* Posts by doublelayer

7687 publicly visible posts • joined 22 Feb 2018

Elon Musk issues ultimatum to Twitter staff: Go hardcore or go home

doublelayer Silver badge

Re: The Twitterverse will soon be silent

I sometimes wonder why people leave things this late to renew domain names. After all, there's no chance they're not going to want it and if they did go bankrupt, it's still a more valuable domain name than in general. Renewing the thing for several years is so cheap there's no harm in doing it.

doublelayer Silver badge

Re: Fair

I don't use these services, and I wouldn't object if they simply ceased to exist. Other people do like them, and they want them, and people know they could make money by giving those people what they want. Whatever you may think of them, it's not us who get to decide if a replacement is made. If the original falls, there will be many attempts at replacing it and we will have to deal with that, whether we like it, hate it, or are indifferent.

doublelayer Silver badge

Re: Tonight's Headline

"Why would the same rules not apply to a different non nato country attacking Poland?"

For two reasons. First, because it only matters whether the country being attacked wants to do something. The same reason that, if you punched me, I could decline to press charges and tell the police that it's fine and they would leave you alone. There is no requirement that anything that could be considered an attack gets an instant response.

The second reason is that it appears accidental. Even when I heard the initial reports that it was a Russian missile, my initial thoughts were that this was not a deliberate attack on Poland but a missile intended to hit Ukraine that missed. Certainly something Poland would have complained a lot about, but not necessarily worth starting a world war about. Calling in NATO to discuss it would have been a way to indicate to Russia that a mistake like that was really not good and bad things could happen if they weren't careful. If the newer reports that suggest it could have been a Ukrainian missile trying to shoot something down prove correct, it is still an accident and not likely to start a war. As I'm not Poland, I cannot say what their government would have or will do under each case, but that's a pretty good reason why they would choose a different action, which contrary to your statement is entirely within the rules.

Swiss bankers warn: Three quarters of retail Bitcoin investors are in the red

doublelayer Silver badge

Re: surprised

No, not like a Ponzi scheme. It could be like a scheme, but the specific type would be a pump and dump scheme. The different schemes have very different executions which leads to differences in detection and recovery. Importantly, a Ponzi scheme requires a central operator taking Ponzi's place, and a pump and dump scheme can work without one with individuals working, either in concert or without coordination but to the same effect.

It might also not be a scheme at all, given that the major difference between a pump and dump and a bubble is about the private thoughts of participants. Definitions are important.

doublelayer Silver badge

Re: FTFY

I suppose, but those "ownerships" aren't exactly very useful. With a stock, you own a piece of a company that will never listen to you about what it is doing and which the company can damage with little risk. With wine or art, I hope you actually bought it to enjoy that aspect, because if you bought either with the hope of making money and you can't, having an expensive liquid to drink won't help much if you don't appreciate the qualities that make it so expensive and you can get something nice to look at for much cheaper. Every investment comes with some risk, so I wouldn't automatically assume that something having a more obvious tangible value means that much. This doesn't mean that cryptocurrency is good (I recommend that nobody buys it as an investment), just that tangible value is no guarantee of anything.

doublelayer Silver badge

Re: Not surprising

At one point, setting up a relationship with a broker did require the minimum deposit that you claim. Today, not so much. Online trading platforms have significantly reduced minimums and fees such that several of them have values of zero for both. Trading stocks or other exchange-traded things for a retail investor is significantly easier than cryptocurrency in many ways, although it's not really that more likely to work out. People who are new to investing often don't know what they are doing, and that holds true for stocks and cryptocurrency. Stocks are less volatile most of the time, so they're less likely to lose everything immediately, but not guaranteed at all.

Your reference to GME (to other users, an American company GameStop which was talked up by an online message board and had a surge in activity in 2020) suggests you should already know this. After all, people were buying that stock without having a clue about it. Some people suggested a reason the company could have more value. Their suggestions weren't understood and could have been lies designed to get others to buy it and increase the price so that the original buyers could sell at a profit. A lot of people made money from that. A lot of people lost it. The stock is trading 94% below its peak during that craziness. This is the chaos that comes from people gambling (it could be called investing for people who studied the situation, but since they didn't, it's no different) with things they don't understand and, in most cases, make no effort to learn about. If you put a lot of your money into something, it's useful to know something about it.

doublelayer Silver badge

Re: Not surprising

I'm guessing you have had debt, specifically a credit card. If you use a credit card like I do, essentially just as a way to make payments with all bills being paid off in full as soon as they come in, this counts as repeatedly taking out debt for a few weeks and successfully paying it. This establishes a history of credits without you having to pay any interest and is one of the safest ways to increase a credit score. You are more likely to have gotten good credit terms with a history like that than if you have never used a credit card and literally have no credit record for banks to look at. You could have gotten one even under those conditions just with information about your job, savings, and income, but given that you're online and probably in a developed country, I think it's likely you have a credit card somewhere that you use.

Commercial repair shops caught snooping on customer data by canny Canadian research crew

doublelayer Silver badge

Re: Hmm

It's still illegal to look under the CFAA in the United States. Finding files without snooping is a grey area, but reading lots of files, even if they do contain evidence, is not permitted when the service being performed doesn't require it. Whether or not a crime was committed, and based on the actions of law enforcement there has been no confirmation, searching a drive is already illegal.

doublelayer Silver badge

This is why I don't use them

As with most of you, I'm approached by many people who know me asking me to fix their machines, and as with some of you, I'm not always thrilled with the prospect of doing what could be quite a lot of work for free. People like those mentioned in the article are one of the reasons I still accept each request when it comes in. Even when I don't want to. I've seen way too many repair techs who violate the customer's privacy or who do very shoddy work (the kind of person who thinks wiping and reinstalling Windows with no backup counts as successful repair). Meanwhile, since I have the skills concerned, I also don't know any repair techs I know I can trust. I therefore can never recommend someone to go to get a device repaired at a shop and would usually advise against it, so much that I take on the work if they don't have another technical friend because there's no options left.

doublelayer Silver badge

That article had "The UK", a country name as in a member of the UN. This one has "Canada", the same thing. Unless you still think Canada belongs to the UK, your complaint is invalid. The other article didn't describe the university as "A European university", so your suggested sentence is also invalid.

doublelayer Silver badge

Re: Snooping

That really depends how obvious things were, but it would have to involve a pretty low effort before you're breaking your contract or the law. I don't doubt that criminals have been captured that way, and I am inclined to believe that your story isn't a lie, but it certainly isn't justified for other snooping to occur.

Twitter engineer calls out Elon Musk for technical BS in unusual career move

doublelayer Silver badge

Wrong question. It's not whether you wrote http.get but where it runs. Does http.get connect to another computer for that to do the HTTP work, or does it do it on your computer? If the former, it's an RPC and your program is not like anyone else's. If it's the latter, it's still a local procedure. No, an HTTP request does not count as getting that server to run your procedure. It may run some of its own, but it will not accept arbitrary calls and may not be performing a computation, for example if it simply returns you preexisting data.

doublelayer Silver badge

Re: The app doesn't make RPC calls?

RPC doesn't mean anything where you ask another machine to do something. RPC has a narrow meaning, where you call a function which is executed remotely. Calling a function that retrieves data from a remote location but runs locally is not an RPC. Next, you'll be saying that the 1000 count was right because look at how many RPCs were called to transfer the network request along its path. RPC has a specific meaning, and if you want to use it in discussion, it's useful to know what it means. The same way that "database request" and "database record" are not the same, that "byte code" and "machine code" aren't the same, that "Linux" and "Unix" and "Posix" aren't the same, and that "disk" and "partition" and "volume" aren't the same applies here as well. If you don't want to be wrong, you have two options: don't use technical terms you don't understand or learn enough that you do understand them.

doublelayer Silver badge

Re: Bit klunky, but...

I see you've never worked as a programmer. That's not how it works.

Here's an example. I have a task to do. The code we have that is involved is terrible. Nobody disagrees with this; we all think it's bad. I could overhaul this for a better version, completing the task some time in January. I could also patch around the problem that prevents the completion of my task, write the new stuff, and complete that next week. We're doing the next week plan.

It's not about needing the task completed. This isn't time-sensitive. It's not about disagreement about the overhaul being useful. However, they want me to be able to work on different things in December, and by patching, I'm not introducing any really big problems (no risk to safety, security, sensitive data, just the code being harder to maintain and significantly uglier). I don't have the freedom to tell them that I'm ignoring them and starting a redesign on my own, and if I did, there's always the risk that I discover around the beginning of January that there's a problem and it's going to take longer than we guessed, which wouldn't go down well. I have had lots of things I thought were good ideas, but when there's a team working on something, that idea has to be sold to them and to management before you can just do it. Even if you're in a senior position where smaller ones don't need anyone's approval, you still can't take out large chunks of time or make massive changes without notification and some kind of oversight.

doublelayer Silver badge

Re: Bit klunky, but...

And if you insult the workers based on your wrong understanding, they get defensive. You're right that the less respectful way you inform someone they're wrong, the more likely they are to punish you for it. My guess was that the person in this case was already planning on leaving and wasn't going to take any more public insults. Had he wanted to stay, his response might have been different. In neither case was he wrong nor was Musk justified in his statements (or in my opinion actions).

doublelayer Silver badge

Re: Sooooo....

No, it's a rather important technical difference. An RPC and a network response aren't the same thing. If you have both, then you need to see whether they're both slow or whether only one is. If only one is and you do a significant amount of work to reduce the instances of the other, you've wasted a significant amount of work.

If Musk wants to play this game, he can amend his statement and start fighting with them about the number of requests they make on some other system. It won't stop his original complaint from having been wrong, and his second one might also be wrong if he doesn't try figuring out how it actually works. If he hasn't fired them, there are probably people whose entire job is profiling the system and understanding what causes delays.

doublelayer Silver badge

Re: Bit klunky, but...

The programmer did mention several problems. This wasn't attempting to hide bugs or inefficiencies, as they didn't seem to mind suggesting large overhauls. It was a fight about a specific technical issue, namely how many RPCs are there to perform the operation. Musk has a claim, and the programmer has a claim. I'm more likely to believe the programmer, given that, as you said yourself, "Musk isn't a programmer and it would be highly unlikely that he'd know all the ins and outs of Twitter's code base".

Australia to 'stand up and punch back' against cyber crims

doublelayer Silver badge

Re: Someone trashing your car does not give you the right to trash their car

"I can't see how this body can operate without breaking national or international laws."

Quite easily, both in theory and in practice. National laws are easy: it's the government. When they pass a law making this organization, they give it an exception in the regulations that would otherwise apply. International law is a bit harder, but there are few international laws about hacking, relying on the old standby of extradition requests linking national laws. Since the national law has specifically allowed the action, that's not going to work for any country that wants to submit a request in defense of their local criminals.

Which brings us to reality, where that doesn't happen anyway. Sure, a few countries, especially Russia, allow ransomware operators and other cybercriminals to operate without prosecution, but they don't give them state protection or anything. If those criminals get harmed, their host government isn't going to act to defend them. It's akin to expecting a government to start a war when a drugs group loses a shipment to customs inspectors. It doesn't happen with drugs and it won't with malware.

doublelayer Silver badge

I'm curious what you mean by crypto transactions, as most banks do not accept cryptocurrency or allow conversions. They do, however, allow you to transfer your own money to someone else who will perform that service for you. Do you want to block banks from transferring to any organization that converts cryptocurrency? If you do, that is unlikely to work, as users could withdraw on their own or use a different middleman to perform the transfer, and the infrastructure to ban that transfer isn't really a feature of the current system (if you put this in place without banning cryptocurrency outright, the law would be struck down almost immediately when a rich cryptocurrency platform sued).

Hey, GitHub, can you create an array compare function without breaking the GPL?

doublelayer Silver badge

Re: Working to get fired

Well, as it's not actually going to make programmers irrelevant, there's not much risk in it for them. But yes, people do that. Programmers have written lots of things over the decades to make their job easier, which in turn means you need fewer programmer-hours (less time, which means one programmer can do more tasks). That's a good thing for the people who use programs and indeed for programmers themselves. If we hadn't done that, the availability of usable personal computers would have been significantly slowed, meaning fewer jobs as there would be much less demand for software.

We don't strive to create artificial antiquity just to make things easy; we prefer quality and efficiency. I've seen arguments for not updating inefficient processes because the people who do them would need to learn to do something else, and such arguments are usually unfounded and futile (even when it's tried, it doesn't work out for long).

doublelayer Silver badge

Re: Some functions are very simple

I don't copy obvious code. For that matter, I don't copy non-obvious code, because that's a recipe for it breaking and having me completely stuck. When I review others' code, I read it to understand how they did what they did. Then I apply the lessons from their solution. Sure, when it's a function call, my line will look like their line, but when it's a wider function, my version will look different from theirs because mine will be tailored to my problem and will omit things I didn't need. My variable names will be explicitly related to what they contain, rather than the shortened form common in examples. My functions will be divided where logical for my use case, not what makes for a clear explanation. I have learned instead of copying and produce a better result for it.

University staff voice 'urgent, profound concern' as Oracle finance system delays payments

doublelayer Silver badge

Re: Tricky things, computers. I didn't get where I am today by seamlessly migrating systems

If they work like every other university I've seen, they have a computer science department with its own implementation of nearly everything that avoids as many of the systems from main university IT as they can. I've seen that structure quite often, and while every other department uses the main systems, CS eschews them all for homebuilt alternatives that, although they're a bit uglier and not as organized, also don't go down or lose data. I think the CS faculty both know how to build things well and that they will be happiest if they only use their product but don't open themselves to supporting the rest of the institution with it.

doublelayer Silver badge

Re: Why Does El Reg Have A Picture Of The Assembly Hall Of The Church Of Scotland......

Curiously, someone was complaining last week about a company being identified as from Bavaria rather than Germany, so it seems that the writers can't please everyone no matter what level of regional names they use. I have a feeling that pointing out that neither statement was incorrect won't convince people, but I've done it anyway.

Just follow the instructions … no wait, not that instruction to lock everyone out of everything

doublelayer Silver badge

Re: True to form

I'm guessing they probably took a while (if ever) just to fix the error they found, if their company works anything like every place I've worked. I think the only thing about the Agile Manifesto that was understood by companies was the part where they say "We value working software over documentation". Usually, the policy ends up being "If the documentation bothers you, you change it. You can put whatever you like in there. Nobody will review your change until the new starter tries to use it for something.".

LockBit suspect cuffed after ransomware forces emergency services to use pen and paper

doublelayer Silver badge

Where do you live? If it has privacy legislation, you can contact them and request them to take it down, and when they ignore you, you can file a report about it to hopefully steer a regulator in the right direction. If you know a good lawyer, you could also try suing them for copyright violation as you almost certainly didn't release that picture under a license that permits this, but you'd have to do the work for that one yourself. I won't do these things as I don't want to upload any pictures of me, but as you've already done it, at least the first suggestion is feasible and not too difficult if you live in a location that facilitates it.

doublelayer Silver badge

Only if the system is written to associate names with photos. This system, on the other hand, appears to do it the other way around, so posting photos of other faces with your name attached won't prevent them from connecting two photos of your real face and correctly naming you if there's enough data. Their database would just think there are a lot of others sharing your name who look different. Theoretically, you could upload a ton of photos of you each connected to fake identities, but that requires giving them a lot of data and the creation of the fake identities isn't as easily automated.

Go ahead, be rude. You don't know it now, but it will cost you $350,000

doublelayer Silver badge

No, it means the code was probably written wrong without having to store it in cleartext. The following workflow would accomplish this bug without storing a cleartext password:

Enter old password

Enter new password

If old password doesn't match hash, report error.

If old password doesn't match rules, report error.

If new password doesn't match rules, report error.

Hash new password and store it in database.

It just has to run the rules against the user-entered string, which it already has because it will check it against the hash. For all we know, the coding error could be even more basic. My version has a statement run twice when it's only needed once, but it could also be that it was only being run once but on the old password instead of the new because someone mistyped a variable name. That version could in turn be changed into my version when the "Isn't checking new password against rules" bug was fixed by a lazy developer who put in the necessary statement without removing the erroneous one.
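The workflow in the post above, sketched as an added example (not code from the post or from the system it discusses): the two buggy variants it describes next to a corrected handler, with only salted hashes ever stored. The policy in `meets_rules`, the PBKDF2 parameters, the function names and the sample passwords are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

RULES_ERROR = "error: password does not meet rules"
AUTH_ERROR = "error: old password incorrect"


def meets_rules(password):
    # Constructed policy (assumption): at least 12 characters and one digit.
    return len(password) >= 12 and any(c.isdigit() for c in password)


def hash_password(password, salt=None):
    # Store (salt, digest) only; the cleartext never reaches the database.
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def verify(password, record):
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def change_password_as_posted(db, user, old, new):
    # The workflow from the post: rules are applied to BOTH strings.
    # `old` is available in cleartext only because the user just typed it.
    if not verify(old, db[user]):
        return AUTH_ERROR
    if not meets_rules(old):  # erroneous extra check
        return RULES_ERROR
    if not meets_rules(new):
        return RULES_ERROR
    db[user] = hash_password(new)
    return "ok"


def change_password_mistyped(db, user, old, new):
    # The simpler variant from the post: one check, on the wrong variable.
    if not verify(old, db[user]):
        return AUTH_ERROR
    if not meets_rules(old):  # should have been `new`
        return RULES_ERROR
    db[user] = hash_password(new)
    return "ok"


def change_password_fixed(db, user, old, new):
    # Corrected handler: authenticate with `old`, apply policy to `new` only.
    if not verify(old, db[user]):
        return AUTH_ERROR
    if not meets_rules(new):
        return RULES_ERROR
    db[user] = hash_password(new)
    return "ok"


def demo():
    handlers = {
        "as_posted": change_password_as_posted,
        "mistyped": change_password_mistyped,
        "fixed": change_password_fixed,
    }
    results = {}
    for name, handler in handlers.items():
        # Constructed accounts: "legacy" predates the policy, "modern" complies.
        db = {
            "legacy": hash_password("hunter2"),
            "modern": hash_password("old-compliant-99"),
        }
        results[name] = {
            "legacy_to_strong": handler(db, "legacy", "hunter2", "correct-horse-42"),
            "modern_to_weak": handler(db, "modern", "old-compliant-99", "a"),
            "cleartext_stored": any(
                isinstance(field, str) for record in db.values() for field in record
            ),
        }
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

Both buggy variants lock out the account whose existing password predates the policy, and the mistyped-variable variant additionally accepts a one-character new password, which is the failure a regression test on this handler should cover.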

doublelayer Silver badge

You're right, I did that wrong. Still, with 350 machines instead, it's still not a number where finding another supplier if your other accepted one couldn't would be difficult. If you were refreshing thousands of machines at once, it might be a bit harder to do at short notice.

doublelayer Silver badge

I could see it happening for a few reasons.

First, it wasn't "just because of a personal disagreement", though that definitely didn't help. If the change needed to be sold to someone else, it could be done as "failure to make repairs specified in the contract, necessary to continued functioning of the equipment, and after repeated requests". That sounds a bit worse and can get others to accept it.

Second, it's a big figure, but that's about 35 laptops. We're not talking a massive company here. The person doing this could already have been at a high enough position that cancelling the contract could be in their authority. If they couldn't find anyone else to provide replacement laptops at a comparable price, there could be problems, but they're often interchangeable and with multiple available suppliers. They may already have planned for multiple suppliers and the change just involved switching some orders from approved supplier 1 to approved supplier 2, which would likely have gone through without issue.

Twitter, Musk, and a week of bad decisions

doublelayer Silver badge

Re: caused Musk to ban "impersonators."

It usually involves choosing a username that looks like it might be correct but isn't, such as replacing characters with ones that look similar or padding it with something that would be logical, then relying on people who previously associated the check symbol with the account having been verified as correctly representing the person or organization it claimed to.

doublelayer Silver badge

Re: I really don't understand the 50% workforce, 80 hour week thing...

That stuff has been decentralized. You can set up lots of turnkey open source services that do those things. Take Zoom, for instance. I have a server running Jitsi, an open source videoconferencing system. Mostly because when I set it up for 2020, I never shut it down, but it does still work. That's not the only option for that service. All you have to do is use one of those instead of using the free services that have some degree of support, don't require technical people to set up, and don't charge you for bandwidth. Is it that surprising that the average person isn't rushing out to copy my Jitsi server? When there is a person who wants decentralization, the software is often there for them to use.

Also, do you really think Musk has the knowledge to write an RFC and protocol at all, let alone one that is designed well and scales correctly? I wouldn't count on it.

doublelayer Silver badge

Re: Publicity isn't always good

"Content producers using twitter to reach customers would find $8 a month to be a huge bargain to promote themselves."

You appear not to understand what the $8 is for. They already have a program doing what you suggest. It's called advertising and it costs a lot more with more controls. This program doesn't do the same things and does not offer the possible benefits that posting ads does.

Musk tells of risk of Twitter bankruptcy as tweeters trash brands

doublelayer Silver badge

It can be done legally, both in the U.S. and elsewhere, but generally with a lot of agreement. You can't legally require someone to work that many hours, but you can require them to do enough stuff that they would have to and specifically indicate that they're earning a salary and it's not about hours worked. If they didn't know that was coming, don't expect them to put up with it for too long, especially if the law specifically says they can quit with no notice at all.

As for advantages, there are no advantages. Two people working normally accomplish a lot more because they don't spend a quarter of the time looking at the clock and thinking about how much they hate the person who hired them, then burn out in a few months. The only time where it helps to have one person paid really highly for really long hours is when they have especially rare and needed skills and you can't find a second person who knows what they're doing or if you do, it would take too long for them to ramp up on things. That's not Twitter's situation, so they're just going to get a slight performance increase for about three days before their engineers start slowing down for survival and to make time for the many interviews they're undoubtedly on.

doublelayer Silver badge

Re: Let this sink in

You're going to need to better define what losing means. Since Twitter's now his, the only ways he couldn't survive at Twitter is if he sells it (good luck finding anyone who wants to buy it now), gets it taken off him in legal charges (not likely and they would take forever), or dissolves it (which also takes a while). However, he could easily destroy it within a Truss. He'd still be the owner and operator of a thing called Twitter, but depending on how badly he manages to screw this up, it could be unrecognizable. I wouldn't have expected it to be that fast, but the number of things he's broken in a couple weeks suggests I gave him more credit than he deserves.

World Cup apps pose a data security and privacy nightmare

doublelayer Silver badge

Re: How is it going to get your contacts, location, etc.

"Does the app refuse to operate if it can't grab your contact list?"

That'd be an easy way to do it. Anyone who installs this in the first place is willing to accept dodgy software in return for getting into the events, so how many will cheerfully install and activate the app but balk when it demands access and won't work without it? They might not even know about that until they install it in preparation, having already paid for their Qatari lodging and whatever tickets you need to attend.

You're correct about it continuing to spy on you, although I'll point out that you wouldn't need a full rootkit unless the user did a factory reset of their device and a lower-level exploit that doesn't change the system partition would withstand an app uninstall. I don't think they will use either, though. Still, they will be able to collect a significant amount of information while it's running, so even without a beachhead on the device, there's information about you which can be used to drive further attacks if they're motivated to do so. If I scrape your device's common storage and any data I can get by making the user accept permission requests, that's useful in targeting users later or selling to interested parties. I'm not really sure what Qatar would actually do with it, but it's not likely to be good.

doublelayer Silver badge

Re: Nokia rules!

It sounds like they would not let him into events without the apps to serve as tickets, but he would probably be freer when traveling around the country in general. However, IMEI and IMSI numbers could still be logged and shared, so freer doesn't mean invulnerable.

GitHub's Copilot flies into its first open source copyright lawsuit

doublelayer Silver badge

I think Microsoft should and probably will lose this fight as well, but some of your accusations are a bit weak.

"At least now we know it [the acquisition of GitHub] was simply to make the theft of all those resources easier for them..."

Come on. It's publicly available. I can clone all of that. It doesn't take an expensive ownership and operation to point a downloader bot at the site and start cloning all the repos meeting some criteria. If that was their reason, not only did they start their evil plan years before they started using it, but they've come up with the least efficient heist ever. This suggests their reasons were probably unrelated, given that they can and did get training data for copilot from locations they don't own.

BOFH: Don't be nervous, Mr Consultant. Come right this way …

doublelayer Silver badge

Re: should we call time on the BoFH?

Why, though? I think it's aged well, with modern articles still being relevant and enjoyable. If you don't like it, I'm curious what you see as changed since you appear to have been a fan for quite a while. The most logical complaint I can guess is that it got repetitive, but I find that the articles are a lot less repetitive than certain comments advocate (those people who think someone needs to be killed in every episode, for example). I could see some ways it could be taken in a bad direction, but I don't think those have happened or are likely to as long as Simon remains in control. Your question implies that you have critiques, and I'd be interested to hear your views.

doublelayer Silver badge

Re: the other side

The solution to this is to have the tech people from both sides do a preliminary examination of what will be needed. Don't let sales just write a contract without knowing what work needs to be done or what money needs to be paid.

It's an issue in either direction, although the example in the article is usually worse because it indicates that the business is one of those whose business plan is hiding charges from customers until it's too late to change course, which is justifiably hated. I presume there are contractors who use that as their business model (I've not had to run a transfer like this, fortunately for me), but I've certainly seen other businesses who take advantage of this tactic. The ones who quote you a price, and you find it acceptable, and the legal paperwork that you get to see doesn't mention other costs, but when you're just about done with that, they bring out the other fees.

NTT claims it can stop the noise leaking from annoying people's headphones

doublelayer Silver badge

Re: Communicate with people around you?

That is probably more common than not, but I am a fan of open-ear designs for some cases. When traveling outdoors, I prefer not to obstruct my hearing when it could be important for safety. When working closely with a small group together, I like being able to hear if a discussion starts so I can take part (although this is less common than working next to people who I don't want to hear). There are also other occasions where having the ability to hear the world around me and the feed from my device simultaneously can be important or just desirable.

doublelayer Silver badge

Re: Can they also stop ...

I imagine the loud music does get people to drink more given that all chance of useful conversation is annihilated, but in my experience, it also deters repeat visits as conversation is one of the nice parts about going somewhere with friends or colleagues. If I'm enjoying myself, I'm more likely to want to stay and keep ordering things.

Theranos founder Elizabeth Holmes's arguments for new trial deemed spurious – just like her tech

doublelayer Silver badge

Re: Jailbirthing

They're not likely to leave the baby in there after it's born, you know. As for the mother, it is a place for them if they're convicted criminals, and she is. Pregnancy isn't an escape mechanism. If the prisons don't have the ability to look after someone with those medical needs, then they're either not intended to and she'd be sent to one that has the required facilities, or the prison isn't fit for purpose, but in both cases, that's a possible problem with a particular prison, not a reason she should be exempt from anything.

doublelayer Silver badge

Re: She better be careful

You won't get any arguments from me about the people who gave her money being dumb; there's a reason she got no investors who knew anything about the industry. The rest of your claims, however, are complete rubbish.

She was a student when she recognized the existence of a problem. She didn't have any knowledge of how to accomplish what she wanted. It's like me saying "I've discovered that it takes a while to fly on planes and faster ones are really expensive. I know, let's build a cheap faster plane". That's all well and good, but I don't know how to build a cheap faster plane and she didn't know how to build a blood testing machine that worked on smaller samples. After trying to build one and recognizing that she didn't have a clue what she was doing, she started lying about it and submitting fraudulent documents to investors to steal their money, knowing the goal was not being achieved. Until that started, she was just stupid, not a criminal, but it only took a few months to make the switch.

doublelayer Silver badge

Re: Jailbirthing

I'm not sure what your point is, but I hope that this both stops in those facilities that weren't meeting these basic standards and that the facility she goes to already meets those standards. It doesn't change the fact that she deserves to go to jail.

Instagram star gets 11 years for $300m email scam plot

doublelayer Silver badge

Re: Fraud - Not just BEC

It's kind of hard to find a scammer who isn't hurting anybody. Usually, when someone says that, they mean "isn't hurting anybody I care about", and the statement says more about their lack of caring than about the scammers' lack of harming.

Swiss Re wants government bail out as cybercrime insurance costs spike

doublelayer Silver badge

"Cybercrime losses are exploding because of the ease of transmitting ransom payments across borders."

This is your problem. You see cyber insurance as paying ransoms, which sometimes happens, but that's not what it's mainly for and that's not what causes most losses. That insurance pays for a lot of things other than ransom payments, and some policies have been sane enough to prohibit paying those at all. They pay for recovery from damage. They pay for investigation of an incident. They pay for losses like having to pay for credit protection or liability for people whose data was stolen (theoretically). These things will not be stopped or shrunk meaningfully by stopping ransomware, and banning Bitcoin also won't prevent the most damaging ransomware either. You are looking only at one aspect of the problem and coming to inaccurate conclusions on your limited understanding.

doublelayer Silver badge

Not exactly, though there are parallels. As the comment was written, it was a "we should ban assault rifles and there will be no more violence" argument. That is false, and using a lie to make an otherwise functional point harms an argument very badly.

I'm not going to argue a position on guns, as it's not relevant to this conversation, but the point with guns is that there are uses for them other than committing murder, and one has to balance those uses against the benefits from banning them. That can result in "no guns at all", "all guns at all times", or somewhere in between with specific types allowed and others not. The same applies to cryptocurrencies or anything else you name, since every item will create harm to somebody in some way. The general point is not viable (we could prevent the need for cyber insurance much more effectively by banning computer networks, but if I argued that we should, you'd reject it as the unworkable plan it is).

The argument was based on a fallacious statement, suggested a plan that is not viable, and did not attempt to address the ramifications the plan would have if implemented. I contend that it is simplistic to the point of incorrectness.

doublelayer Silver badge

Re: It's not the insurance industry

I disagree. They definitely need to mature. Insurance has to calculate risk. That means that, for example, many insurance companies won't insure a property that's been smashed by the same natural disaster several times, is at high risk for another one, and has no precautions taken for when that happens. They've calculated that they're likely to have to pay for a very expensive repair and that nobody will pay a premium that would pay for a new house every three years. This doesn't please the owners of that property, but the insurance companies can decide whether they're willing to take the risk. They need to apply similar logic to whom they'll insure for cyber risk and what they'll do for them.

The most famous occasions have been ransomware, so I'll use that as an example. If the insurance company plans to insure a place for ransomware damage, they should probably check whether there are backups isolated from potential attacks, what restoration would look like, and the likelihood of damage that the backups won't handle. That makes a major difference to how much recovery is going to cost. They also have to look at the attack surface and internal security standards to at least estimate the risk of a successful attack getting started and spreading. Maybe they can also consider that paying a ransom is a bad idea which only increases the risk and stop doing it. This is how you do insurance-companying, and if cyberinsurance can't do the calculations that most other companies have, they deserve nothing from the rest of us when their acceptance of stupid risks lands them in bankruptcy.

Feds find Silk Road thief's $1b+ Bitcoin stash in popcorn tin, hidden safe

doublelayer Silver badge

Re: wire fraud

You misinterpret the law. Sending stolen money over a wire isn't wire fraud. It is theft. Wire fraud is transmitting messages related to a scheme to defraud someone, whether successful or not, and other crimes may be in play if you successfully get something from them. The wire fraud charges are related to using false pretenses to get a system to send money you aren't entitled to, and they would apply even if the system didn't send it, for example if a manual review caught it.

doublelayer Silver badge

Re: I hide my Bitcoin stash on a single board PC as well.

Usually, they mean that all the interfaces are on the one board. Even if you don't have a graphics card sticking up from your motherboard and you're using only an M.2 disk that's mounted directly, you probably have an external power supply needed to convert voltage for the system and at least some of your ports are external to the board. If I'm being particularly picky, your RAM also probably runs perpendicular to the device and those look like boards too. The SBC label is less "there is no second board" and more "everything is on this one board".