Posts by Charles 9 16605 publicly visible posts • joined 10 Jun 2009
"Youtube does it now."
EXCEPT, like I said earlier, Internet watchers are more ad-averse. More of them see the ads as a deal-breaker and install ad blockers. That's why things like AdBlock and NoScript are so popular.
As for regional deals, that's because economic models break down when you go international, and for the content providers it means less money in the long run. And since it's their content, it's their rules. If the money doesn't match up, they can always lock it up so no one gets to see it.
The free-to-air stations are paid for by the advertisers (one problem Internet TV has is that its customers are more ad-averse than others). If a show doesn't draw people, it gets cancelled. Many cable networks take a cut from the providers, who in turn charge their subscribers. And the BBC has their television tax. Pirates, as the name imply, simply don't care.
As for the content creators, they're the ones stumping down. Their natural first question will thus be, "Where's the money, sonny?"
No, it can't be sniffed or they'd be able to break or alter the hash to make it look legitimate. Like with SSH, you need the whole conversation to be sniff-resistant or someone can find a way to inject into the session. IOW, an authenticated connection can't easily stay authenticated if stuff is transmitted in the clear.
"I'd rather see an extension to http/https that just provided signed digests of such blobs. The problem is the browser knowing two things:"
I made such a proposal earlier. I say make this an extension of HTTPS itself to request a hash/hashes of a page using current best practice algorithms (and allowing for better ones down the road). For static content, these hashes can be computed when they're uploaded (dynamic content by nature can't be cached anyway). Existing caches can be hashed client-side for a quick transition. Anyway, make the request by HTTPS itself to ensure at least a channel mostly safe from MITM (if this can be intercepted, so can the page itself, meaning you're screwed anyway). If the hash provided by HTTPS matches an existing hash, use the cached copy; otherwise, serve it and update the local copy. Simple enough to implement, I think, and it wouldn't have to interfere with the existing spec since it can work on top of it.
Dynamically-served data by nature can't be cached anyway. As for static data, perhaps a new convention will be to request a page's hash first (which can be done by a server as a page is uploaded--only needs to be done once per update) to compare against the local copy. If the hashes match, you don't need to get the whole page. If no match or no hash, you just proceed as you normally would.
Got any better ideas, then? Guaranteed any other method you can think up can be subverted just as easily by a resourceful adversary. That includes the Web of Trust.
Anyway, we're not thinking in terms of state adversaries but protecting against alteration mid-transmission, as Verizon and the Chinese Cannon have demonstrated.
"Too bad you could only give reasons why a website that you're handing over sensitive data should possibly use HTTPS. Too bad you didn't give any compelling reason why ALL websites should be forced to use HTTPS."
I thought we pointed out that ANY unencrypted communications can be MITM'd and altered to whatever ends (like Verizon's customer tags or the Chinese Cannon). At least with an encrypted channel like SSL/TLS (which HTTPS uses) it's a lot harder to achieve this.
"Why the hell does any of that need to be secure?"
It's WAY TOO EASY for someone in the chain to perform a Man-In-The-Middle attack on you, and before you say the information you serve isn't important, that wouldn't matter if it's the CONNECTION they want to hijack (which they would for something like a malware injection).
Then think about ISPs like Verizon that (whether you want them to or not) inject unique session cookies into all your web traffic that ad agencies can use to identify you. You'd have to think the practice will eventually become universal, leaving the only alternative to bail out of the 'Net altogether.
Put it this way. Do you leave your doors unlocked? That's what the HTTPS Everywhere approach represents.
"Driving is more than yaw computations. Sorry, was that a packet of crisps that can be safely run over or a rock that must be avoided by an aggressive manoeuvre. No time to get a response from Watson in this crappy 4G zone."
A packet of crisps would probably return a different infrared signature than a rock, Plus there's the matter of motion (a packets of crisps will react to the wind differently than a rock due to weight and aerodynamics). And if it's a rock IN a packet of crisps, that's pretty much sabotage at this point.
Put it this way. A LOT of thought has gone into the various scenarios that the average driver faces as well as how we as drivers identify and react to these. The bulk of that knowledge is probably in the prototype cars, already at hand no Internet necessary. Same for the maps.
Sidetone is most definitely not intentional and in fact has been a natural artifact of the telephone system from its inception...because of the single pair of communication lines involved. Two lines limits you to one conversation line due to the limits of electricity. Put it this way: without sidetone, you couldn't properly record a telephone conversation using an acoustic coupler.
There are two things which are intentional concerning sidetone. One is the attenuation of sidetone in traditional phones. This was because raw sidetone (at least since the introduction of the Edison carbon microphone) was too loud and made people speak too softly. The other is the introduction of sidetone in cell phones (which normally don't feature this because they can normally separate the two parties of the conversation) because otherwise people thought the signal was too soft and started to talk too loudly.
But if that were true, they'd have never implemented it in the first place, rather than implement it one time then drop it the next.
Anyway, a non-replaceable battery is a deal-breaker for me. I actually take care of my phones so they stand a passing fair chance of outlasting the battery, plus I've had incidences of batteries wearing out prematurely.
"Well, don't look at the majority of Linux distros if you decide to jump ship. With the advent of systemd, they'll all be rebooting at the drop of a hat."
Given that you can supposedly stop and restart init (which systemd is supposed to replace) without rebooting, how does systemd make things any different, unless you're saying systemd ties itself to the kernel, which I've yet to see. Why don't you PROVE that systemd forces more reboots.
But now with Android the dominant phone platform, you'd think Google would have the muscle to push back and INSIST on them being able to update Android themselves, regardless of manufacturer, as a matter of security. Make it a condition of carrying the Play Store and all of Google's special Android sauce. What manufacturer (apart from those like Amazon who have their own infrastructure) would refuse to carry that and hamstring their phones? Why wasn't this forced with Lollipop?
The WMC logo was primarily centered around PlaysForSure, the means by which a portable device can be given the capability to play otherwise-DRM-restricted WMV files. When .wmv fell by the wayside (mostly because Apple won that round of the portable player wars, meaning MP4 became the dominant format), so did PlaysForSure and the logo program.
Things like CableCARD receivers are the reason for the .wtv format. It allowed for the CableCARD to encrypt the recordings, enforcing DRM. If you use a FTA antenna (meaning no DRM), then the recordings are not significantly encrypted and can be converted (say to .dvr-ms) or used with a video editor like avidemux with only moderate effort.
I personally like the layout of Windows Media Center, but after the cable companies encrypted all the FTA channels (on the basis that satellite companies do it to enforce locality restriction), it just wasn't really fun anymore. I now record with a USB-based Happauge box that can accept HD component inputs that allow me to record HDTV footage. It's a bit clunky to use, but I can't knock the results.
The trouble is, as BOTH sides of the water proved hundreds of years ago, is that people NATURALLY form cliques or blocs. George Washington himself expressed it AND was right about the whole thing (he was against parties, too). BUT the behaviour is basically human nature and practically inevitable because parties represent strength in numbers: gangs for lack of a better term. George ended up being labeled a Federalist against his wishes.
"The check should stop at the first half of step 3. Any company with global revenue above XBn should be taxed locally in all countries it operates unconditionally. "Case closed". A number between 1 and 5 Bn is about right for that. Any bitching and moaning about the "adverse effects" is baseless as the entry cost of taxation at standard rate in a country is the cost of employing one measly account clerk. As you are no longer avoiding tax, you do not need to contract KPMG for 50mil to do your tax bill in all but a handful of countries."
Ever heard of "Smurfing"? The company will just splinter off into multiple smaller ones, each apparently independent and keeping their revenues under the trigger value. Plus they can argue what constitutes "doing business" until the sun stops.
"At least one LEO has been sanctioned for this and another came perilously close to being jailed for contempt late last year - in the latter case the entire body of evidence relating to the Stingray intercepts was withdrawn from the prosecution case with the judge's assent.
In other cases, the prosecution has withdrawn cases entirely rather than face being compelled to explain how the devices work."
Makes me wonder what happens when Stingray is used and they discover that they've cuffed a high-profile criminal like a serial killer. The high profile will mean they'll be under tremendous public pressure to get a conviction unless they're prepared for a riot (and recent riots have shown things aren't getting much better there with public relations).
For the record, there are different models of MK802, and the earlier ones used the infamous Allwinner A10 (newer models use Rockchips, which appear to be more open). The model IV looks pretty potent with a quad-core CPU and Android 4.2 onboard (there's a variant model IIRC that can run Ubuntu or a variant thereof).
"A well setup network will presumably use mac address checking and the like to prevent rouge devices connecting but I don't know how easy those are to be defeated."
And what's to stop a bad boy from pretending to be (or hiding itself in) a new device being sent in to replace an old one? Since it's coming in at the critical "first contact" phase, it's more likely to slip in unnoticed as it's thought to just be a new member of the team.
Then consider humble little potassium. We NEED small doses of it regularly because it helps regulate the heart, but one quick injection of KCl and your heart (and you) is not waking up (that's why it's usually the coup de grace of lethal injection).
Not to mention the average plugs take the better part of a decade to start wearing down and they're designed to not be that difficult to replace if you need to. I replaced all the sockets in the house I moved into (some 25 sockets, including three bathroom ones that required GFCIs) in a day and a half (would've been a day but some rooms couldn't be done right away due to being in use).
"I was in a rented flat for a few years with a landlord who would not allow me to put in any network cables or even put picture hooks up etc and with the amount of wifi networks in the area (counted 12 networks one day) i literally had zero signal in half the flat even with a buffalo airstation g54 high power."
No network cables at all, not even run along the floors and ceilings (which can be held in place with nondestructive hooks)?
"Q: If Achilles covers half the distance to his destination every day, when does he arrive?"
Question needs to be qualified. If "half the distance" is measured as of the start of his journey (which would make sense since most people travel relatively uniform distances), then the answer is obviously "two days". Your answer assumes "half the distance" is measured as of the start of each day.
True, but that requires the cooperation of other sovereign nations. And if the tax haven has sovereign power as well and doesn't want to play? Short of complete isolation (unlikely due to natural competing interests between nations), companies WILL find a way to funnel through the tax haven.
But if it's a company like Apple who produces products your citizens crave (nay, DEMAND), then you're in a bind. If you don't let them in, they'll probably start engaging in economic tourism to get it outside your borders (and your tax rolls).
So as the saying goes, what do you take: 10% of something or 100% of nothing?
"Despite what you may have been led to believe by the nearly unending presidential election cycle, there won't be any major US elections for another year and a half."
Doesn't matter. ANY politician sees 18 months as the beginning of the campaign season. They don't consider the next election "far enough" off until around 24 months or so. And that's why Representatives NEVER stop campaigning.
One-time pads are impractical, even today, and especially in areas where computers are unavailable. There's just too much upkeep involved, and that upkeep raises the possibility of the pad being intercepted.
As for how they found bin Laden, I recall the method was sleuthing and a bit of luck (they got a lead on a trusted lieutenant and carefully tracked him).
"Given the undeniable skills available to agencies like the NSA and in the private sector, it is quite likely that they could produce a system that would be secure far longer than the lifetime of any device that exists or is contemplated."
I don't think you can. This becomes similar to the Siege Problem. Basically, ANY system you come up with becomes a moving target much like a castle is. In a siege situation, time dictates that the besiegers will win out over the besieged because the besiegers are more flexible. And given that many of the NSA's adversaries are states themselves who would be even more motivated than the NSA to break through, and given that in most security, the intruder only has to be lucky ONCE...
"20 years? I already have 20 year old data that has survived the test of time by being always online."
How can you be SURE your online storage solution will remain viable 20 years down the road? Not just against an accident at the storage site but also a situation where the storage firm may no longer be in business?
That's one thing about local storage. At least you KNOW where to look to find the stuff, and if something starts happening you can take steps because you know where it located.
As for degredation, you take that into consideration with a planned level of redundancy as well as a rigorous rotation and inspection cycle to make sure your data stays fresh and to make any corrections should corruption be detected.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
