* Posts by Michael Wojcik

12299 publicly visible posts • joined 21 Dec 2007

Compsci guru wants 'right to be forgotten' for old email, urges Google and friends to expire, reveal crypto-keys

Michael Wojcik Silver badge

Re: Don't think Compsci Guru fits here...

Well, it certainly doesn't fit for you.

Here's a pro tip: If you have an opinion about machine cryptography, and you don't know who Matt Green is, your opinion is almost certainly of very little value. That's like not knowing who, say, Whitfield Diffie or Joan Daemen or David Wheeler is; it shows a basic ignorance of the field.

Michael Wojcik Silver badge

I'm not sure why we would want a system by which people could deny they had written a particular email.

Did you read Green's original piece? It is really not difficult to understand.

Michael Wojcik Silver badge

Try reading Green's piece. He gives multiple examples, as well as a detailed explanation of the threat model and its applicability.

My, but the commentariat is parading its intellectual sloth today.

Michael Wojcik Silver badge

Re: One wonders ...

Perhaps you should try reading Green's post, jake, and understanding his actual point, before posting such an astonishingly foolish response.

Billionaire's Pagani Pa-gone-i after teen son takes hypercar out for a drive, trashes it

Michael Wojcik Silver badge

Re: Ask any actuary

Yeah. I have a 2015 XC70 T6, for Reasons, and its engine is rated at 300 bhp (a bit under 225 kW, according to units), which is frankly kind of ridiculous. I've overtaken people while pulling a trailer full of tools and furniture up the La Veta Pass, and the engine wasn't anywhere close to straining.

I really got the T6 -- the turbocharged inline-6 -- because charging makes a perceptible difference over naturally-aspirated at the altitude of the Mountain Fastness and vicinity (the MF is at 7600 ft / 2300 m above sea level); and an inline-6 is basically the smoothest cylinder configuration for a four-stroke engine (because many of the harmonics cancel out), making it pleasant for long drives. It's not a Rolls, but at the price point it's a very nice touring car.

I never really make use of that 300 horsepower. I guess it'd be handy for towing something larger; the car's rated to tow 3600 pounds, I think.

Trump fires cybersecurity boss Chris Krebs for doing his job: Securing the election and telling the truth about it

Michael Wojcik Silver badge

Re: Projection

Right. It's a portmanteau of Elbridge Gerry's[1] last name and "salamander" for the convoluted shape of the district created in Boston by the bill that Gerry signed.

In the US, anti-gerrymandering measures are controversial (because they threaten entrenched interests), but Iowa, at least, was able to institute some.

[1] Gerry, of Marblehead, Massachusetts,[2] was one of the signers of the Declaration of Independence, and subsequently Governor of Massachusetts, where he reluctantly[3] allowed the practice which now bears his name. (Gerry was also Vice President under Madison.)

[2] AKA "the yachting capital of the world", "the home of the Spirit of '76", "birthplace of the American Navy", etc. Marblehead has never been shy about self-promotion.

[3] According to Wikipedia. I don't recall anything about his feelings on the matter coming up when we studied Gerry or gerrymandering in school, and I'm not going to dig out primary sources at the moment.

Alleged Ponzi mastermind on the run from FBI hid in lake with sea-scooter, collared after he surfaced half-hour later

Michael Wojcik Silver badge

For more entertaining details...

see Kevin Underhill's piece on Piercey. Underhill has covered a number of unsuccessful (and one successful!) waterborne getaway attempts, and a number of failed Ponzi schemes, so his post is replete with links to other amusing tales of a similar sort.

Worn-out NAND flash blamed for Tesla vehicle gremlins, such as rearview cam failures and silenced audio alerts

Michael Wojcik Silver badge

Re: "vehicles built between 2012 and 2018 are at risk"

An early 1990s car typically had a mechanical distributor/spark gap ignition system and a carburettor

Citation, please. AFAIR, by the early 1990s most passenger cars used fuel injection. Wikipedia agrees, for what that's worth.

I checked a couple of easily-accessible possible authoritative sources (such as the annual US EPA Fuel Mileage guides), but they didn't include carburetor-versus-injection information.

Michael Wojcik Silver badge

Re: Tesla has always operated in a reality distortion field

When Tesla make one without a fucking touchscreen, maybe I will.

Google Nest server outage leaves US, European smart homes acting dumb

Michael Wojcik Silver badge

On the bright side...

IoT has revealed vast, hitherto untapped reserves of schadenfreude.

Michael Wojcik Silver badge

Re: There are Some Use Cases

You've spent out on a decent multi-point door (expensive, not impenetrable, but certainly a challenge), along with semi-decent windows, but then put the key in a lockbox that someone with a hammer and a screwdriver can open?

I'm dubious. How many households actually fit these criteria? (And what constitutes a "semi-decent window" in this attack scenario?)

And what's the intersection between people capable of, interested in, and willing to defeat a lockbox, but not otherwise able to gain access to the house?

This whole anti-lockbox argument strikes me as defending against a very thin branch of the attack tree, under any plausible threat model.

OPPO showcases 'rollable' concept phone that turns into a tablet – no bending needed

Michael Wojcik Silver badge

Re: Still a solution in search of a problem

I agree that I have no use for this. But I have to admit that while I found folding-screen phones stupid and completely uninteresting, for some reason this one strikes me as useless but curiously appealing anyway. If someone gave me one free I'd keep it.

I would prefer that it had a flip cover for the screen in the retracted position, though, since it can't take a screen protector. I've never broken the screen of a phone, but I have cracked an add-on screen protector once or twice.

Legendary hacker and L0pht member Peiter Zatko joins Twitter as security chief

Michael Wojcik Silver badge

Re: Experienced hacker employed by media site ---mmmhhh

Unless I'm forgetting someone, the only US President with a background in film acting was Reagan. I didn't (and don't) care for Reagan's policies, but he had a long and varied career in politics and there's overwhelming evidence showing he was a well-informed policy wonk, at least until cognitive decline took its toll.

Based on the only example we have, there's nothing inherently wrong with having a former film star as president. Of course, drawing that conclusion, or any conclusion on the topic, from a sample size of one would be stupid.

Similarly, it would be foolish to conclude that all former television stars are unsuitable for the job based on a sample size of one.

Michael Wojcik Silver badge

Re: Experienced hacker employed by media site ---mmmhhh

No one necessarily makes a good security consultant. That's why we look at a person's CV and other qualifications and attributes, and not just a single label.

But having done security research, particularly vulnerability identification and exploit development, shows a capacity for sustained "security thinking", which is definitely a requirement for security chief.

Zatko is as qualified for this position as anyone else I can think of offhand.

Michael Wojcik Silver badge

Re: Sure of that, AC?

I have to disagree. He has legitimate hacking credibility. Besides the early buffer-overflow research, there's his contribution to the MSCHAPv2 cryptanalysis, his security analysis of PalmOS, and so on. And l0phtcrack obviously demonstrates breadth beyond BOFs and social engineering, and it wasn't just a trivial brute-force or dictionary cracker - even early versions made use of the cryptanalysis of the LANMan hash (which, granted, is pretty obviously broken) by Mudge and Weld Pond, and had sniffing capability.

Not on your Zoom, not on Teams, not Google Meet, not BlueJeans. WebEx, Skype and Houseparty make us itch. No, not FaceTime, not even Twitch

Michael Wojcik Silver badge

Re: What does videoconferencing provide

Email? Luxury!

Our conferences were conducted by carving pictographs into rock formations that each participant would eventually wander by in the course of our seasonal migrations.

Latency was high but the archiving feature worked well.

Michael Wojcik Silver badge

Re: What does videoconferencing provide

Apparently this will come as a surprise, but not everyone is you.

Michael Wojcik Silver badge

I've been working remotely since the late 1990s, and videoconferencing more or less daily since late 2008, according to my records. (I've used Polycom PVX, Bridgit, Skype, Lync, Teams, GoToMeeting / GoToWebinar, WebEx, and no doubt others I'm forgetting. Thus far I've avoided Zoom and Google Whatever, and I won't be using FaceTime since I avoid Apple devices.)

Personally, I've never found the video aspect very useful. But that's me; I'm not particularly good at reading facial expressions, and I'm not very fond of synchronous media anyway. I'm very much verbally-oriented.

But I have colleagues who find the video aspect quite helpful. And even though I'm quite introverted by nature, I find that I do appreciate seeing my colleagues' faces once in a while. My last face-to-face meeting with them was over four years ago, and the occasional visual reminder helps me maintain the sense of social connection.

That's not as compelling as lip-reading or sign language, which are certainly strong arguments for video. But I would regret going back to the days of exclusively audio-only meetings.

HP: That print-free-for-life deal we promised you? Well, now it's pay-per-month to continue using your printer ink

Michael Wojcik Silver badge

Re: print-free-for-life plan was "an introductory offer,"

Agreed. I don't know how many of their crap printers my wife has gone through.

Meanwhile, my 1992 HP LaserJet 4MP continues to work just fine. Well, sometimes the power switch jams on - that's something mechanical in it that I haven't bothered to fix, since wiggling it a few times frees it up.

The HP of today and the HP of the '80s and early '90s share a name, and little else. The current firm is reprehensible.

Someone's not Biden their time... Trump administration bars US investment in top Chinese tech giants

Michael Wojcik Silver badge

Re: President De-Elect.

Doesn't exactly roll off the tongue, though. How about President-Reject?

Ericsson warns investors: This Biden fellow coming into the White House may look to resolve China trade dispute...

Michael Wojcik Silver badge

Re: Probably, but jumping the gun

Oh, it's pedantry you want, eh?

The President-Elect is not determined when "the states certify the results". It happens when:

- The Electoral College returns a vote where one slate of candidates (one each for President and Vice President) gets an absolute majority, and the votes are counted by Congress in a special session, and one or the other chambers of Congress fails to challenge the votes received from any of the individual States; or

- The EC fails to return a vote where one slate gets an absolute majority, contingent elections are held in Congress, with the House of Representatives choosing the President and the Senate choosing the Vice President (this has happened three times in US history); or

- The EC returns a suitable vote, but the votes from one or more of the States are challenged by at least one member of each house of Congress. This temporarily interrupts the vote-counting session for deliberations. Congress can reject the votes from any of the States, in whole or in part. (This hasn't happened since 1872, though there were objections raised in 2001, and in 2004 the session was actually suspended briefly for a joint objection.) Once all objections have been dealt with, the vote counting is completed by Congress.

In the first or third case, the President-Elect is formally decided when the presiding officer (usually the current Vice President, sometimes the President pro tem of the Senate) announces the official tally. In the second case, I believe it's when the votes of the two chambers are recorded.

In some, but not all, of the states, state law requires electors to vote as they have pledged, or according to the state's apportionment of electors (which amounts to the same thing). But not in all of them, and even in the states which make such laws it's not entirely clear what would happen if an elector is faithless (i.e. votes otherwise). So certification by the states does not determine the President-Elect.

All that said, most sensible people have decided that Biden is the presumptive President-Elect. Complaining that an article about potential commercial consequences for a foreign firm doesn't spell out these niceties seems rather unnecessary, if not childish.

Michael Wojcik Silver badge

Re: @alain williams - It is more than a trade war

Prison-industrial complex. Angela Davis pointed that out 46 years ago. The US has a high incarceration rate primarily because state-sponsored slavery turns out to be more profitable than the pure-private-sector sort.

This is the exception to Eric Williams' thesis that plantation slavery was displaced because capitalism is more economically efficient. Williams was correct in general, but incarcerated labor turns out to be an effective way both to get cheap labor and to transfer money from the government to private industry. So industry applies political pressure to drive up the incarceration rate. The ideological justifications - "tough on crime", "super-predators", War on Drugs - are just there as rhetorical devices.

Michael Wojcik Silver badge

Re: It is more than a trade war

That's an impressive failure to understand language, logic, and rhetoric in just a handful of sentences, friend. You're wasting your time here; with that kind of intellectual deficiency, you should be in politics.

Michael Wojcik Silver badge

Re: Hint:

And that's when he's not just being a puppet for one of the plutocratic interests with influence over him.

The evolution of C#: Lead designer describes modernization journey, breaks it down about getting func-y

Michael Wojcik Silver badge

Re: Horses for Courses

.NET Core is not C#. The article is about the latter, and that's what Torgersen is the lead designer for. .NET Core was not an opportunity to replace C# with something else.

Michael Wojcik Silver badge

Re: A mess

I like Rust, but it most certainly did not invent pattern matching, which goes back at least as far as ML. F# had pattern matching five years before Rust was first released. It's nonsensical to claim that C# got pattern matching "from Rust".

European Commission to take a closer look at how Amazon uses business data of third-party sellers using its platform

Michael Wojcik Silver badge

Re: About time too

they need to look at how hard it is to buy anything without signing up for Prime. Possible but not easy.

Eh? I don't like Amazon, but I've bought quite a lot of stuff from and through them over the years, and I've never signed up for Prime. And while I have various complaints about Amazon, "not easy" has never been one of them.

I admit that not signing up for Prime requires clicking "No" when Amazon suggests I do so. But that seems to me relatively convenient and accessible even to non-technical users.

Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs

Michael Wojcik Silver badge

Re: You would have thought that adding a certificate should do it.

This will probably vary by device and Android version, inconsistency being the quintessence of the Android experience. But here's what I did:

1. Using Chrome on the phone, went to the LE certificates page.

2. There I used the appropriate links to download the ISRG X1 and X2 root certs in PEM format. I don't know what formats Android will accept, but PEM is the only sensible format for certificates and no one should ever use anything else, so that's what I always try first.

3. This gave me two checkmark links in the phone's status line. I dropped down the system menu and clicked the checkmark next to the first one. That prompted for authentication (phone password or whatever you have configured); then it prompted me for a name for the certificate - I used "Let's Encrypt ISRG Root X1". Then it was installed.

4. Repeat for the X2 root cert, for future-proofing.

5. Afterward, you can go into Settings, search for "certificate", click on View Security Certificates (or something similar - on my phone it's under Security > Advanced, but you never know with Android). Then look at your User certificates and they should appear there.

Biden projected to be the next US President, Microsoft joins rest of world in telling Trump: It looks like... you're fired

Michael Wojcik Silver badge

Re: Good

I thought that most USians would want potable water, affordable healthcare, infrastructure that's not on the verge of crumbling, affordable education and less war.

You're not very familiar with people, I take it.

We're not rational economic actors. We don't act in our own interest. Political activity in particular is heavily influenced by two non-rational factors: ingrained ideology (which for most people seems to become largely fixed early in adulthood) and psychological traps such as the "backfire effect" and the first-person constraint on doxastic explanation.

The dominant ideologies in the US all incorporate themes, typically coded as "freedom", "opportunity", and "industriousness", which discourage acting in group interest where it would conflict with an idealized aggressive individualism. These themes were advantageous to the landed plutocrats and upper-middle-class entrepreneurs who shaped most of the political discourse and structures of the early US, at the expense of most of the rest of the population. They endure because the elite have a powerful vested interest in keeping them in place.

(It's worth noting, as an aside, that those ideological themes are rarely deployed for anything resembling the categories they supposedly name. It's tough to get most of the US population to defend civil rights, for example, in any meaningful way, even though those rights are critical to freedom, necessary for equitable opportunity, and an important constraint on government for industry.)

Michael Wojcik Silver badge

Re: Not if Republicans run the senate

There's an equivalent to Rule 34 for this: Any political conspiracy theory you can imagine has already been posted on the Internet.

My guess is that a really thorough forensic analysis of all the voting equipment in the US would find a fair number of errors and irregularities, and quite possibly the odd case of tampering, but not enough to change many races, if any at all. US election security is lousy but so far from a monoculture that it's expensive (in terms of money, labor, and other resources) to gain control over any decent-sized portion of it.

Again, I'm just guessing (though I have read some academic studies in this area), but I suspect it wouldn't be enough to flip the Senate.

We'll see what happens with mid-terms, but historically those often go against the president's party. As usual, it will mostly depend on turnout, and turnout is mostly psychological - though Republican efforts to disenfranchise voters have certainly been significant in recent years.

City folk vote to each get $100 every time cops, govt officials illegally spy on them with facial-rec AI, minimum $1,000

Michael Wojcik Silver badge

Re: "(...)we are temporarily suspending driving operations in San Francisco on 11/3 and 11/4"

Any date format other than ISO 8601 is anathema. The US convention is particularly dumb (and I write that despite having grown up with it), but any ambiguous form is foolishness in this era of worldwide communication.

Of course if you don't like ISO 8601 (heretic!) you can always employ a longer, unambiguous style, like "the third and fourth day in the month of November, as commonly reckoned in these United States of America, during the fourth and by grace of the electorate final year of the tumultuous reign of Mad Despot Trump".[1] No one will confuse that for 11th March.

[1] I tried writing that on the date line of a check, but I couldn't make it fit. Then I remembered that no one uses checks anymore.[2]

[2] I kid. Here in the backward USA we still average half a dozen or so paper checks a month. At least that number has dropped substantially; 15 years ago, maybe even 10, I was still writing enough checks to have a date stamp so I could avoid writing the date over and over.

Michael Wojcik Silver badge

Re: Even a stopped clock tells the right time twice a day

Probably a good number. But that doesn't mean this isn't a viable industrial process. Industrial research generally does require testing a large pool of candidates.

The question is whether this approach:

1. Significantly reduced the number of candidates that might otherwise have been tested.

2. Proposed any novel candidates.

If either of those is true, then it may be cost-effective. From the article it sounds like the company is claiming at least #2.

Frankly, this sounds like a perfectly suitable application for a convolutional-neural-network stack. It's just what CNNs do: you have a desired output signal, and the network finds inputs that produce an output that's reasonably close to that signal. The stack lets you translate that from micro-features to macro ones. And unlike a lot of proposed uses for "deep learning" (i.e. ML systems based on a NN stack, typically with mostly CNN layers) this one feeds into a second round of human evaluation, and the cost of false positives and negatives is low. The same can't be said about, oh, autonomous vehicles or medical diagnoses.

In short,[1] this looks like a "sure, why not?" use case for the technology. I'm not looking for a new milk substitute myself, but it's a valid pursuit. Computational gastronomy, basically.

[1] Too late.

Michael Wojcik Silver badge

It might be paid out of insurance.

But in either case it's still going to hit the police department's budget (directly or in increased insurance premiums), and given the relatively small size of Portland that will bring all sorts of political pressures to bear. It seems to me the point of this ballot initiative is really to send a message: a majority of the citizenry do not want this technology used, and they're prepared to make things quite uncomfortable for any agency that does so.

It's a good precedent, anyway.

Michael Wojcik Silver badge

Re: Even a stopped clock tells the right time twice a day

There are plenty of alternatives for the lactose-intolerant. I myself have occasionally used almond milk (I find the consistency more familiar, because I was raised with 1%-milkfat milk[1]), and I quite like the occasional coconut-milk alternative for ice cream. There's rice milk, cashew milk, soy milk - quite a few to choose from, at least here in the US.

Occasionally I have real ice cream, along with a hefty dose of lactase, and, yes, it's probably a bit better than the analogues; it's hard to precisely duplicate the flavor and mouth feel of a high-quality ice cream, or the nostalgia of soft-serve. But particularly for the severely lactose-intolerant[2] cheese is the real casualty.

[1] The usual story: our pediatrician, concerned about a relatively high heart-attack rate in my mother's family, recommended a low-cholesterol diet for me and my siblings. Now evidence shows no strong correlation between dietary cholesterol and serum cholesterol, much less serum LDL or triglycerides, so we know the whole thing was pointless if not counterproductive. But then much of nutrition "science" is anything but, and medical GPs rarely have the time to follow current research (which is why we have groups like Cochrane doing metastudies and creating clinical recommendations...).

[2] I can tolerate cheese, at least enough so that I haven't had to give it up. I'd miss cheese a lot more than milk or cream.

Michael Wojcik Silver badge

Re: Even a stopped clock tells the right time twice a day

Then we'll have the usual health freaks giving it to their babies ignoring the evolutionary reason why milk has so many calories.

Is this actually a problem? Milk alternatives have been available for decades (the article notes those based on soy and nuts).

There's the infamous (and ongoing) Nestlé infant-formula scandal, but that's quite different from your claim; it's about formula being aggressively marketed to poor and undereducated populations, not relatively healthy nutrition-tourists jumping on the latest bandwagon.

Network driver issue shaves 12 more hours off Microsoft's '365' infrastructure, and yeah, it was Exchange Online again

Michael Wojcik Silver badge

Actually, this is just the sort of thing I'd like to hear at fireworks parties.

No, I'm not any fun either.

GitHub's new security scanner definitely works, says Jenkins: It found 7 flaws in our plugins

Michael Wojcik Silver badge

Finding flaws in Jenkins plugins is like dynamiting fish in a barrel

Anyone who follows the Jenkins vulnerability announcements knows the Jenkins plugin ecosystem is toxic and ridden with vulnerabilities - many of which remain unfixed long after publication. It's as toxic as other well-known sewers such as NPM and the WordPress plugin collection. You could probably find seven vulnerabilities by printing out a bunch of Jenkins-plugin source at random, pasting it up on a wall, and throwing darts at it.

That said, CodeQL is a good addition to the security tools available to GitHub contributors (though there are plenty of static-analysis tools which people could already be making use of, and very few do). And its approach is different enough from classic static analyzers, and other vulnerability-identification tools such as dynamic analyzers and fuzzers, to provide a different tack on the problem; that helps both with finding different sorts of vulnerabilities and with reducing the fatigue of going through large result sets with a lot of duplicate information.

Now that's a Finnish-ing move: Finland offers free 90-day tryout of Helsinki tech scene with childcare thrown in

Michael Wojcik Silver badge

Re: Finnish Them Off!

Pff. That's not "really cold". According to the climate info in Wikipedia, Helsinki compares favorably with Lansing, Michigan, which I rate as "moderately cold" in the winter. Lansing's generally more comfortable in the winter than some other places I've lived, including Boston, Massachusetts and Lincoln, Nebraska. (And winter nighttime lows here at the Mountain Fastness fall pretty damn low too, though the extremely low humidity means that you lose heat significantly slower, so you don't feel it as much. It might be -25 C but it feels like maybe -5.)

Forget that cold record (which doesn't seem to be in the Wikipedia table, but whatever) and look at the normal lows. They're very reasonable.

Personally, if I were single, I'd be very tempted to give this a try.

The car you buy in 2025 will include a terabyte of storage. Robo-taxis might need 11TB

Michael Wojcik Silver badge

Good luck with that

Thanks!

I don't know about where you live, friend, but here in the US there are a variety of older cars for sale. We call them "used cars".[1]

I'm already assuming I'll never buy another new car for myself, since they all seem to come with fucking touchscreens now. I hate touchscreens, and having one (for controls the driver might want to use) in an automobile is the height of stupidity.

[1] Some people refer to some of them as "pre-owned". Those people should of course be forbidden from speaking or writing until they learn to avoid moronic, unnecessary neologisms.

California backs Proposition 22: Great news for Uber, Lyft as their drivers can work as indie contractors

Michael Wojcik Silver badge

Yes, no one has ever worked for two employers simultaneously. We have no idea how that might work. It's inconceivable.

Michael Wojcik Silver badge

Re: It's always better to exploit others than being exploited

It's almost as if people aren't rational economic actors who always make optimal choices based on the information available to them.

Michael Wojcik Silver badge

Re: Tech douche bros rule!

Not a single driver that I personally asked (in excess of 40) wanted me to vote no. The vast majority of the actual workers

The latter claim may be true, but with over half a million Uber and Lyft drivers in California, N=40 is not a statistically significant sample. Particularly not when your sampling method is probably biased by your location, etc.

Personally, I don't find "the drivers are against it" to be a particularly compelling argument anyway. The whole point of the social contract is finding a balance between what an individual wants and what's best for society at large.

In any event, this hasn't made me any more inclined to use gig-economy services.

Feds throw book at eBay execs who deny they had anything to do with cyberstalking of site's critics

Michael Wojcik Silver badge

Yeah, I was quite surprised that high-level execs were physically involved in this, and not just giving orders. They (allegedly) drove to the victims' home? After flying across the country, since presumably they're based at eBay's HQ in California. (And like most of the Boston Metro area, Natick[1][2] isn't exactly fun to drive around.)

This whole thing just gets more and more bizarre as the details come out.

[1] At first I misremembered and thought the victims lived in Nahant, which is more pleasant to drive around, but more tiresome to get to in the first place. Nice beaches, though, by Massachusetts standards.

[2] For driving around Natick, I recommend listening to "Driving on 9"[3] by Ed's Redeeming Qualities. Listening to the cover by the Breeders is also permitted.

[3] There's some debate about whether "9" refers to Massachusetts Route 9 or the one in California, but the song was released the same year that the band moved from Boston to San Francisco, which suggests to me that it was written before the move. In any case it works for either.

If you're an update laggard, buck up: Chrome zero-days are being exploited in the wild

Michael Wojcik Silver badge

Re: Google Responsibly

Sigh.

The GitHub issue was disclosed to them 104 days ago: 90 days plus the 14-day grace period. That's how responsible disclosure policies work.

GitHub themselves disclosed technical details about the GitHub Actions vulnerabilities.

Google have disclosed the Chrome issue discussed in the article. They just haven't released technical details.

Are these details really that hard to understand?

Was that November's Patch Tuesday? Already? Oh, no, it's just Adobe issuing 14 emergency security fixes

Michael Wojcik Silver badge

Re: Acrobat.

People go on and on about "Acrobat" (be honest people, it's just PDF)

PDF != Acrobat. It's entirely possible to have a PDF renderer which doesn't support scripting and much other Acrobat idiocy.

I'm not a huge fan of PDF; for the vast majority of documents I'd prefer HTML[1], or Markdown[2], or plain UTF-8 text.

But there's a place for proper typographic layout. Book-length works, and even many shorter articles, are far more pleasant to read when they're laid out well. HTML+CSS simply can't do that. It can't do proper ligatures or kerning or digits with descenders or micro-protrusions or any of the other things you'll get with, say, pdflatex output.[3] And for those applications, PDF remains the best choice. None of the other widely-available formats really handle that properly.

[1] Real HTML: POSH, cleanly formatted, with minimal CSS, and no scripting. Minimal scripting which degrades gracefully if it's disabled is acceptable for web pages.

[2] I generally find Markdown unnecessary, but if for some reason people feel compelled to have some markup and formatting in documents that would work just fine as plain text, it's safer and more readable in source than HTML.

[3] Yes, in principle, you can get some of those things with CSS and fonts, if you can find suitable high-quality fonts and you go through a lot of trouble. But anyone who lets the browser download arbitrary fonts from arbitrary sources ... well, you might as well use Acrobat.

GitHub warns devs face ban if they fork DMCA'd YouTube download tool... while hinting how to beat the RIAA

Michael Wojcik Silver badge

music tracks, such as Taylor Swift's Shake It Off, which irked the RIAA

To be fair, "Shake it Off" irked me too.

Windows Server robocopy to gain auto-compression ahead of big file moves

Michael Wojcik Silver badge

the future of what now?

SMB over QUIC is the future of distributed systems

Good god, I hope not. SMB is a horrible, horrible protocol, and QUIC is only slightly better than the typical "let's reinvent TCP using UDP" attempt.

QUIC solves certain problems, true; that's because it's optimized for different use cases than TCP is. That doesn't mean everything should be switched from TCP to QUIC. And it especially doesn't mean that we should prolong the life of dreadful rubbish like SMB by promoting QUIC as a transport for it.

And, of course, the vast majority of distributed systems don't use SMB, because they're not interested in anything SMB does. Remote filesystems are a niche application, statistically, when the whole of IT is considered.

Remember when the keyboard was the computer? You can now relive those heady days with the Raspberry Pi 400

Michael Wojcik Silver badge

Re: there's no travel on it

How did the sage Strong Bad put it? "Your computer has too much television and not enough typewriter!"

X.Org is now pretty much an ex-org: Maintainer declares the open-source windowing system largely abandoned

Michael Wojcik Silver badge

Re: Nobody likes X11

I used SunView, NeWS, and Display Postscript. I'll stick with X11, thanks.

Michael Wojcik Silver badge

Re: Then there's running an X session remotely.....

Agreed. I'm not particularly impressed by Wayland and its orientation toward local, single-user systems.

I was writing X11 applications at IBM in the late 80s / early 90s: clients, a window manager, graphics libraries (XGKS), and extensions (PEX). I wrote the ddx side for some experimental display hardware. While there were some unfortunate choices in the X11 protocol - specifically, it would have been nice if clients could specify strict or relaxed rendering of wide lines and other primitives to make better use of acceleration - X11 was a rather brilliant piece of work.

VNC is just network framebuffers. It's the sort of remote-display technology an undergrad would come up with. It has its uses, but comparing VNC to X11 is like comparing a pedal car to a Ferrari.

I've never looked at RDP closely, but apparently it's based on the ITU's T.120 family of specifications, and those are just as elegant as you'd expect.