Posts by Michael Wojcik

Re: Change? No way.

"Useful"? He's made Mitch McConnell the most powerful man in the US. It's probably the most significant (and destructive) accomplishment in Trump's entire life.

Indeed. The article says "whether it proved useful or led to a prosecution", but I think "led to a persecution is at least as likely".

Re: Tendentious again, Kieren

What precisely is a "concrete complaint"? One that Yes Me thinks is valid?

And how is promising to restrict price increases to a mere 215% over 8 years "constructive"? Well, it's constructive for Ethos, I suppose.

I hear if you stand before a mirror and say "Fadi Chehade" three times, he appears and steals your domain registry.

Re: None of the 'concessions' address the real problem:

Nobody, apart from those who would profiteer [sic], sees any benefit in the deal.

I don't believe that's true. While I think this deal is complete crap, I believe that at least some of the ISOC board members are sincere in their belief that it's a good idea. As I've noted in other threads about this, John Levine defended the decision on RISKS, and I don't believe he'll profit from it.

It's possible for well-meaning people to be misled. Happens all the time, in fact.

Re: Opens window

Oh, I wouldn't call the concessions feeble. I think they're pretty strong. It's just that they're concessions the objectors are being asked to make to Ethos, not the other way around.

"Look, if you approve this, we'll give ourselves the right to double the price over eight years, give the PIR board direct control over executive decisions, and give away $10M to whomever we like. Sound good?"

Indeed. What business wouldn't like to more than double its prices over the next 8 years? This isn't a sop to the objectors; it's a promise to gouge the customers.

The Stewardship Council - which obviously is just a proxy for the PIR board - and the promise to give $10M to their friends are similarly bogus.

Re: What??!!

The patents are not "just NAT circumvention". They're mostly about a TOR-like random-routing-with-encrypted-source-and-destination anonymization network. The novelty of the patents could be questioned based on the resemblance to TOR and similar approaches; but these patents are not primarily about videoconferencing or circumventing NAT.

According to an earlier Reg story, the patents were overturned at one point, following a long campaign by Apple, but may have been reinstated. (I don't care enough to look into the question.)

Re: What??!!

Because their patent basically covers ANY point to point videoconferencing connection

Does it? Or rather, do they, since Apple is accused of infringing (at least) two VirnetX patents (US 7,418,504 and 7,921,211)? Can you cite the relevant text in either of the patents? I skimmed them, and I don't recall any primary claim that would "cover[] any point to point videoconferencing connection".

Re: DRIVER_IRQL_NOT_LESS_OR_EQUAL

Autorun should never have been enabled on any OS for anything. It's a perfect example of a UX misfeature.

Non-technical users already understood that when they used a CD player, they'd press a "Play" button after inserting a disk. It's not a hard concept for users to grasp, and applying it to other sorts of content on removable media is intuitive.

You can drive up Mount Washington. I've done that (well, ridden in the car of a friend who decided to do it; I'd rather walk, personally). It's a little shy of 2000m above sea level, and also features some of the most exciting weather in the US. Or, indeed, anywhere. Most places don't see straight-line winds of 230 mph (370 km/h).

You can drive up to about 3000m on Wheeler Peak, and then if you're in the mood walk up another km or so. It's mostly a pretty nice stroll, except for the scree fields near the peak - if you're not careful it'd be easy to twist an ankle there. But on most nice days in the summer you'll probably find a couple dozen people up there.

Observation Point in Zion National Park is nearly 2000m above sea level, and that's a doddle. I have a friend who's done the hike with his kids when the younger was 6 years old. Personally, taking a 6-year-old up that trail would make me nervous - it's not like there are guard rails or anything, and much of the time the drop is precipitous; but go there on a holiday weekend in the warmer months and there will be hundreds of people on the trail.

There are any number of ski resorts with lifts above 3000m.

Indeed. There's one that starts above 3000m only a short drive (or even a bike ride, if you're fit enough and acclimated to the altitude) of me here at the Mountain Fastness. Even here in the house I'm at about 2300m above sea level. (Earth does not look flat from here. Earth looks bumpy.)

Re: not linear but curved

Probable-possible, my black hen...

Re: 2012

The Great Disappointment is a more impressive example. According to Schultz in Being Wrong, the Millerite believers probably numbered in the hundreds of thousands. Many disposed of all their worldly goods before the expected Second Coming. The repercussions of the Disappointment continue to this day - some of the post-Millerite sects are still going strong.

What we need to do is charter a flight that goes from west to east (following the jet stream) around the world and then north to south to north crossing both poles. If doesn't convince them, nothing will.

I can't see why that would be convincing to a Flat Earther. Hell, I believe the earth is a spheroid,¹ but if you told me I was on a charter flight that was going to circle the globe twice, following orthogonal routes, I'd think it more likely it was faked. What am I going to do, stare out the window and look for the latitude and longitude lines? "Oh, it looks like we're over the ocean. Oh, now it looks white - maybe we're over a polar ice cap?" Not wildly convincing.

We know from any number of psychological studies that firmly-held beliefs are rarely amenable to evidential challenge. Even beliefs in which people have little investment are hard to dislodge.

¹Or more precisely, in attempting to base my model of the world on Perfect Bayesian Reasoning, even while acknowledging the many limitations of the human faculty for reason, I view this postulate about the shape of the earth as the most probable, by a large margin. Indeed, the second most probable would seem to be the solipsistic reduction (there is no world, it's all in my mind).

Re: Super slowmo

Revocation is broken.

Revocation only helps if the CA enforces a new key pair for the new certificate. Considering how many CAs can get other basic requirements right, I'm not going to bet on all of them managing this one, either.

CRLs are a delayed mechanism, and they expire, which when combined with timestamped signatures make CRLs largely useless for some purposes (e.g. code signing). CRLs require the user agent (or whatever in the stack is responsible for fetching CRLs) periodically contact the CA to get the current list or a delta; that process is fragile. CRLs can be attacked out-of-band as part of an exploit chain.

OCSP is fundamentally broken - it fails unsafe. So an active attacker who can interfere with OCSP traffic can nullify it. OCSP adds significant latency, which makes client developers and users reluctant to enable it.

Forcing shorter renewal cycles is only useful if the CA verifies the key pair has been changed, too. And that the customer isn't just cycling between a couple of key pairs, and so on.

The PKIX revocation mechanisms (CRLs and OCSP) are hopelessly broken, so that's no help either.

The fact is PKIX, and X.509 PKIs in general, are a best-effort authentication mechanism, and "best" in this case is not very good. CT has helped somewhat. Google has actually helped somewhat, by using their market position to punish bad CAs. But we're still looking at a system that fails often enough that it's not even particularly remarkable when it does.

Personally, I'd really like to see Chrome and Firefox hold the line on this one, leaving Apple the odd vendor out. I'm not holding my breath, though.

Re: It's optional

Which is fine if you don't want customers who have ipads and iphones to access your content.

Eh, I'm OK with that.

The CA/BF doesn't use the RFC process. The cabal periodically gathers to moot new requirements, and sometimes members make changes unilaterally, as in this case.

Re: I understand

Personally, I'm not concerned if Safari rejects my certificates. Safari can fuck right off.

Where this sort of thing (like much of what the CA/BF does) is really a hassle is with certificates issued by private, intra-organizational CAs, for internal systems and testing and so on. It's just one more unnecessary failure mode.

I guess you don't read software-security mailing lists, then. Things like jackson-databind and Apache Commons have a rich history of vulnerabilities.

Jackson-databind just had a fresh one - CVE-2020-8840. It's only a CVSS 9.8 ("you're already dead"), though.

Re: Wasn't this done already years ago?

The article provides a link to the WICG Github repository for the STTF proposal, which has a README.md that explains their rationale, including how STTF differs from fragments and user-initiated searches.

Essentially, it comes down to "we didn't like either of the wheels we already have, so we invented another wheel".

I used to be annoyed by WHAT-WG, but WICG is far worse.

STTF isn't an API. It's a user-agent (browser) behavior initiated by an extension to the URI syntax.

Personally, I think it's crap; though as WICG ideas go, it's somewhere around median crappiness. I'm hoping Dragon (my choice of Chromium-based browser when I really, really have to use a Chromium-based browser) either doesn't adopt it, or lets me disable it.

(WICG notes that users can just use the browser's find feature to achieve the same result, but that "Fewer than 1% of clients use the 'Find in Page' feature in Chrome on Android". What does that tell me? It tells me there's no great desire in the user base for STTF.)

Re: Mapped Home key!

I couldn't say, since images don't appear unless you enable scripting, and I'm not going to do that for some keyboard hawker.

Re: Mapped Home key!

Yes. Especially for a task like clear-to-EOL, where you have to do Shift-Fn-Right and hope you haven't hit Ctrl or something by mistake.

My old Dell Lassitude has Home and End stuck up next to the function keys, for some reason, but at least it has them, and Page Up / Page Down. My newer Dell Derision has those stupid overloaded cursor keys, and I loathe them. (But at least it's in keeping with Dell's tradition of horrible design errors, something they've managed to achieve with every single one of the Dell machines my employer has ever saddled me with.)

Re: So what?

Certificates are not keys.

Re: So what?

Having the "signing certificate" wouldn't do you any good. Certificates contain public keys. You need the corresponding private key.

Giving that out to customers would be idiotic; a private key isn't any good if it's not private.

In order to make it possible for users to install their own firmware, vendors would need to provide some secure mechanism for authorized users (i.e. equipment owners) to disable firmware signature checks; or to add additional public keys to the collection of verification keys; or, if the device implements a full hierarchical PKI, to add root certificates.

At that point, we're likely back to putting the responsibility on the OS.

Re: flame on

Do you mean Mike Muuss?