* Posts by Charles 9

16605 publicly visible posts • joined 10 Jun 2009

The age of hard drives is over as Samsung cranks out consumer QLC SSDs

Charles 9

Re: Maybe, maybe not.

"Already has with MDISC - a bit pricey but worth it imo."

Meh...pricey AND the capacity sucks. We need something like M-DISC but with capacities in the multi-TB range. I don't mind if it's slow (I once used a floppy-bus QIC tape drive), just to be able to reliably archive lots of stuff, and there isn't one in the consumer sphere at this time.

Charles 9

"It will be a VERY long time before the durability and price of SSDs even comes close to that of a mechanical hard drive."

Price I'll give you, but didn't MTBF ratings for SSDs leapfrog rust drives a few years back because of the lack of moving parts?

Charles 9

"Then you aren't buying the right laptops or desktops."

OR we're using older, "good enough" kit that was bought in an era when M.2 didn't exist yet.

Charles 9

Or compensate for them with things like error codes. This isn't cutting edge stuff.

Charles 9

Re: QLC? It's not the one for me

Another issue with SSDs right now is sudden catastrophic controller failure. Has this been addressed, also?

Charles 9

Re: 4Tb ... of what?

Tell that to someone with a serious media or Steam collection.

Charles 9

Fat lot of good when your laptop ONLY takes SATA (M2 pretty much has to be built into laptops). And desktops will have a hard time using an add on when the only slot that can carry it runs the GPU.

Charles 9

Re: A SSD on a Sata III...

But for many of us, that's all we have to work with...

For all the excitement, Pie may be Android's most minimal makeover yet – thankfully

Charles 9

And is there any reason the Android system STILL doesn't have a local backup facility, to include application data, in case of problems? It would remove one reason I wish for a root but can't due to root-aware apps I use (that and Knox).

Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher

Charles 9

Re: I tend to agree this is less than a good idea

"If it is reasonable to do a portscan at all it should be part of the login process. The Halifax comment saying that they want to protect customers is fine, except you are not just protecting customers."

The scan MUST be done BEFORE the login. Any point after is Too Damn Late; the malware can already read your credentials.

Charles 9

That can easily backfire. The key about loopback is that it's always there. No other interface is guaranteed, especially if it's transitory like a WiFi connection.

Charles 9

Re: "the scanning is done with Javascript running locally"

But what if the port scan script IS the login script: part and parcel?

Charles 9

Re: Where does it end?

Cleartext FTP is port 21. Secure Shell (encrypted Telnet) is port 22. Cleartext Telnet is port 23.

Cracking the passwords of some WPA2 Wi-Fi networks just got easier

Charles 9

Re: Quick Countermeasure

Just impersonate one of the whitelisted MACs. Plenty of network devices out there allow you to set a custom MAC.

BlackBerry claims it can do to ransomware what Apple did to its phones

Charles 9

Sounds a bit like file versioning, something tried in various older file systems but noted to have overhead issues. It would have to be root-proof, though, or a privilege-escalating malware will simply find a way to wipe the versions as well.

Game over for Google: Fortnite snubs Play Store, keeps its 30%, sparks security fears

Charles 9

"Instead of putting safety tape and bandaids on a razor blade, how about don't give the kids the razor blade in the first place ?"

And what's to stop the kid from FINDING the razor blade on his own? Or the loose porno mag tossed over the fence? It's not like yours is the only one in existence. And I can speak from firsthand experience about chance encounters outside of any parents' possible purview (albeit the chance find for me was a perfectly ordinary fantasy novel that drew my interest in the author).

Charles 9

Step 4: Kid learns parents' credentials, adds cards back, spends a fortune, then removes them again. That's always been the catch with these things: the assumption the kid isn't smarter than the parent.

Charles 9

Re: A free to play game

Like I said, if you're on Marshmallow, you have the ability to call this up as part of an install, and if you do it this way, it will ask if you want to turn the Untrusted Sources on just for that one install. It's halfway, but it still doesn't really sound fair that you have no way to change who is trusted and who is not on the phone...and as I recall, this is true even on AOSP.

Charles 9

F-Droid only allows source code submissions. The repo server expects to be able to compile the app itself, plus the app must be FOSS, and since Epic's code would be considered a Trade Secret, that rules out F-Droid.

Charles 9

Re: A free to play game

As I recall, the "one-time release" has been in place since 6.0 Marshmallow, but there's still no way to declare anything other than Google trusted...or to declare Google UNtrusted.

Charles 9

Well, to an extent, Epic would have a point calling out parents and so on for lack of oversight, and if adults overspend, at some point you'll just have to say, "Your funeral."

Charles 9

It should be relatively easy to counter with notes to go straight to epic.com to get the game along with sanctioned ads. After all, as noted, fake apps HAVE hit the Play Store, too, and a determined campaign is likely to be able to add more bad apps than Google can scrub (the ol' whack-a-mole problem).

Charles 9

Re: Will Epic launch their own 'Games Marketplace' now?

How will they do that without ticking off enterprise users with their homebuilt apps?

Charles 9

Re: A free to play game

Where in the article does it show how to add F-Droid or Epic as a trusted source so you can install from them without the Unknown Sources checked like you can with Google Play? Smacks unfair to me that Google can be listed as a trusted source when no one else can.

Charles 9

Re: I can't blame Epic for doing this...

Why can't Google counter with Apple's walled garden: contending that Apple keeps its own ecosystem with it as sole proprietor? What nailed Google wasn't Google Play Services itself but the way it beat OEMs over the head with it.

Charles 9

Re: Will Epic launch their own 'Games Marketplace' now?

Not really, given the usual condition of being published on F-Droid is being required to post the source and let F-Droid compile the app itself. Yes, I know there are exceptions, but IINM not for the baseline source code requirement.

Charles 9

Re: this is only news because fortnite

Then how come you don't have to go through this for the Play Store? Why is it the ONLY repo that gets trusted this way? Why is there no way to add or remove trusted sources?

Charles 9

Re: A free to play game

Still, it raises questions. Why is it that there's no way to change that Google is the only source that can be trusted in Android almost all the time? Why isn't there a way to add or remove trusted sources in some hidden setting?

OpenAI bots thrash team of Dota 2 semi-pros, set eyes on mega-tourney

Charles 9

Removing what you describe removes the real-time aspect of the game (it's a derivative of RTS), meaning you'd need to consider another genre altogether. Removing the reaction time handicap pretty much means the game has to have a controlled pace, such as a turn-based system like 4X.

Charles 9

Re: How about

"Watch the screen, use a controller ..far easier for bot to know what is going on when data presented to it digitally - give it the much harder task of decoding the visual data as presented on a screen."

Based on what I've read, they're working their way towards a reasonable facsimile (having no more information than would be visible on an average player's screen). There's no need for the computer to have to read the information in the same way as humans can (as humans carry evolutionary advantages of their own re: processing visual information), just limit the amount of information available at hand and you're already a lot closer to information parity. As for input methods and so on, the reaction time helps in this regard. Professional players use dedicated hardware of their own for maximum throughput and are well-coached in team communication so that offsets the inherent efficiencies of the computer team.

I think the article itself comes off as very fair in its assessment. It won, but there were still conditions. It'll be interesting to see what happens at The International. And then we'll see what happens going forward.

DEF CON plans to show US election hacking is so easy kids can do it

Charles 9

Re: As an outsider to the US election system...

How do they control, though, for rich rogue outsiders like Ross Perot who can finance a campaign single-handedly, even to the point of outbidding parties for airtime?

Charles 9

Re: All bull until real voter ID

It's simple. The anti-ID people counter with two words: "Papers, Please!" The basic problem is that it's a dual-use part-and-parcel problem. The very thing you need to prove your identity for such things as voting and benefits can also (and inseparably) be used to prove your identity against your will when (not if) the State should turn against you.

IOW, the biggest risk about the ability to be identified...is the ability to be identified.

Charles 9

Re: The Solution

They don't scale except when it comes to national-scale political parties. They're the only groups large enough to go everywhere.

Charles 9

So it presents a dilemma. How do you clean up an election process that requires elections to clean up?

Never-never chip tech Memristor shuffles closer to death row

Charles 9

Let's wait until a serious firm actually employs the process to produce actual large-capacity memristor chips and puts them through the wringer.

Password strength meters promote piss-poor paswords

Charles 9

"and no, no way you could install cameras to catch it either"

Really? You know how small they're getting. How do you keep a camera from being hidden IN something (including something already there like the computer case or monitor)? Is the room TEMPEST-rated?

'Unhackable' Bitfi crypto-currency wallet maker will be shocked to find fingernails exist

Charles 9

Re: Duress codes

I'm pretty sure it happened in China and Russia at some point in the past, although of course they'll never admit it. Put it this way. The enemy isn't stupid, and "we have ways of making you talk."

Charles 9

Re: Duress codes

"It doesn't have one, but if you insist". Enters the access code backwards, which wipes the unit (at that point you should consider the device irretrievably lost/inaccessible to you anyway)."

At which point you're really shot for being expendable and a prick since you'd be doing something he'd ALSO know about and warn against.

Charles 9

Re: The universal law

He's not. He's asserting if ONE person can access, ANOTHER can by impersonating the first, and that there is no real way to prevent this physically.

Charles 9

Re: Perfect vs Trade-offs

True, plenty of data is ephemeral, but a lot isn't as ephemeral as you think and can easily become Six Lines. And the enemy, like I said, is either patient enough to wait you out or resourceful enough to beat the clock.

Charles 9

At least if you're mugged, they can be sure by stripping you of your clothes. Also makes it harder for you to call for help since a cop's first reaction may be to arrest you for Indecent Exposure.

No such equivalent exists in the digital world because of lossless copies.

Charles 9

Re: Perfect vs Trade-offs

"In fact, all security is like this. There is no absolute unbreakability, but we can invest in a level of difficulty which is appropriate to the value of the asset and the capability and intent of adversaries. If you're using an encryption scheme with larger key sizes, for example, you are not guaranteeing that your messages will never be broken, but you are ensuring that they'll remain secret for, say, 50 years. (Notwithstanding quantum possibilities, which are driving some paranoid agencies to deploy high-tech one-time pads again.)"

But the problem with your idea is that cryptographic warfare can easily get VERY asymmetric. Like you said, what if the US actually has a working quantum computer hidden under its data center in Utah? Then most every encryption out there is already broken wider than open, and practically all the post-quantum algorithms out there have weaknesses that can be exploited to break them. Even the one-time pad is not immune. You simply have to take your quarry by surprise and they won't have a chance to destroy the pad before it's used up. Even if they do, you've disrupted their communication channel, meaning they have to get another, opening up avenues for interception and doubling.

In the end, cryptographic warfare is a lot like a siege. You can only hold out for so long. Problem is, many of your adversaries are either patient enough to wait you out or resourceful enough to overwhelm you.

Sitting pretty in IPv4 land? Look, you're gonna have to talk to IPv6 at some stage

Charles 9

Re: It'll never work

OK, riddle me this, Batman. Since IPv4 has a hard-coded 32-bit address limit, with NO room for expansion anywhere (and no, you can't trust the option field like EzIP proposes, it's not considered trustworthy), how do you expand the address space AND keep your IPv4 compatibility? It's like trying to cram 13 eggs in an egg carton only built for 12. OR having more people than your building's fire rating allows. At some point, you MUST start fresh. That's what IPv6 represents; at which point it's either go with the flow or get off the Internet.

Charles 9

Re: Never!

Exploiting an open connection is always an option, NAT or no. But if the internal device is purely internal (does not connect to the outside), then you basically have no way in if you're trying to connect from the outside, and you don't need the firewall for that; it's simply a matter of the basic rules causing incompatible routing. I originally said an unpublished number but it's more like a PBX: without a pre-existing route or help from the front desk, you can't just dial into any old extension in the system.

Put another way: why is Carrier-Grade NAT considered such a PITA if not for that catch?

FBI boss: We went to the Moon, so why can't we have crypto backdoors? – and more this week

Charles 9

Re: if we can put a man on the moon, we can...

It's not so much whether we can or not. It's that we don't want to. Against the costs, the reply is usually, "What's the bloody point?"

Charles 9

Re: Mr Wray

So like I said, he doesn't believe in math and should be dismissed, yet as another has said, people get voted in FOR not believing in math. Makes you wonder how we ever get things done outside of a crisis...

Charles 9

"Proof of having blackmail goods has to be more substantial than just a little taste."

For it to be an actual taste, it has to be a FRESH and PLAUSIBLE taste. They made the mistakes of (a) using stale data and (b) making a nonsense threat. A REAL blackmailer would actually have dirt and attach say one of the files they exfiltrated as proof.

Charles 9

It's not that we can't do it. It's that we don't want to do on the grounds of, "What's the bloody point?"

SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages

Charles 9

Re: Just add a VPN…

Yeah, they'll just pwn the entry point in an "outside the envelope" attack.

Trump 'not normal' FCC commish reveals amid Sinclair-Tribune mega-media-merger meltdown

Charles 9

Re: The Fake President is the epitome of Greed

"And he would have fared no better than his immediate predecessors in trying to maintain a government had he not done something that they didn't --> mount a military coup against the country he was supposed to be running."

Point was, it was by design IINM. A sufficiently-resourced adversary tossed the laws aside like ink on a page. Where have we seen that before...?