Posts by doublelayer

Re: Where were the grown ups ?

It depends on your jurisdiction and specific laws, but in some, law enforcement can demand encryption keys, punish you if you don't give them, and report your delay in giving them as evidence of your guilt. In some jurisdictions, destroyed evidence can't be assumed to be against you, nor is it evidence of obstruction unless they can prove that it was against you or that you had been given a legal order not to destroy things before you did. If there's any jurisdiction with both of those, this could theoretically be better. However, in that place, a normal encrypted drive and an emergency drill to destroy it would still be better.

I would suggest never, since all you need to do to get data without it self-destructing is not push the button. Anyone who gets physical possession of one of these before the user pushes the button won't need to disassemble it. They'd just need to plug it in and copy away. If the button works, then anyone who gets possession only after the user pushes the button will likely disassemble it but, doing so won't help. The only reason why disassembly would help is if the button doesn't actually self-destruct the drive.

Re: Life forming

There are a lot of games, and while many, and several that are very popular, take the form of how can you shoot the thing that's trying to shoot you, there are ones that do have puzzles and problem solving. I don't play many of them, but I hope they do a better job than the average text adventure and think it's likely they did.

I too played many of these as a child, but I had a different experience to you. A few of them did have all the things thought through and could take multiple paths, whereas many others were far more limited. I remember many games that would require you to use completely illogical things because you could only break a window with one specific object and they would simply reject any other method you tried, when in real life we know there are many objects that can be used to break window glass. At other times, they taught monotony. I experienced several games where, if you saw a table, you had to enter "search table, search under table, search behind table, search in table, search in table drawer, search under table drawer, search behind table drawer", with a healthy chance that none of those would give you anything, just because there would be one piece of furniture where one of those seven incantations would give you something necessary to winning. This kind of had the opposite problem to the "you can't break the window with the stone statue" problem because that's a realistic difficulty for conducting a real search, but it also made some operations more tedious. That also happened a lot when you had to get information from a character, because you needed the specific topic to ask them about before they'd mention anything.

Don't get me wrong, I played so many of these because there were some really nice and enjoyable ones. Unfortunately, I gave up on playing more because I had this happen far too often and had several games where I either couldn't find the way to keep going or needed to cheat to do so, and knowing that there's half a story left if I can only find the object that can break a window, but it's none of this collection of heavy objects I've already collected, was frustrating.

Re: But How Is It Damage?

Would you like me to run untested code on your computer safe in the knowledge that, since I don't know any guaranteed ways to make it catch fire, I can't damage it by your definition, or might you be a little worried that I can break all sorts of things by doing so? And if I break some things, that would be damage. It's just that, since it wasn't the hardware, it's damage you can repair. You made up the hardware-only definition for damage, it is wrong as you can easily damage software and data, and practical demonstrations of that are easily obtained.

Re: Focus, people

Because none of the nine examples they linked to were wrong, and all had some effect. We could compare them to other types of attacks which have had larger effects or happen more frequently, and The Register does cover other types of attacks regularly. But this article was about an insider threat and they are able to demonstrate that they can and do happen, thus you might want to do something about it. That's not over-selling them, it's accurately reporting news.

Another disconnect between your comment and the reality might be in this part:

"proper implementation of 'Zero Trust' is going to limit what damage an insider can actually achieve."

And this might be a reason for a place that hasn't implemented enough controls on internal behavior to do so, because without a proper implementation, any threat, be it an insider or a compromise, can be much worse. The textbook version of such a policy is also limited by reality in a few ways, meaning that even when policies have been created, there are usually a couple gaps in them which would be good things to know about at least.

Re: "Questions such as the syntax for a particular command "

Something in between would be best. Written by humans so there aren't inaccurate parts, but I want something a little more informative than fitting the list of parameters onto one screen and cutting out as many words as possible so they fit. The typical format in reference pages is more to my liking. I find many man pages to look helpful but not provide enough information. The XKCD man page is far too close to real ones for comfort.

Re: Er...

You do know that the "they" in the sentence you quoted was talking about CrowdStrike, not Microsoft, who weren't the they in any sentences in that comment. And that, while CloudFlare does handle lots of DDOS attacks, that's not related to what they were doing this time? Your comments are not making much sense in context, and devoid of that context appear to simplify to "Programs should just never have errors" which is a very nice option if you can make it happen.

Re: Yikes! Can we afford to stay here?

Unfortunately, you moved from the third lowest province in Canada for electricity rates to the third-highest state in the US for electricity rates. The difference isn't national. States in the US close to British Columbia also have low rates and for the same reason because they're sharing a lot of the hydroelectric power, either by using the same rivers or sometimes by sharing the power plants too. Massachusetts, on the other hand, has a bunch of natural gas plants and shut down most of the rest of it, including old nuclear and coal plants, so they are also importing a lot of their electricity from other states.

Re: Ideological crash. Rust is well named.

And the source for the Rust change being responsible for or even involved in this is where, exactly? Or might that be your religious objection to it? They've got a description of the cause up now. Maybe you'd like to read it before deciding whether to continue with this argument.

They can. If Manchester was the only problematic area, they would have. The problem was that all the nodes weren't working in the same way, so sending you away from Manchester wouldn't have solved the problem, just showed you a different city being down.

Re: How long until it all goes FUBAR?

When was the last time the internet went down for a long time before it came back up, and did that affect everything else? Because from my experience, the answers are never and no. Stuff goes down. Unfortunately, a lot of services run on a small number of providers, and that means that small problems make big outages. But that doesn't tend to be a complete collapse of communications in an area. When one ISP fails, the others tend to still be working, and since I have both a wired connection and a mobile internet plan through different providers, at least one of them is likely to be working unless there's a widespread power issue. I have tons of systems through which I can communicate, from email (colo-hosted), Signal (AWS-hosted), Teams (Azure hosted), Google services (Google Cloud hosted), Jitsi (self-hosted in my house), and phone calls. I have never seen an outage that would take them all down.

And, when there are outages, they get fixed. If I can't talk to someone for a few hours because some system is in the way, that's probably not an emergency. None of these outages have tended to affect the things that really are emergencies. To have anything like what you're describing, you would need system failures that spread, even though that's not how tech failures tend to go, and you'd need nobody fixing them even though the companies that make the services need them running to make their profits and thus hire hundreds or thousands of people to fix them in that situation. The situation you describe could happen if there was a concerted attempt by attackers trying to break everything, but even that would likely be harder than you'd think and, if they were doing that, it would almost certainly be as part of an invasion which would be the bigger concern than not being able to call your friends.

Your amateur radio system is not much different. If you're using anything short-range, then you're likely relying on repeaters to get your signal to someone you want to talk to because otherwise you're only slightly longer range than a big megaphone would be. If power fails for those repeaters, you're disconnected from anyone not in line of sight distance. If you're using HF, then you have more ability to communicate directly with the person you want, though you will also need a lot more power at either end for that to work and I question whether you're operating backup generation for high-power HF transmission.

It's not enough text for me to take a guess. The repetition of "spike in traffic" does sound unnatural, so maybe that suggests LLM usage, but since it's three sentences whose only purpose is "We're fixing it, then we'll debug the cause", I don't really know or care how they generated them.

Re: Funny The Register Could Not Stay Up

That would depend on what business you were in. Let's take two hypothetical businesses and see how it would work for them. Our other alternative involves a couple million in expenses:

Stock trading platform:

Cost of being down for two hours: People who must trade now can't. The price changes significantly, so they lose an opportunity. Possible lawsuits, possible rich clients taking their valuable business elsewhere.

Is that higher than 2M currency: Yes.

Do they have backup: Yes.

Tech news website:

Cost of being down for two hours: People who want to read articles have to read them in the afternoon instead of the morning. Maybe a few of them go to some other tech site and read articles there instead, costing you fractions of a penny in advertising revenue you'll never get back, probably less than the amount of ad revenue they didn't get because I've got an ad blocker enabled.

Is that higher than 2M currency: No.

Do they have backup: No.

If your business loses a lot when you're offline, then you need more backup, and surprisingly enough, that's exactly what we see. A lot of online businesses don't lose much if they go offline occasionally as long as people don't expect it to happen very often. At that point, you do want your solution to be economical, because if implementing the ability to switch to something else, switching to it, and using it through the gap costs more than just letting the outage roll through, they'll do the latter. But, if you can make the alternative economical, more people will use it.

Re: Single point of failure

That's an approach we could take. Just wondering, who are your neighbors and do you think any one of them might have committed the smallest of criminal offenses? You see, I really don't like speeding, I consider that terrorism, so I'm planning to drop a bomb on your neighborhood if one of them broke a speed limit. That's not going to cause any problems for you, right? Oh, in case we live in different countries, would you mind telling your government that yes, this does look like a very overt act of war, but it is just normal law enforcement now and they should feel free to drop bombs on anyone over here they think committed a crime?

Re: Single point of failure

Let's ignore the obvious implementation problems like not knowing who installed malware on the computers that are doing the attacking. I'm sure that, at great expense, we can take all the law enforcement people who investigate technology-related crime away from their investigations of ransomware and financial theft and crypto scams and put them on to investigating botnets that are DDOSing a technology blog, and then we'll find the culprits. Problem solved.

But are you really advocating the technique of treating a comparatively minor crime as terrorism because we don't like it? What would your opinion be when that got only slightly modified to be a crime you don't think should be a crime, like accessing a site without submitting your identity information as required by the Online Safety Act? Some people probably think that can be treated as terrorism too. Are you willing to go along with that? If you're not, and if you are we have much bigger problems, then this is not an acceptable replacement. DDOS is annoying and should be treated as a crime, but it is not terrorism.

Re: Single point of failure

You have an excellent way of insulting everybody. Of course, you clearly intended to insult everyone except infra admins, but you're also insulting them. Do you actually expect that a single infra person can be hired for £24k per year (I'm assuming pounds because $24k or €24k would be lower) and can fix all the problems you would have when CloudFlare goes down if you had originally decided to put them in front of your main systems? Those I work with cost more and have to plan a lot more ahead, including buying other expensive infrastructure in order to do that. You say nothing about how expensive having the infrastructure for that admin to manage would be, since a server swamped by everyone's requests now that there's no CDN to handle it isn't going to be much different from one that can't be reached.

Most businesses that lose millions if their connection goes down for a few hours do have redundant paths, and it costs them a lot more than that to have it. A lot of the internet doesn't have that business model. For example, how much do you think El Reg's outage with CloudFlare's wobbling cost Situation Publishing? A lot of readers would just come back later anyway. That even goes for many companies that involve lots of money. For example, if a video streaming service went down, they've already got subscriptions. Unless it happens so often that they lose subscribers, their customers feel the pain and they don't have a reason to care, and since they can blame CloudFlare this time, they have an excuse that will get rid of most complainants.

But I don't want to get too much in the way of you wanting to believe that you're worth your weight in gold and save millions by your every hallowed key press. One would hope that you recognize that a pizza that's nothing but raw dough is not really what people are going to buy, so though you can't manage the pizza without it, you also can't do so without the toppings or the oven.

Re: Just launched? I've been using it for months

Specifically, it's the expansions of Qwen3 that they released. Models labeled Qwen have been available since 2023 and the third generation since April, but the four variants that are expanded or tailored (vision, for example) are the new ones.

Re: Audricus Phagnasay?!

Criminals smart enough to do the risk-benefit analysis would probably decide the risk of any kind of involvement with North Korea was high enough that it wasn't worth the effort. There is a cap for how much North Korea can pay from the proceeds before it's not worth it for them either. For someone who isn't calculating the risk but goes for the much simpler cost-benefit analysis, the cost for doing this is much lower since it takes relatively little effort to provide copies of a license and store a laptop. Given the large number of people available who are greedy enough to agree to this and stupid enough not to consider the risks, it's not that surprising to me that the price for the service is relatively low.

More broadly, there are a lot of criminals who, when you see the risks they're willing to go to and the benefits they get, don't seem worth it. Small-scale bank robberies, for instance, carry a relatively high risk of getting caught and a moderate risk of having much worse happen to you and tend to have somewhat small payments, and yet people have been willing to do those, sometimes routinely, for a while, at least they did not too long ago though they've gotten much less common. Part of this might be that a lot of us posting here are in careers that are somewhat stable and well-paid, so what seems like a small return to us might be bigger for someone else, but I don't think that's the whole story. I think there are plenty of people who don't think things through, enough that finding accomplices who don't need to do much is easier than we'd like it to be.

Re: $1-2K per month?

"Maybe you could sell the otherwise-unused CPU cycles of your servers to other people."

Sounds great. How much are you willing to pay me for the residual cycles on my computer? It's run by some random nobody you don't know, hopefully I have any security in place for both our sakes, you get preempted whenever I get spikes, and it can't scale above two servers at absolute maximum. I'm expecting a competitive price.

"As to your monthly power bill: did you think AWS, Azure, or GCS would not include (somehow) those 'leccy costs in your bill?"

Of course they do, while I'm using the resources I provisioned. When I am not using them, then that part is paid by the people who are using them instead. The question is whether their markup on the times when I am using it is greater or less than my wasted spend on self-hosted hardware when I'm not.

Re: When you don't return from lunch to log out

You can easily do that with a script, but if you want to do it with a GUI, you can. It's more complicated than it needs to be because AWS, but you can do it. If you expect to need to, which this person probably didn't.

Re: I ask the other way around...

Because the alternative is that when the system shuts down, it gets automatically deleted. There was a person who deleted some old VMs because they were probably unused. Take a look at what the comments said about that. Do you think the dev or Amazon would have been let off the hook if the problem was that important systems got wiped because the opposite was the default?

The problem is that no matter what that setting defaults to, something can go wrong. In neither case is it the fault of the cloud provider. The same thing could happen with owned servers, although it would be less a cost overrun and more a problem when all the disks filled up with unneeded images and new ones couldn't start. Depending on how expensive downtime is, that could even be worse. Oh, but there'd be warnings if the disks filled up, just as there could have been but evidently weren't alarms on cost usage. Computers have lots of options and unfortunately, some of them can have important effects and need to be treated with care.

Re: WHAT?!?

True, and if AWS could add more options including a method of automatically stopping some things when a budget was hit, that would be better. You can script that, but you would have to plan what you wanted to do in an unexpected funding situation ahead of time. However, if all they have is alarms, then you should at least set the alarms.

"the whole we don't agree appeals should not be something thats allowed"

They're not. What the statement translates to is "We're going to appeal when our lawyers have decided what the least stupid sounding acceptable reason is, but we don't know what it is yet. They'll find something; they're lawyers." That argument has to be one of the acceptable reasons for appeal, and their lawyers are going to write something that says it is and will keep doing that until they run out of appeal chances or a court rejects them.

Re: Common sense prevails?

That's technically true but in practice wrong. For example, what if I want to buy a certain laptop minus the disk it ships with. I have enough spare disks, or maybe I want a really big one which I'll install separately. Shouldn't it cost less to sell me a laptop without that part? Yes, it does, if you only look at the cost to manufacture the thing. However, when you look at the cost to have multiple lines, track them so you don't accidentally ship someone a diskless laptop when they don't know how to install the disk and then install stuff on the disk, have double the SKUs on your catalog, manage customer complaints when they select the cheaper one because they don't have any idea what "No SSD" meant, install or remove disks from machines when the demand for one model was different than what they guessed during manufacturing, it ends up not being worth it for the manufacturer and they don't bother.

There are many companies that have options without disks or without Windows licenses, on models where they get enough demand for those that it's worth the expense. For a lot of them, they don't see the purpose in doing either, so they don't. This is not unique to computers. Pretty much every physical product is sold in a way where you get all the parts they decided belong together and don't get to select the ones you want individually. There are potential legal problems with OEM license agreements used for the Windows part, but manufacturers' choices are not those.

Re: Hmm

I am fortunate enough that I have never encountered someone who did this severely. Most who I have found need to say something but don't get too unhappy if their changes don't get made. Unfortunately, I know at least one person who had to deal with someone who demanded so many changes that they went to the extent of deliberately including things for the critic to complain about because they would otherwise send round after round of mandatory feedback and force all the team members to stay late into the evening to implement those changes before deadlines. It did not do that person's mental health any good, and of course introducing deliberate confusion or errors into drafts could have had all sorts of other problematic results.

Re: Hmm

Even if we assume all the opinions in the article are wrong, if we agree to accept the facts alleged, the tech writers were not sitting down with the developers to learn the product; they were communicating by written messages volleyed back and forth. Even if the documentation produced by the programmer was complete gibberish, you couldn't make it better without understanding the software, instead getting the kind of thing you would get if you had an LLM write it: clear, well-organized, grammatically correct, and useless. So I still don't think we have enough information to turn the benefit of the doubt to favor them. And if we aren't willing to accept those facts, we might as well make up any story we like because we have no information other than that from the article.

Re: Hmm

I'm not so sure. Of course, we'll only ever have one person's description of it and they're likely to edit anything that they don't want to appear, but nothing in the description says that the problem was missing things which the writing department asked to be filled in. I've known people, and I'm guessing you have too, who could not review something without proposing changes. I wouldn't count out the combination of people trying to justify their jobs and not necessarily being good at them. Most programmers I know would be all too happy to not write documentation, sometimes so much that they don't even though we don't have any writers to do it instead, and the writers probably weren't getting any complaints if the documentation wasn't good.

Re: ninjed me!!!

How is that the logical conclusion and what does it really tell us? What you have in doas is something that does some of what sudo does with an amount of code between that of su and that of sudo. You lose reporting and monitoring, but maybe you didn't need it, but you still have per-user command filtering, but not as many options, and it's still bigger, which we have been using though probably we shouldn't as a proxy for likelihood to contain bugs. All we have from this is the fact that yes, doas also exists and could be another option.

Re: sendmail.cf

I was surprised to see the comment about m4 not getting used precisely because it's used in autoconf and automake and I see those all over the place. I don't really like them, although I admit they are better than not having them is, but I have to use them a lot and therefore I see m4 and things relying on it with some regularity.

Re: Google maps for Networks !!! :)

But implementors of what, precisely, because if it's an engineer building WiFi equipment, they don't generally have to reimplement the networking part, they have to reimplement the wireless communication part which is very different, and after decoding that to supported traffic, the network equipment they're connecting to handles that part. If they're building that networking part, they're generally either writing code or connecting existing systems together and making them work correctly in a group. In the comment where I described these two groups, I did say that these were a simplification and not the only ones, but lumping everything into implementor is getting the set of students wrong. There is something the student is coming here to do first, and it's likely not poking bits down a single pipe.