Posts by Michael Wojcik

Re: @werdsmith - Erm....

Frankly, I think Red Hat adopted the Poettering philosophy of "my way or fuck you" long ago, and they have no intention of undoing any of his "innovations", or even changing course a bit.

Re: Musk for PM

Man, once in a while the Natural-Born Citizen clause actually does something other than annoy immigrants.

Re: Methinks it's lawyers all the way down on this one...

Two juries, not one. Two trials, with different defense counsel, different prosecutors, different judges, different evidence, different arguments. So they're not directly comparable anyway.

It is certainly possible that one jury found their defendant more sympathetic than the other jury did theirs. It is possible that affected their verdicts. It is possible some or all of age, sex, ethnicity, country of origin, and perceived physical attractiveness played a role, conscious or unconscious, in the calculations of some or all jurors.

It's fine, even probably wise, to be suspicious of these possibilities, human beings being what they are. It's unwise to be certain of them, because there are many confounding factors and because it's generally pretty foolish to indulge in generalizations about people.

Re: Sub-sea nukes

And there are plenty of critical-resource systems which aren't commercially viable.

Heath care isn't commercially viable; the US has been trying to pretend it is for decades, and it's become a horrible mess.

Here in the US Southwest, water isn't commercially viable, and hasn't been since the Bureau of Reclamation started trying to capture all of it. Right now water distribution is heavily subsidized (often in part by flagrantly violating the law) and people are busy ignoring the fact that they're depleting the aquifers and the rivers are over-allocated. When that crashes it's going to be really bad, and everyone will wake up to just how distorted that market is.

I, too, am in favor of government regulation in many spheres, where severe externalities need to be converted into direct costs to prevent disaster. Of course, regulation often fails to do that, for all the usual reasons – regulatory capture, the slow movement of legislatures and regulators, short-sightedness, and plain old corruption – but for now it's all we have.

Re: Amazon "Buy Box"

Yes, why ask that articles contain relevant information when some AC will just post the "Just Google it, bro!" response in the comments? Hell, why visit the Reg at all when we can just Google the answers to all of our questions? Who needs analysis?

Re: This should be...

Yes. Things like previewing MMS attachments is just asking for grief.

Re: While the prospect of toothpaste that DOESN'T taste like mint is appealing

Google 'boiron homeodent toothpaste anise' if you would like something else.

Or, y'know, just search for "non mint toothpaste", which is a bit easier to remember and type.

Re: So, quantum is basically the new fusion

I thought this stuff was supposed to be almost instantaneous.

Well, you thought wrong.

There are plenty of accessible introductions to QC available online, and many accessible discussions of it from people like Scott Aaronson. Why not actually learn something about it rather than complaining you don't understand it?

For problems where you need an exact solution rather than an approximation, if you're going to use general quantum computation to search for that solution, you'll need error correction. Error correction is the big stumbling block here (along with scaling up to a suitable number of qubits; Shor's algorithm requires on the order of (lg N)² qubits, where N is the size in bits of the input, so it's logarithmic in space but not directly).

Even then, Shor's runs in polynomial time on the length of the input, so it's not "instantaneous". And like all algorithms in BQP, testing the result is polynomial; in the case of factoring that's still very fast for a single candidate solution, but if your error correction is weak, you might be testing a lot of them.

Also, ignore the bit from the article about 5000 qubits. Adiabatic QC is utterly irrelevant for cryptography.

Re: The Library of Congress already has this in hand

Well, sort of. Normally the lawsuit has to wait until registration is granted.

In 2019's Fourth Estate Public Benefit Corp. v. Wall-Street.com SCOTUS resolved a circuit dispute over whether copyright was actionable when registration had been applied for, or only when it was granted. They came to the conclusion that 17 U.S.C. §411(a)'s language only makes sense if the intent of Congress was that a civil action could be pursued only if registration had been granted or refused. (Note that latter exception – you can sue for infringement if the LoC refuses to grant your registration, provided you inform the LoC, though winning such a suit would presumably be an uphill battle.)

So in the US, copyright attaches as soon as the work is completed (the Copyright Office has used the phrase "when the pen leaves the paper"), but civil action requires registration, which can be applied for at any time, but may take a while to complete (one way or the other).

I do wonder why the USA is so concerned about border security.

Two reasons.

One, it's a dog-whistle to the howling nitwits. "Border security" gets you Republican votes.

Two, it's one of the DHS's fiefdoms, and they'll seek to acquire more power in it regardless of any justification. DHS is a bureaucracy and it contains multiple police forces, and both of those types of institutions will try to increase their power just for the sake of power.

That's why ICE now has one of the biggest domestic-surveillance operations in the US. That's why CBP has jurisdiction over most of the US and eagerly exercises its powers of warrantless search. These are organizations that exist primarily to exercise power.

Re: Partners with existing delegated admin privileges (DAP) relationships

Agreed. I don't see how this changes the threat model. Existing administrators get to create accounts with fewer privileges for themselves.

As for the comment in the article about attackers: if those attackers already have control of a DAP account, you're hosed. This move by Microsoft appears to change nothing in that regard. It's simply to ease the transition to more narrowly scoped privileges, which is a Good Thing.

I may be missing something, but if so it's certainly not clear from the article or the whinging in comments below.

Re: Since google pretty much control the browser market

Yes, but most authentication these days happens in interactive HTTP user agents – browsers. Browsers refusing to support DID will likely slow adoption. In practice, there will be a thousand DID Javascript libraries in npm by the end of the year, only 998 of which will be either horribly insecure or actively malicious, so we'll be seeing DID support in lots of web apps; but browser resistance will still be a drag on adoption.

I haven't looked at DID closely yet, but it seems fairly stupid on casual inspection. And, of course, we already have technologies deployed for identities that aren't tied to a single vendor and can be decentralized. Those (OpenPGP keys, X.509 in non-hierarchical PKIX arrangements) are also terrible, but they're the terrible we know.

Identity is a hard problem, and "mumble mumble something plus half-assed baby Merkle graphs!" is not likely to be a good solution.

Re: Stating the obvious

In the US, there are plenty of people who voted for Trump even while acknowledging he was a dangerous idiot, because they wanted the Republicans in charge and they wanted conservative judges on the Supreme Court. That kind of realpolitik presumably happens in significant numbers in the UK as well.

In other words, many people are willing to support (in some sense) an embarrassing leader if they perceive the benefits to outweigh the costs. Perhaps things are different in Finland, but in the US, and I suspect the UK, voters are not, in the main, nearly so fastidious.

Re: The paradox of greed

Very true. My wife and I are comfortably upper-middle-class, in fact in the top 1% for household income of the states we've lived in (though not near it for the US as a whole) – which means we're quite wealthy indeed by global standards – and we follow the rules.

I have a good friend who's quite wealthy thanks to a lot of hard work by himself and by his father before him; he's in commercial real estate and he (and his father before him) has a longstanding practice of working with distressed clients to keep them afloat until they can start making rent payments again. It's all worked out quite well.

Another acquaintance who is bona fide rich (as in "owns several homes, some of which he's only been to once or twice, works by famous artists, etc") has not, to the best of my knowledge, broken any laws or been particularly nasty or underhanded. He just started with some family money, innate intelligence, and an excellent education, and then pursued becoming rich with considerable vigor. Yes, the family money is an important starting point, but it's not necessary to be vile in order to be rich. That's just a rationalization used by people who want an excuse to behave badly.

Probably not. Most users choose passwords that are too easy to crack, so even for salted cryptographic hashes the pre-image can be found for relatively small numbers of accounts quickly enough that it's not worth using specialized hardware. Just hashcat running on a vanilla PC is often plenty fast.

Good password verifiers use Argon2 (probably the best choice, when used with appropriate parameters), bcrypt, scrypt, or PBKDF2. An ASIC designed for Bitcoin-blockchain-hashing won't support any of those, and Argon2 in particular is memory-hard and so not amenable to compute-based hardware acceleration.

So the password-cracking use cases where a generic SHA1 or SHA2 hardware engine is useful are limited.

It breaks more than "some hacks". The query string is part of the HTTP specification, and stripping it will break some conforming sites. For some people that may be an acceptable trade-off. It isn't for me, not least because I have software I've written which makes use of query strings, and I'm not inclined to rewrite it to accommodate a user agent deliberately violating the specification.

But I haven't used Firefox since they broke my extensions, so I don't particularly care one way or the other. And since this is optional and off by default, I don't much care if Firebox gives it to the users and lets them make their own decision.

Re: Alternatively

It doesn't even need to be git. That's designed for a project on the scale of the Linux kernel, which relatively few of us are working at.

And more importantly, it's designed for a truly distributed use case. Most of the projects using GitHub are using it as a single central server, which is not where git has any significant advantages.

It'd make more sense to be using SourceForge and Subversion for that use case. Subversion's model is easier to understand (the vast majority of git users seem to have no idea of what its internal representation actually is) and better suited to the central-repository use case.

Most projects seem to be using git because most projects are using git.

Re: Others preferred

vim is my editor for all text-based files on all the platforms I work on that support it. (IBM mysteriously have not yet added vim to ISPF yet.)

I've been a professional software developer since '88, and had to use a lot of editors and IDEs before and since. I'm not saying I'd recommend anything in the vi family to anyone, but I've used vi, then vim (and gvim on Windows, due to some sort of occasional issue with running Windows vim under Cygwin bash that I can't be bothered to sort out) for too long to be inclined to switch to anything else.

Also, I hate every IDE I've ever used; none of them come close to the power of shell + my editor of choice + my debugger of choice + POSIX text tools + a decent build system and so forth. I really do not see the appeal of having a lot of not-really-very-good tools baked into the build system, when much better ones are available right there on the command line, and are trivially scriptable.

Re: Sell strike aircraft not spyware

Tu quoque fallacy. One bad act does not excuse another.

Re: "after two Walmart stores equipped with the panels caught fire"

Didn't the whistleblower's report say the installers were covering non-functioning cells with black electrical tape, leading to overheating? I know, I should look this up before posting, but, you know, Internet.

Re: Yay, we have finally reinvented the terminal

Yeah. And X11 was used properly in the days of X terminals, with mostly protocol messages flowing between the client and server, and let the ddx layer render. Very little of this QT-style "I'll do my own rendering into a bitmap and shove it over to the server" crap.

So you didn't need nearly as much network bandwidth. And since the primitives could compress a lot of information and rendering was slow compared to today's hardware, latency was less noticeable, too. If an xterm sent 800 characters in a single XDrawString to a server, it would have a little while before the next message needed to get there.

Oh, well.