Posts by Charlie Clark

By all means go after Google for being a massive slurper of personal data but don't let this blind you to what it does get right. Google has a pretty good record on security and was proactive on it years before it became fashionable and it took a lot of flak for its project zero, which has, however, now become standard. This may all be good business including polishing its reputation but I also think they're aware of the potential financial risk when systems become compromised: these could be customers losing data but it could also apply to its own employees.

Re: Seriously, author?

Great additional explanation. I think the privacy concerns are related to other sites attempting to get the device's and hence user's public key for tracking purposes, so single use is reasonable.

I agree that better solutions might be possible but think we should welcome the idea and potential proof of concept: it's certainly an improvement on the current situation and the rising risk.

You might want the same profile but do you really want the same sessions? This would be handing over the session data to anyone else on the network.

http was traditionally stateless to save resources: connections were never intended to be persistent. However, as soon as logging in was required, persistence was required and we got sessions. These don't have to be secured by cookies, but the alternatives: session ids in the URL were even easier to steal, especially before everything was encrypted.

http/2 isn't really stateless any more as connections are often persistent (servers are much, much beefier and the protocol has been adapted to suit multiple requests from the same device) but the rest of the stack is still required and as more and more "important stuff" goes over http, the desire to obtain credentials for nefarious tasks rises.

Re: Seriously, author?

Edge is based on Chromium; Chrome itself contains all kinds of Google-specific stuff.

I'm not 100% confident but the implementation looks like a reasonable mitigation against session-stealing. I don't think that a single pair of keys is the idea: amongst other things, this would make tracking a lot easier. But also, if the validation is happening on the client then public keys are only exposed when the cookie is first set up. However, it might still be possible to cause trouble if the public key can be intercepted and, therefore, reused at the right moment.

And, if the implementation degrades reasonably, it can be provided when supported, dropping down to other mechanisms when its not.

Re: No surprise to anyone here

In other areas of industry, fines and even criminal procedures might be the result, but for software all you need to do is not look too smug in front of the cameras, as you pocket your bonus and promise to do better.

Musk might agree: "a serious annoyance for me! Who cares about the saps sitting in trains?"

Re: "it may shift investment from Italy to other European countries if the situation is not resolved

And it also has to comply with the spectrum rules of whichever country it wants to provide the services in. Compliance is something Musk and his ilk has never been keen on.

Good ones patch them, better ones wait to know whether the patches break anything. The clusterfuck of 2021 caused all kinds of supposedly unrelated problems.

Re: Apologies to Jim Croce

I didn't think much of the Christmas reboot. Doctor Who should lead by being itself rather than listening to the luvvies on the media pages, of which the Grauniad is probably the worst example: should never have left Manchester.

If he's not currently on a board, he's probably not interested in being on one.

The key thing is that he has decided to settle out of court and take the punishment rather than risk the consequences of a court judgement, including potential civil suits. As it is, this is done and dusted and he can get on with enjoying his hobbies.

Re: Python, eh?

It's obviously largely down to personal preference and experience but it was a design decision specifically to make it easier for non-programmers to learn how to structure their programs.

Python has long outgrown the "hobby" domain and has been used successfully in large systems for well over a decade. While there are attempts to backfill the language with "real" features of grown-up languages, these are often misapplied by over-enthusiastic novices. I'd argue Python does best when it sticks to its strength, which is focus on clarity of expression, and all lets all the memory critical stuff be done by C/C++ or increasingly Rust.

Re: my editor doesn't help me like it does with braces

You say the removing ambiguity is bad without qualification. In general, removing ambiguity is considered good because it reduces possible errors due to it.

Re: Python, eh?

The whole point about indentation for structuging is that it isn't subtle. It's not that you don't get errors but they're usually glaringly obvious, as opposed to those due to incorrectly nested brackets of whichever variety.

Re: Python, eh?

Old and new? I assume you're talking about going from Python 2 to Python 3: Python 3 has now been around longer than Python 2 was and it contained many major changes between 1.6/2.0 and 2.7.

The change I dislike the most was turning print into a function. Since Python 3.3 (when we got u"" back) I've had few complaints with the language itself.

Re: Python, eh?

We're all using code that is so complex that no single person could have written all of it, or do you think you could write your own modern OS or web browser?

And it's not as if the Python language is the risk or the source of exploits, these are all too often in C-libraries and C remains famously difficult to write safe code in, even for experts.

But this attack has nothing to do with either: as so often, it relies on getting people to install stuff without thinking. This is the same as the first PC viruses or even the jokers who got people to run scripts like rm -rfd /.

Re: Curved sausages

Savaloy

Re: First hit is always free-ish.

Word has always suffered from effectively embedding the printer driver in the document. I think this goes back to the GDI / printer mismatch and was an attempt at a quick WYSIWYG fix.

My first version of MS Word (version 2.0) came with a brilliant tutorial that emphasised the importance of using styles to format documents and was my introduction to this approach. The tutorial was missing in the next version (6.0) which had all kinds of additions that pandered to the ad hoc approach.

Re: First hit is always free-ish.

It (OnlyOffice) runs fine without the cloud. It's not perfect but for many it's nice, slimmed down version of MS Office. It's "free and open source" but it seems for some that there's only room for LibreOffice in this space.

Microsoft has an expensive subscription package to help you do that badly…

Re: First hit is always free-ish.

Writer was always the, ahem, star of StarOffice, as it was originally called. MS Word does some things well but has never got over some of its original limitations.

Re: First hit is always free-ish.

You might want to look at OnlyOffice for a slimmed down Excel clone that does most of what you need.

Could make proving someone else is using it a bit difficult.

In one of my current projects I've started getting notices from Microsoft that our Power Crapp Environment is running out of disk space. Not sure what it does, though it looks CRMy but it also looks like a solution looking for a problem, like so much of Microsoft's stack. I think the aim is to tick enough boxes so that people think they can use it instead of another solution and thereby put another nail in the lock-in coffin.

Whatever the problem, Sharepoint isn't the solution™.