* Posts by claimed

191 publicly visible posts • joined 8 Jan 2021


Europe wants easy default browser selection screens. Mozilla is already sounding the alarm on dirty tricks


I can’t speak for frameworks in general, or libraries in use, but React doesn’t, and neither does the “ootb” basic app: https://create-react-app.dev/docs/supported-browsers-features/

You just change the browser list to the list that you’re testing against…

If you’re updating your app and not regression testing then that’s on you. If you’re not testing legacy browsers and are annoyed that you have to fill out a list, then just use a “*” policy, as you’re just chucking it over the fence anyway; if you’re not testing every single browser and are happy to please most people, then that is exactly what the defaults are doing by only allowing recent versions of Chrome…

I don’t see the issue, which explains my downvotes!


React (thanks Facebook) and other component-based frameworks should make this super easy, as you can then encapsulate your widget and check it’s cross-browser, and not worry about it later. This significantly reduces the burden of testing. I know JS slows sites down and all that, but honestly this plus TypeScript is an amazing step forward in my opinion. Sure, you still need to test and try to keep the bloat down, but the trade-off is very acceptable to me as both a user and a developer

UK-US data deal could hinge on fate of legal challenges to EU arrangement


Re: Sharing.....but then there's what get shared!

Wow, great point. Your doctor does this?

Apple races to patch the latest zero-day iPhone exploit


Re: improved logic

Could it not also be:

logical and not acting as intended, or illogical but acting as intended?

You know, logically speaking


Re: I agree

Fast forward to where Apple flings about millions of dollars for someone detecting a flaw.


Bad guy now has the choice of getting a million bucks and “helping America”, or less and hurting “America”. Can you not envisage a scenario where this might still allow for zero days…?

Human motivation, while closely tied to money, is not exclusively so

Local governments aren't businesses – so why are they force-fed business software?


Re: It was only after the implementation began that they revealed that they couldn't.

A requirement of: displays report with metric X (defined as sum of records Y) and ability to filter by a, b, c


User works in department D, and is responsible for providing reports on constituents, for example existing reports are {blah blah}.

To me, a user story is an overview of business requirements. Much better than technical requirements. Give me business requirements, I’ll give you a technical spec I think will cover it and an estimate. We can then prioritize and work on technical features.

Why the fuck should users define requirements, it’s utterly bizarre. Working with people like this is like working with a bunch of Vogons

What happens when What3Words gets lost in translation?


OK, I knew the bit about adding up to 11 but not the transpose bit; that’s interesting.

Thing is, I’m not using checksums, my phone or computer is.

Possible !== Appropriate

The reason w3w exists is *because* it’s hard to relay numbers for GPS coordinates between people, especially under stress. The other systems are used by people in the military who are trained to deal with stress.

I appreciate the detailed and accurate argument but I am not convinced


I thought I heard Morgan Freeman say the universe was 15.8 billion years old and was incredulous. Had to rewind. He said 13.8.

Numbers don’t get transmitted flawlessly either.

Yes, people get confused. This is not newsworthy. If I ring 999 and say “help, I’m stuck on Snowdonia” but my w3w location is London, don’t send the ambulance to London without question.

w3w is a great tool, on top of other ways we use to communicate location. We’re not computers and there is no unambiguous way to communicate “I’m next to the tree” to another human. What might be interesting is response times and success rates for emergency services where w3w was used vs where it wasn’t. You can’t talk on false positives without looking at actual positives too. “Sometimes seatbelts fail, so we should stop using them and then come up with a better system”… come up with a better system, then we’ll talk about retrofitting.

Once w3w does the Google Maps bit and lets you save an area of map, the offline argument is also moot. It’s already almost moot, as if I can get a phone signal I can probably get data… except of course in places like Snowdonia!

FBI-led Operation Duck Hunt shoots down Qakbot


Re: Good

Yeah, kinda, because I don’t think they blew up, and they were also on foreign soil and in violation of ‘international law’. Not the same as redirecting traffic and installing executables on domestic servers.

I’m glad they did it in this instance, but now there is a precedent for “we don’t like this software, we will remotely terminate it - cos judge”. Think about peer to peer networks, mirrors, or software updaters for e.g. Huawei



But the precedent is terrifying under a certain light

Arm reveals just how vulnerable it is to trade war with China


Re: Between morphing US regulations and RISC-V

OK. So what now? It’s been known to be happening (both sides, come on) and this was the best response the West could come up with?

Unless we’re going to war over every minor infraction (no thanks), it’s just how life will go.

So now what, sit back and expect to be paid for old secrets?

I think this infinite growth and protectionism has a limited shelf life, and I don’t think there is any point complaining about IP theft. Keep moving.

Fauna Query Language tamed to appeal to developers


I do wonder

How many people, now, “used to work at Twitter/Google/Amazon/etc”…

I don’t really see that as a credential, frankly. Well done on the paying users but I’m unconvinced what we need is another frigging DB.

Oh my god, you’ve automated indexes? Mind blowing.

How about instead of scaling “easily”, we aim for scaling “efficiently”? It’s not a selling point to say “if you want it to run faster, just throw some more money down the hole!! Look what we learned at Twitter, cool right?”

Resilience is overrated when it's not advertised


Re: Proper resilience

Should call them mirrors, x and y

Using 1, 2 or a, b still implies preference but x and y are pretty much neutral. Actually, even more fun: b and d!

Sextortion suspects on trial after teen victim dies from a self-inflicted gunshot wound


Re: Modern Yoof Culture

Further side point, we used abbreviations for SMS because we were billed by the letter… it wasn’t cool it was necessity. I remember receiving texts from friends written in full English and thinking “wow, they must be loaded”

No fucking clue why they are still doing it; I asked my niece and explained the context, and she was like “oh I didn’t know that’s why…”, but still couldn’t explain why she does it

Infosec imposter syndrome is real. Here's something that can help


Hunger is essential

To feel satisfied is to die.

That is all I have to say on this topic (…for the moment, later I will no longer be satisfied with this comment)

CLI-beautifying ANSI escape sequences can also make your log files a security threat


Re: Seriously, who doesn't just load log files into a boring old programmer's editor

Or ‘cat -v’, right?

Orkney islands look to drones to streamline mail deliveries


Re: Yeah, bad weather is a problem

What is up with those units? No idea what any of that means

How many Olympic sized swimming pools?

Millions of people's data stolen because web devs forget to check access perms


Re: Is it a database design problem?

This isn’t as clever as you think, I’m afraid…

If multiple users need to be able to see the same data, what do you do? Duplicate data everywhere? Now you have issues with source of truth, increased database size, performance etc

Your critique was you would need extra code to check permissions, but now you need lots of code to do lots of different things AND you’ve got a more denormalized database. Bugs galore…

In general, if you think you’ve thought of a solution to a widespread problem - and your solution is simple - and you have not spent several years trying other solutions: you’re probably not on to a winner.

You’ll end up revising your data model to a permissions table M:M, and then want to optimize those out and end up with something like… an access token! Back to square one

Aliens crash landed on Earth – and Uncle Sam is covering it up, this guy tells Congress


Re: Millions of Parsecs

Mmmm… at the moment we think that, but only because our current calculations are based on c being constant, and we’ve used that to define time. Which is why it’s confusing if you only change half the equation… now, I’m definitely not saying that is not correct, Einstein was pretty clever and I got a 1st in General Relativity at Uni so hope I understand the maths… But you can’t say causality itself is broken by FTL, especially when that same argument was attempted with the “twins paradox” and Special Relativity. We’re only talking about maths, and it may be that General Relativity is to (the next thing) as Newtonian Mechanics is to General Relativity… That is, a more precise calculation. It would be a bit sad if Einstein has nailed it and all we’ve got left to learn is biology ;)

Google's next big idea for browser security looks like another freedom grab to some


Re: What about Selenium?

See also UIPath, which will use an unmodified browser quite happily, thanks. I’ve used this where Selenium didn’t work, as it doesn’t require (though supports) using the DOM. You can just record the layout of the website and click in exact locations with conditions etc. :: is this my bullshit ad? Yes, click

It's 2023 and memory overwrite bugs are not just a thing, they're still number one


Re: Buffer overrun? still?

Look, if this is still being used in 20 years then we’ve got bigger problems.

Look, I’ve left out the code to do sanitization so remember to wrap this in a sanitization function, but this should do what you want.

Look, this code base is crazy interdependent so don’t touch anything unless it’s broken, just pop a new module on the side to add functionality :)

Look…. etc

Now Apple takes a bite out of encryption-bypassing 'spy clause' in UK internet law


Re: False Alarm

Sure but it would last longer than most people’s attention span and all come together once people forget about it


Re: The next law...

Actually brilliant. I vote this for most underrated commentard joke of the year

Rocky Linux claims to have found 'path forward' from CentOS source purge


I would imagine they just terminate updates? So

You’ve got the source - *check*

No punitive action taken based on existing version (support until end of life or contract), *check*

No updates…

Seems airtight to me: if you’re an organization trying to build derivatives, you have to play fake-account games to keep getting updates (which will get stopped fairly easily). If you’re not, then no harm. All seems totally fair, if I’m honest. “Here’s the code for what you’ve bought, give me a shout if you have issues, no I won’t help you if you’ve sold this to someone else and they have questions, they can come to me”

So, unless they terminate support for existing version before prior agreed EOL, I think it’s fine and makes sense…

Small custom AI models are cheap to train and can keep data private, says startup


Who’s paying for this? If you’ve got $500k to whack out for 10 mins of work, let’s assume you’ll get utility from a trained model for 5 years?

That’s still one pretty decent person on a reasonable wage for 5 years… how many people can you actually replace with these as a normal enterprise? These hallucinate, need curating, can’t be trusted… These are about as good as interns!

Am I completely stupid for thinking this way? I find ChatGPT useful, a bit, for ~one task a week (write me a JS function that does this, no not like that, like this… No it will work just use this function…)

Assuming it will get better, it is still not replacing me anytime soon

Google has blocked in its in-car software rivals, claims German watchdog


Re: I don't get it

Tesla have a bunch of apps shoehorned in, as sensors are added I would imagine automakers would want at least a consistent view. BMW won’t want the same parking sensor animation as a Ford, for example. Seats, windows, fuel, battery etc never mind apps or games (why? No idea but they will be there)

Maps and parking camera are just the start, at some point people will find themselves trying to decide between two cars and the infotainment system will swing it

Decision to hold women-in-cyber events in abortion-banning states sparks outcry


Re: Mixed Feelings

I accept the correction; it doesn’t alter my opinion, too many comments in response to me reinforce it


Re: Mixed Feelings

Thanks! Toe fungus is going to stick in my mind from now on :D


Re: Mixed Feelings

“these laws take away every woman's rights, whether they're directly affected or not.”

Yes, this is my point

This thread nicely indicates that by talking about other issues, we can’t discuss this one properly, and how it’s relevant to the conference. From the rest of your post it seems apparent that you didn’t actually see that this was my point. My failure to communicate, but this is emotive stuff so I understand. As I say, lots of valid things to object to, but I don’t think we should expect the cost/benefit analysis for boycotting a state to have been in any way affected by the LGBTQ laws if the abortion laws weren’t enough. So interesting question for me is why that wasn’t enough, rather than discussing how they also didn’t boycott because there are 500 smaller reasons


Re: Mixed Feelings

I have enough money to buy one child a train ticket out of Nazi-land but I shouldn’t do it because there are thousands of children who need to get out, to be fair I should give them all one penny/cent/whatever.

I was complaining about the article; there’s already enough to object to in this instance, we don’t need to object to everything all at once, it makes it hard to win an argument. So, actually in favour of paying attention to minority concerns but suggesting this approach is unhelpful. Continue assuming I’m an idiot though, by all means


Mixed Feelings

Not sure lumping LGBTQ laws in with abortion access is sensible. One affects ~50% of the population… the other is a tiny (valid and I have no beef) minority.

It’s just a different league of fuckery; conflating the two helps confuse people who haven’t thought about it that it’s a minority of women who are affected by Roe vs Wade.

Is the story that this woman’s conference isn’t standing up for every other minority? I don’t really expect them to… frankly, I don’t expect them to split their funding across every individual in society and advocate for them all…

50% ain’t a minority though

Cue downvotes, but there you go, that’s my comment

UN boss recommends nuclear option for AI regulation


Re: Too little, too late.

Going to hazard a guess… pretty much where we were 10 years ago, cos that’s where we are now folks

Microsoft finally gets around to supporting rar, gz and tar files in Windows


Re: I am not convinced

I’m a developer, at times, know what I want?

Less fucking distractions, and more available RAM for my actual applications. Shut up Teams and stop eating 4 fucking GB while you’re sitting there doing nothing, I can’t open a fucking browser tab.

Literally can’t code, browse, and be “available” at the same time, with 16GB of RAM. A joke. Bye Teams… I’ve got work to do

Python Package Index had one person on-call to hold back weekend malware rush


Re: Hacker tolerance

So the government should pass some kind of law against the misuse of a computer? Once we have such an act of parliament (or equivalent in your country), this will solve hacking? Are you sure…


Or do you mean the government *should* implement a country-wide network filter, inspect all traffic, and shut down anything that it chooses to label as “hacking”/“bad”…

I didn’t downvote but I don’t understand what you’re advocating here


Re: Difference between PyPi and NPM?

Depends on how you configure your web app. You can deploy a web app that doesn’t do this, and I wasn’t aware you could do this TBH - don’t know why you would want untested code delivered straight to end users! My understanding is npm wouldn’t do this by default as you can tie yourself up in knots with dependency chain hell.

You can also use the “package.lock” file for npm to specify specific package versions.

Whenever I’ve used this I’ll bundle the whole thing and deploy a static set of packages assembled at build time

Ransomware corrupts data, so backups can be faster and cheaper than paying up


Re: "Cybersecurity" -- A Popular Meme For Our Time!

I’m using a roll-your-own process for home stuff…

Boxes dial into the backup server over SSH and open a tunnel, using a useless user with no terminal etc

The backup server pulls data from the devices using rsync through the open tunnel, and then a hard link copy is performed to snapshot, so if the files change I get a new file, but if not I only have a new hard link reference, so backup size doesn’t go up for these snapshots. Restoring is just another rsync command through a pipe.

Only thing I need to do is manually add ssh keys to the backup machine when I add a new device. Unless they get into the backup server directly, seems to work nicely, but I’m yet to be hit with a ransomware attack at home to test this…

‘cp -al’ for the incremental/immutable trick
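The rsync plus `cp -al` snapshot chain described in the comment above, as an added example that is not the commenter's own script: each new snapshot is seeded with hard links to the previous one, then rsync overwrites only what changed. The layout (BACKUP/<name>/ plus a BACKUP/latest symlink) and the sample files are constructed for the demo. One caveat worth knowing: the scheme only keeps old snapshots immutable because rsync writes a temp file and renames it over the link; `rsync --inplace` (or a plain `cp` over a linked file) writes through the link and rewrites every older snapshot too.

```shell
#!/bin/sh
# Added example (not the commenter's own script): hard-link snapshot backups
# with `cp -al` seeding and rsync syncing, run on a constructed source tree.
# Assumed layout: BACKUP/<snapshot-name>/ plus a BACKUP/latest symlink.
set -eu

# Sync FROM into TO so that unchanged files keep the hard link they share with
# the previous snapshot while changed files get a fresh inode. rsync does this
# by default (temp file + rename); `--inplace` would write through the link and
# silently rewrite the older snapshot as well. The fallback for hosts without
# rsync copies only files whose bytes differ, unlinking the destination first
# for the same reason.
sync_tree() {
  from="$1"; to="$2"
  if command -v rsync >/dev/null 2>&1; then
    rsync -a --delete "$from/" "$to/"
    return
  fi
  ( cd "$from" && find . -type f ) | while IFS= read -r f; do
    mkdir -p "$to/$(dirname "$f")"
    if ! cmp -s "$from/$f" "$to/$f"; then
      cp -a --remove-destination "$from/$f" "$to/$f"
    fi
  done
}

# snapshot_backup SRC BACKUP NAME: create BACKUP/NAME, seeded from BACKUP/latest.
snapshot_backup() {
  src="$1"; backup="$2"; name="$3"
  mkdir -p "$backup/$name"
  if [ -d "$backup/latest" ]; then
    # `cp -al` links every file instead of copying bytes, so the new snapshot
    # costs only directory entries until a file actually changes.
    cp -al "$backup/latest/." "$backup/$name/"
  fi
  sync_tree "$src" "$backup/$name"
  rm -f "$backup/latest"
  ln -s "$name" "$backup/latest"
}

# Constructed demo: two backup rounds with one file changing in between.
# Returns 0 when the unchanged file is shared and the changed one is not.
run_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src/etc"
  printf 'static config\n' > "$work/src/etc/app.conf"
  printf 'v1\n' > "$work/src/notes.txt"

  snapshot_backup "$work/src" "$work/backup" snap1
  printf 'v2, now longer\n' > "$work/src/notes.txt"
  snapshot_backup "$work/src" "$work/backup" snap2

  ok=0
  # unchanged file: both snapshots point at one inode (-ef = same device+inode)
  if ! [ "$work/backup/snap1/etc/app.conf" -ef "$work/backup/snap2/etc/app.conf" ]; then ok=1; fi
  # changed file: separate inodes, and snap1 still holds the old content
  if [ "$work/backup/snap1/notes.txt" -ef "$work/backup/snap2/notes.txt" ]; then ok=1; fi
  [ "$(cat "$work/backup/snap1/notes.txt")" = "v1" ] || ok=1
  [ "$(cat "$work/backup/snap2/notes.txt")" = "v2, now longer" ] || ok=1
  rm -rf "$work"
  return $ok
}

run_demo && echo "snapshot chain behaves as expected"
```

Restoring is the same operation in reverse (rsync from BACKUP/<name>/ back to the host); the pull-over-SSH and restricted-user parts of the comment's setup are left out here, since they sit in sshd and key configuration rather than in this script.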

NASA tests bot built to slither across, and beneath, alien worlds' ice


Avoid LOS

Lots of testing in glaciers and mountains is the only way. “Get out of that one!”

YouTube's 'Ad blockers not allowed' pop-up scares the bejesus out of netizens


This will be a fantastic lesson in just how little people give a fuck about the ‘content’. The only reason we go there is it’s “free”

There is plenty of margin to be had with less intrusive adverts when the users flock from YouTube to the next platform.

I can easily cut YouTube out, it’s literally a last resort for entertainment as most of the videos are crap or have some dickhead talking over the top of the original clip I want to watch

No way will I pay. Once in a blue moon there is a must-watch, or I need to watch something for work: fine, sit and wait, or be paid by my employer for that. On my time? Next!

Don't turn it off and on again: Expired Cisco cert cripples vEdge SD-WAN kit


If you’re a device or software producer, please start rejecting certificates 3 months before expiry, then include a bypass which will get you to ACTUAL expiry with a config setting (which can’t be put in early, so disable this on startup or something).

That should give you and your customers some recourse in these events. Yes, it means writing a couple of extra lines of code, and there might be better ways, but this way is better than nothing!
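One way to put the suggestion above into a check, as an added example that is not from the article or the commenter: accept the certificate while it is more than 90 days from expiry, refuse it inside that window unless an operator bypass is set, and never honour the bypass past the real expiry. The 90-day window, the `cert_status` and `make_cert` names, and the self-signed demo certificates are all constructed here; the "can't be put in early" part of the suggestion would map to clearing the bypass at boot, which this demo only models as a plain argument. It relies on `openssl x509 -checkend`, which exits non-zero when the certificate expires within the given number of seconds.

```shell
#!/bin/sh
# Added example, not from the article or the commenter: early certificate
# rejection with an operator bypass that cannot outlive the real expiry.
# Names (cert_status, make_cert, EARLY_DAYS) and the demo certs are constructed.
set -eu

EARLY_DAYS=90   # assumed policy: start refusing this many days before expiry

# cert_status CERT_PEM [BYPASS=0|1] -> prints ok | rejected-early | bypassed | expired
cert_status() {
  cert="$1"; bypass="${2:-0}"
  # -checkend N exits 0 when the cert is still valid N seconds from now,
  # so -checkend 0 is a plain "has it expired yet" test.
  if ! openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
    echo expired; return 0            # bypass never applies past real expiry
  fi
  if openssl x509 -checkend $((EARLY_DAYS * 86400)) -noout -in "$cert" >/dev/null 2>&1; then
    echo ok; return 0                 # comfortably outside the window
  fi
  # inside the early-rejection window: refuse unless the operator opted in
  if [ "$bypass" = 1 ]; then echo bypassed; else echo rejected-early; fi
}

# make_cert DAYS OUT_PEM: constructed self-signed cert valid for DAYS days
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj /CN=demo-device \
    -days "$1" -keyout "$2.key" -out "$2" >/dev/null 2>&1
}

# Constructed demo: one cert with a year left, one with only 30 days left.
run_demo() {
  work=$(mktemp -d)
  make_cert 365 "$work/long.pem"
  make_cert 30 "$work/soon.pem"
  printf '%s %s %s\n' \
    "$(cert_status "$work/long.pem")" \
    "$(cert_status "$work/soon.pem")" \
    "$(cert_status "$work/soon.pem" 1)"
  rm -rf "$work"
}

run_demo   # prints: ok rejected-early bypassed
```

The point of the window is that "rejected-early" fires while the certificate is still valid, so the operator sees the failure in a state where a normal renewal still fixes it, and the bypass buys time up to the real expiry rather than past it.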

Shopify sees $1.5B loss turn into $68M profit, celebrates by firing 20% of staff


Jobs AI can do?

No more jobs generating factually questionable bullshit?

I’ll believe that when I see it ;)

Apple, Google propose anti-stalking spec for Bluetooth tracker tags


Anti theft

As always there is a white hat version. Hopefully the spec allows for some kind of “you were near this Bluetooth thingy recently, its owner says it is on a stolen item, click to report” baked in, without a custom URL, so that you can still slip a tracker into a bag/motorcycle and hope it goes past a Good Samaritan and not just the thief. It’s then also evidence against a stalker if you accidentally report theirs, all cloudy and that

Otherwise it’s the end of “thieves stole my X, police did nothing, I found it” stories

Microsoft is busy rewriting core Windows code in memory-safe Rust


The problem is programmers are human. Smart, capable, professional humans who knew their algorithms were implemented perfectly, were wrong. Array bounds overflows occur, and companies get hacked.

It seems like you’re promoting your own library, that you wrote, which has not been audited, battle tested or accepted by anyone else. Recommending that global companies use your random tool vs Rust is arrogant and very very likely to be a worse or incomplete solution - please see: don’t roll your own crypto.

Submit a pull request to some major repositories, set up a website illustrating the use of your tool, and when that’s accepted you’ll get global recognition and people will ditch Rust in favor of your superior solution. A YouTube video and a PhD does not put you anywhere near the Rust Foundation in terms of capability, correctness or trustworthiness at this point


Re: This doesn't mean you should convert your app to rust


Few people RTFM. So give them Rust, pay them 30k and my credit card info will be waaaay safer than doing the same in C.

Refute that.

They won’t be using unsafe Rust if they haven’t RTFM, will they. They will be using unsafe C UNTIL they RTFM.

Welcome to the modern world, programming is not done by expert ninjas, we ain’t fixing that but we can make their nunchucks out of foam, so let’s do that.

I would also like foam nunchucks as I am accident prone, sleep deprived and distracted, from time to time


Yes, pedantic and also wrong.

Show me the bit on your Venn diagram where safety falls outside correctness… that’s a bug

If the only argument is it’s inefficient, then come up with something better and we’ll use that. We’re not talking pen and paper vs computer, we’re talking one computer vs a slightly slower one….

I cannot see the position you’re taking, our perspectives are so different. This is credit card info, nudes, real people’s lives, not a fairy land of neat and tidy theory.


Oh, another one!

Correctness FIRST.

Runtime checks on arrays/vectors are done to prevent Array OUT OF BOUNDS bugs, you know, those rarely heard of, once in a blue moon mistakes that have no impact…

If you’re indexing an array using a variable that you’ve set at runtime, you have to check the array size at runtime, not compile time.

Yes, please give me a “performance hit” and stop me causing a great big security incident

It’s actually super obvious now it’s been pointed out, hey?


Re: This doesn't mean you should convert your app to rust

Correctness FIRST. Performance is nice, please see Spectre and the fact that CPUs are a biiit faster than they were in the 80s.

Runtime checks on arrays are done to prevent Array OUT OF BOUNDS bugs, you know, those rarely heard of, once in a blue moon mistakes that have no impact…

Cool complaint bro

Eric Idle tells infosec world to always look on the bright side of life


This is how you save Twitter

He’s on to something! Give Tesla owners a blue tick.

Instant verification of Id and why ask for $11 when you can ask for $50k

Wrong time to weaken encryption, UK IT chartered institute tells government


Re: Whose Encryption Might Be "Weakened"?

Doesn’t affect me so I don’t care?

That is childish, and foolish in the extreme. There are a lot of reasons someone so *clever* as you should care:

1) If you find yourself in a society where encryption is banned, and you’re one of the only ones not sending plaintext, you’ll be very easy to see, and as only criminals and kiddie fiddlers would need to, you may find yourself having trouble explaining what you were doing, with no way to prove innocence.

2) You might have friends or family who are harmed by personal, formerly thought to be private communications made public or used for blackmail or ransom

3) Once this is allowed, it’s very easy to extend the powers by just saying “look we already do this here and here and it’s fine, so yes we’re going to scan every electronic device and find those creeps still hiding”, at which point you’ll need to up your game and start writing your own firmware and trusting your counterparts are doing it correctly too, because you will not be able to trust your devices as they come, regardless of software

4) Yellow stars - have some compassion, it’ll probably put you on the right side of history

Three quarters of UK tech pros are ready to leave their jobs


Skills shortage

There is a skills shortage in the same way there is a shortage of professional footballers

Plenty crap, plenty good, but the good ones you have to pay more.

Don’t like that? Stay in the lower leagues with the rest of the cheapskates then

British govt tech supplier Capita crippled by 'IT issue'


Re: further pedantry ...

Consider yourself indulged ;)

I’m happy with your logic but I still don’t agree it makes *more* sense to use pants rather than trousers, they’re just different words. Not sure I know enough about the etymology of pants, pantaloons, pantyhose etc to know which came first and is more justified, and I am fine with sidewalk making sense but it’s also not *more* sense than British term. Upvoted nonetheless, also a Brit