Re: Norton
What about Norton Antivirus is worth even £20 / year?
12299 publicly visible posts • joined 21 Dec 2007
Hell, even on Windows, Microsoft Windows Defender is at least as good as most of the commercial offerings for most users. The value proposition for McAfee appears to be corporate central control (which, I can say from experience, is primarily used by IT departments to make work impossible). I assume the value proposition for Norton is "hey, we use the name of this guy who used to have a good reputation for PC stuff about a million years ago".
Virtual cards from a service such as privacy.com (which I use) also work well for this. One click and the card is closed. Privacy cards are also locked to a single merchant, so card-information thefts have much smaller risk, and it's easy to set and change spending limits.
Ugh, those Prime Student pushes are so damn annoying. I try to avoid Amazon, but Every. Time. I. Order. Something. they bug me to sign up for Prime Student (as well as bugging me to sign up for regular Prime, which ain't happening, Amazon).
If only other online bookstores (B&N, etc) could sort out their ordering and fulfillment systems. I had a minor holiday crisis with B&N some years ago where they held up an entire order of gifts for several people because they'd cheerfully let me order one book which was not in stock, and indeed has never been in stock since. If I hadn't called, discovered the problem, and browbeaten them into sending the rest of the order at the last minute I'd have been out of luck.
(I shop in local stores when I can, but often people want things which aren't available locally.)
Yes, there are no privacy implications whatsoever from our infallible police forces, ever-fair guardians of justice, combing through photographs to extract palm- and fingerprints. I have the utmost confidence they will use this technique only to find those they know are Bad People, or are pretty sure about, or figure might be more or less Bad People, or would maybe do some Bad Stuff at some point in the future, or might annoy them at some time, or might annoy someone in a position of influence, or ...
But, I mean, an alleged drug dealer was caught,[1] so that excuses anything. Mustn't have drugs. Except alcohol, obviously. What good are my civil rights if someone else somewhere is getting high?
[1] We're told he confessed, and that's indisputable proof, right?
AFAIK the police infiltrated EncroChat simply by joining
According to reports, by getting a mole hired as an employee and compromising the software. End-to-end doesn't help in that case, as long as the client (on either end) is compromised.
ObReference to "Reflections on Trusting Trust", etc, etc.
Just look at all the jobs in Task Scheduler that are triggered by boot or initial logon. Windows does an insane amount of stuff when it first comes up. Whether most or any of it is desirable is another question. (I disable most of what Microsoft crams into Task Scheduler whenever I get a new work machine.)
Then, of course, there are all those oh-so-necessary services that start up at boot. Why, you wouldn't want your attack surface to be missing UPnP, would you?
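The check described in the comment above, as an added example that is not part of the original post: a read-only PowerShell audit of enabled scheduled tasks with boot or logon triggers, automatically started services, and the two UPnP-related services. It assumes the built-in ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated prompt; the variable names are illustrative.

```powershell
# Added example: list what Windows starts at boot or logon. Read-only.
# Assumes an elevated PowerShell session and the built-in ScheduledTasks module.

# CIM class names of the two trigger types of interest.
$startupTriggers = 'MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger'

$tasks = Get-ScheduledTask | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
    $task = $_
    $hits = @($task.Triggers |
        Where-Object { $_.CimClass.CimClassName -in $startupTriggers })
    if ($hits.Count -gt 0) {
        [pscustomobject]@{
            Path     = $task.TaskPath + $task.TaskName
            # 'MSFT_TaskBootTrigger' -> 'Boot', 'MSFT_TaskLogonTrigger' -> 'Logon'
            Trigger  = ($hits | ForEach-Object {
                           $_.CimClass.CimClassName -replace '^MSFT_Task|Trigger$'
                       } | Sort-Object -Unique) -join ','
            RunAs    = $task.Principal.UserId      # empty for group principals
            RunLevel = $task.Principal.RunLevel    # Highest = elevated token
            # Exec actions have Execute/Arguments; COM handler actions have ClassId.
            Command  = ($task.Actions | ForEach-Object {
                           if ($_.Execute) { "$($_.Execute) $($_.Arguments)".Trim() }
                           else            { "COM:$($_.ClassId)" }
                       }) -join '; '
        }
    }
}

# Services configured to start automatically at boot.
$autoServices = Get-CimInstance Win32_Service -Filter "StartMode = 'Auto'" |
    Select-Object Name, State, StartName, PathName

# SSDP Discovery and UPnP Device Host, whatever their start mode.
$upnp = Get-CimInstance Win32_Service -Filter "Name = 'SSDPSRV' OR Name = 'upnphost'" |
    Select-Object Name, StartMode, State

"{0} enabled tasks with a boot/logon trigger, {1} auto-start services" -f `
    @($tasks).Count, @($autoServices).Count

# Tasks running as SYSTEM or with the highest run level sort to the top for review.
$tasks |
    Sort-Object @{ Expression = { $_.RunAs -eq 'SYSTEM' -or $_.RunLevel -eq 'Highest' }; Descending = $true }, Path |
    Format-Table Path, Trigger, RunAs, RunLevel, Command -AutoSize -Wrap

$autoServices | Sort-Object StartName, Name | Format-Table -AutoSize -Wrap
$upnp | Format-Table -AutoSize
```

Saving the three result sets with `Export-Csv` on a freshly imaged machine gives a baseline to diff against after updates or software installs.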
Or sorting the Teams list alphabetically. Currently you have to sort teams manually by dragging and dropping, which is onerous if you're on more than a handful of teams (I'm on 38 at the moment) and works poorly (as drag-and-drop often does, particularly in crap Electron apps). And if you don't sort them, finding the team you want is an enormous pain in the ass.
This would be trivial to implement. It's something an intern could do.
But yes, Microsoft, continue to give us eye candy no one asked for.
Teams is awful. The underlying technology is awful (SharePoint – the worst way to make data available since clay tablets were invented), the UI is awful, performance is miserable. We used to use RocketChat for the chat / message-board functions; it was far from perfect, but it was much better.
I'll admit that for internal videoconferencing Teams is actually no worse than the many other products we've used (PVX, Bridgit, Skype, Lync/SfB, etc), and better than some (such as Go To Meeting or WebEx), in my experience. But its other functions are pretty much rubbish.
It's not compatibility with the Win 3.x line which harms the security architecture of the NT line; it's user habits. That's why Vista introduced the split token and UAC – because Microsoft had given up on trying to wean people off doing everything with administrative access, and figured they'd just try throwing a half-height security barrier in the way.
Users, even technical ones, are notoriously resistant to security measures that affect their workflows.
That said, there are some problems with NT's security architecture, like the excess authority required to monitor processes (owned by other tokens) for termination. And the biggest issue with Windows security remains its enormous and crufty attack surface. Even without excess permissions, if you can drop a keylogger through an RCE you can eventually capture the current user's credentials, and pivoting and escalation will almost certainly be possible.
James Mickens is hilarious. Watch some of his recorded presentations sometime – he has a great one on Byzantine consensus protocols, for example. You're not supposed to take that stuff seriously.
Honestly, the ability of some people in IT to utterly fail to understand jokes remains impressive even after decades of observing it.
To be fair, I didn't know that was his plan either. But then I also don't particularly care whether he goes or not.
It's nice that we have multiple private firms innovating in this area, and I think it's fine that Branson is trying to use tourism to subsidize and advertise a bit. Not a personal priority for me – research is better done by machines, the long-term survival of H. sapiens is not something I'm invested in, and space travel will never be practical for all but the tiniest fraction of the population – but improving the technology is good.
They could have gotten a bit closer. White Sands is at an elevation of about 1900m above sea level. Wheeler Peak, the highest point in New Mexico (which I can see from the Mountain Fastness), is at 4000m. Just launch from there and you've made up nearly 20% of the difference!
(No, I'm not seriously suggesting this.)
EVs are the future, even if they come with a fuel cell, or a thorium reactor, on board
Or one of those fancy internal-combustion engines I keep hearing about.
Diesel-electric works for locomotives. Why aren't the EV fans pushing for a hybrid pure-electric powertrain with ICE onboard generation? (Hybrid drivetrains are idiotic.) Solves the range and refueling problems, and if you want to charge it from the grid when it's parked for long periods, you're free to do so.
The only passenger cars of this sort that I've seen are exotics. It would make more sense than an electric-battery design for a pickup, or for anyone who needs to drive long distances.
That will not work.
There's already a strong incentive not to pay: it costs money, it's risky, it's bad PR, it looks bad to investors. Yet companies pay anyway, because the alternative is worse for them.
Executives can always find a proxy and construct plausible deniability for making payments. Prosecution would be very difficult, and prosecutors hate difficult prosecutions. (See Eisinger, The Chickenshit Club.)
And (as I keep pointing out) even reducing payments by orders of magnitude won't eliminate ransomware attacks, because the cost of mounting those attacks is extremely low.
Governments already promulgate all sorts of IT-security requirements. The Biden White House just issued a new batch. They haven't helped much yet, and there's no reason to believe they will in the foreseeable future.
That's not generally the way it works. The attacking organization has a botnet probing for known vulnerabilities it can exploit to drop a ransomware package, which will then encrypt files and notify a C&C server. The humans only find out about it after a victim has been compromised. There aren't a bunch of pasty-faced yoots in hoodies hunched over keyboards manually encrypting a file at a time.
Some ransomware includes exfiltration of data; some doesn't. A given crew might, at some point, upgrade their botnet to deliver a package that includes exfiltration capability, but while the money's still rolling in there's no great incentive to do so quickly.
There are probably ransomware operators who still work manually, but the smart ones will be automating the process as much as possible. And aside from developing packages with novel capabilities, it can all be automated.
That's one reason why outlawing payments won't stop ransomware attacks.
I-Ds (Internet Drafts) are drafts of some sort, rough or otherwise, and that's what we have in this case.
Frankly, while Kumari's draft might be amusing (I haven't read it, and the excerpts quoted in the article didn't inspire me to do so), I don't have much sympathy for his complaint. Some people will cite I-Ds as authoritative. So what; people will cite all sorts of things. Those who understand the IETF know that I-Ds are not normative and neither are many RFCs, only some of which are even on the Standards Track.
The archive that the IETF maintains of I-Ds is nonetheless useful, because some I-Ds never make it further but nonetheless become de facto standards, or at least a guideline for implementation, where no other standard exists. draft-ietf-tn3270e-extensions-04.txt (which I don't think made it to an RFC) is one example.
There are others of historical or theoretical interest, such as draft-ietf-usefor-useage-00.txt.
Frankly, if you're serious about cryptography, you almost certainly shouldn't be devising new ciphers, except for your own amusement and practice. Anyone serious about cryptography should understand the state of the art, and that state is "we don't need new generic symmetric ciphers". Barring a historic event in cryptanalysis, no one who knows what they're doing is going to go through the huge cost of rolling out a new symmetric cipher that isn't PQ.[1]
And someone who's serious about (machine, production) cryptography ought to know that. That's a basic fact of the market. You don't even need to understand things like linear cryptanalysis and the Random Oracle Model to understand that replacing the AES infrastructure would be enormously expensive, and doing it with a cipher that hasn't received many years of scrutiny would be enormously risky.
[1] That is, resistant to algorithms in BQP.
We don't need new generic symmetric-encryption algorithms.
No new block cipher is going to have compelling advantages against AES unless a practical novel attack is found against AES; after decades of cryptanalysis by a wide range of experts, that seems very unlikely. A new algorithm, on the other hand, isn't going to have decades of cryptanalysis by a wide range of experts.
Meanwhile, we have widespread hardware acceleration of AES. No new cipher is going to have that advantage.
No new stream cipher is going to out-compete AES in a streaming mode for the same reason.
Simplicity isn't automatically a virtue. RC4 is extremely simple. It turns out to have high-order correlations which are not at all obvious and make it too dangerous to use in the modern world.
Development these days is focused on other areas. Post-quantum cryptography, for one (though it's too late to get into that game unless you have a major breakthrough). Homomorphic encryption for another. Partial-information-preserving encryption. Integrating encryption with differential privacy.
But new generic symmetric ciphers? They're a dime a dozen, frankly, and they're all risk with no return.
Known to have been compromised. And I would call that a "very small" consolation.
Considering that in the same sentence he managed to jam in the patent untruths that the attack was "unique" and "very novel", I think it's safe to dismiss the entire speech as utter bombast and bullshit.
Making excuses to avoid making amends.
They don't need to.
These systems are publicly-facing, so they're already "open" to state-sponsored actors and other professionals. "Opening" these systems in a case like this just means "we won't hassle you if you look for vulnerabilities".
Since publicly-facing systems are already under attack (all of them, constantly), there's nothing new here as far as the professionals are concerned. And, of course, by logging attacks and feeding those logs into SIEM / UEBA systems, you learn some information about your attackers.
I'd enjoy having a Sun-3 for the same reason. I think that was my first UNIX workstation. Used it at university for C, LISP, and Scheme coursework.
Or an IBM RT PC, which was the first workstation I used at work, and consequently wrote considerable non-trivial software for. Mine ran AOS (IBM's BSD port), not AIX. Unlike the SGI machines there was nothing sexy about the RT PC, but I have a perverse fondness for the ol' boat anchor.
I think you mistake the point of the exercise.
Pai already knew what he was going to do – he had his instructions from his bosses at Verizon. The whole public-comment process was just a show to make it appear some sort of deliberation had taken place. As such, it was useful to have a large volume of comments, but not at all important that they be genuine.
It's possible to put windows side-by-side, so you can change the focus by moving your mouse. Or to run msbuild from within vim.
But, yeah, there's really no good debugger for .NET / CLR programs on Windows. WinDbg with SOS (or whatever they're calling the managed-code debugging extensions these days) really isn't viable; I use WinDbg for native-code debugging on Windows but it's largely useless for managed code. I don't think mdb is even supported anymore and it was always only marginally usable at best.
When I have to debug, I use Venomous Studio, much as I loathe it. It's uniformly terrible, but it's the only thing I've found that works, at least for the sorts of things I have to debug.
Of course, a lot of the managed code I'm debugging is written in managed modern-syntax OO COBOL, which source-language-sensitive debuggers will have trouble figuring out. (Visual Studio can because of our extensions, obviously.)
There are a lot of people in China, and it's wildly improbable that none of them have access to a botnet. This attack could have originated in China without having been requested or sanctioned by the Chinese government.
It's foolish to simply declare "it was China" with no evidence, because as you say there's little incentive for this sort of thing as a matter of foreign policy. It's equally foolish to eliminate all of China – government and private citizens – from consideration.
The position the Reg took in the article is the sensible one. We don't know. And, really, it doesn't much matter.
You'd have to be brainless not to figure that a healthy, literate (and armed) population will not tolerate much abuse.
Or have a competent understanding of psychology or history.
Healthy, literate people not only tolerate abuse, they actively participate in it. Being healthy and literate is better than the alternative, but it is by no means a magical prescription for freedom – and the capability (which is dubious however many personal weapons might be spread among the populace) to subvert the government's monopoly on violence doesn't change that, because the participation in abuse is almost entirely an effect of ideology, not repression.
I have to admit it sounds interesting to me, in much the same way that SaGa Frontier's "Free Scenario System" was. (SaGa Frontier is actually in the same family as the Final Fantasy games – the "SaGa" brand was used for the latter in Japan.)
In SaGa Frontier, you have your choice of seven protagonists, and with each one you can eventually assemble a party containing the other six. Then when you finish a protagonist's story, you go back and pick another one. So the entire game consists of taking the same seven characters through seven interrelated stories in the same setting, from seven points of view.
Based on the article I understand Octopath's approach is different, but I still like the idea of assembling a narrative from pieces rather than having it just supplied by the game, as with most of the Final Fantasy titles. Not that I haven't enjoyed several of the latter. (I haven't played them all because I'm a very late adopter and I generally only play video games while running on my treadmill, so it takes me years to get through a typical RPG.)
Looks like a Poe factor of 0.8 on that comment.
Of course, meta-Poe says we can't tell whether you're trying for a high Poe factor (a deliberately ambiguous post intended to elicit a maximally-mixed reaction), or for a low one and you just aren't making your tone clear.
If it's the latter, name checks out.
The reason white collar crime is so prevalent is because it's mostly unpunished. Fix that and you fix white collar crime.
I find your abundance of faith disturbing.
Pretty much everything we know about human beings, particularly from psychology and behavioral economics, tells us that people are not rational economic agents. The credible threat of punishment may deter some crime; it does not, and never will, eliminate it.
I knew people who hung them in windows to warn birds away. (There was a popular notion this would discourage birds from flying into the glass; I have no idea if this has been tested in any methodologically-sound fashion.)
For a while it was popular in some circles[1] to hang one from the rear-view mirror of one's car, which would occasionally reflect the sun right into the driver's eyes.
And, of course, they were commonly used as coasters.
[1] Heh.
Apparently many people find the word "moist" cacophonous or have unpleasant associations for it. It shows up regularly in lists of most-disliked words. ("Panties" is another frequent flyer.) It doesn't bother me, personally, and alternatives like "slightly damp" are usually awkward.
Ah, some fine kookery from one of our resident kooks to liven up Monday.
"As soon as I find a HOLLOWED-OUT VOLCANO for lease in BRITISH COLUMBIA you will all be forced to RECOGNIZE MY GENIUS."
On the other hand, it's hard to pick between SSg7's 20 bazilliawatt laser and the coming flood of 3D-printed assault rifles being mass-manufactured by terr'ists and gangbangers for Fake Threat to Ignore o' the Day.
I'm not a fan of guns, any more than I'm a fan of chainsaws; they're both tools, and dangerous ones,[1] and it would be good to keep them away from idiots and assholes but that's largely infeasible. But 3D printing does not seem likely to greatly aggravate the gun problem in the US, and forbidding it will almost certainly not help anything in any significant way. Regulations controlling the sale of such guns might help somewhat, at least in making them even less economically attractive than they already are.
[1] JFTR, at this time I own one chainsaw and zero guns. That could change; there are critters about the Mountain Fastness, including some rabies and plague vectors, among other possible reasons for wanting a firearm.