* Posts by Michael Wojcik

12268 publicly visible posts • joined 21 Dec 2007

Computer, deactivate self-destruct system requirement, says Sonos... were it on a starship in space, and not a smart-speaker slinger

Michael Wojcik Silver badge

How did anyone ever survive without such features? Clearly this "experience" is desirable regardless of the cost.

Michael Wojcik Silver badge

I wouldn't put in a proprietary network-connected speaker system even if I had more money than I knew what to do with.

Michael Wojcik Silver badge

Re: Slow on the uptake,

General purpose and internet connected computers get out of date

And even they can often be used much longer than they generally are. My personal machine is 11 years old, and it's still perfectly functional.

After 16 years of hype, graphene finally delivers on its promise – with a cosmetic face mask

Michael Wojcik Silver badge

Re: has not said quite how its cosmetic face masks will benefit from graphene

Is it carbon-neutral? Can't have our inner glow contributing to global warming.

("Yes, we've discovered a new sequestration technology. We take a bunch of carbon and shove it ... well, you'll see.")

Michael Wojcik Silver badge

Re: Graphene

Nuclear fusion is only about 8 minutes away.

Carbon fiber is widely used, and has penetrated various markets at rates that seem plausible to me, given basic economics. I don't see how that example supports your premise, particularly in areas such as home construction, which tend to be very conservative and largely driven by regulation. We've had concrete homes, rammed-earth homes, Earthships, steel-framed conventional homes, manufactured-and-assembled-on-site homes, etc for decades, but on-site stick framing is still dominant here in the US. Why? Economies of scale, for materials and for expertise; and familiarity.

Android users, if you could pause your COVID-19 panic buying for one minute to install these critical security fixes, that would be great

Michael Wojcik Silver badge

Re: Sad Sammy

My unlocked, formerly AT&T-branded Galaxy S6 gets updates. I'm on an MVNO that operates over the AT&T network.

Michael Wojcik Silver badge

Yes, the Android ecosystem patch mechanism is well and truly broken, and this is at least as much Google's fault as anyone else's. AOSP aside, Google is forcing various conditions on Android device vendors to include Google crap; they could certainly force them to do a better job of distributing updates.

Though having said that, getting patches isn't all roses either. I finally have a phone that receives regular updates, and each one either breaks existing functionality (fortunately, generally something I don't care about, though a recent one removed the global disable-sync option) or adds some new horrible annoyance.

After I installed the one before this latest, the phone started pestering me periodically to enable VoLTE, despite the fact that 1) I don't fucking want it, and 2) it can't be enabled anyway, because I'm in a microcell that doesn't support it. A bit of online research turned up hundreds of complaints about this behavior over the past few years. This sort of thing makes me want to find the person who made the decision to add this irritant and commit a few acts of violence.

This sort of thing is one reason I refuse to buy new phones; the manufacturers haven't earned that kind of money from me.

Michael Wojcik Silver badge

After the looming apocalypse they'll be worth their weight in gold!

(That is, not very much, and only to people who already have their basic needs satisfied.)

Sadly, the web has brought a whole new meaning to the phrase 'nothing is true; everything is permitted'

Michael Wojcik Silver badge

Re: "the evidence of our senses has become suddenly and comprehensively insufficient "

If it *feels* wrong, then it probably *is* wrong

Decades of psychological research, and thousands of years of literature, say otherwise.

Michael Wojcik Silver badge

Re: "...could I borrow $60 (US) via PayPal..."

Heh. I was thinking of this just a couple of days ago as I was planning the site for Shed 2 at the Mountain Fastness. The Stately Manor already has two sheds.[1]

I've heard that the Arthur "Two Sheds" Jackson sketch was inspired by an interview with Roald Dahl where he was asked about his "writing hut". A quick search didn't turn up anything to confirm that, though.

[1] Neither home has a garage, which is unusual for the US. Which is just as well, because cleaning snow off your cars Builds Character. Also, I hate the idea of leaving the house only to walk into an attached garage and get into a car, never having actually been outside.

Michael Wojcik Silver badge

Re: "...could I borrow $60 (US) via PayPal..."

explain how you are using Skype at a hotel. They don't provide laptops now, do they ?

Better hotels used to routinely provide "business services" rooms with desktop computers, printers, and the like. They're still fairly common in my experience. Even lower-tier hotels often have some elderly Dell desktop machine available for guests.

Michael Wojcik Silver badge

I dare say a dedicated attacker could have created a convincing fraud, if your friends are like most people in the wealthy world.

What mostly spares us from that sort of thing is that the effort involved means the return isn't as good as for simpler scams, which continue to be profitable for the scammers. So usually even off-the-cuff specific social-engineering attacks like this famous example from DEFCON are reserved for special cases, where some target has aroused the attacker's interest or ire.

Of course there are the regular "grandchild emergency" telephone scams, but those generally involve very little preparation, at least in the cases I've read about. Sometimes the attackers don't even know the child's name; as with other low-level scams, they rely on volume and very low costs to find enough victims to make the schemes worth their while.

Is technology undermining democracy? It's complicated, says heavyweight thinktank

Michael Wojcik Silver badge

Re: Eh?

I'm still wondering why a referendum and an election are a threat to democracy

Oh well, I'm still wondering why some apparently intelligent people think this is what's at issue.

Michael Wojcik Silver badge

I'm not sure I believe that you don't believe that.

Fella accused of ripping off Cisco, Amazon, iRobot, others to the tune of $2m by fraudulently demanding replacements for tech gear

Michael Wojcik Silver badge

Revolving door

825 years? Bah! We'll be lucky if he serves half of that.

Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef

Michael Wojcik Silver badge

Re: Why can't we have brilliant people without toxic personalities??

I'm brilliant and I'm a lovely person too. Also handsome. And modest.

Michael Wojcik Silver badge

Re: Security Controls.

Or to use that information for spearphishing, or to apply pressure to coopt an employee into turning over more-valuable information. And so on.

Pivot-and-escalate works with data, just as it does with systems.

Michael Wojcik Silver badge

Re: Cell phones in prison

I've had Internet access for decades. This is one of several topics for which I'm no longer capable of feeling surprise.

Michael Wojcik Silver badge

Re: "intensely embarrassed by the loss of some of its most valuable weapons"

There are any number of explanations, ranging from "Corso just made the whole thing up to sell his book" to "it actually was stolen foreign technology, but Corso wasn't told the real origin because he didn't Need to Know".

I mean, if I were running a spy program that stole interesting technological developments and other research from foreign powers, I'd want a way to quietly funnel it into my own nation's R&D stream, and leaking it to university and commercial researchers to reverse-engineer and claim as their own seems like a reasonable way to do it. And I'd want some dupe in the middle who didn't know where it came from so I'd have some deniability in case the program came to light.

Michael Wojcik Silver badge

Re: "intensely embarrassed by the loss of some of its most valuable weapons"

I can't think of any technology from the second half of the twentieth century which can't be fully traced along its research and development path from bright idea to mature technology

Duh, they used the Roswell time-travel tech to go back and retcon it.

Michael Wojcik Silver badge

Re: Schulte = Dark Milton

They really should have given him a piece of cake.

Michael Wojcik Silver badge

Re: Guilty? Possibly. Beyond a doubt? No Way!

Yes, based on what's in the article - it might be different if I'd actually heard all the evidence firsthand - if I were on the jury I'd have to vote to acquit.

But to be honest, even if I felt he were guilty beyond a reasonable doubt, I'd really have to consider nullification in this case.

As Australia is gripped by bog roll shortage, tabloid says: Here, fill your dunny with us

Michael Wojcik Silver badge

At the Stately Manor, we regularly get a couple of phone directories every year: one for the (small) city in which the Manor is actually situated, and one for the metro area surrounding the nearest somewhat-larger city.

I even consult them occasionally, though mostly out of nostalgia.

Come to that, it was only last week that I finally canceled the Manor's "land-line" service. It has proven useful over the years, particularly during extended power outages when the cell-tower batteries run down. Then we're the only people in the neighborhood who can call around to see who has dry ice in stock. But now we know the secret reliable dry-ice supplier, and the cost of wired phone service from AT&T is outrageous - around $85 a month - so I turned it off.

I'm keeping the wall-mount phone, though, as a sort of trophy display. "Oh yes, as recently as 2020 this thing actually worked! You could use it to leave messages in someone's voicemail, which they'd delete without listening to."

UK.gov lays out COVID-19 guidance as the tech supply chain considers its own

Michael Wojcik Silver badge

Re: Yeah...

To be fair, Pence has a solid record of damaging things he's in charge of. Maybe they thought he'd have the same effect on the virus.

Michael Wojcik Silver badge

Re: It's just flaky news

What do we "know" about the virus? Virtually nothing

True, but only for certain values of "we".

Michael Wojcik Silver badge

Re: Well I guess this just goes to prove .....

Oh, I don't know. None of my computers are showing COVID-19 symptoms.

Michael Wojcik Silver badge

Re: Government Guidance

Bah. Points for etymology, but minus several million for unjustified prescriptivism.

There are an infinite number of ways to form a plural of "virus" in English. Here's one: slaijhviels. Unlikely to catch on, I know; but that doesn't mean it's not "a way to make the noun 'virus' plural". Nothing in the conventions of English as a spoken or written language forbids it, and there is no authority for the language generally recognized by a majority of Anglophones.

And that, of course, is the usual problem with prescriptivists. They can formulate a learned argument, but then they try to build it on a foundation of appeal to some imaginary authority, because they can't bear to simply be descriptive and argue a preference.

Michael Wojcik Silver badge

Re: Government Guidance

Pandemics are difficult to predict. Sometimes they are severe. The fact that they are often not severe - and citing instances when they are not - is a poor argument against preparing for a possibly severe one in this instance.

Certainly some people are overreacting, but mocking them doesn't help either.

You. Drop and give me 20... per cent IPv6 by 2023, 80% by 2025, Uncle Sam tells its IT admins after years of slacking

Michael Wojcik Silver badge

Re: Crap

What really annoys me about IPv6 addressing (at the moment) is zone IDs for link-local and site-local addresses. "A printable representation of an IPv6 address will be at most INET6_ADDRSTRLEN characters, plus some arbitrary number for a percent sign followed by something that might be a decimal number or might be some arbitrary string."

Well fuck whoever came up with that, eh?

The whole idea of "each of these addresses will be unique, except for all the ones that aren't" is obviously the result of some mind-bogglingly braindead compromise. I expect IPv7 will introduce an "eat your cake and have it too" scheme.
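An added example (not from the comment above, and not from any particular library) of what the zone-ID complaint means in practice for C code: inet_pton() does not understand the "%zone" suffix, so a scoped literal such as "fe80::1%eth0" has to be split before it can be parsed, and a buffer sized to INET6_ADDRSTRLEN is not large enough to hold the printable form once the zone is re-attached. The zone is treated as opaque text (an interface name or a decimal index); the struct and function names, and the SCOPED_ADDRSTRLEN bound, are this example's own assumptions.

```c
/*
 * Added example: parsing and printing scoped IPv6 literals ("addr%zone").
 * Not code from the original comment; struct/function names are hypothetical.
 */
#include <arpa/inet.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Largest printable scoped address this code will store:
 * address text + '%' + zone (an interface name or a decimal index).
 * Assumed bound: zones longer than an interface name are rejected. */
#define SCOPED_ADDRSTRLEN (INET6_ADDRSTRLEN + 1 + IF_NAMESIZE)

struct scoped_in6 {
    struct in6_addr addr;
    char zone[IF_NAMESIZE];   /* "" when no zone was given */
};

/* Parse "addr" or "addr%zone". Returns 1 on success, 0 on malformed input.
 * The zone is kept as text; resolving it to an interface index
 * (if_nametoindex) is left to the caller. */
int parse_scoped_in6(const char *text, struct scoped_in6 *out)
{
    char addrbuf[INET6_ADDRSTRLEN];
    const char *pct = strchr(text, '%');
    size_t addrlen = pct ? (size_t)(pct - text) : strlen(text);

    if (addrlen == 0 || addrlen >= sizeof addrbuf)
        return 0;
    memcpy(addrbuf, text, addrlen);
    addrbuf[addrlen] = '\0';

    out->zone[0] = '\0';
    if (pct) {
        size_t zonelen = strlen(pct + 1);
        /* An empty or over-long zone is rejected rather than truncated. */
        if (zonelen == 0 || zonelen >= sizeof out->zone)
            return 0;
        memcpy(out->zone, pct + 1, zonelen + 1);
    }
    return inet_pton(AF_INET6, addrbuf, &out->addr) == 1;
}

/* Print the address back, re-attaching the zone if there was one.
 * dst should hold SCOPED_ADDRSTRLEN bytes; returns the length written,
 * or -1 if dstlen is too small (INET6_ADDRSTRLEN alone will not do). */
int format_scoped_in6(const struct scoped_in6 *in, char *dst, size_t dstlen)
{
    char addrbuf[INET6_ADDRSTRLEN];
    int n;

    if (!inet_ntop(AF_INET6, &in->addr, addrbuf, sizeof addrbuf))
        return -1;
    n = in->zone[0] ? snprintf(dst, dstlen, "%s%%%s", addrbuf, in->zone)
                    : snprintf(dst, dstlen, "%s", addrbuf);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : n;
}

/* Returns 1 if inet_pton alone accepts the text; it does not for "%zone". */
int bare_inet_pton_accepts(const char *text)
{
    struct in6_addr a;
    return inet_pton(AF_INET6, text, &a) == 1;
}

int main(void)
{
    struct scoped_in6 s;
    char out[SCOPED_ADDRSTRLEN];
    const char *in = "fe80::1%eth0";   /* constructed sample input */

    printf("inet_pton alone accepts \"%s\": %d\n", in, bare_inet_pton_accepts(in));
    if (parse_scoped_in6(in, &s) && format_scoped_in6(&s, out, sizeof out) > 0)
        printf("round trip: %s (zone \"%s\")\n", out, s.zone);
    return 0;
}
```

The design choice worth noting is that the zone is neither truncated nor silently dropped: a caller that later compares or logs the address sees exactly what it was given, and an input that does not fit the agreed bound is refused up front instead of being clipped into a different, valid-looking address.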

Coronavirus conference cancellations continue: Google and Microsoft axe WSL and Cloud Next

Michael Wojcik Silver badge

I have a couple of co-workers whom I know went to RSA (and no doubt there were many others; a number of my regular meetings were canceled because "too many attendees will be at RSA"). They didn't seem to find it particularly less busy than usual.

Michael Wojcik Silver badge

Re: In the future...

I haven't gone to a conference or convention for a few years now, but for me at least the virtual events are never particularly productive, and certainly much, much less productive than in-person attendance. I do several videoconferences and group phone meetings every week, so it's not like I'm not used to that format; but I have a terrible time staying focused on online presentations and the like when it's not with people I already know. And I don't see how virtual conferences can offer the same (interpersonal) networking opportunities that F2F ones do.

Is that a typo? Oh, it's not a typo. Ampere really is touting an 80-core 64-bit 7nm Arm server processor dubbed Altra

Michael Wojcik Silver badge

Re: I hope...

Mitigation for well-known SPECTRE-class vulnerabilities, perhaps. You can't eliminate side channels without full reversible computing.

Honeywell, I blew up the qubits: Thermostat maker to offer cloud access to 'world's most powerful quantum computer' within months

Michael Wojcik Silver badge

Re: "This is not a science project"

And I forgot to note that NP is very likely not in BQP (assuming P != NP), so no one's going to be using a general QC of whatever size to solve the TSP. You could do an exhaustive search using Grover's algorithm but that quickly becomes infeasible for any NP-Complete problem, even with heuristic pruning. Meanwhile, we have techniques such as graph sparsification which often let us find close-to-optimal solutions for many problems in NP using conventional computing.

Michael Wojcik Silver badge

64-bit quantum volume

A US National Academies of Sciences, Engineering, and Medicine report on quantum computing from December 2018 said it is "highly unexpected" a quantum computer will be able to crack RSA 2048-bit encryption within the next decade, for instance.

Sure, but this new Honeywell machine has doomed our RSA-64 keys. (Mine was {4294967279, 4294967291}. There's no point in keeping it secret now.)

On a slightly more serious note, 64 effective qubits might seem like enough to, say, break DES - not that we can't brute-force 56-bit DES keys trivially. But applying Grover's algorithm to breaking symmetric keys for Feistel ciphers turns out to require more effective qubits than are needed for basic Grover's alone. For example, breaking AES-128 appears to require at least 984 qubits.

Michael Wojcik Silver badge

Re: "This is not a science project"

There are a number of good applications for general QC. There are practical problems in BQP (and probably not in P), such as some applications of Grover's algorithm - satisfiability and other Boolean evaluation problems in particular. Intelligence agencies wouldn't mind using a fast implementation of Grover's to find the relatively short keys[1] used to symmetrically-encrypt some of the vast corpora of data they've stolen. And there's quantum simulation, which many physicists would certainly like to have.

For that matter, Merkle trees ("blockchain" by its proper name) have practical applications, such as in filesystems. BTRFS and ZFS use Merkle trees, for example. So does git.

[1] The speedup of Grover's algorithm over conventional brute-force search is \sqrt{N}, so for this application it effectively cuts the key size in half. That makes it potentially useful for breaking, say, AES-128, but much less useful for breaking AES-192.

Electro-smog, govt snooping be damned. Two thirds of folks polled worldwide would trade in their mobes for 5G kit

Michael Wojcik Silver badge

Re: Really?

I think the only times when I ever even care about 4G is if I'm out somewhere and having trouble finding my destination. Then online navigation is handy. But I lived for many years without it, and I could certainly do so again; I could use offline maps, or paper maps, or call the place I'm trying to find to ask for directions. I really only use online navigation because it's there, and that rarely.

Michael Wojcik Silver badge

Re: So...

Which is nice for those of us who don't want to pay much for a phone, don't mind a refurbished one, and don't give a shit about 5G. The grey market will probably also be flooded with cheap remaindered 4G carrier-branded units, which (IME) generally come already unlocked.

Michael Wojcik Silver badge

Re: Costs

Personally, I think the only rational choice is "ignore 5G forever". I'll have a 5G phone when nothing else is available.

Let's Encrypt? Let's revoke 3 million HTTPS certificates on Wednesday, more like: Check code loop blunder strikes

Michael Wojcik Silver badge

Re: Whatever happened to code review?

Yes. In software as in all things you really want defense in depth. Code review, static analysis, dynamic analysis, fuzz testing, as much unit/functional/system testing as you can manage (ideally with automated and human test generation), ...

But code review, done properly, improves the incentives for writing readable code. That's very important not just for security but for maintainability, and thus for reducing total cost of development. Having looked at that Let's Encrypt bug report, I'm not surprised the error was missed; the code follows the "every letter is expensive!" style popularized by generations of mediocre C developers. (The formatting is also awful, but I assume that was due to pasting it into a blog post that doesn't support proper whitespace-preserving formatting. Like some other sites I could mention...)

Michael Wojcik Silver badge

This makes you wonder how other PKI providers automate requests and how they are audited.

Well, no, it doesn't, because there's a ton of material readily available regarding the state and history of PKIX and the public X.509 CAs. So anyone who's interested in this question can easily find an answer.

Ivan Ristić's Bulletproof SSL and TLS has some good historical material, for example; and you can stay up to date with Hanno Böck's Bulletproof TLS email newsletter. For background there are the PKIX and HTTP-over-SSL RFCs (5280 and 2818 in particular). The CA/BF makes all sorts of stuff available on their website. And so on.

Anyone who's paying attention knows PKIX and other aspects of the public X.509 PKI such as code signing are a mess. Arguably they're less of a mess than they were, say, a decade ago; Certificate Transparency and the increasing willingness of browser manufacturers to shut out bad CAs have helped. But it's still a sausage factory.

Michael Wojcik Silver badge

Re: TDD still a thing?

Yes, it could be caught by a very simple unit test. The problem, as always, is combinatorial explosion: There are a huge number of potential problems that could be caught by a similarly huge number of trivial unit tests. Someone or something[1] has to create those unit tests.

Per a comment above, there was a unit test which exercised the code path in question, but its verification logic didn't check all aspects of the output, and so missed this error.

[1] There's a fair bit of interesting research into automating test creation.

Michael Wojcik Silver badge

Re: Easy-peasy

Not doing it isn't an option. Basic Requirements.

Michael Wojcik Silver badge

Re: What's this, a bug caused by a language quirk?

One word: Deserialization.

Michael Wojcik Silver badge

Re: What's this, a bug caused by a language quirk?

The cause of Heartbleed was a missing length check. It was a trivial error, even if it had non-trivial consequences. Variants of it could have happened even in languages with array boundary checking, for example if the heartbeat code reused sufficiently-large buffers.

Goto-fail wasn't in OpenSSL at all, but in Apple's TLS stack. And it happened because of poor code style and a failure to use an adequate static-code analyzer. (Some C compilers, run with appropriate options, are sufficiently good linters to catch the goto-fail bug, because it leaves dead code; any decent standalone linter or general static-code analyzer should catch it.)

Both are in C, so say nothing about C++.

In any case, there are much more prominent dangers in C, particularly unsafe functions in the standard library (which should be avoided or wrapped in safer abstractions, not used directly in application logic); the use of in-band signaling in strings, stdio formatting, etc; relatively weak typing; and a cumbersome error-handling model.

I agree with your general point - all programming languages have pitfalls, and some are more difficult to use properly than others. But your supporting argument leaves much to be desired.
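An added example, not from the comment above and not OpenSSL's code, of the "missing length check" shape the comment attributes to Heartbleed: a stripped-down heartbeat record handler that trusts the peer-supplied payload length, beside the same handler with the check against the bytes that actually arrived. The record layout (one type byte, a two-byte big-endian payload length, the payload, then padding) follows RFC 6520; the struct and function names, the fixed 16-byte padding and the sample receive arena are this example's own constructions. The arena is deliberately larger than the record so that the demonstration over-read stays inside memory the program owns.

```c
/*
 * Added example: a heartbeat-style handler with and without the length check.
 * Not OpenSSL's code; names and sample data are hypothetical/constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HB_PADDING 16   /* assumed fixed padding length for the example */

/* One received record: the bytes and how many of them actually arrived. */
struct record {
    const unsigned char *data;
    size_t len;
};

/* Shared response builder: copies `payload` bytes after a 3-byte header. */
static unsigned char *build_response(const unsigned char *src,
                                     uint16_t payload, size_t *out_len)
{
    size_t total = 1 + 2 + (size_t)payload + HB_PADDING;
    unsigned char *resp = malloc(total);
    if (!resp) return NULL;
    resp[0] = 2;                                  /* heartbeat_response */
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)payload;
    memcpy(resp + 3, src, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = total;
    return resp;
}

/* Vulnerable: echoes `payload` bytes without checking that the record is
 * that long, so the copy runs past the end of what was received. */
unsigned char *heartbeat_vulnerable(const struct record *r, size_t *out_len)
{
    const unsigned char *p = r->data + 1;          /* skip the type byte */
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    return build_response(p + 2, payload, out_len);
}

/* Hardened: the same logic plus the check. A record must be at least
 * 1 + 2 + payload + HB_PADDING bytes long, otherwise it is dropped. */
unsigned char *heartbeat_fixed(const struct record *r, size_t *out_len)
{
    if (r->len < 1 + 2 + HB_PADDING)
        return NULL;                               /* too short for a header */
    const unsigned char *p = r->data + 1;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    if ((size_t)1 + 2 + payload + HB_PADDING > r->len)
        return NULL;                               /* claimed length is a lie */
    return build_response(p + 2, payload, out_len);
}

/* Constructed sample: a 64-byte receive arena. Only the first 8 bytes are
 * the record that arrived (type 1, claimed length 40, 5-byte payload);
 * a "secret" left over from earlier traffic sits further into the arena. */
static const unsigned char arena[64] =
    "\x01" "\x00" "\x28" "hello" "\0\0\0\0\0\0\0\0" "SECRET-SESSION-TICKET";

/* Returns 1 if needle occurs anywhere in the response bytes. */
int response_contains(const unsigned char *resp, size_t len, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= len; i++)
        if (memcmp(resp + i, needle, nlen) == 0) return 1;
    return 0;
}

/* Feed the malicious record to the vulnerable handler: did it leak? */
int vulnerable_leaks_secret(void)
{
    struct record r = { arena, 8 };
    size_t n;
    unsigned char *resp = heartbeat_vulnerable(&r, &n);
    int leaked = resp && response_contains(resp, n, "SECRET-SESSION-TICKET");
    free(resp);
    return leaked;
}

/* The same record through the hardened handler is rejected outright. */
int fixed_rejects_malicious(void)
{
    struct record r = { arena, 8 };
    size_t n;
    return heartbeat_fixed(&r, &n) == NULL;
}

/* An honest record (claimed length matches the bytes sent) still works. */
int fixed_handles_honest(void)
{
    static const unsigned char honest[24] = "\x01" "\x00" "\x05" "hello";
    struct record r = { honest, sizeof honest };
    size_t n;
    unsigned char *resp = heartbeat_fixed(&r, &n);
    int ok = resp && n == 24 && resp[0] == 2 && memcmp(resp + 3, "hello", 5) == 0;
    free(resp);
    return ok;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed handler rejects record:    %d\n", fixed_rejects_malicious());
    printf("fixed handler answers honest:    %d\n", fixed_handles_honest());
    return 0;
}
```

The check in heartbeat_fixed() compares the claimed length against r->len, the only number the receiver actually knows, rather than against the size of the buffer the bytes happen to sit in. That distinction is the comment's point about buffer reuse: a bounds-checked language stops the copy at the end of the buffer, but if that buffer is larger than the record and still holds earlier data, the same check against the wrong limit leaks it just the same.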

Michael Wojcik Silver badge

Re: What's this, a bug caused by a language quirk?

Rust is significantly innovative, thanks to borrow checking.

I'm not particularly impressed with Go.

(And I'd do my scientific programming in Julia, probably. Python may have the libraries and community these days, but I find Julia much more to my taste.)

Michael Wojcik Silver badge

I'm not particularly fond of Let's Encrypt or the HTTPS Everywhere movement, because of increased threats such as typosquatting and IDN homographs, and because they're an excuse to avoid fixing the real problems. But even as conspiracy theories go this is impressively feeble.

Let's Encrypt is primarily a free service achieved by maximizing automation to reduce costs, and funded by premium packages and donations. There are plenty of commercial CAs already, and anyone who's interested can learn as much about the CA business as they like - including what sort of power CAs wield.

Your hypothetical "potential investors" either already understand the CA business, or won't notice this glitch.

If Alphabet (or Apple, or Amazon) wanted to buy up the major CAs, they would have. They haven't because the CA business sucks, frankly. Margins are lousy and no one likes CAs - they're a hassle when they work and a danger when they fail. The CA/BF slaps one band-aid after another onto a fundamentally broken PKI so it can just manage to make the work factor too high for non-targeted attacks. The whole thing is dreary.

If it's Goodenough for me, it's Goodenough for you: Canuck utility biz goes all in on solid-state glass battery boffinry

Michael Wojcik Silver badge

Re: "Critics have been understandably sceptical"

Linus Pauling received two Nobel prizes, and frankly I'm pretty suspicious of anyone who doesn't disagree with him about vitamin-megadose "therapy".

We regret to inform you there are severe delays on the token ring due to IT nerds blasting each other to bloody chunks

Michael Wojcik Silver badge

Re: WTF...

I was just going to post the same thing, but thought to search for "star" first.

Microsoft's Cortana turns its back on consumers as skills are stripped from Windows 10

Michael Wojcik Silver badge

Re: Productivity

On my Win10 machine, they come back on every reboot. Windows also pins shit to the taskbar on reboot and resets my application preferences.

Win10 is a nightmare of ill-conceived and broken functionality.

If you're writing code in Python, JavaScript, Java and PHP, relax. The hot trendy languages are still miles behind, this survey says

Michael Wojcik Silver badge

Re: COBOL

I don't think 370/390/z assembly is particularly difficult. It's not quite as luxurious as, say, VAX assembly, or the TI 64030; but it's a damned sight easier than some of the early RISC instruction sets (simply because they were deliberately constrained and thus made you do a bunch of "extra" work) or Itanium (because writing VLIW instructions by hand is pretty awful, and Itanium has pitfalls for the unwary like trap representations for registers).