* Posts by Michael Wojcik

12132 publicly visible posts • joined 21 Dec 2007

We're not Meta support: State AGs tell Zuck to fix rampant account takeover problem

Michael Wojcik Silver badge

Re: Pendantic

Yeah, a pendant is when it goes down, not up.

Reminder: Infostealer malware is coming for your ChatGPT credentials

Michael Wojcik Silver badge

Coming for your ChatGPT credentials

Well, coming for yours, maybe. They can't come for mine, as I've never used the damned thing.

(LLM research: sometimes interesting. LLM application: never interesting.)

Michael Wojcik Silver badge

Re: "With more employees relying on ChatGPT"

I wish. I've seen far too many people in IT using LLMs for text and code generation. (Really, any would be "far too many". But I've seen quite a few report doing so.)

Windows 10 failing to patch properly? You are most definitely not alone

Michael Wojcik Silver badge

And it's not just the individual updates. Windows Update itself is a huge piece of crap, as is the overall update process. The nagging and eventual forced installation. The world's slowest, most opaque installation technology. The utter lack of usability or useful diagnostics — has anyone ever seen an error from Windows Update that wasn't just the hex exception code? Most of those are regular Windows error codes — call your own goddamned FormatMessage function, Microsoft! The multiple reboots. The way Microsoft has made it progressively harder to figure out what's in a given patch.

I had grudgingly gained some appreciation for Microsoft in the Vista timeframe, when they made a serious effort to improve security and fix some of Windows NT's worst failings. They squandered that long ago, and Windows Update is a good example why.

'We had to educate Oracle about our contract,' CIO says after Big Red audit

Michael Wojcik Silver badge

Re: FUD

Eventually people have to upgrade to a newer Java release, for one reason or another. They use third-party software that needs a more-recent version, for example. They want support, and the old version goes out of support. Their developers want the shiny new features.

When you upgrade, you get the new license terms.

As others have pointed out, the solution is to not use Oracle Java. There are a handful of alternative distributions with better licensing terms, such as Adoptium. (Horrible name, but it works well enough.)

Michael Wojcik Silver badge

Thing is, the Oracle licensing team is incentivized to find billable non-compliance today. What happens tomorrow is Not Their Problem. And if Oracle ends up robbing Peter (sales) to pay Paul (licensing), that'll still look good on the next set of quarterlies — even if it precipitates long-term decline.

As with much of modern capitalism, it's full of perverse incentives, and many organizations continue to function mostly because there's enough tension between opposing goals and friction within the organizational structure that no one really succeeds well enough to bring the whole thing down.

Dutch government in panic mode over keeping ASML in the country

Michael Wojcik Silver badge

Re: Blind to the US?

ASML not being able to sell to the US is largely irrelevant. Not many people believe in these dreams of US chip autarky, particularly for the latest process nodes. Or in the fantasy of moving TSMC's production to the US. The fact is, the US would hardly notice a ban on EUV litho equipment.

Michael Wojcik Silver badge

Re: Blind to the US?

A trade war between the US and the Netherlands, besides being idiotic and overwhelmingly improbable, would be a disaster for ASML. ASML makes the only EUV lithography machines, but those machines are useless without the extremely pure silicon wafers required for the smallest process nodes, and the US is the only source of those. And that doesn't appear likely to change anytime soon. See the discussion in Conway's Material World.

Of course, ASML isn't selling EUV litho equipment in the US (in any significant way). Sibelco / Quartz Corp aren't selling the ultra-pure silicon feedstock in the Netherlands, nor is SEH selling those silicon wafers there. The consumers are TSMC and Samsung. So it's already trilateral; and Sibelco is Belgian-owned, and SEH is Japanese-owned, even if they're manufacturing in the US.

It's almost like there's some sort of complex, global web of trade relations at work.

Michael Wojcik Silver badge

Re: Hmm

Judging by the up-down vote ratio, apparently we have about 80% anti-immigration right-wing nitwits reading the forum today. Well, they don't call it "populist" for nothing.

Michael Wojcik Silver badge

Three people with no sense of humor so far. How many more will you catch?

(Seems like there might be some joke to be made about "extreme ultrawhispering" or something, but I can't make it work.)

OpenAI goes public with Musk emails, claiming he backed for-profit plans

Michael Wojcik Silver badge

Man, most of the posts only have two downvotes. We apparently have passed Peak Musk and are running dangerously short of deluded Musk-oxen to carry his water. If everyone just accepts that Musk is an ass, who will entertain us?

Michael Wojcik Silver badge

Re: OpenAI Musk and Microsoft

300 pounds of shit in a 200-pound bag?

Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure'

Michael Wojcik Silver badge

Re: JetBrains Mono font

Ugh. I loathe, loathe, loathe JetBrains Mono and its accurséd ligatures. We use Upsource for code reviews on one of my teams, and I had to disable font downloads to get rid of all the damned ligatures. (Upsource lets you configure a different font for some elements, but not all.) Of course, disabling font downloads is a good idea anyway, because, hey, stupid additional attack surface.

If Kernighan and Ritchie had wanted us to use ligatures in C, they ... well, they would have been wrong. It's a terrible idea.

Michael Wojcik Silver badge

My mother studied Russian for years, and had a number of books in Russian. But don't trust me when I tell you this.

World-plus-dog booted out of Facebook, Instagram, Threads

Michael Wojcik Silver badge

Re: And for just a short period of space time

"Think of the stupidest person you know. Then realize that quantifying 'stupidity' as a single-dimensional variable is something only a stupid person would do."

Michael Wojcik Silver badge

Re: Why login to Meta?

And the only way they have plausible deniability when someone takes over your account.

Michael Wojcik Silver badge

I STILL can't log on, even with log-in codes

Scott Aaronson posted something similar on his blog.

To his credit, he admitted this might prove to be to his benefit.

I do understand people using social media to stay in touch with family and friends. Multicast media is certainly more efficient than point-to-point; it's hard to stay in regular contact with even a fairly small group by mail / email / voice / SMS, and so on. I also admit I just don't stay in regular contact with more than a few people, because I can't bear to use social media, and I don't make that effort to keep up those point-to-point lines of communication.

But people who follow casual acquaintances, strangers, companies... it's hard to see how that's not toxic. Even someone like Zvi Mowshowitz, whom I regard as a serious and respectable thinker (even if I often disagree with him), and who clearly gets a lot of information which feeds into his own work from Twitter, does not, in my opinion, make a good argument for using social media extensively. I'm just not convinced that it's a particularly useful source of news and other information, however carefully curated. I have never yet seen anything reported where I thought "I wish I'd seen that a couple of hours earlier on Twitter!".

Michael Wojcik Silver badge

Look, you may think your name is "Lady". Your family and friends might think so. The government might think so.

But Facebook developers know better. At Meta, if the code disagrees with the universe, the universe is wrong.

US and Europe try to tame surveillance capitalism

Michael Wojcik Silver badge

Re: Anonymous de-anonymization

Agreed. Deanonymization was demonstrated convincingly multiple times in various studies. The data brokers hiding behind this sort of weak anonymization are lying, and they know it.

With differential privacy it's possible to quantify just how much information is being leaked. Regulators could force data brokers to use DP, in an auditable fashion, and penalize them for exceeding some threshold; but that would be difficult, and it's hard to argue that it wouldn't be better to just force the third-party brokers out of business, frankly. (And I say that despite having defended limited targeted advertising upthread.)

Unfortunately surveillance capitalism is one of those manifestations that's useful to both the private sector and the state, so the public-private tension that is responsible for most real reform isn't present. For every politician or regulator who sides with the consumer on this, there are a thousand law-enforcement and intelligence types clamoring for more surveillance and supporting the businesses that provide it.
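As an added illustration of the "quantify how much is being leaked" point in the comment above (this is example code written for this page, not anything from the original comment or from any data broker): a Python sketch of the Laplace mechanism for counting queries, with an accountant that refuses further releases once an epsilon budget is spent. The dataset, the budget of 1.0, and the two queries are constructed assumptions chosen to keep the example self-contained.

```python
"""Differential privacy sketch: Laplace mechanism plus a sequential-composition accountant."""
import math
import random

# Constructed toy dataset (not real data): one record per person.
RECORDS = [
    {"age": 34, "zip": "80301", "bought_insulin": True},
    {"age": 52, "zip": "80301", "bought_insulin": False},
    {"age": 47, "zip": "80302", "bought_insulin": True},
    {"age": 29, "zip": "80303", "bought_insulin": False},
    {"age": 61, "zip": "80302", "bought_insulin": True},
]


def sample_laplace(scale, rng):
    """Draw Laplace(0, scale) noise by inverse CDF from a uniform sample."""
    u = max(rng.random(), 1e-12) - 0.5          # keep u strictly inside (-0.5, 0.5)
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


class BudgetExceeded(Exception):
    pass


class PrivacyAccountant:
    """Tracks epsilon spent under basic sequential composition.

    Each released answer adds its epsilon to the running total. Once the budget
    is exhausted, further queries are refused instead of silently leaking more;
    that refusal is the auditable event a regulator could hold a broker to.
    """

    def __init__(self, budget):
        self.budget = budget
        self.spent = 0.0

    def charge(self, epsilon):
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.budget + 1e-12:
            raise BudgetExceeded(
                f"spent {self.spent:.2f} + {epsilon:.2f} exceeds budget {self.budget:.2f}")
        self.spent += epsilon


def dp_count(records, predicate, epsilon, accountant, rng):
    """Answer a counting query with Laplace noise of scale sensitivity/epsilon.

    Adding or removing one person changes a count by at most 1, so the
    sensitivity is 1 and noise with scale 1/epsilon gives epsilon-DP for
    this single release. The accountant is charged before the answer exists.
    """
    accountant.charge(epsilon)
    true_count = sum(1 for r in records if predicate(r))
    return true_count + sample_laplace(1.0 / epsilon, rng)


def max_likelihood_ratio(epsilon):
    """What epsilon actually bounds: for any output, its probability with a given
    person in the dataset versus without them differs by at most this factor."""
    return math.exp(epsilon)


def demo(seed=0):
    """Two releases of epsilon 0.5 each against a budget of 1.0 (assumed values)."""
    rng = random.Random(seed)
    acct = PrivacyAccountant(budget=1.0)
    insulin = dp_count(RECORDS, lambda r: r["bought_insulin"], 0.5, acct, rng)
    over_40 = dp_count(RECORDS, lambda r: r["age"] > 40, 0.5, acct, rng)
    return {"insulin": insulin, "over_40": over_40, "spent": acct.spent}


if __name__ == "__main__":
    print(demo())
    print("per-release leakage bound at eps=0.5:", max_likelihood_ratio(0.5))
```

Note what the accountant does and does not do: basic composition simply adds epsilons, which is a valid but loose bound; tighter accounting exists, but the point here is that the total is a number that can be logged and audited, which is exactly what the "weak anonymization" the comment describes cannot offer.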

Michael Wojcik Silver badge

Re: Just ban tracking/targeting

if the products were indeed as good as advertised, advertisement wouldn't be necessary in the first place

This is simply naïve. Maybe you belong to some cabal of product users who can evaluate all new products for merit and circulate a list of the best available, but here in the real world, there is no magical access to some merit-ranked list of what's for sale.

In 2013, over 275,000 books were published in the US. I can't keep track of that many new publications. I can't even keep track of publications by all of the authors I like — I probably could, if I spent a fair bit of time creating a system for that, but I have better things to do.

Thanks to Kindle advertisements, over the past few years I've discovered a number of authors whose books now rank among my favorites. There's no plausible way I would have found all of these otherwise. Yes, some other new-favorite authors I found in traditional bricks-and-mortar bookstores, for which I am eternally grateful; but bookstores can't carry everything, and when I browse in a bookstore (or library) I can't look at more than a small fraction of what they have available.

Some of the websites I enjoy, I learned about through advertisements on other sites. Again, it's unlikely I'd have been introduced to them in any other way.

I don't watch a lot of synchronous media, but I do occasionally watch something on YouTube. A couple of the creators I watch routinely were recommended by friends; a couple I knew of from other sources. Most are the results of YouTube recommendations occasionally getting it right. I have no idea what input vector resulted in YouTube's popping up a link to CPG Grey's history-of-Tiffany video a couple of years ago, but it did, and the result was a decent chunk of entertainment (across Grey's body of work) that I was also able to share with Granddaughter Major. Advertising FTW.

It's a whole wide world out there, and due to sheer volume it's not particularly discoverable. Maybe you don't like advertising, full stop; fine, that's your opinion. But to claim that consumers would find everything they might value without it is sophomoric rubbish.

Michael Wojcik Silver badge

Re: Just ban tracking/targeting

As I've mentioned in the past, I have on a number of occasions been served advertisements that were clearly to some extent targeted, which informed me of products I was not aware of, which were of interest to me, which I purchased (or had purchased for me as gifts), and which I appreciate owning. Mostly books, and mostly on my Amazon Kindle. (Though, oddly, another example which comes immediately to mind is my Grip 6 belt, which I like very much and only learned of through a YouTube ad, of all things. There's treasure everywhere; it's just a question of how much shit you have to dig through to find it.)

So I can't claim targeted advertising has been of no benefit to me. Yes, I agree, 95 percent of it is woefully misdirected, and much of it is obnoxious. On YouTube most of the ads I see are for some horrendous game or for Grammarly, a software package I have despised since it first appeared and which has only succeeded in spurring my loathing of it since.

That said, I strongly support opt-in on a fine-grained basis (e.g. merchant by merchant, and for wide-ranging merchants like Amazon, category-by-category; and also device-by-device). And only collecting very limited data, such as prior purchases with that merchant — no demographics, no location, no other ancillary information.

Michael Wojcik Silver badge

I ended up dropping Brave and replacing it with Vivaldi on my phone, partly because Brave wasn't very stable, and partly because I was so tired of the damned cryptocurrency ads. I'd probably put up with one or the other if I had strong evidence that Brave makes a substantial difference; but I use my phone browser rarely, so it probably doesn't, in my case.

Uncle Sam intervenes as Change Healthcare ransomware fiasco creates mayhem

Michael Wojcik Silver badge

Ah, the "ecosystem"

This incident is a reminder of the ~~interconnectedness~~ abject failure of the domestic health care ecosystem

FTFT.

Thank goodness gullible morons let the private health insurers scare them away from reform in the 1990s.

Fidelity customers' financial info feared stolen in suspected ransomware attack

Michael Wojcik Silver badge

Re: Is there some way to hold identification info offline?

Virtual merchant-locked, tight-limit credit cards are a thing.

Michael Wojcik Silver badge

Re: Georgia on cybercrims' mind

That seems a rather dubious theory. Physical geography is not usually an attribute that you see a lot of ransomware affiliates chattering about. Typically it's whatever low-hanging fruit the updated scanners being run by the bot-army-as-a-service have picked up today, ranked by depth of pockets.

Trump supporters forge AI deepfakes to woo Black voters

Michael Wojcik Silver badge

Mystifying

It's hard to imagine why Mark Kaye or anyone else might think such photos would in some way convince anyone of anything. If Tim Scott's cringe-inducing ass-kissing hasn't done that job, nothing will.

The "Black vote" of course is in no way monolithic. Voters are often persuaded by irrational impulses and impressions, but I think it's highly probable that the number influenced simply by images — real or fake — of either candidate associating with people of a particular demographic is quite small.

Michael Wojcik Silver badge

Re: Except

That might be beyond our current capabilities.

It's certainly beyond his.

Twitter's ex-CEO, CFO, and managers sue Elon Musk for $128M

Michael Wojcik Silver badge

Yeah, I've been reading through the back catalog of Tim Urban's WaitButWhy, which is often entertaining and sometimes thought-provoking, even if only in a just-a-blog-post manner. But whenever Urban mentions Musk I know I'm in for some breathless hagiography. True, these posts antedate Musk's Twitter disaster, "pedo guy", and some of his other more notorious failings; but, seriously, even in 2010 someone thoughtful like Urban couldn't tell Musk is an utter tool? Yet Urban literally called him a modern Galileo.

But that's the thing. People are bad at evaluating others, and they're bad at reassessing their own ideas in light of new evidence. We are, as a species, very vulnerable to cults of personality, and sometimes people who are socially awkward or anxious in particular ways are even more vulnerable than average. (Less-developed defenses? Perhaps, but I think it's more complicated than that.)

Really the only solution is to distrust everyone else and be correct about everything all the time, which is my preferred approach.

Michael Wojcik Silver badge

Re: Screw that

Wow, is this one hard of thinking. I'm not surprised it chooses anonymity.

Change Healthcare attack latest: ALPHV bags $22M in Bitcoin amid affiliate drama

Michael Wojcik Silver badge

It's also possible the affiliate did get paid but is pulling some other sort of scam, or that a third party drained the wallet. Malware providers and users often have terrible OPSEC, and malware itself is often poorly written and full of vulnerabilities, as documented by "malvuln" on Full Disclosure.

You might think that for large cryptocurrency transactions users would use a fresh wallet and take it offline immediately after the transaction is complete, but (as anyone who reads Molly White's site knows) that's generally not the case. Things people wouldn't do with one-thousandth as much in cash they'll happily do with cryptocurrency. It's like even the trufans don't really believe cryptocurrency is money.

Flying car biz Alef claims 3K preorders, still hasn't done a proper demo

Michael Wojcik Silver badge

Re: Poorly Made Plywood Mockup

But who wouldn't want to drive around in something that looks like an overgrown space heater?

Hilarious.

Michael Wojcik Silver badge

there are very good reasons why we don't all fly them to work every day

Yeah. For one thing, they're so strict with the rules.

(Joking aside, I agree with you. Seaplanes are an uncomfortable compromise between planes and boats, but they have their justifications. Car-copters not so much.)

Michael Wojcik Silver badge

Re: Flying car

Between the no-doubt horrendous noise of the ducted fans and the pants-soiling terror, what's not to like?

Flying cars are one of those terrible ideas that some people just refuse to give up on.

Michael Wojcik Silver badge

I've seen more plausible vehicles pictured on the covers of 1970s SF magazines.

OTOH, really looking forward to the Haynes book for this one. ("Routine maintenance: Lubricating the cockpit bearings.")

Michael Wojcik Silver badge

Re: A good investment

I'd trade in those NFTs too. Go all in!

German defense chat overheard by Russian eavesdroppers on Cisco's WebEx

Michael Wojcik Silver badge

Re: Another party might have joined the conversation.

I find it difficult to assign that much competence to the firm in question.

Ransomware ban backers insist thugs must be cut off from payday

Michael Wojcik Silver badge

Astonishingly naïve

One is that 'it will drive the problem underground.' Will company directors really knowingly break the criminal law?

I have to wonder if Mr Martin has ever followed the news.

Forbidding payments is a useless gesture. It's security theater as legislation.

It does not significantly alter the motivation to attack, because attacking is extremely cheap and largely conducted by affiliates who are strongly motivated. It does not significantly alter the motivation to pay, because the whole point of ransom payments is that they're difficult to trace.

And as the entire ransomware industry becomes increasingly automated — which is more or less inevitable because of the economic advantages — it won't matter even if all payments were prevented, because the bot armies are not sensitive to the rate of return.

As always, this particular line of argument only demonstrates which "security experts" are any good at security thinking.

Michael Wojcik Silver badge

Re: Sometimes doing nothing is the correct answer

You clearly don't know how ransomware organizations operate.

They're franchises. Infections are performed by "affiliates", most of whom are low-skilled skiddies. They'll attack anyone in their sights, even if the probability of a payoff is low. Infecting is cheap; it's profitable even with a very low rate of return. Increasingly the process is automated, making it even cheaper and less subject to the whims of attackers, defenders, or governments.

Meanwhile, it's entirely plausible that companies would find ways to pay ransoms under the table.

The idea that forbidding payments would have any significant effect is a pipe dream. And comparing it to kidnapping — a very difficult, expensive, and risky crime — as the article does is nonsense.

The federal bureau of trolling hits LockBit, but the joke's on us

Michael Wojcik Silver badge

I don't know of any organization that considers Microsoft's telemetry an IDS mechanism, and I'd be extremely leery of any that do. That would be remarkably shortsighted.

Michael Wojcik Silver badge

If your backups for the past month are also encrypted because the attackers used "sleeper" ransomware, your DR procedures won't offer much recovery.
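An added example of the check that comment implies (written for this page; not code from the commenter or from any backup product): the only way to know a backup from last month is still a backup is to restore it, or at least parse it end to end, before the retention window rolls it off. The sample "backup files" below are constructed in memory, one genuine gzip stream and one whose gzip header survives but whose body has been overwritten with random bytes standing in for ciphertext. Entropy is reported but deliberately not used as the verdict, because a healthy compressed backup is also near 8 bits per byte.

```python
"""Verify that stored backups still restore, instead of trusting that they exist."""
import gzip
import math
import random
import zlib

# Constructed sample data (not real backups). A deterministic RNG keeps it reproducible.
_rng = random.Random(7)
_rows = "".join(f"{i},{_rng.randint(0, 99999)}\n" for i in range(2000))
GOOD_BACKUP = gzip.compress(("hostname=db01\n" + _rows).encode())
# Sleeper-ransomware stand-in: keep the 10-byte gzip header, replace the body.
RANSOMED_BACKUP = GOOD_BACKUP[:10] + bytes(
    _rng.getrandbits(8) for _ in range(len(GOOD_BACKUP) - 10))
FILES = {
    "db01-2024-02-01.sql.gz": GOOD_BACKUP,
    "db01-2024-02-02.sql.gz": RANSOMED_BACKUP,
}


def shannon_entropy(data):
    """Bits per byte of the byte distribution; 8.0 means every value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_like_gzip(data):
    """Cheap first check: gzip magic bytes. A header can survive tampering, so not sufficient."""
    return data[:2] == b"\x1f\x8b"


def restores_cleanly(data):
    """The decisive check: decompress the whole stream, which also validates
    gzip's CRC32 and length trailer. Any body tampering fails here."""
    try:
        gzip.decompress(data)
        return True
    except (OSError, EOFError, zlib.error):   # BadGzipFile is an OSError subclass
        return False


def verify_backup(name, data):
    """Return (name, verdict, entropy). Only the restore test decides the verdict."""
    ent = shannon_entropy(data)
    if not looks_like_gzip(data):
        return name, "FAIL: not a gzip stream", ent
    if not restores_cleanly(data):
        return name, "FAIL: header intact but body does not restore", ent
    return name, "OK", ent


def verify_all(files):
    return [verify_backup(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for name, verdict, ent in verify_all(FILES):
        print(f"{name}: {verdict} (entropy {ent:.2f} bits/byte)")
```

In practice this runs as a scheduled job against the backup store with a different credential than the one that writes backups, and its results feed the retention decision: a set that fails the restore test is not allowed to age out the last good one.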

Judge orders NSO to cough up Pegasus super-spyware source code

Michael Wojcik Silver badge

Re: Code.....C......Diffie-Hellman........chacha20 (extern)

Save us, oh lord, from amateur cryptographers.

Michael Wojcik Silver badge

Re: OTOH

At this point, what the steering wheel has come off of is your analogy. Stop digging.

Michael Wojcik Silver badge

Re: Not Even a Fig Leaf

I love the "not designed" part. "This gun is not designed to kill good people." Well OK then.

(Of course, according to the NRA, guns aren't designed to kill people. People are designed to kill people.)

Indian tech minister vows to stop Google removing local apps from Play Store

Michael Wojcik Silver badge

Re: Choke...

I can't even muster up much cynicism for rent-a-friend. It's just too damn pathetic. And largely doomed, because most of the market for this sort of thing will just fall into the "AI" chatbot hole; it's easier than interacting with actual human beings.

Michael Wojcik Silver badge

I find it astonishing to think that more than slightly more than half of those surveyed do not intend to commit to spending nothing on cloud computing service initiatives.

I mean, it's a fairly unsurprising statistic, but thinking it in that convoluted fashion is definitely an effort.

It's that most wonderful time of the year when tech cannot handle the date

Michael Wojcik Silver badge

Re: Oh, come on - this is elementary

Indeed. None of my code had any problem with 2024-03-00.

Michael Wojcik Silver badge

Re: Don't people test edge cases any more?

Well, the WWW can enlighten you on that one. From the first result from my search: "In 2011, Samoa switched time zones, skipping directly from Thursday to Friday."

Elon and the terrible, horrible, no good, very bad legal week

Michael Wojcik Silver badge

Re: But they'll all look the same up against the wall

I can provide plenty.

Whoops. Now someone on the Internet knows you're a dog.

Water worries flood in as chip industry and AI models grow thirstier

Michael Wojcik Silver badge

Re: I've said many times that...

Yes, the US Southwest, for example, has extracted a lot of its paleowater from sources such as the Ogallala. Texas, Arizona, and Nevada are likely to face drastic groundwater collapse in the relatively near future. California will be insulated somewhat by its economic and political power, and New Mexico by its low population density and widespread use of traditional water-management techniques. Colorado has water-management issues — the state water authority has had its power somewhat subverted by various backroom deals — but its mountains are the source of enough seasonal groundwater to see it through. Utah also has good mountain supply, and its state government is generally effective. And things aren't yet quite as bad in the high plains.

Texas's size won't help it as much as in California because Texas is historically rather less effective at wielding its political power (in part because of its isolationism), and because the Texas ranchers and other rural residents have much less political pull in state politics than agribusiness does in California.