Re: Pendantic
Yeah, a pendant is when it goes down, not up.
And it's not just the individual updates. Windows Update itself is a huge piece of crap, as is the overall update process. The nagging and eventual forced installation. The world's slowest, most opaque installation technology. The utter lack of usability or useful diagnostics — has anyone ever seen an error from Windows Update that wasn't just the hex exception code? Most of those are regular Windows error codes — call your own goddamned FormatMessage function, Microsoft! The multiple reboots. The way Microsoft has made it progressively harder to figure out what's in a given patch.
I had grudgingly gained some appreciation for Microsoft in the Vista timeframe, when they made a serious effort to improve security and fix some of Windows NT's worst failings. They squandered that long ago, and Windows Update is a good example why.
Eventually people have to upgrade to a newer Java release, for one reason or another. They use third-party software that needs a more-recent version, for example. They want support, and the old version goes out of support. Their developers want the shiny new features.
When you upgrade, you get the new license terms.
As others have pointed out, the solution is to not use Oracle Java. There are a handful of alternative distributions with better licensing terms, such as Adoptium. (Horrible name, but it works well enough.)
Thing is, the Oracle licensing team is incentivized to find billable non-compliance today. What happens tomorrow is Not Their Problem. And if Oracle ends up robbing Peter (sales) to pay Paul (licensing), that'll still look good on the next set of quarterlies — even if it precipitates long-term decline.
As with much of modern capitalism, it's full of perverse incentives, and many organizations continue to function mostly because there's enough tension between opposing goals and friction within the organizational structure that no one really succeeds well enough to bring the whole thing down.
ASML not being able to sell to the US is largely irrelevant. Not many people believe in these dreams of US chip autarky, particularly for the latest process nodes. Or in the fantasy of moving TSMC's production to the US. The fact is, the US would hardly notice a ban on EUV litho equipment.
A trade war between the US and the Netherlands, besides being idiotic and overwhelmingly improbable, would be a disaster for ASML. ASML makes the only EUV lithography machines, but those machines are useless without the extremely pure silicon wafers required for the smallest process nodes, and the US is the only source of those. And that doesn't appear likely to change anytime soon. See the discussion in Conway's Material World.
Of course, ASML isn't selling EUV litho equipment in the US (in any significant way). Sibelco / Quartz Corp aren't selling the ultra-pure silicon feedstock in the Netherlands, nor is SEH selling those silicon wafers there. The consumers are TSMC and Samsung. So it's already trilateral; and Sibelco is Belgian-owned, and SEH is Japanese-owned, even if they're manufacturing in the US.
It's almost like there's some sort of complex, global web of trade relations at work.
Ugh. I loathe, loathe, loathe JetBrains Mono and its accurséd ligatures. We use Upsource for code reviews on one of my teams, and I had to disable font downloads to get rid of all the damned ligatures. (Upsource lets you configure a different font for some elements, but not all.) Of course, disabling font downloads is a good idea anyway, because, hey, stupid additional attack surface.
If Kernighan and Ritchie had wanted us to use ligatures in C, they ... well, they would have been wrong. It's a terrible idea.
I STILL can't log on, even with log-in codes
Scott Aaronson posted something similar on his blog.
To his credit, he admitted this might prove to be to his benefit.
I do understand people using social media to stay in touch with family and friends. Multicast media is certainly more efficient than point-to-point; it's hard to stay in regular contact with even a fairly small group by mail / email / voice / SMS / and so on. I also admit I just don't stay in regular contact with more than a few people, because I can't bear to use social media, and I don't make that effort to keep up those point-to-point lines of communication.
But people who follow casual acquaintances, strangers, companies... it's hard to see how that's not toxic. Even someone like Zvi Mowshowitz, whom I regard as a serious and respectable thinker (even if I often disagree with him), and who clearly gets a lot of information which feeds into his own work from Twitter, does not, in my opinion, make a good argument for using social media extensively. I'm just not convinced that it's a particularly useful source of news and other information, however carefully curated. I have never yet seen anything reported where I thought "I wish I'd seen that a couple of hours earlier on Twitter!".
Agreed. Deanonymization was demonstrated convincingly multiple times in various studies. The data brokers hiding behind this sort of weak anonymization are lying, and they know it.
With differential privacy it's possible to quantify just how much information is being leaked. Regulators could force data brokers to use DP, in an auditable fashion, and penalize them for exceeding some threshold; but that would be difficult, and it's hard to argue that it wouldn't be better to just force the third-party brokers out of business, frankly. (And I say that despite having defended limited targeted advertising upthread.)
Unfortunately surveillance capitalism is one of those manifestations that's useful to both the private sector and the state, so the public-private tension that is responsible for most real reform isn't present. For every politician or regulator who sides with the consumer on this, there are a thousand law-enforcement and intelligence types clamoring for more surveillance and supporting the businesses that provide it.
if the products were indeed as good as advertised, advertisement wouldn't be necessary in the first place
This is simply naïve. Maybe you belong to some cabal of product users who can evaluate all new products for merit and circulate a list of the best available, but here in the real world, there is no magical access to some merit-ranked list of what's for sale.
In 2013, over 275,000 books were published in the US. I can't keep track of that many new publications. I can't even keep track of publications by all of the authors I like — I probably could, if I spent a fair bit of time creating a system for that, but I have better things to do.
Thanks to Kindle advertisements, over the past few years I've discovered a number of authors whose books now rank among my favorites. There's no plausible way I would have found all of these otherwise. Yes, some other new-favorite authors I found in traditional bricks-and-mortar bookstores, for which I am eternally grateful; but bookstores can't carry everything, and when I browse in a bookstore (or library) I can't look at more than a small fraction of what they have available.
Some of the websites I enjoy, I learned about through advertisements on other sites. Again, it's unlikely I'd have been introduced to them in any other way.
I don't watch a lot of synchronous media, but I do occasionally watch something on YouTube. A couple of the creators I watch routinely were recommended by friends; a couple I knew of from other sources. Most are the results of YouTube recommendations occasionally getting it right. I have no idea what input vector resulted in YouTube's popping up a link to CPG Grey's history-of-Tiffany video a couple of years ago, but it did, and the result was a decent chunk of entertainment (across Grey's body of work) that I was also able to share with Granddaughter Major. Advertising FTW.
It's a whole wide world out there, and due to sheer volume it's not particularly discoverable. Maybe you don't like advertising, full stop; fine, that's your opinion. But to claim that consumers would find everything they might value without it is sophomoric rubbish.
As I've mentioned in the past, I have on a number of occasions been served advertisements that were clearly to some extent targeted, which informed me of products I was not aware of, which were of interest to me, which I purchased (or had purchased for me as gifts), and which I appreciate owning. Mostly books, and mostly on my Amazon Kindle. (Though, oddly, another example which comes immediately to mind is my Grip 6 belt, which I like very much and only learned of through a YouTube ad, of all things. There's treasure everywhere; it's just a question of how much shit you have to dig through to find it.)
So I can't claim targeted advertising has been of no benefit to me. Yes, I agree, 95% of it is woefully misdirected, and much of it is obnoxious. On YouTube most of the ads I see are for some horrendous game or for Grammarly, a software package I have despised since it first appeared and which has only succeeded in spurring my loathing of it since.
That said, I strongly support opt-in on a fine-grained basis (e.g. merchant by merchant, and for wide-ranging merchants like Amazon, category-by-category; and also device-by-device). And only collecting very limited data, such as prior purchases with that merchant — no demographics, no location, no other ancillary information.
I ended up dropping Brave and replacing it with Vivaldi on my phone, partly because Brave wasn't very stable, and partly because I was so tired of the damned cryptocurrency ads. I'd probably put up with one or the other if I had strong evidence that Brave makes a substantial difference; but I use my phone browser rarely, so it probably doesn't, in my case.
Virtual merchant-locked, tight-limit credit cards are a thing.
That seems a rather dubious theory. Physical geography is not usually an attribute that you see a lot of ransomware affiliates chattering about. Typically it's whatever low-hanging fruit the updated scanners being run by the bot-army-as-a-service have picked up today, ranked by depth of pockets.
It's hard to imagine why Mark Kaye or anyone else might think such photos would in some way convince anyone of anything. If Tim Scott's cringe-inducing ass-kissing hasn't done that job, nothing will.
The "Black vote" of course is in no way monolithic. Voters are often persuaded by irrational impulses and impressions, but I think it's highly probable that the number influenced simply by images — real or fake — of either candidate associating with people of a particular demographic is quite small.
Yeah, I've been reading through the back catalog of Tim Urban's WaitButWhy, which is often entertaining and sometimes thought-provoking, even if only in a just-a-blog-post manner. But whenever Urban mentions Musk I know I'm in for some breathless hagiography. True, these posts antedate Musk's Twitter disaster, "pedo guy", and some of his other more notorious failings; but, seriously, even in 2010 someone thoughtful like Urban couldn't tell Musk is an utter tool? Yet Urban literally called him a modern Galileo.
But that's the thing. People are bad at evaluating others, and they're bad at reassessing their own ideas in light of new evidence. We are, as a species, very vulnerable to cults of personality, and sometimes people who are socially awkward or anxious in particular ways are even more vulnerable than average. (Less-developed defenses? Perhaps, but I think it's more complicated than that.)
Really the only solution is to distrust everyone else and be correct about everything all the time, which is my preferred approach.
It's also possible the affiliate did get paid but is pulling some other sort of scam, or that a third party drained the wallet. Malware providers and users often have terrible OPSEC, and malware itself is often poorly written and full of vulnerabilities, as documented by "malvuln" on Full Disclosure.
You might think that for large cryptocurrency transactions users would use a fresh wallet and take it offline immediately after the transaction is complete, but (as anyone who reads Molly White's site knows) that's generally not the case. Things people wouldn't do with one-thousandth as much in cash they'll happily do with cryptocurrency. It's like even the trufans don't really believe cryptocurrency is money.
there are very good reasons why we don't all fly them to work every day
Yeah. For one thing, they're so strict with the rules.
(Joking aside, I agree with you. Seaplanes are an uncomfortable compromise between planes and boats, but they have their justifications. Car-copters not so much.)
One is that 'it will drive the problem underground.' Will company directors really knowingly break the criminal law?
I have to wonder if Mr Martin has ever followed the news.
Forbidding payments is a useless gesture. It's security theater as legislation.
It does not significantly alter the motivation to attack, because attacking is extremely cheap and largely conducted by affiliates who are strongly motivated. It does not significantly alter the motivation to pay, because the whole point of ransom payments is that they're difficult to trace.
And as the entire ransomware industry becomes increasingly automated — which is more or less inevitable because of the economic advantages — it won't matter even if all payments were prevented, because the bot armies are not sensitive to the rate of return.
As always, this particular line of argument only demonstrates which "security experts" are any good at security thinking.
You clearly don't know how ransomware organizations operate.
They're franchises. Infections are performed by "affiliates", most of whom are low-skilled skiddies. They'll attack anyone in their sights, even if the probability of a payoff is low. Infecting is cheap; it's profitable even with a very low rate of return. Increasingly the process is automated, making it even cheaper and less subject to the whims of attackers, defenders, or governments.
Meanwhile, it's entirely plausible that companies would find ways to pay ransoms under the table.
The idea that forbidding payments would have any significant effect is a pipe dream. And comparing it to kidnapping — a very difficult, expensive, and risky crime — as the article does is nonsense.
Well, the WWW can enlighten you on that one. From the first result from my search: "In 2011, Samoa switched time zones, skipping directly from Thursday to Friday."
Yes, the US Southwest, for example, has extracted a lot of its paleowater from sources such as the Ogallala. Texas, Arizona, and Nevada are likely to face drastic groundwater collapse in the relatively near future. California will be insulated somewhat by its economic and political power, and New Mexico by its low population density and widespread use of traditional water-management techniques. Colorado has water-management issues — the state water authority has had its power somewhat subverted by various backroom deals — but its mountains are the source of enough seasonal groundwater to see it through. Utah also has good mountain supply, and its state government is generally effective. And things aren't yet quite as bad in the high plains.
Texas's size won't help it as much as in California because Texas is historically rather less effective at wielding its political power (in part because of its isolationism), and because the Texas ranchers and other rural residents have much less political pull in state politics than agribusiness does in California.