Re: Apple holding out
How to make money for old rope?
37 posts • joined 18 Aug 2018
Indeed. Let’s not go starting rumours that DoH is somehow more secure than DoT. HTTPS is simply HTTP over TLS, so the only real difference between these protocols is that DoH is a text protocol beneath the encryption rather than DoT, which is binary (and actually designed for the purpose of efficiently performing DNS transactions rather than serving web pages).
The thing about housing is, an $800,000 house doesn’t really cost you $500,000 more than a $300,000 one. Assuming no huge economic shocks (this is quite an assumption these days, but bear with me), a house is an asset. The only real “cost” is the interest you pay on any loan to pay for it (or loss of interest on the capital tied up in it) which at current rates is almost zero. Then when you consider a 160km daily commute, presumably costing you a minimum of 2 hours a day, without even considering fuel costs / wear and tear, if I could afford the mortgage, I know where my money’d be going!
I realise our government is entirely made up of technologically inept morons inventing ludicrous policies based on nothing but their misguided beliefs of what is achievable but how is it that there appears to be no halfway competent backroom staff steering them?
Even a few minutes consideration of this idea would surely highlight massive technical hurdles (alongside the ludicrousness of suggesting people effectively upload selfies to porn sites of themselves getting down to business). How, for example, are they proposing to address the question of hardware trust? Ie, any facial recognition system based on cameras that can be controlled by the end user is surely destined for failure. Even where the camera itself can’t simply be spoofed (ie a virtual device playing non-stop footage of the fuckwit who came up with this policy), most systems require specialised hardware to avoid simple subversion by holding up a 2D image / video. Are they proposing porn can only be watched on a device equipped with such a camera already? Or will government issued ones be available on request?
And I wasn’t even going to mention VPNs (or good old fashioned piracy).
Interested to know whether the DoH server will be configurable (presumably not by DHCP though). If so, you could potentially carry on running your own DNS, just now it’s going to have to include an awful lot more cruft. This is my primary reason for disliking DoH so much. Given many people run DNS servers on relatively low powered machines (home routers being a classic example), why would you select a protocol that involves wrapping every transaction in plaintext HTTP, resulting in not only the inclusion of an SSL / TLS server, but a seemingly completely unnecessary HTTP one too? I can see why Mozilla might prefer it, but why is anyone else going along with it?
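The two DoH/DoT comments above compare what each protocol puts around a DNS message. The following is an added illustration, not code from the original thread or from any resolver project: it builds a minimal DNS query in RFC 1035 wire format, then shows the DoT framing (the same two-byte length prefix as DNS over TCP, carried inside TLS) beside the two DoH encodings from RFC 8484 (base64url in a GET parameter, or the raw message as a POST body with `Content-Type: application/dns-message`). The POST is rendered in HTTP/1.1 syntax for readability; real DoH clients normally use HTTP/2. The hostname `dns.example.invalid` and the `/dns-query` path are assumed placeholders.

```python
import base64
import secrets
import struct
from typing import Optional


def build_query(name: str, txid: Optional[int] = None) -> bytes:
    """Minimal DNS query (RFC 1035 wire format) for an A record of `name`."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # random transaction ID, as resolvers do
    # Header: ID, flags (only RD=1 set), QDCOUNT=1, ANCOUNT=NSCOUNT=ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME: length-prefixed labels terminated by a zero-length root label
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def dot_frame(msg: bytes) -> bytes:
    """DoT (RFC 7858): the DNS message goes over TLS exactly as over TCP,
    i.e. prefixed with its big-endian 16-bit length. Nothing else is added."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes, path: str = "/dns-query") -> str:
    """DoH GET (RFC 8484 §4.1): base64url without '=' padding in the 'dns'
    query parameter. The full request still needs HTTP headers on top."""
    encoded = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{path}?dns={encoded}"


def doh_post_request(msg: bytes, host: str, path: str = "/dns-query") -> bytes:
    """DoH POST (RFC 8484 §4.1): raw DNS message as the body. Shown as
    HTTP/1.1 text for readability; HTTP/2 uses binary framing instead."""
    headers = (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Accept: application/dns-message\r\n"
        "Content-Type: application/dns-message\r\n"
        f"Content-Length: {len(msg)}\r\n"
        "\r\n"
    )
    return headers.encode("ascii") + msg


def overhead_comparison(name: str) -> dict:
    """Bytes on the wire (before TLS) for the same query under each framing."""
    msg = build_query(name, txid=0x1234)  # fixed ID so the sizes are reproducible
    return {
        "dns_message": len(msg),
        "dot_frame": len(dot_frame(msg)),
        "doh_get_path_only": len(doh_get_path(msg)),
        "doh_post_request": len(doh_post_request(msg, "dns.example.invalid")),
    }


if __name__ == "__main__":
    for framing, size in overhead_comparison("example.com").items():
        print(f"{framing:20s} {size:4d} bytes")
```

The DoT frame is two bytes longer than the bare message; the DoH GET path alone is already about twice the message size, and the POST form carries an HTTP header block on top of that, which is the extra parsing machinery the comment objects to on a small router.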
Another question that doesn’t seem to have been asked is: even assuming the share price fluctuations were actually caused by what was said (let’s not even get into whether any of it was true), how exactly did this cost Tesla the amounts claimed? Yes, their market capitalisation dropped by those numbers, meaning Tesla’s shareholders lost out, but how many of those shares are owned by the company themselves (even if you include planned share issues)? If Musk were suing for the fraction of this “loss” equivalent to his personal shareholding, that would be one thing, or if this were some kind of class-action where the damages would be returned to all the investors / pension funds / etc that own those shares, that would seem reasonable too but claiming Tesla lost this money is frankly ridiculous.
Let’s not forget the time it takes to fill up. A petrol pump can fill a car every few minutes (and a good chunk of this time is waiting for the infernal pay-at-the-pump machine to do whatever it thinks needs doing between your inserting your card and it finally asking for a pin). Electric hookups are lucky to do one or two an hour.
How are they planning on getting the parcels out of the truck and actually to the destination? I’m sure some crazy parcel vending contraption could be developed to allow the customer to get them themselves but you don’t hear of many startups researching that... and I can’t imagine such a machine is going to improve the truck’s weight or load carrying ability. Likewise, how long will these things wait for you to come out and collect your stuff? I can only guess they’re going to be significantly slower than a driver who can get out and ring a doorbell. This would also be a significantly worse experience for many customers, having to lug potentially heavy packages from wherever it manages to find a parking space. In fact, in many cities finding a legal parking space is basically impossible, leading to the question of whether the AI would copy their human counterparts and simply ignore such restrictions? This seems even more far fetched than Amazon’s drone delivery marketing stunts.
There is one very big difference between the two cases (clearly both patents are absurd). Apple did actually make a phone with rounded corners so were presumably (at least in their minds) simply attempting to prevent others from copying their design. VirnetX on the other hand...
It’s easy to villainise companies for paying no corporation tax on seemingly enormous sales figures but it’s not always quite as simple as articles such as this make out. I haven’t looked at the actual figures but RockStar is potentially a good example of this. While worldwide, there’s little doubt they’ve made massive profits on this franchise. The UK, however, presumably makes up for a relatively small fraction of these sales. On the other hand, given the majority of their workforce is presumably based in the UK, I assume costs to this subsidiary are significantly higher than anywhere else in the world, naturally resulting in vastly reduced profits (or, as I assume from their zero corporate tax payment, a loss). There is not necessarily anything particularly immoral or sinister about this. In fact, were they to start booking profits from their other subsidiaries in the UK (in an attempt to pay more tax here), this would seem equally unfair to taxpayers in the countries these profits were made in (see the case of Amazon / Google / etc in the UK). Likewise, from the UK’s perspective, employing significant numbers of people here, resulting in higher costs, hence low / zero corporation tax is arguably much better than the Irish situation of booking all your profits there, paying trivial rates of corporation tax, whilst ensuring all your costs (i.e. staff / acquisitions / etc) are in higher tax jurisdictions where you would prefer to minimise profits.
The sanity of subsidising such companies with government handouts is another matter entirely, though I vaguely recollect at the time the general consensus was that it was a positive move in encouraging the industry to the UK and some concern that GTA might not actually qualify.
It is perfectly possible for Tesla to succeed without their share price increasing. If by succeed you simply mean becoming one of the world’s largest car manufacturers, simply compare their current market capitalisation with that of Ford. If Musk were more interested in the environmental benefits of electric cars gaining traction than profits, it’s entirely possible he could (continue to) sell cars at a loss, eventually running the company into the ground. Many might still argue this a success.
Good point on the cost of Johnny-cabs, I’d not considered that major change to the business model. Realistically they’re nothing but a pipe dream / marketing gimmick anyway. Whilst self driving tech is undeniably improving, surely even Uber execs can see there is no way the technical, legal, logistical, ethical and image problems of entirely driverless cars are likely to be solved any time soon. Certainly not soon enough to appease shareholders demanding profits.
Apparently Apple shareholders do not agree with this sentiment. 13% increase in share price today (and counting), rocketing them back to “most valuable company in the world”, with a market cap of well North of a trillion dollars. If this is a bad set of results, I’d hate to see what happens on a good day!
Yes. British keyboards (the same may be true of all non-Apple ISO layouts, though I can’t be certain) have a dedicated ‘#’ key. Also, for touch typists, ‘\’ / ‘|’ is significantly easier to reach than on American (ANSI) layouts. I’m actually surprised there isn’t a US ISO layout keyboard, which I would imagine most coders would (eventually) prefer.
Can someone explain the point of SGX? I’m sure there is probably some cloudy explanation for it, but from where I’m sitting, the only people looking to run code in ways invisible to the rest of system are malware authors. Maybe DRM too, but as far as I’m concerned that pretty much falls under the definition of malware, as code that is serving no conceivable benefit to the user who is (normally unwittingly) running it.
"I wrote code for a guy a while back who then incorporated it into a banking malware." - This could be true of just about anyone contributing to open-source libraries.
“I used to write malware“ - maybe not so smart...
Anyway, how long does it take to actually get to court in the US?! He was arrested 18 months ago for a crime he apparently carried out in 2014. Also, does this time forced to stay in the States (away from friends, family and job) against his will count against any potential sentence?
Much as I tend to agree that a memorable long password beats a non-memorable short one, I can’t help but worry that these aren’t really that much stronger. Yes, there are (apparently) upwards of 170,000 words in the (Oxford) English Dictionary, making this on paper appear to be 170,000 to the power 4 (a roughly 70 bit number) but the reality is that most educated native English speakers only know a fraction of this number. Assuming a 35,000 word vocabulary (a number I’ve seen mentioned as an upper bound on real vocabulary size), this quickly reduces to only 60 bits. Assuming all 4 words are fairly common, as with “correcthorsebatterystaple”, the vocabulary size required falls to less than 10,000, rendering this weaker than the random 8 character (53-bit) password, though obviously more memorable.
Another issue with the long password, and one I’ve fallen foul of many times, is that whilst they are fine when typing on a real keyboard, try entering one with your thumbs on a phone screen, or worse, using a PlayStation / Xbox controller, and they start feeling less of a great idea. Even more so if there’s a risk of shoulder surfing (the extreme case is with the PlayStation / Xbox), where the random mess of letters and numbers is relatively quick to type and tricky for an onlooker to remember. A set of English words, they may struggle to forget even if innocently observed.
My personal favourite scheme (though I must confess, not one I always employ) is taking initials from a memorable sentence. Ie, the password “ihpcrbtmplm”, can be simply remembered by the phrase “i hate password complexity requirements because they make passwords less memorable”, which is roughly the same strength as each of the above mentioned schemes but obviously quicker to type than “correcthorsebatterystaple” and far easier to remember than “ff3sd21n” (which, being all numbers and lowercase, I can’t see being much better than 41 bits anyway).
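The three password comments above reason about strength as log2(choices^length) under different assumptions about how big the pool of choices really is. This added example (not from the original thread) puts those numbers in one place and, for contrast, generates a passphrase and a random password with a CSPRNG, where the full log2(N^k) figure actually holds because every pick is uniform. The scenario labels and the eight-word list are constructed for the demonstration; a real generator would load a large published word list.

```python
import math
import secrets
import string


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent, uniform picks from
    `choices` alternatives, i.e. log2(choices ** length)."""
    return length * math.log2(choices)


# Pools discussed in the comments above: (number of choices, picks).
# The "4 words" rows only reach the stated strength if the words are drawn
# uniformly from that pool, which a human picking familiar words does not do.
SCENARIOS = {
    "4 words, 170,000-word dictionary": (170_000, 4),
    "4 words, 35,000-word vocabulary": (35_000, 4),
    "4 words, 10,000 common words": (10_000, 4),
    "8 chars, 95 printable ASCII": (95, 8),
    "8 chars, lowercase + digits (ff3sd21n)": (36, 8),
    "11 chars, lowercase initials (ihpcrbtmplm)": (26, 11),
}


def entropy_table() -> dict:
    """Map each scenario to its entropy in bits, rounded to one decimal."""
    return {label: round(entropy_bits(c, n), 1) for label, (c, n) in SCENARIOS.items()}


# Constructed toy word list; entropy per word is log2(8) = 3 bits here.
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "river", "pencil", "orbit"]


def generate_passphrase(words, count: int = 4, sep: str = "-"):
    """Return (passphrase, bits). Uses secrets.choice so each word is a
    uniform draw from the whole list, which is what makes the bits figure valid."""
    chosen = [secrets.choice(words) for _ in range(count)]
    return sep.join(chosen), entropy_bits(len(words), count)


def generate_password(length: int = 8, alphabet: str = string.ascii_letters + string.digits + string.punctuation):
    """Return (password, bits) for a uniformly random string over `alphabet`."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    for label, bits in entropy_table().items():
        print(f"{bits:5.1f} bits  {label}")
    print(generate_passphrase(WORDLIST))
    print(generate_password())
```

Run as a script it prints the table (roughly 69.5, 60.4, 53.2, 52.6, 41.4 and 51.7 bits respectively) and one freshly generated example of each kind; the point of the generator functions is that the bits figure they return is only honest because the choice is made by `secrets`, not by the user.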
This must be some kind of elaborate joke. How does the bare-chested one think anything is going to work following this move? Does Russia not use credit cards? Or international banking (they sell oil, how do they get paid for this)? In fact, are Kaspersky themselves not rather reliant on connectivity to their millions of international customers (updates / cloud AV)? Or is the real plan to simply cut the plebs off from the outside world?
Who gets to use it at weekends / Christmas / take on holidays etc? This might be OK for the work commute (though not if their shifts are consecutive) but I can’t really see this working in practice. Also, none of this cuts down on actual vehicle mileage (energy usage / lifetime of vehicle) so I don’t really see how sharing with others at work makes a great deal of sense. The real fix is to address the reason everyone has to work the same hours in the same places, where nobody can afford to live. I suspect this will be sorted long before self driving cars are allowed en masse on city streets.
My biggest gripe with these buttons has always been the sheer number of products which would “require” them. If you’re going to bother getting a button for, let’s say, washing powder, logically you should probably grab one for washing up liquid, bog roll, fabric softener, furniture polish, scouring pads, multi surface cleaner, kitchen towels, glass cleaner, dishwasher tablets, rinse aid... and that’s just the under sink cupboard. The question is, where are you supposed to store all these buttons? Maybe what we really need is an Amazon keyboard. Or, better yet, perhaps some kind of touch screen device we could carry around in our pockets...
As others have mentioned, at least they’re better than subscribe and save, where you seem to end up entering an agreement to make future purchases at a price that will be determined (by Amazon) at some later date. If the buttons are deemed illegal, where at least you can cancel / return the order if you seriously disagree with the price, how is this subscribe and save feature OK?
If you accept payment by your employer as non-taxable loans, whilst I’m trying to remain open-minded, I’m struggling to summon much sympathy. I’d actually be very interested to know what happens in such an arrangement were the employer to become insolvent. I would imagine when the liquidators spotted those “loans”, the tax man would be the least of your worries!
Given the public key for this is shared via DNS, prior to the TLS connection, why not encrypt the whole handshake with it? Presumably this would help protect against downgrade attacks and the like as well? As it stands, this seems a lot of effort to encrypt just one of the many fields in a client hello. Especially when, in the vast majority of cases, that field is (and will continue to be) announced in a cleartext DNS request. Also, unless I am completely misreading that draft, there appears to be no suggestion of encrypting the server certificate, meaning that this will likely also be observable in the CN / SAN returned by the server, which would appear to make the whole venture rather pointless?
That’s in addition to 240.0.0.0/4 (268 million addresses) “reserved for future use”, in addition to 224.0.0.0/4 (same again) multicast addresses. Given multicast is realistically only usable in highly limited environments (not across the public internet), does this really necessitate a 16th of the total IPv4 address space? As for future use, how is now not the “future”? That’s not even getting into why we need 16 million addresses for localhost (127.0.0.1 is merely the most commonly used from 127.0.0.0/8). I realise many OSes / network devices couldn’t cope with these addresses being publicly routable, but would assume it would be a relatively minor software / firmware upgrade to fix that?
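The block sizes in the comment above can be checked, and put to defensive use, with the standard library alone. This is an added example, not code from the thread: it computes the size of each special-purpose block with `ipaddress`, classifies an address using the module's RFC-derived predicates, and then runs that classifier over a few constructed firewall log lines to flag sources that should never appear on a public-facing interface (the usual bogon-filtering check). The log format and all addresses in `SAMPLE_LOG` are constructed for the demonstration.

```python
import ipaddress
import re

# The three blocks discussed above. Sizes are computed, not typed in.
SPECIAL_BLOCKS = {
    "reserved (240.0.0.0/4)": ipaddress.ip_network("240.0.0.0/4"),
    "multicast (224.0.0.0/4)": ipaddress.ip_network("224.0.0.0/4"),
    "loopback (127.0.0.0/8)": ipaddress.ip_network("127.0.0.0/8"),
}


def block_sizes() -> dict:
    """Number of addresses in each special-purpose block."""
    return {name: net.num_addresses for name, net in SPECIAL_BLOCKS.items()}


def fraction_of_ipv4(net: ipaddress.IPv4Network) -> float:
    """Share of the whole 2^32 IPv4 space taken by `net`."""
    return net.num_addresses / 2 ** 32


def classify(addr: str) -> str:
    """Name the special-purpose category an address falls in, or 'global'.
    Order matters: loopback and 240/4 also satisfy is_private on some
    Python versions, so the more specific predicates are checked first."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    if ip.is_reserved:
        return "reserved"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "global"


# Constructed firewall log lines (format and addresses invented for the example).
SAMPLE_LOG = [
    "2020-01-01T10:00:01Z ACCEPT iface=wan src=93.184.216.34 dst=192.0.2.10 dport=443",
    "2020-01-01T10:00:02Z ACCEPT iface=wan src=240.1.2.3 dst=192.0.2.10 dport=22",
    "2020-01-01T10:00:03Z ACCEPT iface=wan src=127.0.0.1 dst=192.0.2.10 dport=80",
    "2020-01-01T10:00:04Z ACCEPT iface=wan src=224.0.0.251 dst=192.0.2.10 dport=5353",
    "2020-01-01T10:00:05Z ACCEPT iface=wan src=10.9.8.7 dst=192.0.2.10 dport=445",
]

_SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def bogon_sources(lines) -> list:
    """Return (source, category) for every line whose source address is not
    globally routable. On a WAN interface these are spoofed or misconfigured."""
    hits = []
    for line in lines:
        m = _SRC_RE.search(line)
        if not m:
            continue
        category = classify(m.group(1))
        if category != "global":
            hits.append((m.group(1), category))
    return hits


if __name__ == "__main__":
    for name, size in block_sizes().items():
        print(f"{name:26s} {size:>11,d} addresses ({fraction_of_ipv4(SPECIAL_BLOCKS[name]):.4%})")
    for src, category in bogon_sources(SAMPLE_LOG):
        print(f"bogon source {src} ({category})")
```

Both /4 blocks come out at 268,435,456 addresses (1/16 of the space each) and 127.0.0.0/8 at 16,777,216, which are the figures the comment quotes; the filter pass flags four of the five constructed lines.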
I’m going to start pushing IPv5. The crucial difference being 64-bit addresses. These will obviously more or less halve the network overhead, are twice as easy to write / remember, halve memory requirements on network gear and, rather handily, fit into current 64-bit CPU architectures. The one downside being, only 2.5 billion IP addresses per person on the planet, so we’ll have to be frugal with our IOT devices!
Just for fun, might as well make it backward compatible with IPv4 (6 can go whistle).
Thumbs up for the idea of storing hashes of different combinations. Though there’s no way I credit many banks with coming up with (or caring about) doing so. Realistically if, like my bank, they only ask for 3 characters at a time, it wouldn’t take much to brute force those hashes anyway... My bank does ask for a secondary password (I think they call it a memorable word), which I guess (again, assuming a massive amount of faith in their security / engineering teams) they could be storing hashed with these different pre-chosen combinations...
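The scheme discussed above (one hash per pre-chosen combination of character positions, so the bank never stores the full secret) and its weakness (each hash only protects a three-character guess space) are both easy to make concrete. This added example is not from the thread and not any bank's code: it enrols a secret by hashing every 3-position subset with PBKDF2 and a per-user salt, verifies a challenge answer in constant time, and reports how many hashes that costs and how few bits a single challenge protects. The round count is deliberately low so that enrolment runs quickly in a demo; a production deployment would use far more.

```python
import hashlib
import hmac
import itertools
import math
import secrets

PBKDF2_ROUNDS = 10_000  # demo value; production would use a much higher count


def _material(positions, chars) -> bytes:
    """Bind each character to its position so the same letters at other
    positions produce a different hash."""
    return ",".join(f"{p}:{c}" for p, c in zip(positions, chars)).encode("utf-8")


def _hash(positions, chars, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", _material(positions, chars), salt, PBKDF2_ROUNDS)


def enrol(secret: str, k: int = 3) -> dict:
    """Store one salted hash for every k-subset of positions; the full
    secret is never written anywhere."""
    salt = secrets.token_bytes(16)
    hashes = {}
    for positions in itertools.combinations(range(len(secret)), k):
        chars = [secret[p] for p in positions]
        hashes[positions] = _hash(positions, chars, salt)
    return {"salt": salt, "hashes": hashes, "length": len(secret), "k": k}


def challenge(record: dict) -> tuple:
    """Pick a random position subset to ask the user for."""
    return secrets.choice(list(record["hashes"]))


def verify(record: dict, positions: tuple, answer: str) -> bool:
    """Check the user's k characters against the stored hash for those positions."""
    stored = record["hashes"].get(positions)
    if stored is None or len(answer) != len(positions):
        return False
    candidate = _hash(positions, answer, record["salt"])
    return hmac.compare_digest(candidate, stored)


def stored_hash_count(length: int, k: int = 3) -> int:
    """Hashes the bank must store per user: C(length, k)."""
    return math.comb(length, k)


def guess_space_bits(alphabet_size: int, k: int = 3) -> float:
    """What one stored hash actually protects: alphabet_size ** k candidates,
    regardless of how strong the full secret is."""
    return k * math.log2(alphabet_size)


if __name__ == "__main__":
    record = enrol("s3cretwd")          # constructed demo secret
    asked = challenge(record)
    print("positions asked:", asked)
    print("stored hashes:", stored_hash_count(record["length"], record["k"]))
    print(f"bits protected per challenge (36-char alphabet): {guess_space_bits(36):.1f}")
```

For an eight-character secret over letters and digits the bank stores 56 hashes, and each one guards only about 15.5 bits of guess space, which is why the comment's scepticism about brute force is well founded even when the hashing itself is done properly.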
I’m with you on avoiding excessive and often unnecessary technology. Keyless entry being a case in point. How hard is it to press a button on a remote to lock / unlock your vehicle, a remote virtually all “keyless” systems still require. Such buttons have the rather handy features of knowing whether you’ve actually locked your car, and rather neatly preventing relay attacks from your hallway / coat pocket. However, going back to physical keys is a step too far even for me. Car thefts have decreased rather dramatically since the 90’s (last I looked, they were down over 80% in the UK) and I can’t help but suspect this may be related to swapping old-school key barrels (which are all too easily old-school hot-wired) for more electronically integrated remote systems. Whilst I’m sure there are some professional car thieves taking advantage of such holes in current technology, I’m pretty sure there are far more teenage oiks with a brick and a pair of pliers looking for some quick thrills.