Given enough votes, all elections are rigged
aka. Trump's Law
120 publicly visible posts • joined 2 Nov 2020
We can go on about emasculated mobile operating systems (being limiting) as much as we like but the developers behind these systems have gone through great pains to apply API restrictions throughout the stack with the goal of eliminating legacy security issues, ensuring that phones/tablets continue to work even when an application misbehaves. End users generally don't need to be educated in how to use their devices safely and the inherent limitations are accepted as a consequence of device choice.
By comparison, desktop operating systems are still every bit as fragile as how things started out and overall application software quality for Windows and Linux alike has been regressing of late, even in situations where features have been correctly limited or scoped. People (like me) get paid a lot of money to make general purpose computers less usable in order to protect users from themselves while attempting (often in vain) to keep malicious entities out.
The former is starting to slowly but surely open up in ways which are designed with safety/security in mind, while the latter is littered with many failed attempts at providing basic IT security. Eventually, both will converge on a happy medium but for now you gotta pick your poison!
Cisco has a terrible reputation when it comes to security as well, previously shipping products with nerfed (40-bit) encryption to international customers at the request of the US government. Also, let's be honest here, everyone offering a service which is Internet based (and open to all) will be compromised at some point.
It has happened to big names too including Microsoft, Facebook, Twitter and Red Hat. Not to mention backdoors inserted as part of PRISM. At least the SolarWinds attack has made big news, so now they will be bolting everything down tightly...
1. The warranty isn’t void. Apple allows disabling Secure Boot with this in mind. They want as many people as possible to buy their hardware regardless of the OS people choose to run on it. That could change in the future but I very much doubt it given Craig Federighi saying it’s up to Microsoft if people want to be able to use Windows on their Apple Silicon Macs.
2. Apple already said they won’t support Boot Camp but who needs it when one can boot from an external drive anyway? Linux (or Windows) could go on a Thunderbolt drive.
3. You can run Linux in a VM using the Apple Hypervisor API. QEMU works and virtualises everything using the proper Apple API already.
4. Apple has a very big incentive to share as much code as possible and change it as little as possible due to committing to support every product they sell for 7 years. We can see evidence of how they adapted the M1 to avoid diverging from the legacy of iOS SoCs throughout this article. While it is a real possibility that things could change in a massively code-breaking way, Apple has a track record of designing their hardware to work with how they develop their software and not the other way around.
Canonical lawyers found that the CDDL was compatible with Linux licensing from an end-user perspective, provided the module is distributed separately from the kernel as a self-contained module. FreeBSD was always in the clear anyway, Illumos is CDDL itself and the macOS kernel (XNU) is licensed as open source software which permits even proprietary linking.
Therefore, we can say Oracle donated the code since the genie can’t be put back in the bottle now!
Microsoft said it best until they became the very thing they criticised with Office 365. There are big, bad downsides to the cloud which don't exist for on-prem software.
For starters, migrating between services isn't as simple as installing a replacement piece of software and opening your files in said software. You end up having to pay someone to migrate your stuff from one cloud service to another, as all your data needs to be migrated from one set of servers you don't own to another set of servers... that you don't own. That's assuming you even can, as not all SaaS uses open data formats.
Then there's the training aspect. Cloud services change constantly. Skype for Business got replaced with Microsoft Teams and smaller organisations got forced over arbitrarily. Google Chat got replaced with Hangouts which got replaced with Duo and Meet; while Google Video got phased out for YouTube.
Finally, you have security issues. Office 365 is a fantastic example of a cloud service which is demonstrably less reliable than running your own stuff. Even old fashioned Microsoft Small Business Servers were more stable and when mail was proxied through a queue-holding mail filtering service their services were more secure too. Nobody could easily phish their way into your mailbox, as an attacker needed internal network access via VPN (good luck exporting that device cert via phishing email) and they had no way to tell who your provider was with any certainty to know what to lie about. Nobody needed 2FA codes as desperately as they do now because only corporate devices could connect to the mail server or authenticate to network resources in the first place....
The cloud has been an unmitigated disaster in a lot of cases. Folks only put up with it because big technology firms have colluded to cripple software so that cloud services are more of a necessity than they should be. Microsoft Office and Apple iWork both supported WebDAV until both companies wanted folks to use their cloud services, then they phased out support as quickly as they could. Then combine that with the eye-watering prices of on-prem software licenses. A 10 user physical dedicated Exchange email server license costs as much as 8 years worth of Exchange Online Plan 1 and that doesn't include hardware costs or labour rates. Once everyone is on-board with only cloud services, I predict the prices will begin to be ratcheted up and up and up until ownership is once again the far cheaper option.
Google Docs does not even allow you to encrypt file contents with a key that Google does not hold. It's a seriously bad choice for governments and industrial uses where sensitive PII is going to be stored there.
Folks should instead use a solution like NextCloud. It is self-hostable, easy to maintain, support is readily available, source code has been subject to multiple audits over the years and the software itself is free as in beer and freedom. The company behind it is German, their software is designed with the GDPR in mind and it can integrate with Collabora Office Online to provide collaborative editing in a web browser. If one uses it alongside locally installed office software then automated end-to-end encryption provides an additional layer of protection Google doesn't.
Even if one doesn't want to self-host, NextCloud has partners like Deutsche Telekom who can host the whole lot for you. Also, if NextCloud Gmbh folded tomorrow, one could always migrate to ownCloud Online, which is also German, has a similar codebase and is also actively maintained. Heck, there's even a Dutch partner called The Good Cloud available, so one could even keep data within their own borders and audit all patches to protect against sabotage!
It is a stable, free version of the software which does not get many, many years of long-term support for each major release. However, when compared to Office 365, even the community version of LibreOffice looks like long term support. Most people really don't need to pay for it, ever.
However, if you choose to buy Collabora Office (one of many LibreOffice Enterprise suites) you get the benefit of tech support and many, many years of LTS patch support like the good old days for something like £15/user/year, which is cheaper than both Microsoft Office 365 and old perpetual volume licensed versions of Microsoft Office 2013/2016. When combined with a simple IMAP server and a decent e-mail software like eM Client, one can have a much cheaper and more productive time for a fraction of the cost.
Thanks in a large part to the UK Government, Microsoft has committed to maintaining full compatibility with OpenDocument formats, meaning people can use LibreOffice with confidence these days and abuse an old Office 2013 license for conversions in the rare cases that LO can't handle it.
Have DNS-over-HTTPS backed by DNSCRYPT convey the correct CA for the site you’re about to use. If it doesn’t match, reject it. Then to ensure phishing can’t happen, just force users to use tokens. Banks can afford to hand out dedicated devices to account holders and ordinary sites can just have users enrol with a TPM (standard in PCs) for webauthn or authenticate using their phone with a QR code (similar to WhatsApp).
Web apps and PWAs can take over. They want everything to be web based so they can realise their mission of organising the world's information and making it more accessible. Eliminating plaintext protocols, alongside the implementation of CA pinning, helps achieve that goal.
I happen to think the web is a dumpster fire these days and that native apps are better. But developers seem to disagree, opting for bloatware like Electron... bloatware which makes Java look like Mo Farah.
Else they would lose Azure customers fast. It is rich native app integrations with Microsoft cloud services (365/Azure) that keeps them bringing in the cash. If everybody used Linux, Azure AD would be dead. If everybody used web based tools, Office Online would lose customers due to being tied to the abomination that is SharePoint and its inaccessibility to individuals (it is enterprise-only).
Also, there isn’t a single day of the week where something isn’t broken or wonky with Azure and by extension their live, real-time services like Teams. Using a desktop app hides all that somewhat by working offline seamlessly through the benefit of local storage. All that falls over when you can’t save your work because their systems have sharted again.
TL;DR Windows helps Microsoft hide its true incompetence...
Seriously, just because x86 processors are boned doesn’t mean they all are. I would try and fix this on principle, especially since WebAssembly is slowly turning Chrome into an all-in-one virtual machine for running apps...
Now who fancies a nice cup of Java?
Which has totally taken off despite being indie "shovelware" with SNES graphics. It's about the heart and soul put into it. People can tell when a video game is the grinding of corpo-employed meatsacks vs. when it's made by people who genuinely care. It's one of the main reasons I no longer care about scalpers buying up PC parts and the latest consoles... we don't need the latest hardware to have fun these days!
Folks will inevitably move on to Debian in the name of avoiding the risk factor (corporate backstabbing) and they bastardise their packages so much that once people learn the Debian way of doing things, there's no putting the genie back in the bottle.
This is exactly the same mistake Oracle made with OpenSolaris to put short term profits over a long-term future. In the case of Red Hat, this will cost them big money if they're no longer seen as the standard option. Which is a massive crying shame, as Red Hat provides better security out-of-the-box than any other distro on the market today.
I still think the negative claims people have been making about CentOS Stream are unfounded but clearly Red Hat should have known people would throw their toys out the pram...
Fortnite is a video game, and video game stores set the precedent of taking a large cut of developer profits long before Apple ever did. PSN, Xbox Live and Steam all predate the App Store. All of them charged a hefty commission long before Apple’s App Store came along.
This is why people think it’s Epic’s spat with Apple because they’re not going after the video game stores despite the fact they charge far more and hold similar, if not total control over distribution. We also know why Epic won’t go after these video game stores. If they did, console prices would have to go up, making their shovelware far less accessible to vulnerable children and, by extension, parents’ wallets.
I honestly hope Epic loses because their case was made in bad faith, unlike Spotify, who have IMHO a very strong case which deserves a solid legal remedy.
Facebook users get the following:
* Blogging services
* Live streaming
* Instant messaging
* Group communications
* Photo/video hosting
* OpenID authentication
In exchange for these convenient services, they give up some amount of individual privacy. I think most people know what the trade-offs are. I’m not even a Facebook user and I know what they are.
The first method is via the App Store, which allows you to run a restricted set of frameworks, subject to a sandbox created from a set of mandatory access controls. All code which executes must be digitally signed and unaltered, while using a hardened runtime designed to mitigate exploits. This severely limits what any given application can do, relative to traditional computing platforms.
The second method is via Progressive Web Apps. Most of the top apps in the App Store would function pretty much identically as PWAs, so to suggest this is not a valid way to sell apps is inaccurate. Pretty much all Electron apps on Windows work as PWAs on iOS and even technical tools like password managers have web ports. Ditto for anything which you’d just use the website for on an ordinary computer.
Should Apple provide a third method via its Notary Service like what it does for macOS today? Well, right now, iOS enforces that apps can’t be rolled back to old, insecure versions, just like the OS itself. To introduce current macOS non-store distribution methods would ruin that ideal security model. Ideally, Apple should provide a means for developers to run their own repositories which prevent rollbacks, using notarisation to enforce the use of sandboxing and hardened runtime. This would allow for major security improvements on macOS while also granting more freedom to developers on iOS.
It was fast and the battery seemed to last forever compared to my old Nexus 4. Only thing it was missing at the time was Adobe Flash support so I could watch sweet sweet Newgrounds on the go. My priorities were much different back then and my experience with the iPad 4 and iOS 9 left a rotten taste in my mouth (Safari would crash at least 4 times a day).
A toast to Windows Phone! The OS which could have been awesome if Microsoft had stuck with it.
I pity the folks who don’t realise every company is abusive in one way or another. But there is a difference between fruity devices beyond the logo.
Android OEMs charge extortionate prices for devices which barely receive a full 3 year lifespan (Samsung included), Linux phones ship with parts which are already obsolete by modern hardware standards and Windows Phones, despite offering 5 year device lifespans, simply didn’t get the uptake they deserved. Yet in spite of how easy it is for OEMs to openly abuse customers via early obsolescence, we are still seeing Apple consistently update their devices in a timely manner for as long as 7 years from launch, even when they are budget variants.
Even when you buy desktop computers from HP, Lenovo or Dell, you do not see support lifecycles as long as that. Sure, Microsoft offers 10 years worth of security updates but good luck obtaining BIOS/UEFI, firmware and Intel Management Engine updates from your OEM in a timely manner even as little as 4 years after you purchased your machine. My main PC is only 5 years old yet is no longer safe to use online because the OEM won’t provide a proper fix for a critical ME vulnerability identified by Intel’s security tools. We aren’t talking about a cheap box either, costing just shy of £1000.
People can say what they like about App Store practices, applying onerous sideloading restrictions and using their market cap to dictate terms with third party developers. People can also rip into how Apple screws people with a complete disregard for backwards compatibility when it comes to annual major OS releases. Those are valid concerns. However, Apple is less abusive in many other areas which consumers care about and people seem all too eager to forget that.
I thought a pre-requisite for free speech is freedom of expression and surely a pre-requisite of that is not being a slave?
According to the US constitution, slavery is still a valid punishment the moment someone is convicted of a crime. Which means you can take away someone’s freedom, including their freedom of expression, by creating arbitrary laws which enslave those who may think or act a certain way, independent of their codified civil liberties.
I see this all the time.
The software would have been written to meet a spec and rolled out many months after approval. Once the scope, design documents, implementation and user acceptance testing has all had final sign off, it’s way too late to change things.
To adjust the system to handle the new rules would be chargeable out-of-scope works which the company could put any price on, knowing that hiring a third party to do the changes might cost less initially, but more in the long run to take over support.
Additionally, it’s in the best interests of Arizona State (not the programmers) to keep quiet about bugs to avoid being sued into the ground for mistakes made as a result of keeping people locked up for longer than they’re meant to. The development house will have a couple of executives laughing their arse off at this situation, enjoying all the easy money...
Hard paywalls include the same snippet which is scraped by Google and other search engines to get their content indexed. If they would rather not have this be the case, they can very easily change that by not making the content available to anybody who hasn't paid. Facebook does plenty of wrong things but this move is the right one. If news sites don't want their content published for free then they shouldn't publish it for free. By not blocking scraping through both robots.txt and noindex directives, they are implicitly allowing their content to be scraped for any purpose.
If Big Tech started aggregating news from trusted/recognised subject matter experts (as opposed to journalists) and presented this as AI-driven news, a lot of news services would die off very quickly. The truth is that journalism is in a death spiral right now and no amount of governmental intervention will change that. We don't live in such a closed off world any more, information gets out about everything quite quickly.
is the same issue with the same problems.... The solution to the problems associated with AI/ML is freedom, not ethics. Freedom means having access to use, study and modify the algorithm and associated training data used to produce the model used in production.
Beer is a toast to the ongoing prosperity of free software and to a future of free-as-in-freedom AI/ML.
Otherwise Amazon would lose money overall due to a mass cancellation of Prime subscriptions and not only that, once said hornets' nest is kicked, folks will cite unfair advertising as grounds to reclaim the entire cost of their subscription... (https://www.moneysavingexpert.com/reclaim/amazon-prime-refund/)
Amazon would instead lower pay for new employees and freeze existing employees' pay, much like how Apple adapted when courts in the US ruled they had to pay for the time spent waiting for security checks at the end of a working day at their retail stores (https://observer.com/2020/02/apple-lose-lawsuit-retail-employee-security-check-pay/).
We need bigger changes to fix the mess that is the corporatocracy we live in, as there's little to be afraid of even if these big companies throw their toys out the pram. At the end of the day, cutting their noses to spite their faces doesn't reassure shareholders.
Business use case: Create an encrypted spreadsheet (Office XP could do this in 2001)
Marketing use case: Perform a mail merge involving custom dynamic fields (available since Office 97)
Academic use case: Adding references to your document (Available since Word 2007)
Missing packages: Where's the personal database software? Where is LO Base and/or MS Access?
When decades old software beats out the latest and greatest in common use cases, even when billion dollar companies are involved, you know that these new-fangled HTML5 apps suck. Even more so when entire packages are dropped as a result.
On my Windows PC I have the following engines running:
* Trident (for PowerShell and Outlook)
* EdgeHTML (for anything UWP or OOBE)
* Blink (for Teams, Discord, Google Chrome and Edge)
* WebKit (for Steam and iTunes)
* QtWebEngine (for MS OneDrive and TeamViewer)
In the case of Blink, WebKit and QtWebEngine, each app often uses its own private instance of the engine bundled with the software, meaning no memory sharing as the DLLs differ.
A copy of MSN Messenger back in the day would use ~20MB RAM and reuse the Trident engine, along with every other native Windows application on the system which needed to render some HTML. Thanks to developers taking liberties we also have Electron apps (e.g. Teams) bundling private instances of Blink and V8 consuming ~300MB of RAM each and offering minimal differences in functionality to their predecessors. That's not "natural feature creep" causing said RAM use either; Skype is a native app which uses 120MB RAM on a bad day.
Perhaps we should all be telling these half-wit devs who want to roll their own private engine instances to nobody's benefit to do one, just like Apple does.
Thankfully, developers now base logins on email addresses and/or phone numbers, obviating the need to use IDs/usernames. With webauthn on the rise and the ability for Secure Enclave and TPM-backed 2FA to be deployed, the only thing left to store is the URL... which browsers have done for a very long time anyway. With PWAs, folks click on "apps" rather than navigate to URLs anyway.
Additionally, security questions are being phased out as a bad security practice in favour of multi-factor password reset mechanisms, such as requiring users to click a link in their email to then confirm an SMS code which has been sent to their phone.
The whole point of an economy is to economise, as in, to reduce overall cost over time until the product/service is free. Trade is but one vehicle for lowering costs toward the goal of making a given class of product free. Sometimes, breakthroughs mean that entire classes of product go from expensive to essentially free overnight. Personal password management is one such example.
Some clever folks at Stanford invented a solution 15 years ago (called pwdhash) which is super effective, free and doesn't require any passwords to be stored electronically in the first place. It doesn't need any regular maintenance and the algorithm can run on a toaster these days. It has permanently resolved the problem of needing to remember different passwords for every service one uses, you just memorise one master password and that's it. Even if your computer breaks, you're peachy as long as you don't forget that one password. pwdhash clients have been implemented for just about every platform, for free and are easy to install and use.
So why should anybody pay for a password manager when this is a solved problem? Sure, the algorithm might want tweaking one day... but the problem at an individual level is solved.
Don't blame Google. Blame the economy for working as designed. Only sociopaths in suits try to prevent people from making things free as in both cost and freedom.
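The derivation idea behind the pwdhash post above, as an added example that is not the Stanford tool's code: one memorised master password plus the site's domain is turned into a per-site password on demand, so nothing is stored. HMAC-SHA256, the two-label domain rule, the policy fix-up and the per-site generation counter are all assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Constructed pwdhash-style derivation (not the Stanford tool's code):
// one memorised master password plus the site's domain yields a per-site
// password that is recomputed on demand and never stored. HMAC-SHA256 and
// the policy fix-up below are assumptions made for this example.

// siteKey reduces a URL to the domain the password is bound to, so that
// https://login.example.com/ and http://example.com derive the same
// password while evil-example.com does not. Keeping the last two labels is
// an assumption; a real client would consult the public-suffix list.
func siteKey(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return "", errors.New("need an absolute URL with a host")
	}
	labels := strings.Split(strings.ToLower(u.Hostname()), ".")
	if len(labels) > 2 {
		labels = labels[len(labels)-2:]
	}
	return strings.Join(labels, "."), nil
}

// derive returns the site password. generation starts at 0 and is bumped
// only when a site forces a password change; that single counter is the
// one piece of per-site state the scheme cannot avoid.
func derive(master, site string, generation, length int) (string, error) {
	if length < 8 || length > 43 {
		return "", errors.New("length must be between 8 and 43")
	}
	mac := hmac.New(sha256.New, []byte(master))
	fmt.Fprintf(mac, "%s#%d", site, generation)
	tag := mac.Sum(nil)
	// 32 bytes encode to 43 URL-safe characters; take a prefix.
	pw := base64.RawURLEncoding.EncodeToString(tag)[:length]
	// Deterministically end with a digit and a symbol so typical
	// "must contain a digit and a symbol" policies are satisfied.
	digit := rune('0' + tag[0]%10)
	return pw[:length-2] + string(digit) + "!", nil
}

func main() {
	const master = "correct horse battery staple" // constructed example value
	for _, u := range []string{
		"https://login.example.com/session",
		"http://example.com/",
		"https://evil-example.com/login",
	} {
		site, err := siteKey(u)
		if err != nil {
			fmt.Println(u, err)
			continue
		}
		pw, _ := derive(master, site, 0, 16)
		fmt.Printf("%-36s %-16s %s\n", u, site, pw)
	}
}
```

The flip side of storing nothing is visible in `generation`: the moment one site forces a password change, some per-site state has to live somewhere after all.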
KeePass supports three-factor protection alongside not leaving the boundary of devices you control.
Bitlocker (via TPM) means something you have
Biometrics to cover something you are (to unwrap EFS)
Master password to cover something you know
Given that this software is securing all of your credentials to everything else, I think it's worth having the best possible security. That means LastPass is out of the question.
Running your own BitWarden server would potentially make the above possible too though, as you could use your TPM backed with Windows biometrics for an MFA layer for authenticating. In fact, one could use "where you are located" as an additional authentication factor if one never stores a local cache of the keychain... so in that sense, one could make BitWarden run more securely than even KeePass.
If your employer hasn't blocked your ability to do that explicitly in your contract, kindly inform them that you have a second tech job on weekends and then the IP you write on the weekend belongs to your weekend employer, not them. They've accepted that by accepting your second job. Problem sorted.
In my case, I have no employment contract, so contracting myself to a "small startup" couldn't conflict!
IE had integrated Adblock (TPLs) and a means to auto-generate rules, a decent P3P implementation, support for standardised content ratings systems and implemented security sandboxing before Mozilla Firefox ever did. Also, ActiveX was superior to NPAPI and ironically more secure despite what fanboys claimed at the time (PPAPI was ultimately better but that came much later with Chrome).
If Microsoft hadn’t left the core of their Trident engine to rot so badly, it would have stood a good chance of winning the browser wars. Instead, we now have Microsoft Edge and Google Chrome resting on their laurels... maybe it’s time for someone at Microsoft to Make IE Great Again?
When you trigger a file download using Edge in IE Mode as a tab, it runs through Edge's engine not IE's. This includes which cookie jar it uses. So, when you're a sysadmin like me who has to implement seamless support for your security-fixes-only document management system which relies upon ActiveX controls, you need Internet Explorer itself. If you don't, file downloads no longer work as intended because the DMS doesn't see the user as logged in when performing downloads.
Until simple design issues like this are resolved in IE Mode, one needs the compatibility option of having Edge spawn an actual Internet Explorer window for legacy sites. This is to cater for users clicking on links which reference the DMS in emails, to allow Edge to be the default but spawn IE automatically as appropriate.
Thankfully, Microsoft now offers the reverse option of having IE spawn Edge for any websites which have not been whitelisted by GPO, closing off the loophole of people using Internet Explorer to actually browse the Internet through links within the DMS.
A partial hash match relative to the URL you are accessing by implementing this measure. Considering they have iCloud access to your browsing history anyway, this move doesn’t give them any more access to your private data than they had before but does stop Google getting partial match info based on your IP.
Honestly, this change doesn’t improve privacy in any massive way but it doesn’t harm it in any way either.
Intel ME provides IPMI and DRM services for desktops. That's like saying HP iLO, Dell iDRAC or Supermicro SIM are backdoors. These are all features so that people like me can monitor the health of the hardware, add security checks outside of the control of the operating system and remediate problems remotely.
You can disable Intel ME entirely and disable the ME coprocessor if it suits your security model, just as you can use server hardware without IPMI features.
Just make sure the data is digitally signed twice and the connection encrypted.
Firstly, by the legitimate upstream developer, each individual file must be checked for the presence of a signature or the files would be considered tampered with. Pinning could transparently occur upon the first installation of any given package and can be self-signed. This would also allow for tamper-proofing of the application itself post-install. For reference, Microsoft encouraged this practice since Windows 98 with Authenticode. It's embarrassing that modern solutions don't incorporate the basics.
Secondly, the package archive should be signed by the repository owner, so that files can be safely mirrored without risk. Certificates should be manually added to the keychain, just like the situation with RPM/DEB packages on Linux distributions. This has been common for well over a decade in the Linux community, so there's no excuse not to implement and enforce this.
Thirdly, all connections should be TLS-secured with a trusted certificate.
At this point, the developer's legitimate source would have to be poisoned, as well as the trusted repository accepting the changes. Companies like Red Hat, Google and Microsoft could work together to provide a vetted set of releases and charge third parties a very tiny fee for the privilege of access... everyone would be happy.
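The two-layer signing scheme the post lays out (developer signs every file, repository owner signs the archive, TLS on the wire), as an added example that is not any distribution's real package format: the verifier rejects unless both layers check out, so an attacker would need to poison the developer's key and get the repository to accept the result. Ed25519, the manifest layout and the sample file names are assumptions of this example; the TLS layer is assumed rather than modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"sort"
)

// Constructed example of the two-signature scheme, not a real package format.
// Layer one: the upstream developer signs each file. Layer two: the repository
// owner signs the archive manifest. Both public keys are pinned by the client.

type File struct {
	Name    string
	Content []byte
	DevSig  []byte // developer signature over fileDigest
}

type Archive struct {
	Files   []File
	RepoSig []byte // repository signature over manifest(Files)
}

// fileDigest binds content to its name so a signed file cannot be
// renamed into a different role inside the archive.
func fileDigest(f File) []byte {
	h := sha256.New()
	h.Write([]byte(f.Name))
	h.Write([]byte{0})
	h.Write(f.Content)
	return h.Sum(nil)
}

// manifest is what the repository owner signs: canonical order means
// mirrors can serve the bytes without themselves being trusted.
func manifest(files []File) []byte {
	sorted := append([]File(nil), files...)
	sort.Slice(sorted, func(i, j int) bool { return sorted[i].Name < sorted[j].Name })
	h := sha256.New()
	for _, f := range sorted {
		h.Write(fileDigest(f))
	}
	return h.Sum(nil)
}

func signFiles(devPriv ed25519.PrivateKey, files []File) {
	for i := range files {
		files[i].DevSig = ed25519.Sign(devPriv, fileDigest(files[i]))
	}
}

func signArchive(repoPriv ed25519.PrivateKey, a *Archive) {
	a.RepoSig = ed25519.Sign(repoPriv, manifest(a.Files))
}

// verify accepts only when both layers check out. A missing developer
// signature counts as tampering, as the post requires.
func verify(a Archive, devPub, repoPub ed25519.PublicKey) error {
	if !ed25519.Verify(repoPub, manifest(a.Files), a.RepoSig) {
		return errors.New("repository signature invalid: archive altered or unsigned")
	}
	for _, f := range a.Files {
		if len(f.DevSig) == 0 {
			return fmt.Errorf("%s: no developer signature", f.Name)
		}
		if !ed25519.Verify(devPub, fileDigest(f), f.DevSig) {
			return fmt.Errorf("%s: developer signature invalid", f.Name)
		}
	}
	return nil
}

// buildSigned assembles a small constructed archive signed by both parties.
func buildSigned(devPriv, repoPriv ed25519.PrivateKey) Archive {
	a := Archive{Files: []File{
		{Name: "bin/tool", Content: []byte("ELF...")},
		{Name: "etc/tool.conf", Content: []byte("verbose=0\n")},
	}}
	signFiles(devPriv, a.Files)
	signArchive(repoPriv, &a)
	return a
}

func main() {
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	repoPub, repoPriv, _ := ed25519.GenerateKey(rand.Reader)
	a := buildSigned(devPriv, repoPriv)
	fmt.Println("clean archive:", verify(a, devPub, repoPub))
	a.Files[1].Content = []byte("verbose=1\n") // a mirror alters one file
	fmt.Println("tampered file:", verify(a, devPub, repoPub))
}
```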
No need to download anything.
Select the Start button, then select Settings > Update & security > Windows Update > Advanced options > View installed update history > Uninstall updates.
Select the update you want to uninstall, and then select Uninstall.
You’ll need to restart your PC after uninstalling the update because this is Windows we are talking about.
When you go from being a platform leader to being a follower.
* GSuite used to be vastly superior to Office 365
* Android had a massive lead in functionality over iOS
* Google's communications tools used to be best-in-class
* People used to widely contribute to Google projects
These days, it is like all the decent, passionate employees have left and been replaced by the same money-grabbing, soulless folks who used to slave away for Microsoft in the early 00s.
I've had ChromeOS devices and I can confirm they stay snappy and don't "degrade" like with proper computers. However, Chromebooks have short lifecycles, where updates and support have historically ended as little as 5 years from the date the product hit the market.
If you want a cheaper and better experience, you can use Neverware Cloudready to get a longer lifecycle and equal performance from ordinary laptops. It's Chromium OS and it's free for home users.
Non-current minor releases don’t get security updates backported because CentOS doesn’t include EUS errata. Without EUS, holding off on a minor point release means no more errata whatsoever. That’s why people have their repos set to 7 and not fixed to a given point release, so they get the latest patches when they are available, precisely because patches are NOT backported to non-current point releases on CentOS in the default Base repositories.
So let me reiterate: How many people running servers would delay switching from say 7.1 to 7.2 and risk compromise?