* Posts by Michael Wojcik

12269 publicly visible posts • joined 21 Dec 2007

Google ads from the po-po can prevent vengeful gamer nerds going full script kiddie – research

Michael Wojcik Silver badge

Re: "between 30,000 and 50,000 such attacks every day"

Yes, though I suspect it's a rather small fraction of total online gamers. Can't be bothered to try to accumulate the statistics.

Personally, there are thousands of things I'd rather do than play games with strangers, but to each his or her own. I can't see any objective reason for calling it a less valid social activity than any other.

Michael Wojcik Silver badge

Re: Other uses

Actually, this seems to me like a great way for them to waste their money. I'm all for it.

(Don't porn sites themselves typically carry advertising? I'm assuming they aren't all funded by direct subscription and/or malware.)

Michael Wojcik Silver badge

Re: We're watching you 24/7

Agreed. If the kids are going to use search engines that serve targeted advertising, and they see ads that say "hey, buying these services is illegal", I don't see any incremental harm.

It's like if 2600 had carried advertisements, and AT&T had taken out an ad that said "phone phreaking is against the law, dudes". Or Phrack printing an ad pointing out that distributing malware is illegal.[1] Or those "the FBI, Interpol, and Santa Claus will kick your ass if you even think about copying this crap film" notices that have been slapped onto video recordings since Sony v Universal.

[1] If Phrack carried advertising, of course. PoC||GTFO has ads, but they're old-timey ads that Laphroaig et al clip out of old computer magazines and the like, not actual paid advertisements.

ATTK of the Pwns: Trend Micro's antivirus tools 'will run malware – if its filename is cmd.exe'

Michael Wojcik Silver badge

Re: It's nearly 2020 ...

Whoosh.

Michael Wojcik Silver badge

Locations, probably yes. Those haven't changed since NT4, as far as I remember.

Checking the size is pointless. If an attacker has overwritten the files in their canonical locations, it's already Game Over. The attacker has scope to cause all sorts of damage.

What Trend should do is check the signature, except cmd.exe and regedit.exe aren't signed, just like most of the software Microsoft ships. I have no idea why not; they promote Authenticode to VARs and provide (admittedly clumsy) tooling for it. There have been problems in the past with expiring signatures, but Authenticode has supported timestamping for years. And some MS binaries are signed - like the debuggers in the Debugging Tools for Windows package.

Or, better, anti-malware software shouldn't execute cmd.exe and regedit.exe. Why the hell does it do either of those things? Looks like injection vulnerabilities just waiting to be found.

No one would be so scummy as to scam a charity, right? UK orgs find out the hard way

Michael Wojcik Silver badge

Who would, you ask?

Being a charity is not a defence against fraudsters.

Like, oh, the current US President and his family. But why quibble over stealing money from kids with cancer?

Michael Wojcik Silver badge

Re: Charities are a fraud

the hard work in the private sector is earning the profit

As evidenced by how many high-flying private-sector companies consistently fail to do so, I suppose. Doesn't seem to hurt the compensation of their officers, though, so I'm not sure the cited argument holds.

A History of (Computer) Violence: Wait. Before you whack it again, try caressing the mouse

Michael Wojcik Silver badge

Re: The tine of a forklift wielded like a scalpel

"Talk amongst yourselves. I'll give you a topic. The Phalanx XR-12's floppy disks are neither floppy, nor disks. Discuss!"

How does £36m sound, mon CHERI? UK.gov pumps cash into Arm security research

Michael Wojcik Silver badge

Re: Money for old rope.

Yes, capability architectures have been done before. That doesn't mean there's no scope for additional research, particularly into a capability architecture being added on top of an existing ISA. Or into performance, for that matter, which remains one of the big practical issues with capability architectures.

Benz invented an automobile powered by an internal combustion engine, so we should have just stopped research into that area there, eh?

Michael Wojcik Silver badge

Re: Have I got this right?

Competing agendas going in circles?

I don't see the competition in this case. Some people in government want CPUs that offer stronger protection against various types of invalid-access vulnerabilities.[1] Other people in government want encryption backdoors.

Those are both IT security issues, but so is everything in IT, at a sufficiently high level of abstraction. And these two are not directly opposed in any but the most general, ideological sense. The backdoor proponents favor introducing one particular, narrow class of vulnerability. They aren't necessarily in favor of others.

[1] Capability architectures typically mean better protection against stack and heap smashing, and against reading sensitive data that the current unit of execution shouldn't have access to.

Guess what's on the receiving end of more NASA dollars for SLS?

Michael Wojcik Silver badge

Re: 2024...hmm...Trumps 3rd term??!

Even holding moral qualms aside, I would really prefer we not make a martyr out of the Cheeto-in-Chief, thanks.

Michael Wojcik Silver badge

Re: 2024...hmm...Trumps 3rd term??!

And, of course, impeachment does not remove someone from office. Impeachment and conviction do. And conviction is in the hands of the Senate, which is far friendlier to both Trump and Pence than the House is.

That said, I don't see anything in the Constitution which prevents the House from impeaching both the President and the Vice President in separate Articles of Impeachment at the same time, or in overlapping periods; or which prevents the Senate from convicting both of them more or less simultaneously. Certainly a hostile Congress could impeach and convict the President, then refuse to confirm a new Vice President until the VP had also been convicted. In short, as far as I can tell, it's possible that the impeachment process could be used to elevate the Speaker, or anyone else in the line of succession, to the presidency. It's just vanishingly unlikely.

I discovered the world's last video rental kiosk and it would make a great spaceship

Michael Wojcik Silver badge

Re: Kiosks live in the States

Yes. I've never used them myself, but they seem to be very common - I know of some in both of the places where I have homes (Michigan and New Mexico), and I've seen them elsewhere on my travels.

The history is a bit curious. Redbox was originally funded by McDonald's to sell a variety of products, but when McDonald's discontinued that business the company switched to DVD and video-game rental. Redbox tried to interest Blockbuster and Netflix in their business, but ended up being acquired by Coinstar, which runs change-collecting kiosks in grocery stores. Redbox eventually picked up Blockbuster's kiosk business.

Apparently they tried to expand into Canada, but demand was too low. It seems the US market is unusually strong for physical movie / game rental. According to Wikipedia, rental sales did drop significantly over the past few years due to streaming, but are still reasonably robust.

Help! I bought a domain and ended up with a stranger's PayPal! And I can't give it back

Michael Wojcik Silver badge

Re: Or

Perhaps he lives in a railway car.

A spot of after-hours business email does you good, apparently

Michael Wojcik Silver badge

Re: Ditto

why do you feel you owe the company free labo(u)r in the first place?

I don't. I'm salaried, not paid hourly. I'm paid to Get Things Done, and in my opinion, I'm paid very well for that. None of my labor for the company is free; our agreement is I do things for them, and they give me money and benefits in return.

Shirley 40 hours/wk is enough out of any employee

I'm not paid to work a set number of hours. I work when I want, and I do what needs to be done, and we're both happy with the result.

Michael Wojcik Silver badge

Re: maintaining awareness

I demand flexible working from my employer, it's reasonable to be flexible in return.

I like the flexibility to read email whenever I get the urge. Sometimes I want to work late at night. Sometimes when I'm on holiday I get curious about what might be going on, and decide to spend half an hour browsing through the conversations. Other times I don't, but it's my decision, not that of some nanny state or self-appointed expert on "work-life balance".

Michael Wojcik Silver badge

I've never understood this attitude. I'd much rather read the 500 emails. I may not respond to the vast majority of them, but I'd rather know what they were about than bask in ignorance.

Michael Wojcik Silver badge

Wouldn't that have meant that on the times you checked and saw things were really bad, that you would spend the rest of the evening worried about it

Depends on the person, I suppose. I wouldn't have worried about it. No point in worrying about things I can't, or don't intend to, address now.

Welcome to the World Of Tomorrow, where fridges suffer certificate errors. Just like everything else

Michael Wojcik Silver badge

You don't have wine on tap at your house? That's pretty standard here in the US.

Michael Wojcik Silver badge

Chrome (and other Chromium-based browsers) and Firefox (and other Mozilla-based browsers) attempt to detect "captive portal" login pages, and show the "you may need to log in" message rather than the certificate-mismatch alert. I haven't investigated how their captive portal detection works.

Presumably, if the user allows the redirection to the portal's landing page, but the landing page doesn't have a certificate that matches the redirection URL, then you'd get a certificate-mismatch alert.

So: User requests a site over HTTPS. Portal detects user is not signed in and redirects (by DNS or IP) to the portal server, which attempts to respond with an HTTP redirect to the landing page, with a certificate for the portal (probably with either a DNS SAN for the portal's FQDN, or an IPADR SAN for the portal's fixed IP address). Browser sees the certificate validation failure but decides - somehow - that it's probably a captive portal.[1] Browser shows the "proceed to login" prompt; if the user accepts, it processes the HTTP redirect and validates that TLS conversation normally.

[1] I can think of some heuristics I might use here, some of which require allowing the connection and examining the untrusted response.
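An added illustration of the kind of heuristic the footnote above alludes to; this is example code, not the poster's and not taken from any browser. The usual approach is to side-step the certificate problem entirely: send a plain-HTTP request for a URL whose answer is known in advance, then classify the untrusted reply. A portal can forge or redirect plaintext HTTP, but it cannot present a valid certificate for the name the user actually asked for, which is why the probe runs over HTTP while the user's page is HTTPS. The probe URL, the expected body and the three sample responses are constructed for this example.

```python
"""Captive-portal probe classifier (added example; constructed samples).

Models the plaintext-probe heuristic: fetch a URL whose response is known
in advance over plain HTTP, and treat a cross-host redirect or a substituted
body as a captive portal. PROBE_URL and EXPECTED_BODY are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlparse

PROBE_URL = "http://probe.example.invalid/success.txt"   # assumed endpoint
EXPECTED_STATUS = 200
EXPECTED_BODY = b"success\n"
REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Verdict:
    state: str                      # "online", "captive" or "blocked"
    portal_url: Optional[str] = None


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], bytes]:
    """Split a raw HTTP/1.x response into (status, lowercased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return status, headers, body


def classify_probe(raw: Optional[bytes]) -> Verdict:
    """Decide what the network did to the probe. raw is the untrusted
    response bytes, or None if nothing came back before the timeout."""
    if raw is None:
        return Verdict("blocked")
    status, headers, body = parse_http_response(raw)

    # Exact expected answer: nothing on the path tampered with plaintext HTTP.
    if status == EXPECTED_STATUS and body == EXPECTED_BODY:
        return Verdict("online")

    # A redirect to some other host is the classic portal signature; the
    # Location header is what the "proceed to login" prompt would open.
    location = headers.get("location")
    if status in REDIRECT_CODES and location:
        if urlparse(location).netloc.lower() != urlparse(PROBE_URL).netloc.lower():
            return Verdict("captive", location)
        return Verdict("blocked")        # same-host redirect: interference, not a portal

    # A 200 with the wrong body: the portal served its own page in place of ours.
    if status == 200:
        return Verdict("captive", None)

    return Verdict("blocked")


# Constructed sample responses (not captured from any real network).
SAMPLE_ONLINE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 8\r\n\r\nsuccess\n")
SAMPLE_REDIRECT = (b"HTTP/1.1 302 Found\r\n"
                   b"Location: https://portal.example.invalid/login?orig=probe\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_SPOOFED = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  b"<html><body>Please log in to the hotspot</body></html>")

if __name__ == "__main__":
    for name, raw in [("online", SAMPLE_ONLINE), ("redirect", SAMPLE_REDIRECT),
                      ("spoofed body", SAMPLE_SPOOFED), ("no answer", None)]:
        print(f"{name:12s} -> {classify_probe(raw)}")
```

The verdict from the probe is what lets a browser turn an otherwise alarming certificate mismatch on the user's HTTPS request into a "you may need to log in" prompt: the HTTPS failure on its own is indistinguishable from an attack, but a probe that came back as a cross-host redirect explains it.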

Microsoft says .NET Framework porting project is finished: If your API's not on the list, it's not getting in

Michael Wojcik Silver badge

Re: Damn

It is in keeping with the BF philosophy for every application to build its own framework from the ground up.

Michael Wojcik Silver badge

Re: ?

It may be laziness, too.

One of the products I contribute (extensively) to is a large .NET distributed application server which emulates various execution environments. It uses a very wide range of .NET APIs and features. It runs under anything from .NET Framework 3.5 to 4.7. We've never had a problem accommodating a .NET Framework upgrade, that I can recall.

(It doesn't run under Core because it requires WCF, among other things.)

Michael Wojcik Silver badge

Re: Jettisoning .NET and all but accepting the mistake it was

I think I've showed my age in knowing a time when .NET most certainly was not "massively successful"

Well, yes. Obviously it wasn't successful when it was first introduced; people had to adopt it first. That's a meaningless observation.

the very thing .NET set out to do, propietary lock-in, is now back to (or even further back) kindred of VS6 was

I do not think that clause means what you think it means. Or, indeed, much of anything. "back to ... kindred of VS6 was"?

It seems like you're trying to claim that .NET was introduced to lock customers into Microsoft technology (well, yeah, like everything Microsoft was doing at the time); and that now it isn't, because of .NET Core (yes, Microsoft is shifting its business model to accommodate changes in the market); and that this is in some way relevant to ... Visual Studio 6? I have no idea where you're going with that last bit, under any plausible interpretation of your phrasing.

Microsoft Teams: The good, the bad, and the ugly

Michael Wojcik Silver badge

Re: Finally made sharpoint useable

it[']s easy to go back and find what you are looking for

Oh, yes, terribly easy. Let's dump everything into a single-level hierarchy with an incredibly slow and awkward navigation system and broken search.

Microsoft has reinvented the Box of Floppy Disks.

Michael Wojcik Silver badge

The man does have a gift for awkward phrasing.

Michael Wojcik Silver badge

Re: Not bad, just a bit rough

Agreed. I work from home, with multiple groups, and a lot of cross-group work. I haven't found Teams useful for anything. As I've mentioned before, usage is way down from our previous web-chat application, probably because the Teams UX is so miserable and performance is so wretched. (Today I had to close the Teams tab and open a new one, as it was taking upward of 30 seconds to respond to a click on the "Reply" link.)

I can't think of a single thing Teams does well, or even adequately.

Michael Wojcik Silver badge

Re: Maifest...

Well, obviously.

And Microsoft supporters are puzzled by the hatred.

From Libra to leave-ya: eBay, Visa, Stripe, PayPal, others flee Facebook's crypto-coin

Michael Wojcik Silver badge

There are only two methods of exchanging goods:

1) Barter.

2) An externally managed and regulated medium of exchange.

There are some historical examples of "bottom-up" unregulated currencies. Apparently there is, or was, one in Somalia for a time, with old banknotes that had been issued by the now-defunct government redenominated and used as tokens in some of the urban markets. They had exchange value but only by consensus - there was no external authority guaranteeing them. Another example is the exchange media used by some small non-industrialized societies, typically shells or stones or the like.

But those fail at larger scales because they depend on social pressures (reputation, social mores and sanctioning) to enforce value. Among strangers, which brings us back to your two options. Even distributed cryptocurrencies are regulated by the systems that implement verification and settlement.

Michael Wojcik Silver badge

I must confess that I have, on occasion, downvoted coherent idiots.

Kiss my ASCII, Microsoft – we've got one million fewer daily active users than you, boasts Slack

Michael Wojcik Silver badge

Re: A tale of 2 trials

I have only a little exposure to Slack, and didn't care for it; but Teams is downright hateful. The UX is ghastly. Even the scrollbars are 1) poorly styled and 2) often don't respond promptly, or in some cases at all. The Teams developers can't get scrolling right.

We switched from a RocketChat instance that only half the company had access to (for Stupid Networking Reasons) to a Teams instance that's available to everyone, and traffic dropped by an order of magnitude. I see a handful of Teams messages a day, and most of them are people joining or leaving teams.

I don't like these chat systems to begin with - I rarely find them particularly useful, and NNTP did it better decades ago. But the relatively lightweight RocketChat was far more successful at actually encouraging use than unwieldy, sluggish, unpleasant Teams.

Michael Wojcik Silver badge

Re: They tried..

You belong to a team, one team.

Either you're wrong about that, or your tenant has a weird configuration. I'm a member of 20 or so Teams teams. (I can't be sure at the moment because once again Teams has stopped responding - a common occurrence.) The left pane in the normal Teams UI has a tree view of teams the user belongs to.

Around these parts, we have "Teams" for pretty much anything anyone wants to create a Team for: product groups, products, product components, cross-product projects, actual feature teams, interest areas, and so on. It's a bit of a pain, actually, because the Teams search mechanism is so woefully terrible; searching for a team by partial name pretty much never succeeds. Because substring searching is an unsolved problem, apparently.

Michael Wojcik Silver badge

Re: Make it stop

You can disable all those notifications, which in my experience makes Teams no less useful (i.e. almost not at all) and somewhat less annoying.

HP to hike upfront price of printer hardware as ink biz growth runs dry

Michael Wojcik Silver badge

Re: Neverstop*

To be fair, after two years it will probably have broken anyway.

Unlike my 27-year-old LaserJet 4MP.

China and Russia join to battle 'illegal internet content,' which means what you fear it does

Michael Wojcik Silver badge

Re: Could be useful for us in the West?

That looks like no such thing to me.

As usual, this "simple" argument is actually simplistic.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

Michael Wojcik Silver badge

Re: DES

Not that long ago I had to create a password for some site that simply told me a password was "unacceptable", with no further details. Now I've forgotten what site it was. I think I simply gave up and didn't create an account.

And I remember some time back using one which silently removed "special characters" from the password entry fields - and used different filters for password creation and user authentication. Took a while to figure out what was going on there.

(Of course, any application which has to filter out special characters from user input is broken and the developers should be sent for remedial training. Injection attacks are a real problem, but you fix them by not passing tainted data into evaluation mechanisms, not by blocking user input. Just the other day I was asked to write a comment on a site which - again silently - stripped out most punctuation characters, including semicolons, parentheses, and hyphens(!). As if those aren't fairly important in English prose.)

Michael Wojcik Silver badge

Re: DES

you can run the password safe on your cellphone. It's that portable device you have

Right up until you don't have it, because you forgot it, or the battery ran down, or you lost it, or it was stolen, or it broke.

Yes, let's use a physical key that's difficult to copy, valuable, and fragile. That's a terrific idea. Nothing could possibly go wrong there.

Michael Wojcik Silver badge

Re: DES

Staple Horse Battery is incorrect. Here's why:-

https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/

(Sigh. You could at least try to get the phrase correct.)

Monica makes some decent points, but he's arguing a different question. His complaint about Munroe's comic is ill-founded. He also relies on incorrect assumptions.

First, he claims "As a community we did a great job incentivizing the use of bcrypt and scrypt, and humiliating those who use bad password hashing mechanisms". That is utter rubbish. In breach after breach we see disclosures of password-verifier databases that do not use strong hashing mechanisms. It will be years before there's a decent probability that exposed verifiers won't use weak hashes. And unless a user knows that the entity computing the verifier is using a strong hash, long passphrases beat short passwords with a complex alphabet. Munroe is completely correct about that.

Second, even against resource-intensive hash algorithms like scrypt and Argon2 (bcrypt is not in the same class, since it's only CPU-intensive), dictionary attacks with reasonable-size dictionaries still work well. And users often still choose weak passwords that appear in such dictionaries.

Third, Monica fails to consider attackers who steal resources (e.g. using leaked AWS keys), and attacks which iterate over IDs using the same password, avoiding lockout and common throttling mechanisms. Assuming that brute-force is only feasible for nation-state attackers is flat-out wrong.

Finally and most importantly, Monica's basic argument is that human-memorized passwords are the wrong protection model, and we should encourage something else. Well, essentially everyone in IT security has been saying that for decades. It's not a controversial or underexposed position. And it's irrelevant to questions about how to structure strong human-memorable passwords, which is still a requirement unless you want users to rely exclusively on other classes of verifiers (the "what you have" and "what you are" classes). And there are significant issues with the latter position, which introduces a significant attack surface with some very bad failure modes.

In any case, arguing against human-memorized passwords does not respond to Munroe's comic. It's a different threat model. You can't claim to make motorcycles safer by telling everyone to ride the bus instead.

Michael Wojcik Silver badge

Sorry, if it doesn't have an adjustable iteration count, it's not a modern password hash algorithm.

Even that isn't enough. If it's not memory-intensive (and not just compute-intensive), it's not a modern password hash algorithm. The state of the art has moved on from simply using large-range cryptographic digests with salts, like SSHA512. Simple adjustable-compute-cost algorithms like PBKDF2 (with common PRFs such as HMAC-SHA2) and bcrypt are starting to get long in the tooth.

Argon2 and scrypt qualify as modern password hash algorithms.
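An added example, mine rather than the poster's, of what "adjustable cost" plus "memory-intensive" look like in code, using only Python's standard library (Argon2 is not in the standard library, so scrypt stands in for the memory-hard class). It also bears on the earlier post in this thread about long passphrases: whatever the hash, the defender's only levers are the cost per guess and the number of guesses the attacker needs. The cost parameters are stored inside each verifier so they can be raised later, PBKDF2 sits beside scrypt as the compute-only class the post calls long in the tooth, and needs_rehash flags verifiers that fall below current policy so they can be upgraded on the user's next successful login. The `$scheme$params$salt$hash` string format and the parameter values are this example's own conventions, not a standard.

```python
"""Adjustable-cost password verifiers: scrypt (memory-hard) beside PBKDF2.

Added example, not code from the post. Standard library only. The verifier
string format ($scheme$params$salt$hash) and the policy values below are
this example's own choices.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Current policy. Because the parameters travel with each verifier, raising
# them here does not break existing users; needs_rehash() picks them up.
SCRYPT_LOG_N, SCRYPT_R, SCRYPT_P = 14, 8, 1     # N = 2**14 blocks -> 16 MiB
PBKDF2_ITERATIONS = 600_000
DKLEN = 32
MAXMEM = 2 ** 26                                 # 64 MiB ceiling handed to scrypt


def scrypt_memory_bytes(log_n: int, r: int) -> int:
    """Memory scrypt's block array needs: 128 * r * N bytes."""
    return 128 * r * (2 ** log_n)


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text)


def hash_scrypt(password: str, *, log_n: int = SCRYPT_LOG_N, r: int = SCRYPT_R,
                p: int = SCRYPT_P, salt: Optional[bytes] = None) -> str:
    """Memory-hard verifier; cost is tunable in both memory (N, r) and time (p)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2 ** log_n,
                        r=r, p=p, maxmem=MAXMEM, dklen=DKLEN)
    return f"$scrypt$ln={log_n},r={r},p={p}${_b64(salt)}${_b64(dk)}"


def hash_pbkdf2(password: str, *, iterations: int = PBKDF2_ITERATIONS,
                salt: Optional[bytes] = None) -> str:
    """Compute-only cost: shown as the weaker class, not as a recommendation."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def _split(stored: str) -> Tuple[str, str, bytes, bytes]:
    _, scheme, params, salt_b64, dk_b64 = stored.split("$")
    return scheme, params, _unb64(salt_b64), _unb64(dk_b64)


def verify(password: str, stored: str) -> bool:
    """Recompute with the parameters recorded in the verifier; compare in constant time."""
    try:
        scheme, params, salt, expected = _split(stored)
        if scheme == "scrypt":
            kv = dict(item.split("=") for item in params.split(","))
            dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=2 ** int(kv["ln"]), r=int(kv["r"]), p=int(kv["p"]),
                                maxmem=MAXMEM, dklen=DKLEN)
        elif scheme == "pbkdf2-sha256":
            dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     int(params), dklen=DKLEN)
        else:
            return False                 # unknown scheme: never accept
    except (ValueError, KeyError):
        return False                     # malformed verifier string
    return hmac.compare_digest(dk, expected)


def needs_rehash(stored: str) -> bool:
    """True when the verifier is below policy: a compute-only scheme, or scrypt
    with less memory or less parallel work than the current parameters."""
    scheme, params, _, _ = _split(stored)
    if scheme != "scrypt":
        return True
    kv = dict(item.split("=") for item in params.split(","))
    too_little_memory = (scrypt_memory_bytes(int(kv["ln"]), int(kv["r"]))
                         < scrypt_memory_bytes(SCRYPT_LOG_N, SCRYPT_R))
    return too_little_memory or int(kv["p"]) < SCRYPT_P


if __name__ == "__main__":
    v = hash_scrypt("correct horse battery staple")
    print(v)
    print("verify ok:", verify("correct horse battery staple", v))
    print("needs rehash:", needs_rehash(v))
    print("scrypt memory per guess (MiB):", scrypt_memory_bytes(SCRYPT_LOG_N, SCRYPT_R) / 2 ** 20)
```

The login path then reads: verify(); if it succeeds and needs_rehash() is true, store hash_scrypt() of the password just presented. That is the only moment the plaintext is available, so cost upgrades ride on successful logins rather than on a batch job. Memory per guess is what an attacker's GPU or ASIC has to pay for in parallel, which is the property the post says PBKDF2 and bcrypt lack.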

That lithium-ion battery in your phone or car? It has just won three chemists the Nobel Prize

Michael Wojcik Silver badge

Re: What about Rachid Yazami?

Tastes will differ - my mother, who is well-educated, widely read, and quite discerning, loves BBT - but I found the couple of episodes I've seen of that show agonizingly unwatchable. This is one of those cases where I'm largely in agreement with (and not just amused by) the relevant episode of Pitch Meeting.

Of course it's possible to enjoy a show with horrible characters; I often laughed at Friends, even though the protagonists were all dreadful, selfish, privileged narcissists.[1] But BBT didn't work for me.

[1] And even though it was distinctly inferior to its closest ancestor, Coupling. The original, obviously. The short-lived US remake was an utter failure.

Michael Wojcik Silver badge

Re: Isn't Chemistry, Physics?

Chemistry is physics.

No, it isn't. More is different.

Michael Wojcik Silver badge

Re: On the other hand

Wearable power generation. Resurrect the propeller beanie.

Stalker attacks Japanese pop singer – after tracking her down using reflection in her eyes

Michael Wojcik Silver badge

Re: The tinfoil hats will just love this

Ah, but let us not forget this use case.

Michael Wojcik Silver badge

Re: Opportunity

Deepfakes don't need this for "cover". Altered-image and altered-video technology is improving rapidly, and will continue to improve until the alteration signals are too weak to be conclusively demonstrated. Eventually we'll reach the point of pixel-perfect alterations for common cases, where there's no signal at all.

And people already routinely edit and alter their own pictures. Raw image data is cropped, adjusted for lighting, refocused, and modified with all sorts of effects.

The era when photographic evidence had any real probative advantage over, say, eyewitness testimony is coming to an end. That's just the fact of the matter.

US games company Blizzard kowtows to Beijing by banning gamer who dared to bring up Hong Kong

Michael Wojcik Silver badge

Re: Make no mistake - their actions promote what they believe and treasure.

Why so anonymous?

The better to rake in the downvotes. It's a troll.

Michael Wojcik Silver badge

no one likes a smart arse

I do, particularly when the alternative is a dumb one.

Michael Wojcik Silver badge

Re: re. controlled by Peoples Republic of China Central Committee

"If you do not maintain perfect ideological purity you have no right to espouse any political position."

Euro ISP club: Sure, weaken encryption. It'll only undermine security for everyone, morons

Michael Wojcik Silver badge

Re: Not a moment too soon

Oh, I'm sure the people pushing for it also have harassing their personal enemies in mind.

Michael Wojcik Silver badge

Re: Not a moment too soon

"totally secure" is a meaningless phrase, so anyone who claims a system has that property is automatically wrong.

Security is not absolute. It's only meaningful under a threat model.

Even under a threat model, to perfectly guarantee security under that model (aside from degenerate cases) a system would have to verify correct intent and correct information. Thus it would have to be omniscient, and omniscience is physically impossible.

Michael Wojcik Silver badge

Re: Not a moment too soon

not producing data without a subpoena/search warrant

And what magical process would guarantee this requirement was observed? Or that if observed it was anything more than a rubber stamp? Here in the US, FISA seem happy to grant secret search warrants for nearly any request.

Oracle demands $12K from network biz that doesn't use its software

Michael Wojcik Silver badge

It's the subject of a dependent clause in the sentence, not of the sentence itself.

(The nominative case - "whoever" - is still correct, of course.)