Yes, a regime founded on prosecuting alleged-propensity-for-thought-crime would be a fine addition to our current state of affairs. Let's just put that whole idea down and back away slowly.
Posts by Michael Wojcik
12317 publicly visible posts • joined 21 Dec 2007
Can Amazon's AI really detect fear? Plus: Fresh deepfake video freaks everyone out again
Dry patch? Have you considered peppering your flirts with emojis?
Omni(box)shambles? Google takes aim at worldwide web yet again
'Hey Google, remind Greg the locks have been changed, and he should find a new place to live. Maybe ask his mistress?'
Re: Dystopia, one improvement at a time
Frankly, jake, that's a load of crap. By that standard, no primary research is "an actual new invention". And the most important novel aspect of Spanner is its handling of time skew, which is in no way anticipated by Paxos. (And, by the way, I'm very familiar with Paxos and its many variants.)
Re: Dystopia, one improvement at a time
Google havent invented anything for at least a decade
Bullshit. I'm not a fan of Google, but they do considerable primary and applied research. The 2012 version of Spanner had novel features, particularly in its handling of time skew. The same can be said of Percolator. Google's SHA1-collision research was significant. Google researchers have made a lot of contributions to ANNs. They've done some QC work which is potentially useful, if we ever reach the point of having commercially viable QCs (I'm not holding my breath). And so on. Google has produced a lot of tech for large datacenters, as should be obvious.
Google researchers have published nearly 500 papers so far in 2019.
This information is all readily available. While I imagine you and the other knee-jerk Google-bashers would rather revel in your ignorance, the fact is that Google funds quite a lot of R&D.
Let's attack Google for its actual sins, not the faults we imagine, eh?
NSA asks Congress to permanently reauthorize spying program that was so shambolic, the snoops had shut it down
Re: So lemme get this straight....
Agreed. It is vitally important that the rights of the guilty be protected as well. While societies recognize a reason and justification for curtailing those rights (e.g. by incarceration), if that becomes an excuse to disregard those rights completely, you no longer have a civilization worthy of the name.
Overstock's share price has plummeted. Is it Trump's trade war? Bad results? Nope, its CEO has gone bonkers...
Re: I'm not trolling
If there was any dirty dealing, they'll find it
A dubious and unprovable proposition. Yes, often the SEC do identify insider trading, partly because the people who do it are often idiots with abysmal OPSEC. But we don't know how many instances they miss, because when people get away with it, it looks like normal trading. It's not like property theft where there's an unexplained absence of the property to serve as proxy evidence of the crime.
Personally, I suspect Byrne was not involved in any stock-price-manipulation scheme here; it's too clumsy. I think he's genuinely deluded. But that's just a guess.
Re: Uncharitable
"Black Wednesday" was some four years before the euro was even announced
Well, three-and-a-third (BW September '92, euro name announced December '95). And the idea of the euro, i.e. of European monetary unification, is in Maastricht, which was signed in February '92.
But, yeah, Black Wednesday had nothing to do with the decision not to adopt the euro.
Y2K, Windows NT4 Server and Notes. It's a 1990s Who, Me? special
Re: Shutting down the wrong server
Even the first gen RIB (before RILOE I and II which came before ILO) did a proper power-off.
RIB and RILOE were proprietary Compaq (and later HP) technologies. iLO is proprietary HPE. Not all NT4 servers were made by Compaq.
iDRAC is proprietary Dell, and I don't believe it was available in the days of NT4.
So what's your point?
Ohio state's top legal eagle just made it harder for the FBI, ICE, cops to snoop around its DMV DB for people's faces
Re: Not too surprised..
The traditional conservative outlook is 'I'm getting on with my life, your business is none of my business when it doesn't affect me'
A lovely idea, but it has nothing to do with "conservative" as it applies to Ohio. This is the state that gave us Simon Leis, after all; and that was in Hamilton County (Cincinnati), generally one of the less-reactionary parts of Ohio. The state with the infamous abusive mayor's courts. A state that went to much trouble to purge voter rolls of voters the incumbents deemed undesirable, using the despicable "use it or lose it" tactic, and engaged in other voter suppression such as the notorious HB 194.
World recoils in horror as smartphone maker accused of helping government snoops read encrypted texts, track device whereabouts
Re: Was already "mentioned" back in July
Oh, NSO Group are a horrible bunch. They've appeared in numerous stories and reports from organizations such as Citizen Lab over the past few years.
But it's not like the Israelis have a monopoly on this sort of thing. Cellebrite, who claim to be able to unlock any iPhone and sell that tech to police, are also Israeli. But the US has Palantir, Italy has Hacking Team, and so on. There are plenty of these commercial bad actors in the IT security space who make surveillance tools for governments, and who display an impressive lack of ethics.
Quick question, what the Hull? City khazi is a top UK tourist destination
Re: Great Victorian tilework
I was a little surprised to be taken on a tour of the architectural highlights of Hull, and not to be taken to see a town hall, or a church, or similar though.
Were you taken to see new construction? According to the spam my email filter catches daily, there are many exciting real-estate investment opportunities in Hull. (Why Hull? Is it the phosphorescent waterfowl?)
Re: Pedant's corner
I was on holiday on Lake Michigan last week, and from there, it doesn't appear Britain has any lakes at all. Just some moderately large ponds. (Little Traverse Bay, where I spent most of my time, has three times the surface area of Windermere, and it's not even a particularly prominent feature of Lake Michigan.)
But as a longtime Ransome reader (and occasional scholar), I'll grant that little lakes can be deserving of the title too. Ditto meres and tarns and broads and waters and the rest.
Re: Pedant's corner
I have to agree. For foreign tourists who want to do the Lake District main tourist traps just to say they've done them, I suppose Windermere must get a quick look, just like the Potter cottage and the rest of that sort of thing. But you get a much more pleasant experience almost anywhere else.
I remember once spending a nice hour or so with my folks just poking about the ruins on Hardknott Pass, which we'd taken because it looked like an entertaining route between wherever we were and wherever we were going. Hardly saw another soul the whole time. This was some decades ago, and maybe things are more crowded there now; but I bet it's still a lot better than the LP's picks.
J'accuse! Amazon's Rekognition reckons 1 in 5 Californian lawmakers are crims in ACLU test
Re: You really don't want it any more accurate than that
So, facial recognition introduces 'reasonable doubt' into its findings.
Wrong. Reasonable doubt is inferred by juries. It's not implied by anything in the evidence. It's an attribute of interpretation, not of data.
You can claim that facial recognition should lead juries to infer a degree of reasonable doubt, but there's no guarantee that any given juror will see it that way.
I'm really happy with that because it means that I won't be arrested, tried and convicted for a crime that I have no knowledge of just because an algorithm said so.
I find your abundance of faith disturbing.
Being attached to the front of the officer, it's not always in a good position to capture what's going on
And sometimes at a critical moment, leading to a frustrating and controversial gap in the record. That's what happened in the Deven Guilford case, where bodycam footage showed him arguing with the officer, getting hit with the officer's stun gun, and charging the officer; but not the subsequent fatal shooting.
In that case the officer involved was not charged by the investigating DA, but I believe the wrongful-death suit is still pending. If that goes to trial it will be up to a jury, and the bodycam footage can reasonably be interpreted either way.
It does need to be regulated, yes
Having the video (with an integrity mechanism) go to a third party rather than the police themselves might help, in theory. But it's hard to see how you'd prevent that third party from being coopted by one or more of several interested parties (the police, intelligence agencies, criminal organizations, gossip mongers, ...).
Intel: Listen up, you NUC-leheads! Mini PCs and compute sticks just got a major security fix
Typical of Intel drivers
Intel have long shipped drivers with lousy, low-quality code. It's clearly an organization that does not care about this aspect of its products. The initial code is shoddy; then under sufficient pressure (complaints from big customers, threat of vulnerability disclosure) they'll make an update available, but leave it to system and OS vendors to push it to customers.
And I agree with Dan 55 - their website is rubbish.
Should I ever buy another PC, I'm going with AMD. I've had it with Intel.
Chin up, CapitalOne: You may not have been the suspected hacker's only victim. Feds fear 30-plus organizations hit
AWS arguably shares some of the blame
Cloudflare's Evan Johnson has a good explanation of what Capital One did wrong, and is of the opinion that this kind of problem is difficult to detect and prevent, and that AWS doesn't do enough to help customers secure their systems against it.
It's interesting to note that the underlying issue was an SSRF vulnerability in a security component - the WAF module. So the Capital One admins had gone to some effort to secure their site using well-known mechanisms, but missed an inobvious vulnerability in a firewall configuration. This is rather different to, say, the Suprema breach, which was straightforward incompetence on the part of the admins; or the now-commonplace "we didn't secure our S3 buckets" failure mode.
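Added example (not part of the comment above, and not Capital One's or AWS's code): one defensive layer against the class of bug described here is to validate every URL a server-side component fetches on behalf of a user, allowing only http/https, resolving the name yourself and refusing any answer in loopback, link-local (including the instance-metadata address 169.254.169.254), private or otherwise non-routable ranges. The `resolve` hook, `FAKE_DNS` table and host names are constructed so the check runs offline.

```python
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Address ranges a back-end fetcher should never be coaxed into contacting.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16",      # link-local, includes the cloud instance-metadata address
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",   # IPv4-mapped IPv6 too
)]

class SSRFBlocked(ValueError):
    """Raised when a URL must not be fetched on a user's behalf."""

def system_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer for host (needs network access)."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_blocked_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_outbound_url(url: str,
                          resolve: Callable[[str], Iterable[str]] = system_resolve,
                          allowed_hosts: Optional[Set[str]] = None) -> str:
    """Return the checked IP the caller should connect to, or raise SSRFBlocked.
    Returning the IP (not the name) lets the caller pin the connection to the
    address that was checked, closing the check-then-connect DNS window."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise SSRFBlocked(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise SSRFBlocked("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise SSRFBlocked("missing host")
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        raise SSRFBlocked(f"host not in allow-list: {host}")
    try:
        addrs = list(resolve(host))
    except OSError as exc:
        raise SSRFBlocked(f"cannot resolve {host}: {exc}") from exc
    if not addrs:
        raise SSRFBlocked(f"no addresses for {host}")
    # Reject if ANY answer is internal: a hostile name can return one public
    # address alongside one private one and hope the fetcher picks the latter.
    for addr in addrs:
        if is_blocked_address(addr):
            raise SSRFBlocked(f"{host} resolves to blocked address {addr}")
    return addrs[0]

def is_fetchable(url: str, resolve=system_resolve) -> bool:
    """Boolean convenience wrapper around validate_outbound_url."""
    try:
        validate_outbound_url(url, resolve)
        return True
    except SSRFBlocked:
        return False

# Constructed DNS table so the check can be exercised offline.
FAKE_DNS = {
    "api.example.com": ["203.0.113.10"],
    "metadata.internal": ["169.254.169.254"],
    "rebind.example.net": ["203.0.113.20", "10.0.0.5"],
}

def fake_resolve(host: str) -> List[str]:
    """Offline stand-in for system_resolve: table lookup, literal IPs, else NXDOMAIN."""
    if host in FAKE_DNS:
        return FAKE_DNS[host]
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        raise socket.gaierror(f"unknown host {host}")
```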
Re: Spiteful
Agreed. Also the insanity defense is rarely successful even when a defendant meets the criteria.
In this case, while I agree Thompson is almost certainly not in good mental health and needs (and deserves) treatment, I think it's also clear that by the current legal standard in the US she's fit to stand trial and receive punishment, including fines and incarceration. Whether the punishment she potentially faces, or whatever she actually ends up receiving, is appropriate and proportional is another question. But unlike some of the people tried for hacking, she appears to have done actual harm.
For the record, I (like many people in the US) think the statutory punishments for many crimes in the US are grossly excessive; that the US incarceration epidemic is one of our great national disgraces; and that "tough on crime" politicians and their cronies are foolish or immoral. But that doesn't mean that people who knowingly do wrong should suffer no consequences simply because they're somewhat emotionally unbalanced. Plenty of other people in that situation don't go around committing crimes.
I'd be interested to know whether she ever sought treatment for her mental-health issues. She apparently has been unemployed for nearly three years (which I'm sure takes its toll), but was often employed since 2005, and presumably would have had health insurance during those periods. Did she take advantage of it? Far too many people don't.
Not very Suprema: Biometric access biz bares 27 million records and plaintext admin creds
A question to those in the security industry - is this normal?
It's a perverse question. There isn't any "normal" in this area for IT security firms (or security BUs within IT firms, etc). There's too much variation for there to be a meaningful single cluster of "normal" practice.
In my experience, IT security vendors mostly fall into one of two categories. There are those which make an effort to have adequate broad IT-security knowledge, so they devote some resources to hiring and training employees in IT security in general. These are the ones you see sending developers and other technical staff - not just sales and marketing - to security conferences. You see their employees writing and presenting for IT security organizations like ISSA. There's some external sign that they have people doing security research.
The other category are vendors that are only concerned with selling products in some narrow category. They may have some genuine expertise in that area (or they may be selling snake oil), but they often show a bewildering lack of basic security knowledge elsewhere. That generally means their products are rubbish, of course, because they either don't have people who understand security engineering, or they don't listen to those people if they do. And it generally means that they have poor security practices elsewhere, as in this case.
Re: I guess they're off the Christmas list now
Well, it's hard to tell, because we don't know how many data stores quietly get their security improved after a breach elsewhere is published, and consequently are never breached. While we continue to see examples of massive breaches due to gross incompetence, we don't know how large the pool of insecure but not-publicly-reported sources is, and whether a significant number of sources have been taken out of the pool.
It's entirely possible that for every Suprema or First American there are a dozen firms which see the public disclosure, realize they're in a similar boat, and silently fix the problem before it becomes public. There's no way for us to know. Have they already been quietly breached by non-publishing attackers (criminals, intelligence organizations[1], etc) before remediating the problem? No way to know that either.
The rate of massive breaches isn't getting better. The population of still-vulnerable targets might be getting smaller. Or it might be growing, as more firms move data to public clouds or otherwise increase their attack surfaces without due diligence. But I can't think of any way to measure that, directly or indirectly. The breach rate isn't a well-correlated proxy because there are too many variables.
[1] Arguably a redundant formulation.
HTTP/2, Brute! Then fall, server. Admin! Ops! The server is dead
Hardly a surprise
HTTP/1.1 is a badly stovepiped protocol - but then most communications protocols are, because protocol design is difficult. Also, new protocols have to be relatively uncomplicated to get traction, which inevitably means that if they become popular they'll see new use cases and feature creep which complicate the original design.
HTTP/2, on the other hand, is a ghastly mess from the ground up. It was rushed through the IETF to jump on a Google bandwagon (or, if you prefer, to try to pull the standardization reins on a runaway Google horse). I followed some of the HTTPbis mailing list discussions for a while, but they were too depressing to continue with. All other concerns sacrificed on the altar of pushing more "content". It's almost enough to make me miss SNA.
Re: Someone really needs a refresher.
Nor is TCP "the transport layer" or IP "the network layer".
The OSI model does not fit TCP/IP well. It doesn't fit anything well, except rump OSI implementations such as ISODE.
More importantly, if a reader doesn't know what HTTP/2 is, the sort of handwaving gloss that's used in the article will be no help whatsoever. It's neither correct nor usefully incorrect.
What do Windows 10 and Uber or Lyft have in common? One bad driver can really ruin your day. And 40 can totally ruin your month
Organizations should update drivers
Yes, good luck updating drivers. I have a Dell laptop that's two years old, and has one of the Intel network drivers with the idiotic bug that causes it to log a pointless message to the Windows event log every minute. Intel apparently fixed that years ago (and, obviously, it should never have shipped the thing in the first place, but then Intel is no better than most OEMs at quality control), but Dell still hasn't made the updated driver available for this machine. It's also not available through Intel or Microsoft.
The fact is most OEMs and system vendors can't be bothered to make updated drivers available, at least in any consistent fashion.
We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe
Re: "buried in Windows since the days of WinXP"
It certainly was designed to be, but Bill had them remove this feature
Rubbish. Multiuser support may have been removed from userland in non-server versions of Windows, but it most definitely remains in the kernel. All NT versions support multiple WinStations, Sessions, and Desktops, and every thread has a security token which identifies what user account it's running as.
What Citrix added was userland support for making use of those multiple WinStations, Sessions, and Desktops. RDP does something similar, as does Fast User Switching.
While Windows (even the server versions) is not particularly good at supporting multiple simultaneous users - certainly not nearly as good as pretty much any other multiuser OS - that's not because some feature was removed from the kernel.
not without using a browser exploit first anyway
Well, problem solved! Or not. (Of course, with many users running browsers with elevated privileges in the first place, once that browser exploit is available there's no need to elevate.)
In any case, this "the attacker has to be able to run unprivileged code first" mitigation is not nearly as useful as some people seem to think. It provides no defense against insider attacks. It provides none against social engineering. Against malware in the software supply chain. And so on.
Re: Over Confidence
Shame they dissolved the Trustworthy Computing Initiative team before they ran a modern source code vulnerability scanner over ALL the code that goes into shipping versions of windows
Yes. Such as Microsoft's own static-analysis scanner, which is a near-state-of-the-art hybrid of simulated execution and symbolic analysis. (There was a good paper on it from Microsoft Research in CACM a few years back.) Data tainting and data flow analysis find this sort of thing easily in cases like this, where, as Ormandy wrote, there's simply no validation.
They have the technology. They have the resources. They just don't have the will.
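Added illustration of the taint-tracking idea the comment above refers to (written for this page; it is not Microsoft's scanner or any real tool): a deliberately small intraprocedural analysis over Python source in which values from `SOURCES` are tainted, taint propagates through assignments and expressions, a call to a `SANITIZERS` function clears it, and a tainted argument reaching a `SINKS` call is reported. The function names and the two sample programs are constructed for the demo.

```python
import ast
from typing import List, Set

SOURCES = {"read_untrusted"}     # hypothetical: returns attacker-controlled data
SANITIZERS = {"validate"}        # hypothetical: checks its input, returns a safe value
SINKS = {"dangerous_sink"}       # hypothetical: must only ever receive validated data

def call_name(node: ast.AST) -> str:
    """Dotted name of a call's target (e.g. 'os.system'); '' if node is not a call."""
    if not isinstance(node, ast.Call):
        return ""
    parts: List[str] = []
    f = node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def is_tainted(expr: ast.AST, tainted: Set[str]) -> bool:
    """True if expr derives from a tainted name or a source call.
    A sanitizer call is trusted as a whole, so its arguments are not inspected."""
    name = call_name(expr)
    if name in SANITIZERS:
        return False
    if name in SOURCES:
        return True
    if isinstance(expr, ast.Name):
        return expr.id in tainted
    return any(is_tainted(child, tainted) for child in ast.iter_child_nodes(expr))

def analyze(source: str) -> List[str]:
    """One finding per tainted value flowing into a sink, as 'line N: <arg> reaches <sink> ...'.
    Only straight-line function bodies are modelled (no branch/loop merging)."""
    findings: List[str] = []
    tree = ast.parse(source)
    for func in [n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)]:
        tainted: Set[str] = set()
        for stmt in func.body:
            if isinstance(stmt, ast.Assign):
                for target in stmt.targets:
                    if isinstance(target, ast.Name):
                        if is_tainted(stmt.value, tainted):
                            tainted.add(target.id)
                        else:
                            tainted.discard(target.id)   # reassignment with clean data clears taint
            for call in [n for n in ast.walk(stmt) if call_name(n) in SINKS]:
                for arg in call.args:
                    if is_tainted(arg, tainted):
                        findings.append(
                            f"line {call.lineno}: {ast.unparse(arg)} reaches "
                            f"{call_name(call)} without validation")
    return findings

# Constructed samples: the "simply no validation" case, and the same code fixed.
VULNERABLE = '''
def handle():
    data = read_untrusted()
    cmd = "process " + data
    dangerous_sink(cmd)
'''
FIXED = '''
def handle():
    data = read_untrusted()
    cmd = "process " + validate(data)
    dangerous_sink(cmd)
'''
```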
US insurers face SEC probe over web-access bungle that exposed 'up to 885 million' files
Header aches in Firefox, Tor, Brave and Chrome as HTTP opens new security holes
For the love of...
So, RFC 7838 explains (implicitly) how this is different from a simple HTTP redirect. It's transparent to the client. It's transparent to TLS - the alternative service has to provide a certificate that's valid for the original origin server. It's transparent to the request - the Host header doesn't change, for example.
What it doesn't say is why. Why is any of that desirable? The ostensible aims of Alternative Services, as explicitly detailed in the RFC, are all satisfied by HTTP redirects. (For that matter, some of them are satisfied by reverse proxies for many use cases, or by periodically terminating persistent connections and forcing clients to reconnect, the overhead of which amortized over many requests is negligible.)
I haven't tried to trawl through the discussion archives for the I-D to figure out what justification the authors[1] came up with for this. Anyone know offhand?
[1] Incidentally, and while I don't mind the Google-bashing above (which is well-deserved in general; QUIC and the like are a pox), the authors of 7838 are from Akamai, Mozilla, and greenbytes. (The last, of course, is Julian Reschke, author of a number of HTTP features.) So usual suspects, in other words, but not directly the usual suspects of Google.
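Added example (not part of the comment above, and not code from the RFC authors): a parser for the Alt-Svc header field as defined in RFC 7838 §3, which makes the transparency properties mentioned above concrete. An omitted host in the quoted alt-authority means the origin's own host, `ma` defaults to 86400 seconds, `clear` invalidates all cached alternatives, and whichever alternative is chosen the certificate is validated against the origin host, which the `verify_host` field records. The header values in the test are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

CLEAR = "clear"
DEFAULT_MAX_AGE = 86400   # RFC 7838 §3.1: 24 hours when "ma" is absent

@dataclass(frozen=True)
class AltService:
    protocol: str        # ALPN protocol id, e.g. "h2"
    host: str            # host the client may connect to instead
    port: int
    max_age: int         # seconds the client may cache this alternative
    persist: bool        # alternative may survive network changes
    verify_host: str     # name the presented certificate must be valid for: the ORIGIN

def _split_outside_quotes(s: str, sep: str) -> List[str]:
    """Split on sep, ignoring separators inside the quoted alt-authority."""
    parts, cur, quoted = [], [], False
    for ch in s:
        if ch == '"':
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return [p for p in parts if p]

def parse_alt_svc(header: str, origin_host: str) -> Optional[List[AltService]]:
    """Alternatives for origin_host; [] if none usable; None for 'clear'
    (the client must drop every cached alternative for this origin)."""
    header = header.strip()
    if header.lower() == CLEAR:
        return None
    result: List[AltService] = []
    for alt_value in _split_outside_quotes(header, ","):
        fields = _split_outside_quotes(alt_value, ";")
        proto, sep, authority = fields[0].partition("=")
        if not sep or len(authority) < 2 or authority[0] != '"' or authority[-1] != '"':
            continue                    # malformed: alt-authority must be a quoted-string
        host, _, port_s = authority[1:-1].rpartition(":")   # handles [v6-literal]:port too
        if not port_s.isdigit():
            continue
        params = {}
        for p in fields[1:]:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip().strip('"')
        ma = params.get("ma", str(DEFAULT_MAX_AGE))
        result.append(AltService(
            protocol=unquote(proto.strip()),   # protocol-id is a percent-encoded ALPN id
            host=host or origin_host,          # empty uri-host: same host as the origin
            port=int(port_s),
            max_age=int(ma) if ma.isdigit() else DEFAULT_MAX_AGE,
            persist=params.get("persist") == "1",
            verify_host=origin_host,           # never the alternative's host
        ))
    return result
```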
Web body mulls halving HTTPS cert lifetimes. That screaming in the distance is HTTPS cert sellers fearing orgs will bail for Let's Encrypt
Re: An issue of Google's own making ...
In particular, it's trivial to inject Javascript malware into an HTTP connection. People who run NoScript and the like have some defense against that, but for most users it's a gimme. Everybody using unencrypted WiFi at a coffeeshop or the like is an easy target. Attackers can run cryptomining or try popular CSRF targets, etc.
Re: DV's only
EV certs are dead, since Chrome and Safari stopped displaying them, because users ignored them
Possibly overly optimistic. While browser manufacturers scorn EV certs, the CA/BF loves them. Their Code Signing Working Group mandated EV certs for code signing (as if that wouldn't be a fucking nightmare) in their draft spec, and - as some may remember - Microsoft briefly adopted that position, before backing down in the face of ISVs waving torches and pitchforks. It wouldn't surprise me if the CA/BF keeps pushing EV certificates for years to come, even with the browsers ignoring the distinction. And they'll try to wedge them into more non-TLS applications.
I agree that EV certificates are largely pointless - the additional cost doesn't buy much, considering that CAs have a record of not performing the additional verification properly (or at all, in some cases), and the HSM requirement for key management is not universally enforced and was poorly written in the first place. (FIPS 140-2 L2 security on the HSM isn't worth a damn, and prevents people from using inexpensive hardware with open-source drivers.) But CAs and the CA/BF will try to find ways to keep the EV cash cow alive for a while yet.
Re: I still wait for Let's Authenticate...
In a sense, the only half is authentication - if you can't authenticate, the encryption is useless because you may simply be talking to a MITM or other ne'er-do-well.
For that matter, now that RSA is deprecated for key exchange by pretty much everyone, and the world is shifting to ECDH and other Kx protocols with forward secrecy, X.509 certificates often don't play any part in encryption regardless. In modern TLS (which is not the only, but by far the most common, use of X.509) certificates are primarily for authentication.
Our hero returns home £500 richer thanks to senior dev's appalling security hygiene
Re: Ahhh passwords...
There are other problems with these "partial password" schemes. They're really not a good idea.
LibreOffice handlers defend suite's security after 'unfortunately partial' patch
Re: logo?
It is when you're trying to teach Joe Stupid to extend the functionality of their office suite when things need to get done that the suite doesn't do out of the box.
I'm not sure what "things [that] need to get done" in an office suite are best done with a moderately-obscure[1] LISP variant with turtle graphics.
VBA may be (is) abysmal, but Logo is really not a good choice as an alternative. I don't see any good justification for including the package in LO.
[1] And, yes, I've used Logo. Had a copy of DR Logo for the IBM PC back in the day.
Fed-up graphic design outfit dangles cash to anyone who can free infosec of hoodie pics