Posts by doublelayer

Re: The Blackberry Passport...

However, if you're not clear, then both projects fail to meet your standard. Exchange is breaking compatibility by not including the rich message whatever it does, and Thunderbird is failing to be compatible by not supporting it. In this case, I think it's more Thunderbird not supporting it than Exchange not sending it, but I don't know for certain. If you ask for interoperability, I see two ways of doing it:

1. Everything must support the protocol of everything, which either means that I cannot introduce new features because it would break compatibility with anyone else or that, if I do introduce new features, everyone must adopt it. It sounds like neither of us want to do this.

2. Everything must support some standard communication system in addition to whatever protocol they were built for. You can do this, but what's the point? Anyone who uses it is presumably using it for its unusual features, which will be the reason it has a protocol other than the standard. If they just wanted another XMPP client, they have a bunch to choose from. We might as well make that standard email and tell every chat system that they'd better bolt on a mail client. Those systems having the feature won't make anything easier for the users.

Re: The Blackberry Passport...

"This is why, incidentally, I want to see all messaging vendors legally compelled to be open to existing open standards and allow connections from 3rd party client apps."

Well that's an interesting request. How do you intend your system to deal with the situation where someone makes a new chat app because they want to offer some feature that's not supported by whatever open standard you've selected? That feature could be a lot of things, from a different format of media to a new encryption strategy. Most of the apps in your list were originally made to add some new feature that previous chat systems lacked. You could deal with a few of these by embedding more and more information in the message, and old clients just dumping unsupported messages out as text. That would work for a few things, although it's not pretty. However, for anything where the architecture is substantially different, for example if they change the routing mechanism to something decentralized or start using asymmetric encryption with user-provided keys, that won't work either. So far, I have opposed similar requests because I don't have a good solution to this problem and I don't want to lose the benefits of new systems. Do you have an alternative?

Given that we don't know exactly what software they were using or what actions the monkeys' brains were activating, and that this is a person whose companies have been accused by employees of faking sales videos before, I would take that particular demonstration as perhaps not indicative of the product you get.

Re: Less "connected" means less likely to be hacked and randsomed.

What makes you think that the system that took in data on floppy disks had no network connection? Lots of systems had networking and floppy drives. Fewer systems had networking, floppy drives, and an application that was written with security in mind. I'd be more worried about how old the software that was used to process the floppy-provided files was, because if they didn't update the hardware requirements, they may not have changed the software. Keeping in mind that the software was probably written in a time when, even if you did use encryption, it was something that can probably be cracked in seconds nowadays, I don't think my concerns are groundless.

Re: US bias

That's what happens when you shove the entire internet into the training set and push the go button. These programs are not looking through the data to find out which things apply to your country, they're just guessing, and if there's more about the US in their training data, it's going to show up when it randomly looks for answers unless you've crafted your prompts to keep reinforcing your country name. Even then, it's not guaranteed to get things right, just more likely to. I'm hoping that people will eventually recognize that this cannot answer specific detail questions when those questions get past simple (I.E. whenever a simple search wouldn't turn up the answer).

".int sounds okay to me, as it's very unlikely to ever be requested as a new gTLD."

The problem is that .int is already a GTLD, one of the relatively early ones. It's for international organizations, and it's quite strict about it. For example, the official website for the United Nations is un.int. The EU has a few of them, but they usually redirect to something.europa.eu. In practice, it's not as likely to cause a problem as using some other existing domain you don't control just because it's quite difficult to get a .int domain so it's unlikely that any other system will exist and your DNS request will just fail, but still, not the best idea.

Re: "DNS, however, can't prevent internal use of ad hoc TLDs"

Two reasons. Mostly that the land rush has come and gone. When lots of people were buying up names, there was more of a chance that that would happen, but many of those names have not proven to be the commercial blockbusters the investors were hoping for and they're busy hosting cheap domains for scammers and the occasional domain hack, but not even a fun one as was done with two-letter TLDs. Some of them have even been shut down entirely. I don't think people are still hoping to throw money into that.

The second reason is that ICANN already decided that some TLDs were not to be reserved. Back in 2018, they put several TLDs on the never list because some internal systems had used them. If .internal was already used frequently, I would expect ICANN to reject the application should someone try to reserve it after all. I don't have any objection to them doing this, but it's weird for them to make it sound like they've done a lot of work when they have no technology to set up.

Re: "DNS, however, can't prevent internal use of ad hoc TLDs"

No, it's not, because they actually do use most or all IP addresses. If we hadn't reserved the 10.0.0.0/8 block, some ISP would have asked for and been granted it, and we wouldn't be able to use it. In addition, it's quite intrinsic to the way networks are used that IP addresses be available for local use without having to request them from someone else, and private addresses permit this.

Let's consider both aspects with the .internal name. Nobody has requested .internal, and it's unlikely anyone would given how many new TLDs have been issued. Any TLD that does not exist can be created without registration, will be dropped by public DNS, and can be filtered by internal DNS infrastructure.

Re: "DNS, however, can't prevent internal use of ad hoc TLDs"

Theoretically, this could happen. Equally theoretically, they could already do this for any number of names. They could be configured to look for *.internal.companyname.co.uk and drop it. They could be configured to drop any internal domain the admins might set up and drop that. Either way, though, some admin will have to configure their internal DNS resolvers to know when they should be dropping requests that have not resolved yet and when to forward them on, and if they don't do that, the request will still go to the external DNS system. All this does is ensure that the external systems will reject it. However, since .internal didn't already exist, those external systems already would reject it.

Re: "DNS, however, can't prevent internal use of ad hoc TLDs"

Not even that. ICANN has, over years of discussion, decided to take a name and do nothing with it. A name they already were doing nothing with, that nobody had asked to use, and in a set of other names they've already decided to do nothing with. When this idea is fully implemented, nothing whatsoever will change anywhere in the world.

Re: I use....

It seems like a fine limit to me. We may not use anything that long, but having a lower limit wouldn't offer any advantages as far as I know. The 64-character limit also makes it possible to use some strange things, like the encoding of Unicode domains to ASCII. The longest domain name in use is .ファッション, which is in your expected range for length, but since it's in unicode, it's actually implemented as .xn--bck1b9a5dre4c. It's convenient that the limit makes that feasible, as a shorter limit would have required it to be truncated.

Re: Genuinely curious...

One option is that there was a script somewhere which used relative paths and moving the script somewhere else was harder than just linking in the data for it to work on. I've had the experience, in fact I'm having the experience right now, of a script that's not written well but it would theoretically be faster for me to work around its errors rather than going in and fixing it. For instance, a script I have which needs Protobuf and does not work with modern versions of Protobuf. If this were an important part of a system, it would make sense for me to rewrite the logic to use modern behavior, which shouldn't be too hard (I didn't write the initial version), but since I run it manually and on offline data once every six months, I just keep around an old copy of Protobuf in there.

Re: I, for one will not take 'advantage' of this

If they don't offer any non-app ticket options, they're already rejecting anyone who doesn't have a compatible phone. So yes, that might happen, but it's not like it's that new. I also don't think it's likely to happen because sideloading is confusing and that would prevent some people from buying tickets, so they'd like to decrease the difficulty as long as it doesn't decrease their control. Since Apple's store regulations don't prevent any of the things their apps do, I see little reason for them to want people to sideload them. Let's assume that I'm wrong about this and they decide to do it.

Their choice to do something inconvenient for you does not mean we should be barred from other choices. I'm a bit surprised that you're making an argument like that, since people can and have pointed out how the restrictions on apps create inconveniences for them, both users and developers, but you don't seem to think those are important. Why is your inconvenience any more important than their inconvenience? From a legal perspective, Apple's restrictions have an anticompetitive effect and ticket sellers, while quite annoying, generally don't restrict competition more by using an app, so the legal argument doesn't work in your favor either.

I'm a bit confused why the discussion of what is a computer has come up so much. However, the distinction seems obvious to me: does it have an operating system capable of and intended for installing and running multiple applications not provided with the operating system? An iPhone definitely is. Your car and washing machine are not. If you wipe out the firmware of either and install what you like, then you can try to use them that way. The car may be capable of it, though it's almost certain that your washing machine is not able to be used that way.

Re: I think I disagree, but I’m not sure…

So your definition of computer is "it's shaped like other computers"? An iPhone is a computer in every way. It has a general purpose operating system intended to run other software, with the facility to load that software at runtime (as opposed to baking it into the firmware in order to install). Its screen may be smaller, but why would that make it not a computer? It may also have a phone capability, but why would that prevent it from being a computer? Your definitions confuse me. I'm not sure that being or not being a computer is the relevant point here either.

If you do that, then users now have to remember their username. Either they get to set it themselves, in which case they'll pick one reasonably unique one and use it everywhere, or they all get assigned one by the service that makes no sense and they don't bother to remember it. In the latter case, you will have to include mechanisms to recover usernames which are not supposed to be secret information in the first place. You might as well just issue the user a password you generate if you're willing to go to that extent. On the bright side, it makes password stuffing difficult.

Or, and this might be wrong but it's possible, the printer is too complicated?

I hate office printers and try to have as little to do with them as I can. This is especially true when the IT people have tried to set up something to make them easier to use, but it doesn't work. I've had the experience of trying to get a printer to recognize my credentials and print my document and it seems very unwilling to do so. I've had the experience of calling in my colleagues, also programmers, and none of us can. Maybe that's because the printer's broken, though it doesn't say so, but maybe we're all too stupid to understand the obvious method IT had in mind for how to turn this on. I start wondering whether I'm supposed to be pressing more buttons or if the server that's controlling print jobs is not working. Sometimes it eventually works. Sometimes it doesn't.

Most of the time, I'm using the office printer because I don't print much at all and I figure they can spare a sheet, so I don't build up the experience to know exactly what you have to do.

If you have a complex printer system, for example one with multiple printers you can send your print job to, some rule about where the printer you need to use will be which don't include some printers, and several steps when you physically get to a printer, and you write none of it down, don't act surprised when some infrequent users find this less than intuitive. Someone can get confused by that, and it's the configuration, not the printer, that caused the problem.

Re: cleaning alcohol

"What is it that makes a man(or woman) become a beancounter? and what sort of courses do they take there? something that removes all emotions and empathy leaving a heart unbrideled by a conscience"

You know some people think similar things about us? Both accountants and techs tend to focus on one area with a lot of complicated and important details which the other people don't understand or care about.

Me: "I don't know of many universities where you can take a purely theoretical curriculum"

Reply: "Oxbridge"

Well, I didn't go there, so let's see what they have. Taking into account the criteria written in my comment, let's take a look at Oxford's computer science course description:

This course in Computer Science aims to produce graduates thoroughly conversant with the principles of modern computing science, who are able to apply those principles in the design and construction of reliable systems. The course at Oxford concentrates on bridging theory and practice, including a wide variety of hardware and software technologies and their applications.

[...]

Practical skills must also be developed, and the majority of subjects within the course are linked with practical work which contributes marks towards the final examination.

[...]

In the second year, Computer Science students are required to take:

- the core courses in Algorithms & Data Structures, Compilers, Concurrent Programming and Models of Computation;

They have many optional courses that offer practical skills. You are not getting through this degree without learning some practical skills in programming.

Let's check Cambridge, just to be complete:

Practical work is undertaken and assessed in all years of the degree programme.

[...]

You take four papers, including three compulsory Computer Science papers - covering topics such as foundations of computer science (taught in OCaml), Java and object-oriented programming, operating systems, digital electronics, graphics, and interaction design - and the Mathematics paper from Part IA of Natural Sciences.

[...]

You take four papers, spanning core topics:

▪ theory – including logic and proof, computation theory

▪ systems – including computer architecture, computer networking

▪ programming – including compiler construction, programming in C/C++

▪ human aspects – including Human Interaction design, Artificial Intelligence

You also undertake a group project which reflects current industrial practice.

[...]

I don't agree, possibly because my experience about what computer science degrees, at least the first degrees before postgraduate, intend to teach. In my experience, they do teach a lot of practical programming skills. It's not a full set of skills needed to be a good programmer in industry, but it's enough skills to be good at learning what you need when you are in that position. That's not the only thing they teach; there's plenty of theory involved as well, but they do teach practical skills and people do take them to learn those. If they are going to do it that way, I think secure design is important enough that it should be part of the requirements, not a separate choice to be trained later. This might be related to what I describe in a comment below that I've rarely seen computer science split into programming and a more theoretical version, so I assume that most other departments work the same.

The reason that I think secure design is required is that it's not really a design methodology. It's not an option to be picked from a set of choices, but a mindset you gain from knowing what can happen and what you should do to minimize the risks. You can design securely along with any other structure you plan to use, and the concepts involved apply equally well whether you're writing a videogame or low-level industrial control software. In either case, it consists of basic lessons like knowing how to look for vulnerabilities, knowing what likely ones are, and learning how to either prevent them from existing or block someone from trying to use them. It's true that it's very easy for people to design without paying attention to these, and there are cases where this can be somewhat excused if I grit my teeth and admit it, but those exceptions are a very small section of software produced and the consequences of ignoring it in all the other areas can be extremely bad. We could fix this with more security courses, or with more attention to it in normal programming courses, and the latter might actually be more efficient, but I do think we should fix it in the education step as well as the corporate one.

I agree that specific product configurations shouldn't be in there, but should be in the IT security course, but there's a lot more to secure coding than the ways the language itself can have vulnerabilities. There is also secure design, which needs to be taught somewhere. Not just memory safety, but that you need to encrypt some data, hash other data, and be certain about the security of wherever you've stored it. They need to know how an attacker works so they can add the basic security precautions to their code. They need to know about information leakage so they can prevent having that vulnerability. Many of these things aren't about the tools they're using, but how they write their code.

I was taught all this stuff. Some of it was in security courses which were not mandatory, but at least some of it was included by professors who wanted to do this well. Still, those designing courses would do well to ensure it is there.

I can't really agree there. There are lots of certifications for safety-critical software, as there should be, but there's a difference between licensing people to build something, licensing their product, and licensing everyone who does anything at all similar to it. Licensing the product is what they should be aiming for, and a certification of the people building that product can be a way of making it more likely that the product itself will be acceptable during that process. Trying to require licensing standards for all of programming is likely to end with a bad certification test which is difficult to pass and nonetheless doesn't tell you much about the capabilities of the student.

This sounds like the "programmers aren't engineers" cliche all over again, a cliche I believe to be flawed. It assumes that all engineers are like civil engineers when this is obviously not the case. The engineers building your consumer electronics don't need to have any more certifications than the programmers writing the code running on those devices or software with a similar level of criticality. They may be held to standards about security for the programmers or not spewing too much radio interference for engineers, but that's checked on the product and, unless it's quite extreme, only when it causes a problem.

I don't mean by this that security shouldn't get more importance in this. I think having security courses is a good idea, if only because I work in security and if I can stop dealing with the basic things people get wrong, that would let me work on more complicated and useful things. We also need to somehow stop people from ignoring all the lessons that get taught in good courses, whether those are about security, maintainability, or efficiency. I just think that adding a certification to this process won't make that happen.

That's not the structure used by most universities. Usually, there is computer science, which teaches both theoretical and practical programming, and there is IT, which is separate. You don't often get to skip the practical parts when taking computer science, even if you do decide to become a theorist, and if you are pursuing that approach, you'll still find that most of your classmates intend to become programmers. Those are generally the two options. Sometimes, there is a split in computer science where some students take a mostly software approach and some others do a combination of electrical engineering and low-level software, but not always.

I don't know of many universities where you can take a purely theoretical curriculum, nor am I convinced that any of them should run such a program.

Re: You're asking me to quantify Mozilla's market strategy.

I am a trader. I choose which browser to run, paying indirectly by benefiting the organization that makes it. If I use Firefox, I benefit Mozilla by being part of their user base which they monetize in a few different ways. If I use Chrome, I'm benefiting Google by letting them control web standards. If I use Safari, I'm benefiting Apple by having bought one of their products because Safari doesn't run on anything else.

The browser makers are also traders. They provide me a service of value and compete with other browsers to offer useful features. Google provided automatic builtin translation with Google Translate. Firefox provides automatic builtin translation in fewer languages but it runs on my device and doesn't require me to send any data to Google. They are competing.