in use, more fragile.