* Posts by doublelayer

9408 publicly visible posts • joined 22 Feb 2018

Raspberry Pi production rate rising to a million a month

doublelayer Silver badge

Re: A Bit Late Now

There are several products that aim for that part of the market. This post compares several good options for performance and power usage, although it didn't include everything and has not been updated. In many cases, it comes down to your specific requirements. Many projects will absolutely need something that not every other project does, and so some of these boards will leave something out that makes them unsuitable, or in some cases include something that makes it worse such as adding on other peripherals which increase the size of the unit for space-constrained projects.

Windows XP's adventures in the afterlife shows copyright's copywrongs

doublelayer Silver badge

Re: The problem is caused

Except your analogy doesn't fit the software experience at all. If you work in industrial controls, you already know this.

Microsoft did not disable Windows XP from working. It still runs on any machine on which it was installed, and you can still activate it. They don't sue anyone who makes spares for it; if I open a company where I say I'll help you install XP on something, I'm allowed to do so. If I write antimalware software for it, I'm allowed to do that. Microsoft not only doesn't sue me for doing this, they have no right to sue on that basis. If I sold a bunch of copies of XP which I've hacked, they do have the right to sue me for that, although they probably don't care enough to bother, but that is not at all what you were implying with your car analogy.

If we stick with the car analogy, manufacturers eventually stop making spares for a certain model. That doesn't mean you're forbidden from using your old car, or that you won't be able to find spares, but at some point, they don't consider it worth it to continue making parts that few people need. Software people do the same. It's your choice whether to use the old versions, buy the updated version, or switch to an alternative product. Where that choice is limited, I oppose it, but the response to that should be freedom to choose the software you are going to buy, not a mandate for permanent support.

doublelayer Silver badge

Re: Make like trademarks, not patents or copyright?

"the publisher still stands ready to fix any significant bug or security vulnerability that might pop up."

You don't have that now. The publisher will try to fix any bug or vulnerability that they feel is bad enough to cause them a problem, but not otherwise. This is annoying, but there has never been any requirement that manufacturers of anything, software or otherwise, fix a problem you might have unless it leads to safety issues. You can sometimes return a product based on those, but not even that in all cases.

It's not really a parallel to trademarks either; to keep a trademark, you must continue to use it in business, not to make available the products with which you once used it. If Apple decided they were shutting down but wanted to keep the name for computer products, they could make a single Apple Computer which sells for a million dollars and contains as the only processor an RP2040 and a tiny screen, no battery, no disks, and no ports. Insert your joke about actual Apple prices and product features here. They can still keep the name, even if all the Macs are dropped.

doublelayer Silver badge

Re: Hmmm..

"You will never fix *anything* if you put off trying because "doing that one thing won't fix it all in one fell swoop"."

You will also never fix anything by just making changes because you're aware of the problem but not how or whether your changes will address it. That approach is likely to have more counterproductive effects, because after a few "Something must be done, so how about this" attempts, people lose the desire to keep trying things at random.

"Copyright should be 20 years" is a policy that's going to cause several big changes in the area of IP. We don't know what all of those are, but even those which can be assumed are being ignored by many here who are proposing it. For example, if copyright was canceled that quickly, then you could use Windows XP for free without legal problems, which is ... basically what you already have because Microsoft hasn't sent anyone to punish those who leaked the license generator. It's not enshrined in law, but it is what happens de facto. That's not what people are asking for, though, which means that when the change to copyright means that software support and availability hasn't changed, they'll want to introduce a new change. For example, some posts here which have advocated some type of mandatory publishing of source code, which will cause a lot more changes. In the meantime, the shortened copyright term will have caused a lot of chaos in other types of intellectual property that don't become as obsolete in two decades, and someone will want to clean that up. This idea seems to have been written after about five minutes' thought, and that's a poor way to fix any problem.

doublelayer Silver badge

Re: Copyright length

"Where is that income stream coming from? Obviously from the pockets of music consumers (e.g. subscribers to streaming services), but less obviously, by diverting money away from current, less well-known artists, into a small pool of incredibly wealthy artists and corporations."

No, that's not the case. It comes from people who still like that music, even years on. If everybody decided that they've heard that music and they're done with it now, there would be no income stream. It exists because people who listen to music, buy it and put it into something else, or ever make a choice of a particular piece are choosing that one. The successful artists are making a lot of money, and the corporations that have those artists in contracts are making even more, but they're only making that much because the music available through those contracts continues to be popular. Under your system where that popular music becomes free, you're going to get even less money going to new artists for a simple reason. Here's an example.

The current method:

Advertiser: We want to put some music under this advert. We could buy the rights to a very popular song from the 1980s for $bunch_of_money, or this less well-known song for $bunch_of_money/4. Which one do you want?

The shortened copyright method:

Advertiser: We want to put some music under this advert. We could buy the rights to a song which is not well-known for $bunch_of_money/4, or a very popular song from the 1980s for $0, which a lot of people are listening to because anyone can have it for free. Which one do you want?

In the second scenario, the artist who wrote that famous song will be getting nothing, but the new artists will also be getting less. You would have a cheap streaming service which just has all the popular music, not including the last twenty years or whatever limit you set, and they'd be able to charge much less because they keep all the profits.

Has Amazon found the ultimate lock-in? Cheap cellphone service for Prime

doublelayer Silver badge

Re: Connectivity and reach

That's probably true, and they'd have to make the system themselves because the mobile providers I'm aware of don't tend to make it easy to buy a lot of individual connections that are mostly unused. I've commented on this before, but I wonder if the costs are really high enough that they don't want to let people have lots of connections which are charged by the data used, not by just having a line open. If I could connect something cheaply without having to pay a frequent renewal payment, I'd probably have quite a few of them.

However, if this is limited to the United States, then Amazon may have an alternative since that's also where they have the Amazon Sidewalk (use your neighbor's bandwidth) system.

doublelayer Silver badge

Re: I might as well sign-over my pension check to Amazon. NOT!!

"I did not find any which excluded 5G (OTOH, none promised 5G would work)."

Out of curiosity, why do you want that? If your device doesn't support it or the signal isn't present, it won't be used. If your device does support it and you travel somewhere that has it, you get to use it. They tend not to exclude it because they don't really care which signal you're using, so whatever they have, they'll use that to provide you the service. The rest of your considerations make sense, but I'm not sure that finding one that is specific about that will be possible or would be helpful.

Smartphone recovery that's always around the corner is around the corner

doublelayer Silver badge

Re: Every comment above nails it

"no lack of gimmickry and complexity."

Actually, I can't think of any real gimmicks recently. Of course, every announcement includes something they say they've done with the camera using AI, but they're usually not clear what that is and I wouldn't use it anyway. As for other gimmicks, the only one I can think of is folding.

If manufacturers were making a lot of weird devices, I might not want them, but at least they'd have some interest level. Do we want a device with a custom-made laptop dock it just slots into the device with more buttons on the sides for shortcuts, or the device with multiple USB ports designed for connecting other peripherals? You might not want either of those, but we'd be able to discuss the potential benefits or drawbacks of the features. As of now, one phone compared to another comes down to basic specs and camera details for those who actually use all the different kinds of cameras that are available. Nobody is doing anything experimental; they just shove new SoCs and lenses into another rectangle and fling it out.

doublelayer Silver badge

Re: Every year is worse

“All too often, technologists solve problems by introducing additional layers of technology abstractions and disregarding simpler solutions, such as outreach and engagement,”

As a counter to that, sometimes we do that because not doing it is viewed as laziness, incompetence, or worse.

User: I loaded this file which starts as valid XML, then goes into complete corrupted garbage. The program crashed.

Programmer: [Idea: engage the user] Sorry about that, but this program doesn't handle corrupted files. In this case, could you repair the file and send that through?

User: You're just going to let your terrible code crash when it receives invalid input? How unprofessional can you get?

Programmer: Point taken. It's not great. I can do something to at least prevent a crash.

[One day later]

User: I put the corrupted file through today, and it doesn't crash anymore, but it doesn't work.

Programmer: What happens?

User: Nothing happens. It just ignores me.

Programmer: [Idea: user experience outreach] Can I watch how you're using it? [...] Why did you just close that message box? [...] Yes, but could we just take a look at the message to see if it's an error I have to fix? [...] See, it says the file is corrupted and needs to be repaired. So you need to repair it.

User: So you're just giving me the error message and making me deal with it?

Programmer: [Engage? Outreach? Options exhausted] Let me think about this and get back to you.

[Three days later]

Programmer: I'm thinking we should have a library which can parse truncated XML, present the user with a graphical structure document, and provide them a rich editor so they can repair data without modifying a file. Either that or an office in a different building and some code to intercept and delete emails.

doublelayer Silver badge

Re: Looking back (nothing to look forward to)

In honesty, those things are not gone, just less common. For the same reason, I often complain about the size of smartphones today as I'm in the group that liked the small ones, but you can still find those. The problem comes when you want all four of those together, and also long software support and someone else has ported other versions of Android to it, please. There won't be a perfect option and some compromises are unavoidable, but there are still options.

Depending on how you rank those desires, headphone jacks and SD card slots are quite common, just not on the most expensive devices. Look at the medium range and you're likely to find a device with both of those in at most five tries, probably fewer. Replaceable batteries are less common outside the very lowest end. However, you can still find at least some devices with those that aren't very weak. The most famous devices that fall into that category are the Fairphone and the Samsung Galaxy Xcover line, neither of which I have. If some of those things are more important than others, you can also look at companies that aren't as famous as phone manufacturers go.

Starlink bags US defense contract to keep war-torn Ukraine connected

doublelayer Silver badge

Re: No good deed goes unpunished

Read literally, it's still accurate. Musk demanded money to continue the service, and the demand has been met. That doesn't mean he wasn't within his rights to make that demand, which he was. It doesn't mean that the demand couldn't be predicted, which it could. All it means is that Musk asked for something and the Pentagon has given him what he asked for.

We can get into a debate about the connotations of the phrase and whether it implies that the demand is unreasonable, but as a statement of fact, it correctly explains the event that occurred.

This malicious PyPI package mixed source and compiled code to dodge detection

doublelayer Silver badge

Re: Why have pyc files in a package anyway?

You could, but that is likely to be detectable by code analysis. This exploit didn't do that and included the compiled version directly. I think the new policy should forbid that. Not only is it a security risk as I think this incident amply demonstrates, but it also loses all of the benefits introduced by new versions of the Python compiler, which can compile the same code to faster byte code. Most .pyc files are version specific, and while there's backward compatibility, there's a good reason they are usually recompiled instead.

Millions of Gigabyte PC motherboards backdoored? What's the actual score?

doublelayer Silver badge

Re: How do we defend against this? - Linux edition

I suggested the same thing, but that only works against a lazy implementation. If they were determined to push it, they wouldn't have to be blocked by encrypted volumes since, to boot them, you'll eventually enter decryption keys. The firmware could watch for them and then jump in to make edits before the kernel finished booting from them.

Implementing that would be quite a bit harder, and I wouldn't expect a company just trying to manage updates to do so. That doesn't make it impossible, though.

doublelayer Silver badge

Re: You missed a question.

"I don't expect that UEFI would be able to forcibly write this file to a local filesystem."

From other posts, it appears it's not trying to. However, it certainly could if it wanted to. The firmware has hardware access to the disks and has filesystem drivers for some of them. At most, someone would need to include a new driver in it if it doesn't have the one it needs, because the firmware cannot be blocked from accessing whatever hardware it wants. There's a bit of a space limit on most firmware partitions, which limits the size of the bootstrapped attack vector, but not such a small limit that it's likely to protect you if anyone did write firmware that bad.

doublelayer Silver badge

Re: You missed a question.

I'm not sure how that folder indicates any particular risk, given that you can run a system service from any folder. They could as easily write it to a user folder, anybody's, and run it just the same. For the same reason, they could write it into any Linux installation if they were willing to, but presumably they didn't compile it for Linux.

I wonder whether this works on encrypted OS disks, where the firmware doesn't have the keys to mount and write to them until the user enters a code. It could always insert the software after decryption occurs, right before booting that disk, but if it's running at the start, that might stop it. Either way, I can't imagine why someone at the design stage didn't explain how stupid this plan was, or more likely, what happened to those who did.

Amazon finds something else AI can supposedly do well: Spotting damaged goods

doublelayer Silver badge

Re: "it's 3x more likely to spot damaged goods"

So, your accepted outcomes are:

1. Near complete perfection.

2. Ridiculous false positive rate which causes complaints

3. The system must be entirely bad.

These seem to leave out a lot of options. Perhaps the three times better than a human deal is because, if they ask for 99% accuracy, they get too many false positives? Maybe my incredulity at your choices is because I'm having trouble seeing "three times better than a human" as a bad result. Sure, it would be nice if it never made a mistake, but it's a visual recognition task which is not deterministic.

For that matter, once it's built, the acceptable rate might have been if it was equal in accuracy to a human, because a computer with a camera running software you already have is probably cheaper than a human who also has a camera. Things that are three times faster or better at performing a task than I am tend to be rather useful things.

doublelayer Silver badge

Probably not, since it's just looking at the package it comes in, but it's not designed to do every task they have. It's just intended to reduce their costs from dealing with stuff that's sent back by people who are unhappy with its quality, and they want to catch the things that are likely to lead to such complaints. That isn't going to eliminate the existence of fraud.

That said, you could always train a new one on all the products that are typically sold and give it an x-ray generator so it can investigate the contents of packages. Why does this not sound like a good idea?

You might have been phished by the gang that stole North Korea’s lousy rocket tech

doublelayer Silver badge

Re: I wonder if

The attack method is kind of basic, but the rest of it isn't. They do a lot of research into their victims before they attempt to compromise them. They know a lot of information which can be used to convince them they're legitimate, and they do it to so many people that they have chances to practice.

I think we overestimate our own resistance to scams. We have technical knowledge to know about macros in Office documents, which is great, but it doesn't follow that we also have knowledge to detect scams in other areas in which we don't work. I've known people who were great at IT and did not understand finance or law, and if someone tried a scam that wasn't related to computers, they would be more likely to fall for it. It's not even limited to lack of knowledge, as successful manipulation of the victim's emotions can circumvent an otherwise skeptical person's brain. That includes both you and me, if the scammer is good enough at finding our weaknesses.

doublelayer Silver badge

Re: "Do not enable macros on documents received via email, unless the source is verified"

When that protocol was younger, it still contained all of that, but it didn't check any of it. I could open a connection to a mailserver, submit a message with any headers I liked, from any address I liked, with a long fake history if I pleased, and all that would be available afterward to try to track me down would be the IP address with which I connected to the first real server in the chain.

Nowadays, there are a lot of patches designed to prevent that from working, and most servers actually check those. However, it doesn't stop people from trying the old ways. I've run my own mailserver at times, although I don't now, and looking at what bots tried to do was instructive. Several types of attack were attempted, including many spoofed emails and some attempts to get my server to act as a relay for messages going to others. Fortunately, relay attempts were rejected and spoofed emails went to a separate mailbox for curiosity until I just sent them all to /dev/null. Still, not only can a mail client be manipulated to show an inaccurate source, headers can be spoofed if your server isn't careful.

Feds, you'll need a warrant for that cellphone border search

doublelayer Silver badge

Re: I think I get it...

Then follow the other branch of that if statement.

"RealLife perps on the run from the cops and actively being pursued rarely change vehicles (On the rare occasion that they do, the carjacking victim tells the cops EXACTLY what the new vehicle is"

In that case, any time spent on pulling over a car which isn't the type of car they're looking for is time wasted and people needlessly harassed. The original statement confirmed that they were testing every vehicle, hence they were not following that logic. I stated this already, so I see no reason why you think the point is as ridiculous as your reply implies.

"and they certainly never take the time to don theatrical makeup."

A better point, but if I was on the run from the law and made a career of it, I might try that approach; it seems it would have worked in this case, at least if the police use the same logic you do, which as the car example shows, may not be as certain.

doublelayer Silver badge

Re: I think I get it...

Original: "Fortunately the office looked in the car and based purely on a glance was able to determine that there was no need to question any of us"

Reply: Because they were looking for a Mexican national in a blue Ford pickup, and you were obviously pasty white Brits in a green Chevy sedan?

If that was the logic, that's terrible logic. If they're willing to use "Not the right kind of car" as a reason not to question them, then they don't need to pull over that car, do they? If they're willing to assume that the person they're looking for could have changed cars, then that part of your argument has no importance. As for the appearance of the person, there are a variety of time-tested ways to make yourself look different which actors have been testing for decades. You can't prove that one of those people was the person in disguise along with some compatriots who had provided the replacement car. Either the situation justifies pulling over every vehicle and questioning the occupants or it requires a more specific search pattern, most likely the latter. The anecdote they supply doesn't appear to have followed either.

NASA experts looked through 800 UFO sightings and found essentially nothing

doublelayer Silver badge

Re: Experts?

You just have to get a certification from a [person with access to a printer] I mean certified expert who tests your knowledge by [making sure you will back up any lies they say], sorry again, are knowledgeable about the subject matter including all the stuff the government doesn't want you to know, unless your subject is one of those which holds that the government is powerless when compared to some other shadowy conspiracy. Your certified examiner will be able to provide you with important study materials about the subject as well to provide you with more information you need to know. If you don't agree with those materials, you are free to do your own research for which all you'll need is a blank sheet of paper and some way to put writing on it.

Fortunately for you, I am a completely certified expert and examiner on all those topics and many others as well [at least I will be when I turn this PDF into a piece of paper]. Just send your topic of interest and registration fee and you too can be an expert.

doublelayer Silver badge

That's possible, but there are only so many entomologists. Most of the people walking by would not be one, so the chances that that particular nest would be found by an entomologist are rather low given how many nests there are. There's also the chance that the entomologist, having completed a long day's work studying some other ants, wouldn't look closely enough to determine that these were an undiscovered species and just walked past thinking that they already understood what was going on.

If we posit an alien species that has the travel technology to end up here, there are basically two situations:

1. There are a lot of planets with life on them, in which case why are we of particular interest to the aliens who have likely already seen plenty of them.

2. There are few, possibly only two, living civilizations in the universe, in which case how would the aliens discover our existence so quickly?

My only solution to either hypothetical is to admit that, if aliens show up, we were probably quite close to them or it happened by accident.

Ukraine war blurs lines between cyber-crims and state-sponsored attackers

doublelayer Silver badge

Re: Void Rabisu used RomCom against .. water, energy, and financial entities ..

Nothing says they have to be. If they infect an energy company but don't manage to get access to the infrastructure, they can still do a number of things. They could look at communications and impersonate people, they could get records of energy usage from the bills, they could make fake documents to try to confuse people, or they could take down the corporate systems and see if the IT department can get them back up before problems show up. It's not as big an effect as taking down the energy generation systems would be, and I'm sure they'll happily accept an exploit of those if they could, but that doesn't make it harmless.

Twitter now worth just a third of what Musk paid for it

doublelayer Silver badge

Re: The Seething is Real

"a monster like [person we previously all worshipped for building electric cars, LEO satellite internet, SpaceX, etc."

This is where you failed. Actually, you failed right at the start with Twitter being the most important platform, but I'm assuming that was mockery. Yes, some people did appear to have a cult of personality around Musk. I was not one of them. It always struck me as weird and off-putting, but at least I respected Musk for SpaceX, because I thought that was a good goal and at least he was managing to let others accomplish it. Not so much with Starlink, as whenever someone mentioned some of the problems with it, some Musk fan would come along to explain why nothing else could do it, the marvelous humanitarian advantages we wouldn't get, etc. And of course there were a lot of strong opinions about Musk from people who had strong opinions on electric cars, and those opinions happened to be direct mirrors of one another. I neither loved nor hated him consistently, although he's been doing increasingly more annoying things for many years before the Twitter fiasco, which isn't helping. Fortunately for me, I haven't used Twitter so it doesn't directly affect me if he breaks it. For those who do use Twitter more frequently, I can't blame them for being annoyed as someone trashes something they used to like.

doublelayer Silver badge

Re: Crazy valuation??

Frugality is still a good idea, because a person who has all the same things as the situation 1 guy but doesn't have debt is better than both. Frugality, though, can go to a level where it is harming you. To pick an obvious example, if you were so frugal that you neglected your own health, then you'll find out that repairing medical problems is a lot more expensive than preventing them.

My simplistic financial advice: avoid debt when you can because it's quite dangerous, but if things are bad enough, there are things that are even more dangerous. This leads to very different results based on your needs, income, and career potential, and some of it will be subjective. The same advice applies to companies as well; a company can refuse to spend on everything and have a nice balance statement for a while, but it's likely to cause problems as time goes on.

doublelayer Silver badge

Re: Crazy valuation??

"Surely if they're approaching break-even it's financially healthier?"

Not surely at all. Consider two situations:

Situation 1: You have a full-time job and you earn a nice salary, but you have expensive tastes and have spent a lot of money on stuff you didn't really need. As a result, you find yourself in debt in order to afford your living expenses.

Situation 2: You have no job but you occasionally find money on the street, and you've identified some places where food is quite cheap. So far, nobody has interfered with the cardboard box in which you live, along with your meager savings.

The person from situation 2 is not only breaking even, but is turning a profit. Their situation is not better than the person in situation 1. If something bad happens, the person in the first situation is much more likely to be able to handle that, and they're also more likely to be able to fix their debt situation than the other person is to consistently maintain those savings.

As this applies to Twitter, let's assume that somehow they are at a break-even position, which I doubt. They need not only to maintain that but to start turning a profit so they can pay for the things that allow them to keep existing. If they've reached their financial situation by cutting a lot of expenses, they run the risk that some of those expenses weren't as unnecessary as they thought, because if their systems fail, they will no longer be earning any revenue. Maybe they'll be able to run their systems on the payroll they have now and they'll continue to get advertisers to pay them, but if either of those fails, they may find that their break-even position has turned into a loss-making position when they weren't expecting it.

North Korean spy satellite launch ends in sea smash

doublelayer Silver badge

Re: "discovering concrete causes"

While the North Koreans do like unnecessary executions and have continued to carry them out with extreme frequency, part of the success they've seen is because the latest Kim is slightly less stupid than his father was. Previous technical failures resulted in several executions, which didn't exactly help people learn from their mistakes. They have significantly reduced that policy, which might explain why they now have missiles that appear to be usable whereas their missiles from the 2000s were quite unimpressive for a country that spends all its money just building weapons.

The FBI as advanced persistent threat – and what to do about it

doublelayer Silver badge

Re: Assigning Traffic To A Real Person Can Be Made Difficult.....

A lot of things that criminals don't find difficult are things that the rest of us find harder. Sometimes it's something immoral and we just won't do it, but that doesn't apply here. Two other problems apply in this case:

1. We don't particularly want to get punished by law enforcement, so we avoid doing stuff that's against the law even if we don't agree with the law unless we have an extreme objection to that law. If I obtained a fake piece of identification, that's a thing the police don't like, and I'd have to be in a pretty bad situation to take that risk.

2. Things that criminals have access to are not as easily available to non-criminals. I'm sure that there are markets where criminals can buy a number of things that aren't legal, but I'm unaware of how to find those places and to gain entry. I can find basic fake identification somewhere online if given enough time, but I'm not sure how much verification the countries that require it will do. If they do, then I might have to use a real identity that doesn't belong to me, and now we're looking more at the immoral category.

Fortunately, I don't live in a country that would require identification for that.

Seriously, boss? You want that stupid password? OK, you get that stupid password

doublelayer Silver badge

I think that most accents wouldn't be able to turn "thirty" into "three t", and "twenty" is even further. However, I've known a few people who for some reason swallowed the ending n from numbers ending in -teen, so that might even out the opportunities for miscommunication.

doublelayer Silver badge

Re: I wouldn't call it malicious compliance, but yes, I have a story

Do you have any level where it becomes the company's responsibility? If I bang on every door with a problem, a suggested solution, and volunteering to do it singlehandedly, how many people have to say no before it stops being my responsibility and you stop blaming me for the consequences of that problem? As the original poster indicated, they didn't even create the problem. I also assume that, had they attempted to fix the problem and introduced a new problem, you'd be blaming them for doing that when management hadn't approved.

Why do you jump to assuming that this person's failure to solve a problem that nobody cared about and they didn't create caused the demise of the company? It seems more logical to me to assume that the company's inability to work on the problem was a symptom of inept management which caused the collapse, something an individual tech, even if they took the initiative to fix everything above the complaints of management, couldn't solve.

doublelayer Silver badge

Re: Missing part

It was more of a generic example than what happened in this case, since I have almost no details. While there weren't many VPNs of the type we use nowadays, there could still have been more steps to access the login prompt than "telnet hostname". In addition, the stuff I suggested to check when you've logged in was still important in the 1990s, so it was still worth making sure the account worked as expected.

doublelayer Silver badge

From the article:

perhaps the MD knows enough about Unix to know that the password couldn't be all numbers, and that's why he cleverly said "oh" instead of "zero". That ought to stymie any would-be miscreants.

I'm not actually familiar with any such limitation, and it doesn't appear to affect my Linux machine now. However, if that was the case, the person setting the password should know the limitation and it wouldn't take long to figure out what the obvious answer is. Also, if I had been there, I would have assumed that such a simple password was the temporary password used to gain initial access, to be changed later by the user. I figure that, if they told me the wrong thing, they'll come back in ten minutes and say it doesn't work. If they don't, they probably got in and changed their password successfully. It's not as good as asking for clarification at the time, but I don't see following the dictation to the letter (pun originally not intended) as "screw[ing] them over". A reasonable worst case is that the director came back in a few minutes. The absolute worst case is that the new admin reset it a few days later.

doublelayer Silver badge

Re: Missing part

If the user was intelligent, they would have tried their account immediately. That's a good idea, not only to make sure that you dictated your password correctly*, but that your account has the stuff you need in it. Did the admin remember to add you to all the groups you need but didn't ask for? Does the server require SSH keys and the admin used one that used to be yours but isn't the one you want? Do you need to log into a VPN to access the server? You might want to know those things before the admin leaves. You do that on Friday, which means testing your password on Friday.

* Dictating things with a specific format isn't deterministic. If someone reads you some letters which are probably an acronym, do you capitalize them all? All lowercase? And of course there is a possible character pronounced "o", so you should always pronounce the other one as "zero". Whenever I'm reading passwords, I end up saying the case of letters a lot to avoid this problem. While I'd probably ask for clarification, there is one way of pronouncing the string "11o554", so anyone who understands passwords should know to be specific if they don't mean that.
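An added example, not part of the comment above: the two sides of the dictation problem in code. `spell_for_dictation` reads a password out so that every character has exactly one reading (digit names, NATO alphabet, and an explicit case word; these conventions are assumed for the example), and `candidate_passwords` does the reverse for a sloppy dictation, expanding tokens such as "oh" into every string the listener could legitimately have meant. The ambiguity table is a constructed one, not anything from the article.

```python
import itertools

# Assumed conventions for this example: NATO alphabet for letters, digit
# names for digits, and an explicit case word in front of every letter.
NATO = {
    "a": "alfa", "b": "bravo", "c": "charlie", "d": "delta", "e": "echo",
    "f": "foxtrot", "g": "golf", "h": "hotel", "i": "india", "j": "juliett",
    "k": "kilo", "l": "lima", "m": "mike", "n": "november", "o": "oscar",
    "p": "papa", "q": "quebec", "r": "romeo", "s": "sierra", "t": "tango",
    "u": "uniform", "v": "victor", "w": "whiskey", "x": "x-ray", "y": "yankee",
    "z": "zulu",
}
DIGITS = ["zero", "one", "two", "three", "four", "five", "six", "seven", "eight", "nine"]


def spell_for_dictation(password: str) -> str:
    """Render a password so that each character has exactly one reading."""
    words = []
    for ch in password:
        if ch.isdigit():
            words.append(DIGITS[int(ch)])
        elif ch.lower() in NATO:
            case = "upper" if ch.isupper() else "lower"
            words.append(f"{case} {NATO[ch.lower()]}")
        else:
            words.append(f"symbol {ch!r}")  # e.g. symbol '!'
    return ", ".join(words)


# Constructed table of what a listener could reasonably take a sloppy token
# to mean: "oh" might be the letter o, the letter O or the digit zero.
AMBIGUOUS = {
    "oh": ["o", "O", "0"],
    "o": ["o", "O", "0"],
    "el": ["l", "L", "1"],
    "eye": ["i", "I", "1"],
}


def candidate_passwords(spoken_tokens):
    """Expand a dictated token list into every password it could denote."""
    choices = []
    for tok in spoken_tokens:
        tok = tok.lower()
        if tok in AMBIGUOUS:
            choices.append(AMBIGUOUS[tok])
        elif tok in DIGITS:
            choices.append([str(DIGITS.index(tok))])
        elif tok in NATO.values():
            letter = next(k for k, v in NATO.items() if v == tok)
            choices.append([letter, letter.upper()])  # case not stated
        else:
            choices.append([tok])
    return ["".join(p) for p in itertools.product(*choices)]
```

Run against the string from the post, "11o554" spells out as "one, one, lower oscar, five, five, four", while the lazy dictation "one one oh five five four" leaves three candidates for whoever types it in.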

Windows XP activation algorithm cracked, keygen now works on Linux

doublelayer Silver badge

Re: DO NOT go on the Internet with XP

It's perfectly capable of sending on some network traffic as a proxy, DDOS bot, or C&C link. It's likely terrible for cryptomining and may not have access to sensitive data. If it's part of something important, it could be a great thing to attack with ransomware because, if it's not firewalled off, it indicates the user probably isn't backing up anything.

Probably some types of criminal would turn their nose up at it, but there are still some cases where it's worth attacking.

doublelayer Silver badge

Re: Plan B.

Yes, you can do that. The most common reason why sites don't load anymore is to do with encrypted connections, which are very common. Old browsers may lack support for the later TLS versions, may have outdated certificate management, or both. That's pretty easy to intercept and handle transparently.

The reason that we don't go farther than that is that there's relatively little in it. It would allow you to browse on nearly any hardware, but only by getting some other hardware and manually configuring it. In many cases where that would work, it's often easier just to use the new hardware for the internet and either replace the old hardware or just use it for whatever purpose has caused you to keep it around.

It also doesn't make browsing completely safe. It would put an extra firewall on any exploits that use a script to try to interfere with the host, but the browser sandbox, while flawed, is frequently tested and patched in that respect anyway. You could accomplish the same thing by refusing to run any scripts, and your proxy will have similar problems; either a malicious script will be unable to affect the system, or it will be able to affect your proxy from which it can do the same things it could do on the local device. The more common security risks while browsing are either something a human typically filters, such as whether this site is the kind of place you want to enter sensitive information, or privacy-related, such as whether you're sending a copy of everything to an advertiser. A proxy can't deal with those any more than a local program can.

doublelayer Silver badge

The USB path wouldn't be fast, but it would take several hours (ideally about 4.5, but I'm willing to double that). That could be completed overnight. I wonder whether installing and activating Windows by phone is really a shorter process. Also, if you want to go faster, does that machine have an ethernet connection? That is probably faster.

BOFH: Get me a new data file or your manager finds out exactly what you think of him

doublelayer Silver badge

Alternatively, the file is obfuscated and possibly encrypted, the provider is contractually obliged to make the file, and the contract may even have a clause that says that the customer must not alter files that the provider is responsible for. Can someone break the format and change things? Probably, with some effort, because it's relatively unlikely that the provider has encrypted it asymmetrically. It's still probably more complicated than opening an XML file with clear names and changing a value. While this is a fictional scenario, the possibilities I mention aren't outlandish. People have tried to lock clients in by making a weird file format and providing the only access methods since selling software to others became a thing.
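An added example, not part of the comment above and not the column's scenario: why "obfuscated" or symmetrically protected data files don't keep a determined customer out. Here the provider appends an HMAC over the file body, and the client program carries the key so it can verify files before loading them. The file layout, key and field names are all invented for the example. A byte-level edit fails verification, but a customer who has pulled the key out of the client binary can edit the records and produce a file the client accepts.

```python
import hashlib
import hmac
import json

# Hypothetical: the key the provider compiled into the client so it can
# verify data files. Anyone who can run the client can also extract this.
CLIENT_EMBEDDED_KEY = b"provider-key-compiled-into-the-client-binary"


def write_data_file(records: dict, key: bytes) -> bytes:
    """Serialise records as one JSON line followed by a keyed SHA-256 tag."""
    body = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"\n" + tag


def read_data_file(blob: bytes, key: bytes) -> dict:
    """What the client does on load: reject any file whose tag doesn't match."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("data file failed integrity check")
    return json.loads(body)


def naive_edit(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Editing the bytes directly: the tag no longer matches."""
    return blob.replace(old, new)


def customer_edit(blob: bytes, key: bytes, field: str, value) -> bytes:
    """Editing with the key recovered from the client: re-tag and it passes."""
    records = read_data_file(blob, key)
    records[field] = value
    return write_data_file(records, key)
```

The asymmetric alternative the post alludes to would have the client hold only a public key and the provider sign each file with the private one; then extracting what is in the client buys the customer nothing, which is exactly why a provider who wanted a real lock-in would have to go that far.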

I've experienced this firsthand. I have used a few different programs which were intended to write music data and lock data into their own proprietary formats. Some of these pieces of software could export to some kinds of data (one could give you an audio file, one could export a limited subset as MIDI, and both could produce printed scores), but neither made it possible to export all the data you had entered in a standard format that could be used in another piece of software. The one that agreed to export MIDI would give you notes, but dropped several important types of data which would take about as long to recreate as manually rewriting the whole thing would take. I don't think either format was locked down too much, but manually reverse-engineering the formats would take a lot of time and testing.

doublelayer Silver badge

Re: What you're missing is that they're _right_.

While most of those are reasonable, they're generic and may easily fall into the categories of request that aren't feasible.

For example: "I want my applications to spin up and work, every time." Great. Everybody wants that. Let's assume we have the people who wrote those applications and those who administrate them all here trying to improve things. There's still no information about what happens when they don't work correctly, which means it's much harder to fix the problem. Sometimes, the errors people report are things that can easily be fixed by patching the code. Sometimes, they can easily be fixed by changing the configuration. Sometimes, they're the user failing to process something and either invoking the software in an incorrect way or not dealing with a message the software generated. We can't know which of those categories applies without specifics, and if it's the latter, it is likely either impossible to fix or is more efficient to train the user on correct operation than introduce more code. This is a question the IT department has to work with the users to answer, and it has to be a polite problem-finding attempt from both sides. I've been part of this as a programmer, and I've found plenty of cases where the code is at fault and many others where the user is. This is, of course, if you have the programmers available. If they work for another company, you may not be able to make them change the code, and if they have a lot of users, you may not be able to get them to change the code for a use case that's specific to you. The IT department may not be able to handle each request.

Here's one that tends to work out worse: "When you make changes to how I do my job, I want that change to make my job easier, not harder." I'm sure you have had some changes which made your work much harder and weren't necessary. The problem is that a lot of users use a request like that which, in their mind, means "I'd like there to be no changes at all". That includes things that introduce needed security, such as the change from every resource being open to the internet with simple authentication to having a VPN. In the four-level example you provided, I can see why that would become a usability issue (though I doubt you have that many levels), but some users will complain with the introduction of a single one. At some point, the user's aversion to change has to be balanced with the benefits created by the change. Some changes will introduce more steps to the user and are still necessary. If we could eliminate everything that annoys people, we'd have lots of money from users who never had to deal with annoying systems again. If I were one of those people, I'd use that money to build great hiding places for when that all collapsed, because the systems can't be infinitely easy without compromising on other important aspects.

doublelayer Silver badge

Re: would resist any change to get it removed,

It fits what you wrote pretty well. When is it reasonable to make someone adopt new software, with the added burden of figuring out the new process? This depends on the primary focus of the company. If they're focusing on short-term productivity, that likely means that they don't want to stop using the old tools unless they absolutely have to. If they're focusing on long-term productivity, they may be happier to replace something that's not completely broken yet. If they're focusing on employees' wishes, the decision might come down to the specific employee's willingness for change and displeasure with the options rather than the productivity difference. If they're focused on other things as listed by the post that replied to you, they may make the decision based on whether either option has more security, whether one is cheaper, whether one improves efficiency, etc.

Every company has a different approach to how they'll handle situations like this. It often comes down to personal decisions combined with the primary goals of the directors.

Neuralink says US OKs human experiments with Elon's brain chips

doublelayer Silver badge

Re: Will it work the other way?

Much closer to downloading than to uploading. Someone is running those systems you could be uploaded to, and I'm guessing their spam prevention system will be pretty strong unless they're owned by a social media company, in which case you will no longer own yourself after uploading.

Why you might want an email client in the era of webmail

doublelayer Silver badge

In the author's defense, I do know a lot of people who do exclusively use webmail. They're not working in IT or IT-adjacent fields, and somehow they manage with it. Generally, these are the kind of people who don't understand the privacy implications of always being logged into a Google account while browsing and often don't care when I tell them about them, so it's not the only point where their priorities and mine diverge.

That's only for their personal email, as most of them are using Outlook at work because that's what the IT guy installed. I haven't seen many Google-focused setups, but I wonder whether people who have Google instead of Microsoft managing their general applications (Docs instead of Office, whatever the videochat thing Google does now instead of Teams*, GMail instead of Office365 email) are using the webmail interface more often.

* More companies use something other than Google or Microsoft for the video calls and chat system, but very few step outside that set for word processors, and unless it's quite a big company, the email systems are quite common.

doublelayer Silver badge

Re: Not bad, not bad at all.

"And just as a general remark. Since we seem to have more and more applications that work on the FF base, would it not be an idea to make it a code base with extensions for e.g. Firefox, TB, Zotero..?"

I don't think it's worth doing for a few reasons. It leads to a lot of clashes between the projects. For example, there are licensing problems. Zotero uses AGPL, while Firefox and Thunderbird use the MPL. If you merge them, somebody is going to have to change their mind, and they don't want to. Depending on how you merge them, you might also end up including more stuff for one program in the main codebase, and users who don't intend to run it would actually end up using more space for the combined program than they would for the subset they're using. I have Firefox and Thunderbird here, and I have Kiwix which is also based on XUL, but I don't have Zotero or, as far as I know, anything else XUL-based here.

The closest you could get is separating out the application from the common components, including XUL and Gecko. The first application to be installed installs those common components, and any subsequent application looks for and links with them. That would work, but as with any other platform, it introduces some dependency. If someone uses the ESR version of Firefox and the non-ESR version of Thunderbird, which one picks which version of the components is going to be used? Do you trust that Mozilla has kept all versions perfectly backward compatible or that the new version probably doesn't use anything that new? The most likely outcome is what happens with Java or Python. An installed application checks for the version it wants, if it's not there, it gets installed, then nothing does a great job of removing the old versions because theoretically something else might be using it, and now you have nine JREs.

With this set of problems, I'm afraid I do typically conclude that using a bit more disk space is the easiest way to guarantee that it all works well. In a disk-constrained environment that for some reason uses all of these applications, one could manually verify the versions that share a library and link them all to the same copy of that, but I don't know when that would be worth the effort.

doublelayer Silver badge

I also find most webmail interfaces to be basically usable if all you want to do is look at some messages and send one, but not so good if you want to search or process them in bulk. The other reason I use a mail client is it makes things much simpler if you have multiple email accounts, and I have quite a lot of them.

PyPI subpoenaed: US govt demands data on developers

doublelayer Silver badge

Re: Curious About Other Sources For Python Packages

Basically, yes. They're created by your distro's package maintainers. Those maintainers are an extra layer between you and the source, but who knows where they're getting the source from. Probably they're just using the original repos for the libraries, and if those sources are compromised and they're not aware, those packages could also be attacked. That's true of any other packages those maintainers allow through as well. Responsible distros have maintainers who do a lot of checking on such things, which probably indicates that the packages they allow are better than unverified ones, but probably does not mean certainly.

However, the ones installed by default are likely to be the much more common packages which are more rigorously checked for changes and secured from replacement. The more dangerous ones tend to be the ones that are created by one person, meaning that if an attacker gets the access necessary to embed some malware, that person is less likely to detect quickly that it has happened. Other Python packages are certainly in your package repositories, and those may not be as secure.
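An added example, not part of the comment above: one concrete check that covers the "package replaced after it was vetted" case the comment describes, whichever index the artifact came from. It parses pip's `--hash=` pin syntax (the format `pip install --require-hashes` consumes) and verifies a downloaded artifact against the digest recorded when the package was reviewed. The requirements text and the two artifact byte strings are constructed for the example; the package name is invented.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Tuple

# pip accepts several --hash options per requirement (one per wheel/sdist).
HASH_RE = re.compile(r"--hash=(sha256|sha384|sha512):([0-9a-f]+)")


def parse_requirements(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map 'name==version' to its (algorithm, hexdigest) pins.

    Handles pip's backslash line continuations and comment lines."""
    pins: Dict[str, List[Tuple[str, str]]] = {}
    for logical in text.replace("\\\n", " ").splitlines():
        logical = logical.strip()
        if not logical or logical.startswith("#"):
            continue
        spec = logical.split()[0]
        pins[spec] = HASH_RE.findall(logical)
    return pins


def verify_artifact(spec: str, data: bytes, pins: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True only if data matches one of the digests pinned for spec.

    A spec with no pins at all is treated as failing, the same way
    --require-hashes refuses an unpinned requirement."""
    for algo, digest in pins.get(spec, []):
        actual = hashlib.new(algo, data).hexdigest()
        if hmac.compare_digest(actual, digest):
            return True
    return False


# Constructed stand-ins: the sdist as reviewed, and the "same" version after
# someone with the maintainer's credentials re-uploaded it with a payload.
VETTED_SDIST = b"somelib-1.2.3.tar.gz: clean build as reviewed by the packager\n"
TAMPERED_SDIST = VETTED_SDIST + b"# setup.py now also fetches a second stage\n"

# Generated once, after review, and committed alongside the project.
REQUIREMENTS = (
    "# install with: pip install --require-hashes -r requirements.txt\n"
    "somelib==1.2.3 \\\n"
    f"    --hash=sha256:{hashlib.sha256(VETTED_SDIST).hexdigest()}\n"
)
```

A distro maintainer does a more thorough version of the same thing when packaging an upstream release; the pin file is what lets an individual project get the "was this the thing we looked at" property for packages that no distro carries.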

Microsoft finally gets around to supporting rar, gz and tar files in Windows

doublelayer Silver badge

What makes you say that? I've just put some files in a password-protected zip archive. If I try to open one, I'm asked for the password. If I try to extract it, I'm asked for the password. In both cases, when I enter the right password, it decrypts it and opens as expected. What problems did you notice?

doublelayer Silver badge

Some protocols did support compression, but doing that means that the uncompressed data takes up more space on the server and requires extra processing every time someone downloads it. If it's not going to be accessed or modified by the server other than to send it to you, there are advantages in compressing it once and just sending that compressed version, even if the speed doesn't change.

Also, it isn't guaranteed that the speed would be the same. Compression can be set up to compress as much as possible, which is slower, or to compress at a certain speed. If the compression speed was lower than the network speed, as would be the case with an old CPU or one that's serving a lot of connections, it would either slow down your connection to wait for compression to complete or make the compression less efficient so that it could send as fast as you could receive. Either way, that would be slower than compressing once and just sending you that.

I've seen this in practice when I was compressing a disk image to send it over a network. The image was certainly going to get compressed because a lot of it was empty space or very compressible text files. I originally set the compression level rather high, and this was running on an ARM chip, and not a particularly fast one. It took hours to compress that way. Meanwhile, the destination for the data was on a local network, so it would have been pretty fast to just send it. I ended up lowering the compression level to optimize the time spent compressing and the space the file would eventually take, a tradeoff that any server eventually has to make.
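An added example, not part of the comment above: the tradeoff the comment describes, measured rather than estimated. It builds a constructed stand-in for a disk image (mostly zeroed blocks with some config text scattered through), times zlib at a few compression levels, and then picks the level that minimises compress-once-then-send time for a given link speed. The sample data and the link speeds are made up; the timings are whatever the machine running it produces.

```python
import time
import zlib
from typing import Dict, Tuple


def make_image_sample(size: int = 2_000_000) -> bytes:
    """Constructed stand-in for a disk image: zero-filled blocks with a
    config file every seventh block. Not real data."""
    zero_block = b"\0" * 4096
    text_block = b"[unit]\nDescription=sample\nExecStart=/usr/bin/true\n" * 80
    out = bytearray()
    i = 0
    while len(out) < size:
        out += text_block if i % 7 == 0 else zero_block
        i += 1
    return bytes(out[:size])


def compare_levels(data: bytes, levels=(1, 6, 9)) -> Dict[int, Tuple[float, int]]:
    """Return {level: (seconds to compress, compressed size)} per level."""
    results = {}
    for level in levels:
        start = time.perf_counter()
        packed = zlib.compress(data, level)
        elapsed = time.perf_counter() - start
        if zlib.decompress(packed) != data:  # same image whatever the level
            raise RuntimeError("round trip failed")
        results[level] = (elapsed, len(packed))
    return results


def pick_level(results: Dict[int, Tuple[float, int]], link_bytes_per_second: float) -> int:
    """Level with the smallest total of compression time plus transfer time
    for a single compress-then-send, which is the case in the comment."""
    return min(results, key=lambda lvl: results[lvl][0] + results[lvl][1] / link_bytes_per_second)


if __name__ == "__main__":
    sample = make_image_sample()
    measured = compare_levels(sample)
    for lvl, (secs, size) in measured.items():
        print(f"level {lvl}: {secs:.3f}s, {size} bytes ({100 * size / len(sample):.1f}%)")
    for link in (1e6, 1e8):  # roughly a slow WAN and a gigabit LAN, in bytes/s
        print(f"best level for {link:.0e} B/s link: {pick_level(measured, link)}")
```

On a fast LAN the cheapest level usually wins because the extra bytes are cheap to move; on a slow link the higher level wins because the bytes saved cost more to send than they cost to squeeze out. A server that compresses on every request is making this decision per connection, with whatever CPU it has left.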

doublelayer Silver badge

Re: Advantage of 7-Zip

The file names may be important as well. If you're encrypting the contents, you may not want to rename the files to hide what they are, but leaking that metadata could be undesirable. That's in addition to the risk of replacing a file with an unencrypted substitute. Nothing is foolproof, but it's usually safer to encrypt a lot rather than leave a few things out on the assumption that nobody will care.
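An added example, not part of either comment, covering the password-protected zip from the earlier comment and the metadata point in this one. Python's `zipfile` reads traditional PKWARE ("ZipCrypto") archives but cannot write them, so the block builds one by hand (stored entries, encrypted with the standard key-update stream cipher) and then uses the normal library to show what leaks: every file name and size is readable by anyone holding the archive, while the contents need the password. The archive contents, names and password are constructed for the example.

```python
import io
import os
import struct
import zipfile
import zlib

# Standard CRC-32 table, used by the ZipCrypto key schedule.
_CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    _CRC_TABLE.append(c)


def _crc_byte(crc: int, b: int) -> int:
    return (crc >> 8) ^ _CRC_TABLE[(crc ^ b) & 0xFF]


def zipcrypto_encrypt(password: bytes, plaintext: bytes, check_byte: int) -> bytes:
    """Encrypt the 12-byte header plus data with the traditional PKWARE cipher."""
    k0, k1, k2 = 0x12345678, 0x23456789, 0x34567890

    def update(b: int) -> None:
        nonlocal k0, k1, k2
        k0 = _crc_byte(k0, b)
        k1 = ((k1 + (k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        k2 = _crc_byte(k2, k1 >> 24)

    for b in password:
        update(b)
    # 11 random bytes, then the high byte of the CRC so readers can reject a wrong password early.
    header = os.urandom(11) + bytes([check_byte])
    out = bytearray()
    for b in header + plaintext:
        t = k2 | 2
        out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
        update(b)
    return bytes(out)


def build_encrypted_zip(password: bytes, files: dict) -> bytes:
    """Write a zip whose entries are stored (no compression) and ZipCrypto-encrypted."""
    dos_date, dos_time = ((2023 - 1980) << 9) | (5 << 5) | 1, 0
    local, central = bytearray(), bytearray()
    for name, data in files.items():
        crc = zlib.crc32(data) & 0xFFFFFFFF
        body = zipcrypto_encrypt(password, data, crc >> 24)
        nameb = name.encode("ascii")
        offset = len(local)
        # general purpose flag bit 0 = encrypted; method 0 = stored
        local += struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, 1, 0, dos_time, dos_date,
                             crc, len(body), len(data), len(nameb), 0) + nameb + body
        # the central directory, including every name and size, is never encrypted
        central += struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, 1, 0,
                               dos_time, dos_date, crc, len(body), len(data),
                               len(nameb), 0, 0, 0, 0, 0, offset) + nameb
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, len(files), len(files),
                       len(central), len(local), 0)
    return bytes(local + central + eocd)


def names_without_password(blob: bytes):
    """Anyone holding the archive sees names and sizes; no password involved."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def read_entry(blob: bytes, name: str, password) -> bytes:
    """Contents do need the password (RuntimeError without it or with a wrong one)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name, pwd=password)
```

The point for the comment above: an entry called `layoffs-q3.txt` tells the reader something even when the bytes inside are unreadable. 7-Zip's `-mhe=on` switch encrypts the archive headers in .7z files so that the name list is protected as well, which the zip format as used here cannot do.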

Lenovo Thinkpad Z13 just has this certain Macbook Air about it...

doublelayer Silver badge

Re: Working as designed?

I don't really think Microsoft would care that much, although I disagree that people wouldn't buy the product. They'd likely want a laptop enough to buy it anyway and they'd just speculate about the potentially malicious code in that recovery firmware which they can't see or change. If someone wanted to complain about Microsoft, it would be one more thing in their list, similar to how some people complain about Secure Boot even though Microsoft didn't write that.

The reason I bring it up is that Liam is, as many have pointed out, an advocate of open source software and of user control of systems. This is usually the kind of person who would not be pleased with closed-source firmware, so in my first comment, I assumed that he was trying to ask for something else and I was misunderstanding. Now that he has stated that I understand him correctly, I just find it surprising that he has that opinion and wanted to explain to anyone else who might share his collection of views what the request would actually look like if implemented.

I take a different view in most respects. I like open source software, but I don't tend to view Microsoft as evil or incompetent. However, I don't want them to have recovery firmware on all computers. I appreciate that the typical X86-based computer boots to whatever disk I've put in based on an open and configurable firmware setup. If the cost to that is that it can't automatically recover if I destroy my firmware partition, I can deal with that. In addition to the security concerns, I also don't have confidence that that recovery environment will handle all the different ways someone might choose to boot their computer, and as a person who sometimes has unusual configurations, I'd rather have to clean it up if I destroy it than to have something automatically clean it up when it might be working as expected.

All Microsoft Surface Pro X cameras just stopped working

doublelayer Silver badge

Re: Certificate!

I've never seen that before. What model of phone was it? That's a pretty good reason to run away from the manufacturer if other ones aren't doing it.