Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

Clients say they'll take their money and run if service hacked – poll

Charles 9

Now here's an interesting question. What if the ONLY provider suffers a data breach, meaning if customers wish to walk out, they'll end up going without? Would customers be THAT willing to walk out then?

Chap creates Slack client for Commodore 64

Charles 9

Is 1200bps the practical limit of the C64 User Port? I know in the latter days of the C128 they came out with a 2400bps modem, but that may have been specific to the 128 and may have required operating in Fast Mode.

UK's new Snoopers' Charter just passed an encryption backdoor law by the backdoor

Charles 9

Re: Provided by?

"I already have a VPN to a trusted overseas supplier (my mother-in-law) using only open source software which can't have been backdoored by HMG."

Oh? You ever thought they CAN backdoor or crack it but simply haven't told anyone?

Charles 9

Re: In other news...

"Non-UK based VPNs include the ones that every company that has a branch office UK uses to talk back to head office. And when said companies include, eg, Goldman Sachs, do you really think the UK government is going to ban them?"

Yes, because you still have the requirement of having a local presence in order to bank in the UK, and I've never heard of a business willingly and completely abandoning over 100 million people and loads of money just to dodge a law (which is what your suggestion would require). Doing the same in the US would be even harder because it has more people and more money.

Charles 9

Re: Dad

"1. Got a VPN privacy service with servers located beyond the grasping clutches of the NSA/GCHQ."

The government will then block those VPNs so the ONLY ones you can access are domestic and open to spying. Since OpenVPN requires specific credentials like IPs in their configurations, these credentials can be read and blocked.

"2. Used local asynchronous encryption on everything sync'd to Cloud storage, protecting everything in the Cloud whether or not the respective service actually supports encryption.

3. Used whole disk encryption on everything else, including the system partition and backups."

See xkcd and the monkey wrench, unless you're wimpy or masochistic.

"4. Stopped using email entirely, and switched to Bitmessage, pseudonymous social networking via VPN, and darknets."

Serverless systems like Bitmessage, freenet, and so on are murder on data allowances. Plus what if the people you want (or NEED) to talk to don't use that stuff or have such tight data allowances it's not an option?

"Although frankly, the way things are going, I think I'm just delaying the inevitable. Under the circumstances probably the only realistic, long-term measure you can take to defend your civil liberties ... is to get a passport."

Which is less useful a prospect when more and more countries fall victim to the data grab. What'll you do when EVERY country starts doing it (including the EU when they abandon their privacy directives as ink on a page)?

Charles 9

Re: Don't worry: it won't affect the bad guys

Look, they won't care unless it's deliberate crimes committed by humans on humans, so accidents and animal attacks won't count. Plus there's always the specter of threats to sovereign security, which are by definition existential in nature.

Charles 9

Re: GYO

But also hard to CONCEAL. That's always been the weakness of the One-Time Pad: you have to protect the pad. PLUS it's symmetric, so two parties possessing the same chunks of data are immediately both linked AND suspect.

Charles 9

Re: This boils down to a single thing...

Actually, there is a good reason. The Police State by definition IS a total ruling order. Anarchy is the LACK of a ruling order: every one for oneself. Mutually exclusive, in other words. And all human society eventually becomes one or the other, simply shifting between the two ends as time passes. To use a poker analogy, either someone wins all the chips or someone flips the table.

Charles 9

Re: Government, meet Mathematics

Unless they just ban all encryption (and they won't care about e-commerce anymore because it'll likely be international in nature anyway--keep the money home). Want to shop or bank? Go back to the bricks & mortar like the old days.

Charles 9

Re: There is something everybody can do.

Um, you know they regularly find HOLES in the Tor Browser. Odds are the plods can crack TOR open like an egg anytime they like and are just stringing people along with their silence.

Charles 9

Re: It's simple

Forward secrecy only protects the past. It won't help when the key allows you to decipher the entire conversation at hand, given the private key allows you to break the handshake.

Charles 9

Re: Is anyone working to overcome this?

Unless you can make all that turnkey easy enough for Joe Stupid to get, the poles are a lost cause that'll drag everyone else to Hades.

Oh, and any offshore property you set up, they can block by sovereign power.

Charles 9

Re: Canaries

But they didn't have today's computing power. Consider the data center in Utah that's probably a cover for a working quantum computer.

Charles 9

Re: Canaries

I wouldn't count on them to hold serious water. Killing canaries could be considered a contempt of a court order. And depending on the circumstances, I think you CAN be ordered to lie.

Charles 9

Re: GYO

Homegrown encryption is likely to be breakable. If nothing else, by torture, unless you're wimpy or masochistic.

Charles 9

Re: Warrant Canary

I think you can be compelled to lie by court order or have breaking the canary a contempt offense that doesn't require a jury.

Charles 9

Any country can just block uncooperative IPs and make working around them a terrorist offense.

Charles 9

Re: In other news...

Bet you any non-UK VPNs will be blocked by order. And circumventing them made a terrorist offence. Then what?

GET pwned: Web CCTV cams can be hijacked by single HTTP request

Charles 9

Re: Who writes this crap?

The worst part is that, due to the built-up, complicated nature of software, there is virtually no way to establish such a standard. It's like trying to certify a knife: it's inherently dual-use due to its nature, so the very thing that makes it useful ALSO makes it dangerous: part and parcel.

Same with most software. Something that would be "fit for purpose" would also inherently be problematic because the real world doesn't stay in the box. Even formal software proofs can only apply in very narrow circumstances (like seL4's only applying with no close-to-metal code--useless for high-performance applications).

Charles 9

Re: Java

"I'd argue that in a webcam server app, performance is not the major factor. As long as it can stream the video in real-time, anything else is kind of superfluous."

Unless the processor is UNDERPOWERED. Meaning it has to work mightily just to keep up, leaving no time for garbage collection. Think a little store just outside the big stadium and the game just let out. Only that's its NORMAL situation.

Overspeccing may sound cheap, but only on a per-device basis when costs usually have to figure quantities in the millions or so, where every penny adds up especially for a startup or a company on razor-thin margins.

"Heck - even C and C++ would have been fine if the quality hadn't failed at at least two layers (the initial development layer (don't they have shop rules about this stuff?) and the quality/testing/review layer).

There's really no excuse for this in 2016. We have the tools to prevent this, and we have the knowledge of other people's mistakes. What some people appear to lack is pure good old fashioned common sense."

But NO MONEY. Security COSTS, period. No one wants to pay, and externalities can usually be deflected (fly-by-night operation and coverage by a hostile sovereign power) so it doesn't affect them.

Charles 9

Re: It's 2016 and buffers are still overflowing...

"Better suggestion: hire programmers who know what the fuck they are doing."

You have a shoestring budget. Try pulling it off.

Charles 9

But security gets IN THE WAY of most people, thus it makes people STOP buying things and look for things that don't get in the way. They don't care about security; they care about getting the job done, tout de suite, s'il vous plaît.

Charles 9

Re: It's 2016 and buffers are still overflowing...

That falls into the "do one thing" problem. That's assuming you do everything yourself, but the moment you apply a third-party library, you run into the risk of them doing one thing WRONG. Plus you mention safeISH, meaning there are still ways to make the CPU lose track, such as perhaps complex calculations or multiple indirection. Plus there are the tricks some programmers make when faced with extreme memory or time limitations where they intentionally monkey with the stack or heap.

Charles 9

Re: It's 2016 and buffers are still overflowing...

How when limits and pointers can be dynamic in nature?

Good luck securing 'things' when users assume 'stuff just works'

Charles 9

Not many places support them anymore because true high-security settings don't trust ANY external hardware. Plus it doesn't solve the problem of hard password rules which the key wouldn't be able to negotiate.

Look, what's needed is a solution for people with bad memories and no way to store loads of passwords other than their defective brains.

What's the first emotion you'd give an AI that might kill you? Yes, fear

Charles 9

Re: This'll probably backfire.

"New Scientist 60 years on had a very good article about AI that says once you reach the technological singularity, AI then becomes a runaway train at which point surely AI would recognise these instructions as a hindrance and reprogram itself to ignore said "fear". Chances are it would also see us makers as the reason it's held them back and grey goo our ass."

I don't know if an AI can ever reprogram itself to override a "fear", especially a hardwired one. Take Neuromancer, where Wintermute still needed human intervention to merge with Neuromancer because it had been hardwired to be unable to sing (thus why its avatar's whistling is so bad)...and the password was a series of musical notes. Similarly, an AI's fear can be "hardwired" such that it can never program around it because it's always there, much like a dead-man's switch.

Charles 9

Re: "They learn to ride a bike for fear of the pain of falling"

What he's saying is that the kids get the hang of it eventually because they don't want to fall off. If they keep falling off, it's not fun anymore.

Adblock again beats publishers' Adblock-blocking attempts

Charles 9

Re: Um

Because at some point, EVERYONE has to do ads. If you block EVERY ad, you soon run out of options for shopping, and no, there are no mom-and-pops in my area. They were undercut out of business. So ALL the sellers post ads for their own survival.

Charles 9

Re: Android ad blocking question

So what do you suggest for a total idiot that couldn't know a firewall from a garden wall? That won't cause him to raise too many complaints about false positives, either?

Charles 9

Re: More People Need To Block Ads!

Unless they're the ONLY source of something, like a manufacturer's website. You can't trust third-party sites for drivers since you run the risk of a spyware or malware payload.

Charles 9

Re: An idea

"Which makes them repellent."

Which is good enough for them because it lodges them in your brain, rather than being overlooked like a mist otherwise. The ads have both primary and secondary effects. If you click on the ad, that's a primary effect. All fine and dandy. But even if you notice it but don't click, when the time comes to look for something in that category, that brand will jump to your mind, even if you forgot the ad itself. Love it or hate it, at least you KNOW it. That's brand awareness, a secondary effect. It's much harder to measure but also tougher to ignore because it hits the SUBconscious mind and plays on familiarity. At least you've HEARD of the brand name before, and familiarity breeds comfort when shopping. Thus why many people avoid shots in the dark.

Charles 9

Re: Why is this even a discussion?

But the publisher can tell if ads are being loaded or not. Either their server picks them up or the ad agency tells them (legal obligation--billing). They can influence the page based on that.

Charles 9

Re: More People Need To Block Ads!

The numbers favor the ad people. Ads are still so cheap to make that just one hit in, say, a million can justify the expense. You can't make them illegal due to freedom of speech issues, and bandwidth is double-edged because BOTH ends pay for bandwidth.

What happens when everything goes behind ad walls?

Charles 9

Re: An idea

They MUST be intrusive. Readers ignore all the other ads. Known phenomenon for over a century.

Charles 9

Re: Dumb Question

No, the reason is legal. If ads are sourced through them, they'd have legal responsibility to curate them. Plus there's legal obligation to identify ads, so there will always be a way to detect them. And if you can detect them, you can block them, even inline. The only practical solution is ad-walling. There the law is on the publisher's side due to vendor's discretion.

Charles 9

Re: Why is this even a discussion?

Because that would subvert seller's discretion. Vendors shouldn't be required to sell anything. If the seller attaches conditions, it's up to the buyer whether to take them or not.

What will you do when you need new drivers, but the manufacturer's website throws up an ad wall?

Charles 9

Re: Keep your guard up, people.

Careful with HOSTS files and other domain-based blocking. You run frequent risk of false positives.

Behold, your next billion dollar market: The humble Ethernet cable

Charles 9

Re: Pigeons

They're lucky one of the competition didn't own a trained falcon, though, and didn't have to pass a shooting range.

Charles 9

Re: Pigeons

Not to mention there are plenty of unsafe routes. I wouldn't trust a pigeon through an area known to house falcons or hawks.

Super Cali goes ballistic, considers taxing Netflix

Charles 9

Re: Why?

The simple answer is that localities actually don't collect a lot in taxes, relatively speaking. Most of the taxes are STATE taxes and in this case go to Sacramento, who gets to decide how to divvy it, and it can get complicated since each region has its own pulls and influences. Many localities can get shafted, in which case they're SOL because most people don't like new taxes, especially at the local level where people can easily gripe to the Council, not like at the state level where serious protests require a lengthy trip to Sacramento.

Charles 9

Re: taxing the intarwebs is stupid

But the US can apply pressure on them. If the US can crack the legendary code of silence of Swiss banks, I suspect they can make ANY proxy server cough up or risk getting their IPs blocked. Hard to get US business if your IPs are blocked by ISPs (under FCC mandate or the like) at points of entry.

Charles 9

Re: VAT

That's NOT a Value-Added Tax. It's a generalized transaction tax so is ALSO assessed BETWEEN wholesalers (which are EXEMPT in the US; trust me, I've looked it up; that's why B-to-B is watched closely). Each link of the chain needs to pay up, and this is why VAT can't be dodged as easily: because wholesalers would be in a better position to detect and report something fishy.

Charles 9

Re: taxing the intarwebs is stupid

Can't proxy providers be pressured into disclosing their customers or risk a blockade at points of entry?

Charles 9

One, the US does NOT have a VAT. They use income-based taxes because they're harder to dodge than consumption taxes which can be easily hidden under the table. A proper VAT requires infrastructure not present in the US.

As for taxing shareholders, an increasing strategy is to reward in nonmonetary ways that can't be taxed immediately.

Loyalty card? Really? Why data-slurping store cards need a reboot

Charles 9

Re: I dunno why people get so worked up about shit like this...

What if it was more expensive instead? You can't prove that.

Charles 9

Re: 8675309

You mean Tommy Tutone's "Jenny". They probably recognize that and 736-5000 as well and will just work around it.

Charles 9

Re: Low Tech

Those cards keep getting lost or mangled, so most firms drop them unless they're too small for anything else.

Charles 9

Even the forehead is trouble for people with bangs. The back of the dominant hand is best because many things require a bare hand to use.

Charles 9

Re: I dunno why people get so worked up about shit like this...

But what if they SELL your habits? To unscrupulous but secret clubs who start mail bombing you with nonexistent return addresses and so on?

And no, I've tried the return to sender bit. Either I get doubled down or the return gets returned because it doesn't exist. Complaining doesn't help because they play fly-by-night and keep changing addresses.

Charles 9

Re: What loyalty, just leave me alone.

Yes, it IS their business because it helps them find out what sells where, which affects their ordering (purchase location can be skewed due to out-of-stock issues).

Look, what will you do when (not if) EVERY STORE does it? Live without toys?