* Posts by Michael Wojcik

12268 publicly visible posts • joined 21 Dec 2007

We imagine this maths professor's lecture was fascinating – sadly he was muted for two hours

Michael Wojcik Silver badge

Re: Using the kitty filter

Surely a quick Google search would have told him what he needed. Even pouncing on the I'm feline lucky button would probably work. It's a sad tail but there's not a whisker of doubt that the solution is purrfectly straightforward.

Michael Wojcik Silver badge

Re: Pray elaborate?

The whole point of the filter is that you don't get a kitten in your mug.

Michael Wojcik Silver badge

Re: Hold up a sign.

Otherwise "Your Mic Is Off" could appear as "Scoff I Rim You" or "Comfy If I Sour" or "Icy If Forum So"...

Well, in this case, the forum was so icy, so that one would be OK.

Faced with the sack, Nominet CEO half-apologizes for taking the 'wrong tone,' asks angry members to hear him out

Michael Wojcik Silver badge

Re: Witchfinder general, assemble the following

Better? Nutter's were nice and accurate.

Michael Wojcik Silver badge

Re: Too little, too late

He took the wrong tone. He was aiming for "arrogantly dismissive", but slipped into "spoiled taunting". It's an easy mistake to make.

Mike Lynch extradition: Uncle Sam offered Autonomy founder $10m bail if he stood trial in the US

Michael Wojcik Silver badge

I have to agree. I think extradition is used far too often, and I can't see any justification for it in this case.

There's no Huawei on Earth we're a national security threat, Chinese giant tells US appeals court

Michael Wojcik Silver badge

Bigger fish to fry

My guess is that Huawei is so far down Rosenworcel's list of priorities that she won't get around to reconsidering the ban anytime soon. She's much more interested in net neutrality; privacy; improving Internet access, particularly for people in lower income brackets; and clamping down on exploitative behavior by the big ISPs. Based on what I've read of her public statements, this just doesn't seem like a policy issue she's particularly invested in, so I don't expect her to spend a lot of political capital on it one way or another. If Congress or the State Department makes a big push either to continue the ban or (less likely) to overturn it, Rosenworcel's FCC probably won't put up much of a fuss.

I could be completely wrong about that, of course; it's just the sense I get.

Google OS, phone home: Leaked Android 12 screenshots suggest new design, privacy features

Michael Wojcik Silver badge

Android, now with 20% more horrible!

elevate people and conversations in the system surfaces of the phone

Well that sounds just dreadful. I already have to disable all sorts of obnoxious notifications and other crap every time I get an update.

on-device intelligence determines the conversations that the user is most likely to be interested in

Here's an idea: how about letting the intelligence holding the phone make that decision?

The number one thing I want from my user experience is a minimum of surprise.

Michael Wojcik Silver badge

Glendower: I can call Support from the vasty deep.

Hotspur: Why, so can I, or so can any man; But will they come when you do call for them?

Don't scrape the faces of our citizens for recognition, Canada tells Clearview AI – delete those images

Michael Wojcik Silver badge

Not infallible, just cheap.

Reviewing machine decisions is expensive. Ignoring user complaints is cheap; it appears to have a statistically negligible effect on site popularity and profit. So why wouldn't the social-media companies use mechanical content moderation with no effective appeals policy? There's no profit motive to do anything else.

Michael Wojcik Silver badge

I'm afraid the phrase "huge and relevant current issue" has been blocked by our obscenity filter. Please rephrase your post.

Foundation thrillogy: Rust programming language gets new home and million-dollar spending account

Michael Wojcik Silver badge

Re: Abandoned???

It's also worth noting that Derek Jones has studied the real-world use of programming languages at considerable length, as anyone who's read his The New C Standard knows. I'm not persuaded by this particular blog post, nor by his prediction for Rust (which I like) and Go (which I don't). But I wouldn't dismiss his opinion out of hand, either.

Once programming languages reach a certain saturation point, they stick around - apparently quite durably. We continue to sell a PL/I development and execution environment because there are still plenty of PL/I applications in production, and our COBOL sales are much larger yet. Jones mentions C#; that's still going strong. Languages become unpopular, but once they get into production it's hard for them to go extinct.

I wouldn't recommend someone become a "Rust developer", but then I wouldn't recommend someone become a "chisel carpenter" either. Identify with the techniques, not with the tools.

Michael Wojcik Silver badge

Re: You are so out-of-date!

Ooh, a handwaving reference to anecdote. What a stunning riposte. Are you done, or are you planning to work your way through the entire collection of fallacies?

Google’s Pixel phones to measure heart rate and breathing, other ‘droids coming soon

Michael Wojcik Silver badge

Re: AI is wonderful

This is Google, so they'll only add that calendar entry three months before the date when you'll be "discontinued". People currently using your services will be urged to find a replacement.

Linus Torvalds labels Super Bowl 'violent version of egg-and-spoon race'

Michael Wojcik Silver badge

Re: It's all homoerotic crap.

I read this story and realized I'd missed the Super Bowl! Got caught up in the bathroom remodel and completely forgot about it.

That makes more than 50 of the things I've missed in a row. My superfan status is in jeopardy.

How do you fix a problem like open-source security? Google has an idea, though constraints may not go down well

Michael Wojcik Silver badge

Re: factors like verified identity, code review, and trusted builds

Right, which is why Seggelmann's mistake in his implementation of DTLS Heartbeat in OpenSSL was caught immediately.

Oh, wait.

Many eyes is a fine idea. In practice it hasn't done a damn thing for software security.

But maybe if we all just believe harder....

Michael Wojcik Silver badge

Of course, if you do go proprietary on Linux, then you have to go all the way and build your own library stack, because woes to the guy who uses open libraries to make his proprietary software.

No, you don't, as evidenced by the success of proprietary software that runs on Linux.

There's the LGPL. More importantly, there is a lot of proprietary, closed-source software running on Linux. You might claim that some or all of it is in violation of some license; but until that's established in a court, that's irrelevant. For it to be established in court, someone with standing has to sue, and it doesn't appear that anyone's inclined to do that.

Michael Wojcik Silver badge

Re: Inevitably ...

What a bunch of ad hominem bullshit. Try making a real argument.

Michael Wojcik Silver badge

Re: Lots of questions

* What is a "vulnerability database" and why do we need multiple ones? What's the difference between this and the list of vulnerabilities that CERT maintains?

CERT/CC maintains the CVE registry and database, and CVEs themselves are generally pretty short on technical information. The actual vulnerability database, in the US, is the NVD, maintained by NIST. Other organizations maintain their own mirrors, often with additional information.

I think most IT security professionals would agree that the CERT/CC CVE registry is not sufficient as a vulnerability database. It's useful, but it's far from the only one that I use, and the same is true of all the other IT security people I know.

* "A notification system for the actual discovery of vulnerabilities." - WTF? Isn't that CERT?

Vulnerabilities are often published well before they have a CVE assigned, or at least before it's updated with details. Many of the vulnerabilities in the NVD go for months or years without actionable information.

And because of the requirements of the CVE program (e.g. needing a CNA), some open-source projects don't use CVEs.

* "That no changes are made to critical open-source software" - who determines "critical software"?

Yeah, I don't see how this one is going to fly, for a number of reasons. Also, while I don't want to subscribe to tu quoque, the Google pot is talking some smack about the open-source kettle here.

* "an attested build system" means "a Google build system" right?

I haven't read the blog post, but no, not necessarily. There are some pretty clever proposals out there for attested build systems, such as CHAINIAC.

CHAINIAC isn't something a project could just drop into its existing build process; it's complicated even in theory (though if you're comfortable with things like general Nagle DAGs, not particularly complicated) and there are scalability problems, particularly around the code reviews (though I think that's solvable). And, of course, it's not perfect; there's no such thing as perfect security. But it's an example of how attested builds could be done, and how they'd prune a lot of the software-supply-chain attack tree.

Should this be at the top of the priority list for software-security issues we need to address? That's a separate question. Supply chain security is a big problem, but there are a lot of big problems in software security. Hell, if we could just get more of the prominent open-source projects to regularly run static and dynamic analysis I'd be a lot happier.

Chromium cleans up its act – and daily DNS root server queries drop by 60 billion

Michael Wojcik Silver badge

Re: hang on

I have this sudden urge to hack bash so that if you enter a URL it starts a browser instance with it, and for any failed path search it starts a browser instance with the command line as the search query.

Address bar + search box + bash.

I mean, I wouldn't use it. But I'd enjoy inflicting it on my enemies.

Of course it's entirely likely someone has already done this. (I mean, people create readline plugins for filename completion that do network searches, so you know there's someone to add any daft thing to command-line processing.) I'd look but it would just depress me.

Ever wanted to own a piece of the internet? Now you can: $1 for a whole gTLD... or $2.8m if you want a decent one

Michael Wojcik Silver badge

Re: I want

Sir,

I am a tech venture capitalist, and I would like to give you a great deal of my someone else's money.

Michael Wojcik Silver badge

Re: Bottom feeders

Exactly. Punters do not care about TLDs. Not a whit. Not the original gTLDs, not the new gTLDs, and for the most part, not the ccTLDs.

From the article:

It’s not hard to imagine how, in the era podcasts and streaming music, that the .audio internet registry could not be turn into a hugely profitable business given the right focus, effort and marketing.

I think it's quite hard to imagine anyone bothering to maintain a .audio domain name for long, and not sorely regretting purchasing one in the first place. How many potential audience members does anyone really think would say "oh, this URL ends in .audio, so it's definitely worth my time"? Or "I wish I could find that podcast¹! If only it had a name that ended in .audio, because that would definitely make it easier to locate!".

There is no real use case here to sustain the novelty-gTLD business. It was always a scam and nothing more. ICANN sold a product with no real use-value to a bunch of speculators, who in turn tried to sell it on to smaller speculators and fools.

¹ Ugh. Such a stupid portmanteau.

Michael Wojcik Silver badge

Re: Greed

Why was it interesting? What possible value do gTLDs have?

Users don't care. Most of them know little or nothing about the domain-registry system, and most find things by typing keywords into browser search bars. Few people pay attention to the TLD in a link's anchor URL or in an email address.

The new gTLDs never had any useful purpose, other than making ICANN money. They're like putting logos on the parts inside household appliances: advertising in a space most people never look at, and most of the ones who do will not be impressed.

Smells like Teams spirit: New platform Viva builds in all the tools Microsoft thinks staff need to succeed

Michael Wojcik Silver badge

Everything, eh?

"Viva brings together everything an employee needs to be successful ..."

Wow. It includes technical knowledge and practical experience? It provides well-defined requirements for every task and appropriate, properly-functioning tools? It removes bureaucratic obstacles? It addresses issues of worker capacity? Of physical and mental health? That is impressive.

Good to see the Microsoft marketing team isn't running low on their supply of absurd puffery.

Michael Wojcik Silver badge

Re: What!?

Can anyone explain to me, in English, what this is

Viva Connections: Some kind of portal thing to direct you to corporate resources.

Viva Insights: Spies on how you spend your time, and what you say about your job.

Viva Learning: Some kind of portal thing to direct you to educational resources.

Viva Topics: Spies on what you write, and retrieves stuff from the corporate network that it thinks might be related.

and if I might find it useful?

Well, you do you. I wouldn't find it useful. (And it's not like all of this hasn't already been available in many other forms for decades.)

Michael Wojcik Silver badge

Yes, I've yet to see an internal company portal which isn't irritating and rarely useful. Running a stock open-source web-crawling search engine against the internal network, and sitting a stock MediaWiki installation next to it, would provide a much better return on investment.

Also, anything built on Sharepoint is automatically terrible. There have probably been worse technologies for organizing, storing, and retrieving information, but none come to mind. And I have a degree in that area.

Nearly 70 years after America made einsteinium in its first full-scale thermo-nuke experiment, mystery element yields secrets of its chemistry

Michael Wojcik Silver badge

'It's dead, Jim': Torvalds marks Intel Itanium processors as orphaned in Linux kernel

Michael Wojcik Silver badge

Re: Gone but not forgotten

HP-UX on Itanium is still one of our supported platforms. It would be nice to drop it for new releases, since its C++ implementation is woefully out of date.

Itanium has some other traps for the unwary. Its registers have a not-a-value state which can trip up poor code. One I spent some time investigating was an intermittent SIGILL (Illegal Instruction) which eventually turned out to be due to compiling some very old C code without the correct feature macro. That macro enabled ISO C function declarations, so the prototypes weren't being included, which meant that external functions were implicitly given "int" return type.

Some of those functions were actually defined as having "void" return type.

On Itanium, a void function does not move a value to the register used for the return value, since it doesn't return anything. So whatever's in that register stays.

Meanwhile, the K&R caller doesn't know anything about "void", so it tries to move the value out of the return-value register when the call returns.

If previous operations have left that register in the not-a-value state, then you'll get a CPU trap, which HP-UX translates to SIGILL (for lack of a more-appropriate signal).

This one baffled the folks on comp.unix.hp-ux. I didn't figure it out until someone with Itanium knowledge here mentioned this little quirk of the architecture, and it occurred to me to check whether the code in question was being built with C90 features enabled.

Having a trap state for a register isn't necessarily a bad idea, but the cause was really not obvious (particularly since triggering it was dependent on environmental factors).

US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack

Michael Wojcik Silver badge

Re: In the Know

Do "[a]ttorneys love it"? This is not at all representative, but I think every time I've seen a lawyer offer an opinion about PACER, it's been negative. Like, say, this one.

But maybe most are pretty much happy with it. And electronic filing has to be really bad to not be at least a little better than paper filing.

(Incidentally, if anyone wants a history of the rise of filing technology in general in the modern era, I can recommend Yates, Control through Communication. Seriously, it's pretty interesting stuff. Chapbooks to pigeonholes to flat filing to vertical filing, the introduction of the typewriter, and so on. Then of course Hollerith comes along with an idea for Jacquard's punched cards...)

Michael Wojcik Silver badge

Re: Trouble is

I cannot understand why you can be anonymous to connect.

Because a regime without anonymity is authoritarian and oppressive, and further concentrates power in the hands of the powerful?

I would have thought that would be obvious to anyone with a reasonable knowledge of history and human behavior.

Honestly, the number of people who comment on these stories by expressing their desire for a parental state imposing penalties to save everyone from painful speech is really worrisome. Help us to submit and obey, O glorious leaders!

How embarrassing: Xiaomi and Motorola show up to high school prom both wearing remote-charging tech

Michael Wojcik Silver badge

Re: Perfect

I would've thought "Juicero" would have been a sufficient hint, but apparently you extracted a lot of whoosh there.

Personally, I'm looking forward to using this technology to recharge my AR glasses and electric car.

Michael Wojcik Silver badge

Re: A cradle with two contacts

Next you'll be suggesting that phones should come with swappable batteries you can charge separately from the device itself, you madman.

Michael Wojcik Silver badge

I agree in general, though I'll note that I just had to replace a phone because the tongue snapped off in the micro-USB charging port on the old one, so when I inserted the cable (not having thought to peer into the port first) the pins bent. That's a hard one to repair without a bunch of tools I don't have readily to hand. I've soldered components onto PC boards by hand now and then, but phones are awfully small and my eyes are older.

That still didn't persuade me to get a new phone with wireless charging, though. I can't stomach the inefficiencies, and as you say extra complexity is asking for extra trouble. The new phone has USB-C, which looks like it might be a bit more mechanically durable. And it's a Moto G8 Power, with a great honking 5Wh battery, so I only have to charge it every few days anyway.

Still, I miss barrel connectors. I have a ten-year-old laptop with a barrel-connector charging plug that has never given me any trouble.

Google, Apple sued for failing to give Telegram chat app the Parler put-down treatment

Michael Wojcik Silver badge

Re: "subversive glamour"

There was a time when the abolition of slavery in the US South was an "extremist" viewpoint. When extending the franchise to women was "extremist". When legal personhood for Native Americans was "extremist". When criticism of compulsory military service was "extremist".

Promoting those "extremist" views was often punished harshly. Not so long ago, in fact, for some of those things.

I can't think of anyone I'd trust to decide which speech can be suppressed. I know whom I don't want making those decisions: anyone who doesn't believe that all political speech, no matter how deplorable, should be protected. And that means protection as enumerated by the First Amendment, under the current interpretation by SCOTUS, or (better) a more generous one.

(And before anyone trots out that Holmes "fire in a crowded theater" cliche, or claims that the 1st doesn't apply to the States or to private civil actions, I would strongly recommend reading Ken White's posts on those topics on popehat.com. It's sad how many people get this subject so very wrong.)

Decade-old bug in Linux world's sudo can be abused by any logged-in user to gain root privileges

Michael Wojcik Silver badge

Re: "if you think that closed source code is going to be better"

Nothing to do with an unchecked size. It's an overrun due to a missing sentinel check in a special case in string traversal. See my other post above.

This sort of bug happens very frequently in C, because humans are bad at constant vigilance.

I was targeted by North Korean 0-day hackers using a Visual Studio project, vuln hunter tells El Reg

Michael Wojcik Silver badge

Re: Fixing your headline:

I admit I sneered about using Venomous Studio too. But if I'm honest, many people would look askance at my choice of tools.

That said, I anecdotally see more bad behavior by developers who use fancy IDEs like VS - such as running them with elevated privileges - than I do with folks who prefer the good ol' command line.

But then that said, anything that comes from someone I don't know personally gets a close look before I do anything with it. And if "security researcher" were my day job, I'd be doing everything in VM sandboxes. Even security issues aside, it would be a lot more convenient.

A new take on programming trends: You know what's not a bunch of JS? Devs learning Python and Java ahead of JavaScript

Michael Wojcik Silver badge

Re: 25 years ago

25 years ago you couldn’t write a document in a browser, have it auto save without human interaction, and have multiple collaborators.

Well, you could have, actually. HotJava was released 25 years ago, and it would have been entirely possible to implement this set of features in an applet.

For that matter, LiveScript was released 26 years ago, and while there was no XHR or WebSockets for background interaction with the server, it would have been possible to, for example, count keystrokes and do a foreground POST when a threshold was reached. The UX might have been a bit clunky - but then that's still true for most of the (horrible) web SPAs I deal with.

Of course, a better question is whether turning browsers into the dumb terminals of the 21st century is a good thing.

Michael Wojcik Silver badge

Re: I'm confused

Loukides did not specify HTML in his "view source" comment, and I don't see any reason to interpret it that way. Back In The Day, it was quite common for people - professional developers and hobbyists alike - to copy snippets of Javascript and CSS, as well as of HTML, from pages they found.

I personally know a handful of people with no programming background who did that in the late 1990s and early 2000s.

It's a classic hackish approach to experimenting with and learning about the system. I found Loukides's comment completely appropriate.

So what can we expect from a Joe Biden White House when it comes to tech? We'll try to answer that right now

Michael Wojcik Silver badge

Both of my houses are well below the 50th parallel, and neither has, nor needs, air conditioning.

In any case, none of our standby devices dissipate noticeable heat, so none of them are wasting noticeable amounts of energy. The amount they use is orders of magnitude less than even one of our "high-efficiency" appliances. There are many more-sensible targets.

Top engineer who stole trade secrets from Google's self-driving division pardoned on Trump's last day as president

Michael Wojcik Silver badge

I think "used as intended" is misconstruing the intentions of the Founders. Their explanation of the pardon power is pretty clear, and does not appear to anticipate mass pardons.

Personally, I think intentionality is a terrible basis for interpreting the Constitution, though, so I don't care. And I also agree with the pardons you mention, as well as Washington's pardon of the leaders of the Whiskey Rebellion and Johnson's of Confederates.

And while there are pardons I'm not so happy about, including Clinton's 140 last-day pardons, many of which were undeserving, or Trump's various pardons of deplorables, I agree with Hamilton's defense of the pardon power. I view it as akin to Blackstone's Ratio and other calls for mercy and restraint in the exercise of judicial punishment. As usual, cries to tamper with Constitutional law rarely display well-considered arguments.

Brave bets on the decentralized web with IPFS browser support for a more peer-to-peer approach

Michael Wojcik Silver badge

Re: Parler v2.0

Scaremongering v2.0

Coming to a comments section near you soon.

Back to the office with you: 'Perhaps 5 days is too much family time' – Workday CEO

Michael Wojcik Silver badge

teleconferences are simply not good enough

Not everyone is you.

I've worked remotely for more than two decades. There are many remote employees in my organization. I've worked on multiple projects, with multiple teams and changes in membership. One of those teams, and some of its members, have been around the whole time; others have come and gone. Just as with working in person.

We have daily scheduled meetings, other regular meetings, and ad hoc meetings - just as with working in person. We've used a variety of technologies for those, going back to POTS. Some have been better than others, but they all worked.

We have phone calls and chats. Those work too.

Not everyone is us, either, of course. There was a piece in the November 2020 CACM by someone from SourceForge who's worked remotely for a long time (I don't recall the author at the moment, and I'm too lazy to look it up). He offered six tips (the article says five but there's a coda) for remote working. Most of them I don't agree with; they don't fit my preferences and work habits. But they work for him and his team.

Certainly other people don't work so well remotely. That's because people are different. Sweeping claims about remote work will pretty much always be rubbish.

Watchdog urges Tesla to recall 158,000 Model S, X cars to fix knackered NAND flash that borks safety features

Michael Wojcik Silver badge

To be fair, "do stuff on the cheap" was the mantra of all US automobile manufacturers for a long time. Tesla didn't innovate in that respect.

Michael Wojcik Silver badge

Re: Great

Yup. That's why my current Volvo will be my last (new) one. They got rid of separate physical controls for the stupid touchscreen.

I hate touchscreens. Having one on my phone is bad enough - and I put up with that simply because it's nearly impossible to get a phone with a physical keyboard at a price I'm willing to pay. I'm certainly not going to put out car money for one.

Michael Wojcik Silver badge

Re: plugs Great

I've never had a problem with the SD Card connection in any of my phones or cameras, and those see more vibration than an SD Card socket in my car's irritainment system would. (Trivial proof: I almost always have the phone with me in the car, and it also gets kicked around while the car isn't being used.)

Quixotic Californian crusade to officially recognize the hellabyte and hellagram is going hella nowhere

Michael Wojcik Silver badge

Re: In other news ...

I use Wolfram Mathworld a few times a year when I encounter some mathematical term I don't recognize or fear I may be misremembering. I think that Mathworld is hosted under Alpha. Been a while since I used Alpha for anything else, though.

It's been a day or so and nope, we still can't wrap our head around why GitHub would fire someone for saying Nazis were storming the US Capitol

Michael Wojcik Silver badge

Re: Communist = Nazist

Agreed. I don't know why so many people here think that you have to accept an idiotic error in simple logic to show you disapprove of the (notionally¹) Communist regimes.

On the other hand, A Day in the Life of Ivan Denisovitch is an excellent novel.

¹ Which is not to suggest that I think an actual Communist regime, of whatever flavor, that actually operated along the principles articulated by Marx or Mao or any of the other promulgators of Communist political philosophy, would be a good idea. I am dubious of the prospects of any planned economy, even if it were wrapped in a coating of beneficent goodwill toward all with rainbow sprinkles. I'm just acknowledging that the self-ascribed Communist governments haven't made much progress at implementing most core Communist tenets.

Michael Wojcik Silver badge

Re: Communist = Nazist

Irrelevant. "They're both bad" is not equivalent to "they're the same".

Cancer and heart disease both kill a lot of people, too. That doesn't make cancer equivalent to heart disease, or either equivalent to Nazism.

Michael Wojcik Silver badge

Re: Communist = Nazist

It's not a false equivalence to equate two movements that established totalitarian dictatorships with cruel slave labor camps.

Of course it is. It's a naive, childish generalization that is almost entirely vacant of any useful insight.

It's like claiming the Hundred Years' War and World War II are equivalent, because they were both wars. Or jellyfish and gorillas are equivalent - hey, they're both animals.

Things can share attributes without being equivalent. That's why we say "attributes", plural.

Of course here in the Reg forums, as elsewhere on the Internet, many people feel the need to posture by tossing out strongly-worded sophomoric opinions as evidence of their trenchant reduction of complex phenomena to a soundbite. Well, congratulations; you and LDS can do it too. That only shows that you're not inclined to do any real thinking about the subject.

Nazism is a specific political movement, represented by a political party, its brief (if horrific and violent) time in power, and its remaining followers. Communism is a much broader term, covering a series of economic and political philosophies, an international political movement (or arguably multiple movements), and a series of national governments (which more or less failed to actually implement most of the tenets of their proclaimed ideologies).

Even in a most superficial comparison the equation LDS made is a category error, since Nazism is a species of Fascism, which would be the more appropriate point of comparison.

Michael Wojcik Silver badge

Re: The problem

The employee's post did not claim that all of the members of the DC mob were Nazis. It simply stated that there were Nazis present. I don't think your objection applies in this case.