Posts by doublelayer

Re: Wrong

The fact that someone made a mistake does not mean that we should adjust our laws to let them do whatever they think necessary to recover from their mistake. I have left too late for things before, but that didn't give me permission to treat the public streets as a racetrack to get where I needed to be on time. Making mistakes leads to consequences. Consequences are why you try to avoid mistakes when you can and to have contingencies for when you can't.

Re: the application will be removed on upgrade

Because there is a risk in telling people that they ship this binary on everyone's installation but it's not supported. If, for example, a security vulnerability was found in it, would they really be able to claim that they don't support it, so that's not their fault? They would be blamed for that, so if they're no longer going to maintain it, they remove it. You can always put it back. It appears to be one executable, one DLL, and a resources file for each installed language, so it should be pretty easy to keep even after it's removed from preinstallation.

Re: Word Processing in the Cloud

I'm sure that, if this is true, it was done intentionally by the place of education. If so, they likely did it to prevent students from writing something locally, saving it to a disk which isn't meant for storage of student work, and either losing important work or claiming that they did to get out of turning something in. The same reason why I've been asked to prevent people from being able to save documents except to a network drive, because evidently just telling people is not working.

Re: Would it not be possible to give a patient list to the police...

It should be, and for all I know they may have some method of determining that which for some reason isn't used for many calls. However, criminals who have even a bit of a clue could find ways to relay calls from their location to somewhere local, or even pay someone to make the calls on their behalf. There was a group of adolescents interviewed on a security podcast who operated swatting as a service operations, so they could try outsourcing the work to those guys. It probably won't end well for the less intelligent of those ones, but it offers them another proxy.

For those who are interested in hearing it, the specific episode is Episode 83: 'DING-DONG DITCH' ON STEROIDS (link goes to Apple podcasts).

Re: Would it not be possible to give a patient list to the police...

Fine with me. And those are? The problem with crime of this nature is that we usually don't know all the names and addresses, and when we find out one of them, it's usually more useful to hide it because there's a chance we may find more, while publishing the one we have will just alert them that we're getting close. Some criminals have been arrested successfully when law enforcement has succeeded in unmasking them, but unfortunately not often enough to stop others doing it.

I'd argue against this, but I think you misread the situation so much that it's virtually impossible to debate the point with you. Somehow reporting a problem is the same as advertising, even though I don't pay anybody to use libcurl and the article mentions nothing encouraging use of it. I think you might need to read the article again.

Re: Charge bug bounty hunters an entry fee

It will probably get rid of all hunters, both those who submit crap and those who don't. Hunters may be concerned about submitting a real bug and getting charged for it, especially if companies are being vindictive as they sometimes do. While I don't do commercial bug hunting, I've had the experience of reporting a vulnerability to a company and getting a nasty message back because they didn't like having a problem brought to light, so I'd be careful not to do that if it involved getting a nasty message and paying them for the privilege. I think that's what you'll get, but we can always try. I wish there was a better way, but I don't have one.

Re: What's the betting

I'm sure you can purge the advertising cache files every time Chrome creates them, but that will just cause Chrome to recreate them every time. With a 10 MB limit, it's likely those will be hideously compressed on disk to fit as much as they can in there, so expect to be downloading 10 MB per advertiser when it restarts. The good news: it will probably be different advertisers each time.

This is a good enough reason not to use Chrome if you can't disable this, and I already had a good enough reason not to use it.

Re: Cart Before The Horse?

"But for Bobby and Susy Office Worker, what exactly does AI bring to the table? I can get useless search results even faster? What's in it for me and the millions of other average users?"

If you need to write an email but don't want to be bothered thinking or typing, then you can use this to create a message that looks like it answers a question but really doesn't. If the person you are sending it to isn't bothering to read it, then you've saved yourself some time. Otherwise, you'll end up looking like a person either being deliberately unhelpful or someone with reading comprehension problems. That appears to be the use case for office workers that AI companies have thought of. I'm sure some people will try doing that. I didn't say it would be a good thing.

"BTW, what's the difference between directories and folders?"

The level of abstraction involved in the name. Both are pretty abstract, but "folder" was intended to represent to the user what the thing does, and "directory" was intended to represent to the user how the thing worked. The concept that they're doing is identical.

Re: Don't get this confused with free speech.

I didn't disagree with that. In fact, I was using that as part of my statement that there are always consequences, and that the free speech legislation in the US does not prohibit companies from using employees' speech as a reason to fire them. What I asked about was why the original poster thought their opinions should be excluded on a free speech basis, but that the people in this article don't qualify for the same. I think the law doesn't give an exception to either, which is internally consistent, but their post did not have a similar consistency, nor even an argument for why their exception should be specially excluded from consequences.

Re: Don't get this confused with free speech.

So let me see if I understand your statement correctly:

If someone says something that you agree with then it's a free speech issue and you should be allowed to say it without fear of losing your job. If it's something different, which you probably disagree with, then it's not a free speech issue and bring on the consequences.

Sorry, if your boss can fire you for one thing you said, they can fire you for other things as well. Consequences always apply. The only exceptions are when labor law restricts them, which could be in everything or not. In the U.S., those laws are not strong, meaning that you can be fired for lots of things you may choose to post. This means that I don't expect these workers will get anything in this case, as they can be fired for the statements their managers did not like. It does not mean the views you prefer would or should get to bypass this reality unless the law is changed. I'm having trouble seeing your distinction between what counts and what doesn't other than you agree with one and don't with another.

Re: MIT/BSD anybody?

It's true that Linus didn't have the ability to just switch everything to GPL 3, but he could have done something to make the terms apply to some important part and apply the restrictions to most users. Based on his comments at the time, it seems he didn't have a major objection to the tactics that the FSF wanted to prevent with the GPL 3, so he didn't try to do that.

Re: Eclipse Versus Borland Delphi

"Companies don’t need Open Source if they want to cooperate."

True, but it helps. They could form a consortium and build something closed. That consortium could even sell licenses and that might help make some money. But it makes it really hard for new companies or individuals to join and start working on it as well, and it reduces the number of users, which can be important if you want contributors. They appreciate that it's free as well, but part of the reason that it can be is that there are so many people interested in maintaining it.

Re: Let's say he creates this post-open "contract"

It's not about willingness to pay so much as knowing whether or not I have to. I don't object to proprietary software; if I want it, I will and have paid for it. The companies that employ me do so all the time. The charities I used in my example do so less frequently because, as I said, they don't have a lot of money so asking them to spend five figures on some enterprise software is a hard sell, but they still do it if it's important enough. However, I know that when I suggest the option. I don't say "Let's use Office365" and get surprised that Microsoft wants money for it. Using something sold as open source and then finding out that the license is not compliant is a much larger surprise, especially if I've previously contributed code or donated money to that project.

One of the reasons I might adopt open source software instead of proprietary is the freedom it offers me, and I don't just mean the freedom to read the source and modify it in my environment. Chances are that I won't be doing a lot of that for the infrastructure software anyway. One other freedom that I value highly is the knowledge that, no matter what the authors did, I can keep using this. If the authors gave up and stopped developing it, I still have the software and the right to run it here. If the authors started demanding a higher price than I can pay for some feature, I still have the old software and can work around this change while using what I already had. In either case, I can take the code, make my own version, and work with others to keep the software alive despite it. In an environment where certain uses require permission or payment, I no longer have that guarantee. If the authors have the choice to tell me that my use is now forbidden, then I have lost something that traditional open source provided.

Re: Let's say he creates this post-open "contract"

I doubt it. The ambiguities in all the licenses that implement something like this have already caused problems for projects that switched to them. While I have argued and still believe that the switching was instrumental in some of the chaos, the licenses themselves haven't helped. For example, there's usually some restriction on commercial use, but the license isn't clear what it is. I sometimes volunteer for charities to write software, but that is not necessarily commercial or not. In order to find out whether it counts, I probably have to negotiate with whichever company has written the license to see what they think, and since I'm not likely to pay them much if at all because it's a charity and they're not very wealthy, those people are usually not very helpful if they respond. If I come across a project like that, am I really motivated to contribute to it directly when I'm not sure I can use my own work later? Usually, the answer is no. It's hard enough to find developers who want to work on open source projects, and for reasons discussed in other comments, I have no faith that I'll actually get rewarded for doing the work, so the least I expect is the right to use my own contributions later. If I don't have that ironclad certainty, it might as well be proprietary to me.

I stand corrected. The license does implement that properly. I still don't like it for a variety of reasons, but at least it's not failing in the way I supposed.

Re: It ain't going to work

Any scheme to direct funds to people based on some statistic is going to be gamed if it actually generates money. This is not an easy problem even if someone does think they've written software to manage it. I haven't found a good example of what Merico's software actually generates, but I'm really worried that it will end up being like the managers who try to make something out of lines of code written. You don't need me to tell you why that doesn't work. None of the other statistics work either. I also had a manager who tried to do something with PR frequency, if you didn't open one a week, it was not good for you, and one a day was much better. Obviously, that doesn't help much either. It takes quite a good manager to actually judge the relative usefulness of a developer, and when the manager isn't promoting or firing people, it doesn't make sense to have one. As such, I fear any automatic allocation process is doomed to uselessness. Attempting to use it anyway will motivate people to figure out what brings in money and do that; if writing docs counts, they might just have an LLM generate a lot of long-form documentation and collect the points from that, with a few people making corrections collecting a few more while doing all the real work.

Re: Stop working for them for free.

I agree with you there. The question here is whether Microsoft's purchase of GitHub was required for them to do that. I contend that it was not, and that complaints that Microsoft should ... I don't know, just not be allowed to have bought it because years later they might do something are misplacing the blame. Had they not bought the platform but still trained on its contents, as they have for books, newspapers, and likely lots of other things you can find online, we would have the same problem and we'd still have to resolve it somehow.

Re: American influence over matters IP, and software licensing

Or it might be that the organizations that played a central role in the development of the FOSS concept and the licenses that implement it happen to be based in the US and wrote their licenses specifically to work with US laws as well as international ones. When The Register interviews an American who worked with American IP law, you wouldn't be too surprised that he sounds a bit, you know, American.

Re: Stop working for them for free.

They're running their training efforts on everything public, which already includes all the PRs, approved and not, from all the open source stuff on GitHub. Their ability to do that does not require them to have bought GitHub, since I can get that information just as well by building a basic scraper bot. They have built plenty of scrapers for sites they haven't bought, so nothing prevents them from having it.

You're right that their ownership of GitHub allows them to find some reason to cancel your account, and by the way it also allows them to not bother and just cancel your account because some admin doesn't like you, but that's kind of obvious from the starting premise that they own the platform. In short, you're concerned about their ownership of GitHub, not their exploitation of copyright, but the latter is the damaging thing in this situation and does not rely on the former to exist.

Re: All because of crypto

"I never claimed (and if you disagree: show me were I did) that this is a silver bullet that will magically solve all cybercrime."

I agree, you did not. The person to whom I first replied did, or rather that it would magically solve all ransomware. I've seen the argument before, and similar to the discussion elsewhere in these threads about whether you could start a global trade war to stop ransomware, it could theoretically help but not as thoroughly nor as cheaply as people would like to believe.

I also agree that disabling cryptocurrency, if we could do so unilaterally, would cause some serious problems to ransomware operators. So would several alternative methods, such as making payment of ransoms illegal or having a larger dedicated police force for identifying operators and tracking them until they come to a country in which they could be arrested. We could try all of these things and more. Each would probably have some effect. None would have the ultimate effect we both want, and I fear that cryptocurrency might be among the weaker of them given the scale involved. There are a lot of criminal organizations that have spent time and effort figuring out how to move large quantities of money before cryptocurrency existed, and ransomware has become large enough that they could start to do the same. I think that there is an appetite to shut down ransomware that is strong enough that people are abandoning the step of considering the costs and likely results of possible measures. This has led, in these comments alone, to suggestions to send assassins to kill the ransomware operators and to commit acts of war against the countries in which they are located. Banning cryptocurrency is much less outlandish than either of these, but that doesn't make the description realistic.

Re: All because of crypto

Did I say that you need to keep cryptocurrency because it's so useful? I did not. What I was arguing against was this: "Get rid of cryptocurrency and the problem goes away." Sorry, that would be great, but the problem won't go away with a flip of a switch. If you pretend it will, it will only result in disappointment when you spend a long time convincing people to do the difficult work required to shut down or make effectively worthless all cryptocurrencies and ransomware operators are still around. A counterpoint is that, if we could retroactively disable cryptocurrency a decade ago, I think we might have prevented ransomware because they started with small attacks and small ransoms where finding a transfer method was not worth it, but you rarely hear about a ransomware attack on a personal laptop anymore. Nowadays, it's large groups going after large companies or governments for millions in ransom, and that scale is where finding alternatives is worth the effort and much easier to try.

I don't much care whether cryptocurrency exists. I have none, I don't want any, and the benefits it was supposed to bring it hasn't and won't. Let's still be honest about the realities involved in both the ransomware industry and the cryptocurrency industry before we claim easy answers.

Re: All because of crypto

Challenge: find a way to get £10M from someone who has it and is willing to pay it, into your hands without the police identifying you and you win £10M. Do you really think that, with an incentive like that, people will really just give up if the first one they used isn't working anymore? Can you really not conceive of a method that might work?

What if I give you an extra asset, one the largest ransomware organizations tend to have: if you have some people in Russia, the Russian police won't try to arrest you anyway. That means you can do things in Russia that wouldn't normally work in a different country, if any physical interaction is needed. I'm guessing you have some ideas that don't involve cryptocurrency. And they already have the software, so trying some new ones would be close to free. If it fails and their transaction is reversed, they can always try another method with the next company, or even call back the first company and try again.

Re: Unannounced security tests

If the link they're clicking on is to a phishing test provider, the one your company contracts with, you can probably take a pretty good guess that it's a phishing test. If you're not sure, you can ask whoever sends them out, and if they tell you that it is one, then you know for certain. There are ways to know that other than being the sender. If you're trying to test vigilance, it can be useful to know who will click on something when there isn't someone shouting for them not to; a real attack will not necessarily go to the users who know what they're doing. Clicking on a link even when I'm looking over your shoulder and telling you it's a bad idea is a bad sign, but someone who avoids doing that is not necessarily good enough to avoid the real risks.

"our process for checking suspicious links that look plausible involves clicking them"

And almost certainly telling the attacker that this address exists and has someone who clicks on links, so send some more over there. Sure, it's a lot better than if they actually got what they wanted, and I'm assuming you clicked them on a machine that didn't have any credentials to try to steal, but does the risk of sending information to the attacker about the link clicked cause any concern?

Re: Unannounced security tests

If you know for certain that it is a test, then you also know that there isn't a risk to security if someone clicks on it. Not telling them means that the test is better, because it tells you what things would look like if they were the only or first person to get this message. They can't always count on you having received any phishing attempt before it is sent to them, so they need their own vigilance as well as listening to you. This is why phishing tests at my company are intermittent, so if one person gets a suspicious email and asks me whether I got one as well, I will usually say no completely honestly because I did not get this one. This requires them to either test the email on their own or enlist someone like me to help them do so, which is what we want them to be doing with suspicious mails anyway.

If you don't know that it is a test, tell everyone.

Re: Customers are the security liability

It wouldn't have happened automatically, but it would have been easy to open. I'm not sure about others' workflows, but I read the message before opening the attachments, mostly because there's a chance that the message will tell me that I don't need to bother with that file so opening it is a waste of time, but also to detect risks with the file. If others weren't doing that, suggesting that they might want to read the message first is not a bad plan.

Re: I'm shocked!

I'm curious why people disagree with that? It's not too different from what Firefox says:

Private window: Firefox clears your search and browsing history when you close all private windows. This doesn’t make you anonymous.

Learn more

Of course, Google does a lot more nefarious stuff than Mozilla does, but their warning doesn't hide that incognito is a very basic thing that is limited to the local device. I don't mind that someone sued Google over collecting a bunch of data and tried to link it to their Chrome privacy record, which is pretty terrible, but the message they show does indicate that they haven't opted out of collecting data on their end and nor has anyone else.

Re: Pretty sure you can't change the laws of Physics...

The laws of physics don't change. That's why your radio receives one channel, just Morse code. After all, the first radio experiments worked that way, and the physics isn't any different today. The advantages are in our more efficient use of the laws of physics. Instead of using all frequencies, we limit to a smaller band. Instead of using analog data, we use digital data which can be more tightly packed. Some of the changes are redesigns like that, whereas others are simply improvements in manufacturing technology allowing transmitters to use less bandwidth while not getting prohibitively expensive. The laws of physics say such things as how much power your signal will have based on the distance and items between the receiver and transmitter, that is unless you use other physics hacks like finding a way to reflect it, but those laws say nothing about how low the power level can get before your receiver can no longer use it, let alone how many bits per second you can manage to shove in there. That's down to your tools, and those do change.

As for WiFi, you can have that. Lots of countries have some ISP who came up with this idea and has a public access method. Find which ones do that in your country, they probably exist, and sign up for an account. Congratulations, you have WiFi access from the house of anyone who has the same ISP and didn't change the settings on the supplied equipment. It doesn't work for people like me who buy my own equipment and configure it myself, but my neighbors have these, so you'll have coverage. That is you'll have coverage when you're near someone else's house, but I spend no effort making sure my WiFi coverage extends outside those walls very far. If you're in the street near a house, you'll probably have something, but if you're in a more open space, you won't. The same applies if you're moving between these access points. Most importantly, there are a lot of places without houses where you won't have any APs to connect to at all, and if you want the internet there, you'll need something that has better coverage than home WiFi.

Re: 5G speed not just affected by signal

I would guess that it's for tracking and billing because your provider will be responsible for charging you for billed usage and paying their partner network. Alternatively, it could be related to protection of your data so they can use networks you otherwise wouldn't trust, but I don't know whether their tunneling includes encryption or not. Both of these are guesses, though. I don't know if they are correct.

Re: Correctness and Simplicity

If your comment was meant to explain what I missed, I still don't get it. Yes, one of the reasons people may have used the option the writer doesn't like could be that that one came first. Or that that one is cheaper. Or that that one was faster. Or that that one is better. Or something else entirely. Either way, it still boils down to the author complaining that people don't use the thing they wanted.

Here's an example. I don't much like Javascript because writing it is painful and it lacks a lot of stuff that a proper programming language would have, it's inefficient and calling into anything else is a mess of incompatible standards into which companies like Google want to cram everything. Unfortunately, it is the only feasible option for client-side web scripting, so we're stuck with it. The above two sentences are a better argument than that essay was because I at least told you what the system I don't like is and why, albeit in very little detail. The famous essay doesn't do either. Neither of the approaches refer to a real system with real complaints, but to theoretical systems with complaints that have been deliberately exaggerated. My two sentences are also a bad essay, because if I'm actually going to complain about web scripting, then I need to acknowledge the also ran, which would involve me explaining why Javascript is certainly a lot better than client-side Java was, and it beats Flash, and Silverlight is a word that nobody wanted to see in this sentence. In short, to admit why Javascript is where it is today. I think it is possible to create a better scripting language than JS, but that doing so is not justified because it is too popular for an alternative to be adopted, but I could specify what characteristics a replacement should have. An essay like that would make a point that others could debate. If I instead chose to make a fake language that could be JS or maybe not, then explained that everyone who was involved in it was sloppy and undisciplined, but that the good people couldn't succeed because the sloppy people got to market first, then I'm doing my own argument a disservice by ignoring reality in two different ways.