* Posts by Loyal Commenter

5761 publicly visible posts • joined 20 Jul 2010

Microsoft Exchange Autodiscover protocol found leaking hundreds of thousands of credentials

Loyal Commenter Silver badge

Well, "yes and no". A cryptolocker requires root access to encrypt things. It doesn't necessarily follow that it needs a user logged in with admin permissions. I'm sure there are plenty of 0-day privilege escalation exploits out there. Like, for instance, that recent one where you plugged in a Razer mouse and the installer got hijacked.

Escalation exploits don't only exist in Windows systems, for example, that SUDO flaw in *nix that was reported earlier this year.

Loyal Commenter Silver badge

Because everyone else is just as bad, and people have generally standardised on one OS for most office based work?

Loyal Commenter Silver badge

I always wondered...

...what the rather opaque "autodiscover" was doing when used in code to connect to an Exchange mailbox.

Now that I know, I have to say, I'm not very impressed at how shoddily it has been designed. Both with the "failing upward" to attempt to authenticate against a fixed TLD (I mean, just WHY?), and to being designed so that the initial connection attempt contains credentials...

I suppose I shouldn't be that surprised, given that the "protocol" if you can call it that, came about from the people who wrote MS Exchange.

Electron-to-joule conversion formulae? Cute. Welcome to the school of hard knocks

Loyal Commenter Silver badge

Re: "a multitude of fresh qualifications counted for naught"

...after writing that, I realised a simpler answer. Assuming the tank is metal, and in contact with the water at the bottom, there's no need to lower the first wire, just attach it to the tank by the inspection port!

Loyal Commenter Silver badge

Re: "a multitude of fresh qualifications counted for naught"

You are on an oil tanker. You have an ohmmeter, a weight and spool of wire. You are by the inspection port of one of the tanks (of which you know the dimensions). There is some oil in the tank. Under the oil is some amount of sea water. Determine how much oil there is in the tank.

Ok, I'll bite - I can think of a way that involves two weights...

Attach one weight to the wire and drop to the bottom of the tank. Cut the wire and attach the loose end to the ohmmeter. Attach the other end of the spool to the other side of the meter, attach a weight to the other end and slowly lower it into the oil. When the measured resistance suddenly drops, pull the second wire up, and measure how long the oily bit is. That gives the depth of the oil. Multiply by known cross-sectional area of the tank. Don't get blown up by any electrical discharge igniting the petrochemical fumes.

So I’ve scripted a life-saving routine. Pah. What really matters is the icon I give it

Loyal Commenter Silver badge

Re: Try living in a building...

Getting an address changed in the PAF may be pretty simple. Getting all the businesses and web sites that use the PAF to update to the latest version, not so much. I believe this is a "known problem" with people who move into properties which are on newly created roads, for instance.

Loyal Commenter Silver badge

Re: Try living in a building...

(assuming it's not listed)

Guess what...

When you live in an area that has a lot of Georgian buildings, some of them are, shock horror, listed buildings.

The building name is actually on the gate at the front (in a wall which is also listed, before you make any "suggestions"). It doesn't help if the courier doesn't bother to look for the building.

Loyal Commenter Silver badge

Re: Try living in a building...

Hardly posh, it's a flat in rented accommodation. It just happens to be in an old building, which predates all the numbered buildings in the same area.

If you want to get in touch with the building's management company (which consists of at least three different landlords and three property owners, as it covers the neighbouring houses as well) and get them to arrange with the Royal Mail to assign a number to the building, then be my guest. My life is too short to get entangled in that sort of bullshit.

Loyal Commenter Silver badge

Try living in a building...

...that has a name, and not a street number, and for which the postcode lands anyone using Google Maps 200m down the road by some shops.

Oh, and did I mention that there is another building, with exactly the same name, about half a mile away on a different road, and with a completely different postcode.

Most couriers manage to find the correct address with few problems. Sometimes they need to call and be given directions.

Certain couriers, who shall remain nameless, but whose name rhymes with "nodal", sometimes deliver to the other address with the same name, sometimes to a building with the same house number as our flat number, and, on one occasion, to a house on an adjacent street with the same number as our flat number, but so far, never to our actual address.

It's not like our building is even a recent one. It is a Georgian building converted into flats, which has stood here since before the time that houses were commonly given street numbers...

De-identify, re-identify: Anonymised data's dirty little secret

Loyal Commenter Silver badge

Re: how it works for US ZIP codes

UK postal codes are very similar. Aside from a couple of peculiar exceptions (Girobank, and Santa spring to mind), they are structured as an "in code", and "out code", and, the bit you don't normally see, a "delivery point suffix" (DPS), so a full UK postcode might look something like SW1 1AA 1A. The "in code" corresponds to a postal area (usually a single sorting office AFAIK), the "out code" is the street area, down to 10-20 properties, or so (although it may be up to a couple of hundred flats, or just one house), and the DPS uniquely identifies the specific letter box. The DPS is only really used in mail sorting - those weird barcodes you sometimes see printed on a letter contain the full post code, and the Royal Mail will give bulk senders a discount if the mail they send is pre-sorted with DPS barcodes printed on them. They provide something called the "Postcode Address File" (PAF) to businesses, at vast expense, which allows every single address to be looked up, and the DPS allocated. The PAF could certainly be useful to any crook trying to de-anonymise data if cross-referenced to other postcode data.

I know far too much about this subject due to a job I once held which was largely based around cleansing and sorting data and printing and sending mailshots for various organisations.

Loyal Commenter Silver badge

Re: "Control and accountability disappears when you hand it over."

Let's turn that round. Why shouldn't they be?

Because that would have a stifling effect on service providers.

Say, for example, that you are running a medium sized business with a few hundred employees, and you want to get another company to handle payroll for you. Should you be held responsible for a rogue employee of that payroll company stealing that data and attempting identity theft on one of your employees? You've given the payroll company the data they need (presumably, names, bank account details, NI Numbers, salaries, etc.) and they have agreed to use those data for the purposes of administering payroll for your employees. If they've failed to secure that data adequately, despite giving assurances that they have (which is part of the role of data processor), that is their responsibility.

If this is the case, where does the shift in responsibility end? Buy something from a supermarket, and an employee of another branch of that supermarket goes berserk and kills someone, are you to be held responsible for that? Why should there be special conditions on a business relationship, where responsibility for things outside of your direct control are transferred, just because data is involved?

On the other hand, if, as a data controller, you have failed to get a proper data processor agreement from that processor, detailing the scope, and purpose of their data processing, along with assurances that it will not be used for anything outside that scope, then you have failed your due diligence. "Barry down the pub can do your payroll, just send him a spreadsheet with all your employee deets".

The responsibilities of, and between controller and processor are pretty well defined.

Loyal Commenter Silver badge

Re: "Control and accountability disappears when you hand it over."

The two parties, in this situation, are the "data controller" and "data processor". If the controller has established that the processor has a legitimate reason for having and processing the data, that is all they need to do. The processor also has obligations, though, and that includes only using that data for the purposes that they specify. Anything that goes on "under the radar" is forbidden, and the processor is liable.

Yes, the controller is not responsible for this, but why should they? It's the processor that is acting illegally. If they don't get found out, of course they get away with it, but guess what? That applies to every single crime. If nobody finds out you did it, you get away with it, from the most trivial crime of shoplifting a penny sweet, to mass murder, if you don't get caught, nobody knows.

What GDPR does do is set out minimum penalties for those who do get caught, and specifies that data should only be processed for set purposes. It might not be perfect, and there may be the odd loophole, but it's a hell of a lot better than the US approach of "psst, wanna buy some data?"

Loyal Commenter Silver badge

That works when it's being de-anonymised for fairly innocuous purposes, such as advertising (yes, I know advertising isn't actually that innocuous). What it does nothing about is malign purpose.

What if someone de-anonymises that data so that they can use it to perform identity theft? They're criminals anyway, they're not going to care that it's illegal to do so.

What about state actors? The STASI don't exist any more, but don't for a second imagine that there are no other government level organisations that are exactly the same. If you don't know what the STASI were getting up to in the second half of the 20th century, then I suggest you visit the museum that is now housed in their former headquarters. Take a look at the "bread vans" used to abduct people, and the industrial scale steamers used to open pretty much everyone's mail.

More specifically, what about foreign state-run covert organisations, like Russia's GRB operatives who go round poisoning dissidents. Do you think they are going to care that what they are doing is illegal when they de-anonymise some publicly available data to track the movements of their target?

I think the actual answer lies in banning the commercial sale of such data sets at all, whilst retaining a fair-use policy for research, with the conditions that the researchers are responsible for the data they handle, and such research is registered and vetted in some way to prevent bad actors pretending to be researchers, or exfiltrating sensitive data from research establishments.

As noted by others here, "legitimate" uses for such data are pretty poor anyway. I don't need to see adverts for washing machines for two months after I've just bought a new washing machine, but this is the pattern that seems to be common for targeted ads - show you lots of them for variations on that one-off or infrequent purchase that you've just made. That, and "people who bought that item that you got as a Christmas present for your six-year-old niece also searched for these other Disney Princess items". And, of course the other favourite of targeted advertising, where there are too few data points. Just bought an out-of-print book on some obscure topic? Well, the last person who bought a copy of that six months ago, also bought a load of sex toys, and parts for a classic car, so does this dildo interest you, sir? What about this replacement head gasket for a mark 6 Cortina?

You want us to make a change? We can do it, but it'll cost you...

Loyal Commenter Silver badge

Re: Less than one character per week

The variant I have heard is "twice the length from the middle to the end".

Running on empty, out of battery, power draining... three things the UK government definitely isn't. Oh no

Loyal Commenter Silver badge

Re: Running on empty?

Downvote for link to the Murdoch press as well

Fortnite banana can appear in court naked says judge in Epic vs Apple legal footnote

Loyal Commenter Silver badge

Re: It's already clothed

Also, typing banana this much is really hard!

Are you starting to feel like Nanny Ogg, whereas she knew how to start spelling banana, but didn't know how you stopped.

Hey – how did you get in here? Number one app security weakness of 2021 was borked access control, says OWASP

Loyal Commenter Silver badge

Re: with other common weaknesses...

It's not necessarily reactionary [sic]. Any org that is serious about securing software will at least have made sure their devs have ticked off this list before handing over their software to external pen testers, prior to releasing it. That's a proactive approach, not a reactive one. You can't expect devs to be security experts, but OWASP does give them useful pointers, and thus instructions, in what to do to make software moderately secure against common threats.

Security is hard, and a proper approach is multi-layered. Just because one layer doesn't catch everything doesn't make it a futile effort. If that were the case, you'd not have a front door on your house, on the grounds that a determined enough attacker could kick it down with enough effort.

Council culture: Software test leads to absurd local planning SNAFU

Loyal Commenter Silver badge

Re: Early doors

'twas ever thus.

Ee, when I were a lad, etc. etc. people didn't buy drinks in the clubs. Not because of the price, you understand, but because alcohol and certain amphetamines don't mix that well. I doubt much has changed in the intervening *mumblemumble* years.

Loyal Commenter Silver badge

Re: This seems like a real legal loophole

It sounds to me like that planning committee have offloaded the work of actually checking and approving applications to the users of the back-end IT system and are then just rubber-stamping the decisions.

IANAL, but I would have thought that legally the responsibility for that decision still rests with the one wielding the rubber stamp. This smells of typical corner-cutting of a local council under pressure from central government to make excessive cost savings.

More fool them if they don't read what they're signing though.

British data watchdog brings cookies to G7 meeting – pop-up consent requests, not the delicious baked treats

Loyal Commenter Silver badge

Re: It's simply back to data collection, or not?

In that case, surely the simplest thing would be to legislate to get rid of the pop-ups entirely, and assume "do not consent". If you think our government would do that, I've got a bridge you might like to buy.

Loyal Commenter Silver badge

Re: Realism please

I for one can't see how the distinction between such cookies and all others could possibly be made by a web browser or client side app as it can have no insight into the provider's service architecture or corporate purposes.

This is not the point. It's not for the browser to work out whether a cookie is required, it is a legal requirement (under GDPR) that a web site not track users without their consent. Of course, this is a paper tiger if the web site operator is outside the reach of the EU* (although breaching parties could find themselves in trouble if visiting the EU, or if they have business interests there). However, it does mean that trying to track users in this way, without their consent, within the purview of the member states can be a very costly mistake.

*and UK, kind of, as long as we want to keep our data-equivalency with the EU, which our current government seems keen on throwing away.

Loyal Commenter Silver badge

There's an easy way for web sites to avoid having to have those "un-user friendly" banners

...and that is to not try to do things that require a user's explicit consent, such as spewing their adverjism* in the user's face, or tracking and profiling the user in an attempt to monetise the user's visit to their site. Note that there's nothing to stop a site from showing adverts that don't require tracking of the user.

*You're welcome.

Banned: The 1,170 words you can't use with GitHub Copilot

Loyal Commenter Silver badge

Re: At least a software that will block Postel famous principle...

Indeed. What this really means, is that the output of your code should be well defined and meet the specification (conservative in what you do), but should handle unexpected input with an appropriate response (be liberal in what you accept).

In practice, that means responding with an appropriate error, rather than assuming the input was correct and continuing anyway. In effect you shouldn't trust any data that you didn't create yourself (and because no software is ever 100% bug free*, you probably shouldn't trust your own data either until you've validated it).

For example, if you have a web service with an API endpoint that is expecting some well formed JSON, and the consumer posts a gif of a dancing monkey to it instead, it should return a 400 response, and try to deserialise the monkey and carry on like it was all fine. Otherwise, such handling of unexpected input could result in an unpredictable error later on in your process, and potentially result in an exploitable vulnerability, such as a buffer overflow, or SQL injection attack.

In other words, the Postel principle could be read as "expect other systems to pass all sorts of crap to you, and handle it appropriately." Appropriately, in almost all cases, being to reply with "unexpected input" or similar. After all, if the input is outside of what has been specified, then the behaviour that should be exhibited is also unspecified.

*allegedly.

Facebook: Let us tell you WhatsApp – we don't want to pay that €225m GDPR fine

Loyal Commenter Silver badge

Re: "We will appeal this decision"

I think there are various grounds for appeal, other than new evidence becoming apparent, such as a strong argument that the verdict of a previous trial was flawed, or obviously wrong, procedural errors, jury tampering, having some right-wing arsehole with a double-barrelled name, but who likes to use a "blokey" name to pretend he's a "man of the people"* prejudicing a trial by making details public outside the court, etc. etc.

There are also various things that won't make your verdict eligible for appeal, such as a change in the law after a conviction, which is why gay men convicted of "gross indecency" had to be pardoned rather than having their unfair convictions overturned.

*Bet you can't guess who I'm referring to here, whose name rhymes with "waxy lemon"

Loyal Commenter Silver badge

Re: "We will appeal this decision"

D'oh. You, are, of course, correct.

Loyal Commenter Silver badge

Re: "We will appeal this decision"

this is fortunately not how courts work

With many courts, it is exactly how appeals work, often to the unexpected detriment of those appealing.

It is quite possible for someone convicted of a crime to appeal it, hoping to get it overturned, or the sentence reduced, and then be stung with a harsher sentence, because the whole lot gets reviewed - the verdict and the sentence, and the higher court might decide that the lower court had been unduly lenient. In fact, the apellant (a word my spellchecker doesn't like, but does exist) doesn't even have to be the defendant, or their counsel, it could be any interested party as far as I am aware.

(IANAL, etc. etc. but my wife does have to deal with such things in the course of her work)

Loyal Commenter Silver badge

Re: Law enforcement

I guess you've never actually been to Ireland, have you? Or if you have, not to anywhere beyond short walking distance of Temple Bar, and not on any trip that isn't a stag do?

When everyone else is on vacation, it's time to whip out the tiny screwdrivers

Loyal Commenter Silver badge

Re: Two observations:

That actually looks like a pretty useful gadget.

I might invest in one, and put it in the drawer with the digital calliper, multimeter and soldering iron...

Loyal Commenter Silver badge

Two observations:

1) Get some magnetic parts trays to hold and arrange those screws as you remove them. Or just a couple of small neodymium magnets. These are also handy if your screwdriver is not magnetic, when trying to reinsert a tiny screw into a tiny gap without dropping it. Just stick a magnet to the side of the screwdriver's shaft. Probably best to keep them away from your hard disk though...

2) Robert Rankin explained where those small screws come from in his 1993 Book of Ultimate Truths. The Small Screw Phenomenon is explained thusly.

Oh the humanity: McDonald's out of milkshakes across Great Britain

Loyal Commenter Silver badge

Re: A number of sound decisions?

I very much hope you weren't working more than 20 hours a week during your degree, or HMRC might want to have a word with you.

Most reputable universities will have a much stricter policy of how many hours a student can work, to prevent burnout / stop students pretending to do a degree whilst working.

Of course, I'm pretty sure you are old enough to have been at university at a time before fees, and potentially to be of an age when grants were still given, so I strongly doubt you left university encumbered with tens of thousands of pounds worth of debt, and that "3 jobs" you were doing were largely cushy ones for extra beer money.

Loyal Commenter Silver badge

Re: A number of sound decisions?

Sounding very much like someone who has never had to work there, or at the very least never had to start at the bottom.

It doesn't take a genius to see that the "gig economy" traps people in low-paid, unskilled work with no means to fund the training to get a better job. Take a look at where the job shortages are: Care staff, nursing, transport, and so on. All jobs which require a good deal of (expensive and time-consuming) training. It's all very well to say we should be training more British people to do those jobs, but without recognising that this takes time and money, it's just glibness.

Loyal Commenter Silver badge

Re: A number of sound decisions?

However it came about it did give a reason to vote leave.

So, one of your reasons for voting to quit the EU was that dishonest traders can be prosecuted for their dishonesty, and you object to that? The only possible reason I can think of to do so would be to protect yourself if you are a dishonest trader. Otherwise, it's a reason to vote to remain.

Loyal Commenter Silver badge

Re: A number of sound decisions?

even direct links, direct quotes or reality has no acceptance in your mind

Okay, so let's break this down:

1) Direct links - correct, these are not acceptable as evidence. Links are not facts. Links are just that, a link to something else. In this case, a link to a comment on a forum. Not a fact. Certainly not what I asked you to provide, any details at all of anyone being prosecuted and imprisoned for selling straight and/or bent bananas as per your claim.

2) Direct quotes. A quote is not evidence. All your quotes also seem to be from one person. I'm sorry if it offends, but Tim Worstall's opinion pieces are not a source of facts.

3) "Acceptance in my mind". Ouch.

Let me make this perfectly clear for you, mister twisty-turny: I have asked for a simple example of somebody being prosecuted and imprisoned, as you claimed, for selling sub-standard bananas, under this EU regulation that you and your ilk are so het-up about. You made that claim, the onus is on you to prove it, not on anyone else to go away and disprove it. At this stage, I'm considering whether it is worthwhile making a large monetary bet on the premise that you cannot, and never will be able to.

There is a long-standing convention in the House of Commons that a member cannot call another member a liar, even when they are clearly not telling the truth. This is on the premise that the members are honourable, and would not intentionally lie. If you are unable to back up your somewhat outlandish claims, then you are lying. The very fact that there are no articles in the right-wing EU-hating press shouting loudly about it happening is probably proof enough that it has never happened, but I'm willing to give you one last chance to dig yourself out of the hole you have dug for yourself:

Prove your claim, or retract it. The onus is on you to do so, not on anyone else to disprove it.

Loyal Commenter Silver badge

Re: A number of sound decisions?

Do you have any "sources" that aren't articles written by, or comments made by a senior member of UKIP?

Actually, are you Tim Worstall, just recycling your own comments as "proof" like some sort of expert sophist?

There are 7+ billion other people on the planet. Do you base your opinions on anything any of those people say or do, or just Tim?

Loyal Commenter Silver badge

Re: A number of sound decisions?

Yet was a criminal law with penalty of fine and/or jail. I am amused how some remainers still try to dispute this.

EU regulations are not criminal laws. I don't know how many times you need to have this explained to you before you understand the difference.

Member states signed a treaty that means that they implement regulations as laws in their own nations. If the UK implemented the regulation in a law and gave it criminal sanctions, then that was the UK that did that, not the EU.

The ECJ (European Court of Justice, to be clear) is the body that makes sure member states implement regulations properly and handles disputes. It is not a criminal court, and does not judge individuals with criminal sanctions.

So in summary, EU regulations != criminal laws.

Your claim != true.

Loyal Commenter Silver badge

Re: A number of sound decisions?

So in short, no, you don't have an example. You have, of all things, a comment made on this forum by Tim Worstall. A well-known, and obviously biased, commentator. It is not the job of me, or any other reader, to go down the rabbit-hole to find the "sources" he quotes, and the sources of those sources, etcetera. When I have done so in the past, where he has posted anti anthropogenic-global-warming articles, I have spent the time to follow the sources only to find that they actually indicate the exact opposite of what he has posited. I'll give it to him, he is pretty good at taking a single sentence and using it out of context to indicate the opposite of what it actually means.

This is not a primary source.

Try again.

If you can.

Come to think of it, when I have asked you for sources for the things you claim as facts in the past, you have never actually managed to come up with a proper primary source. You need to brush up on your debating skills if you think hearsay is such a thing.

Loyal Commenter Silver badge

Re: A number of sound decisions?

There's an old adage that you get more right-wing as you get older. The cynical might observe that dementia happens as you get older as well.

Right-wing "solutions" to problems are often simplistic (and to be fair, far-left ones are too). Intelligent people recognise that most things in life are complicated, and require complicated solutions. Cooperation across 27 countries to better the lives of the people within is a complicated solution. The three-word slogans and lack of detail from the Vote Leave lot is the very antithesis of this.

However, our "fast news" culture with its 5-second sound-bites, and billionaire-owned press skews things a little towards the propagandists, and away from thoughtful consideration.

Loyal Commenter Silver badge

Re: A number of sound decisions?

"full employment only dreamed of"

Ok, I've stopped laughing now. Do you dream of working a zero hours contract in the "gig economy"? Of having to claim benefits while working to make ends (almost) meet, like 2.3 million people have to in the UK? What about the 2.5 million people forced to use food banks? Crowing about "full employment" is disingenuous at best, when so many people are in inescapable poverty, due in large part to work that doesn't pay enough to live.

As for blaming The Virus on the problems caused by brexit, you only have to remove the blinkers and look to see if other countries that haven't imposed foolish constitutional change on themselves are experiencing the same problems. Oh look, they're not.

The cynical amongst us might almost think that the reason the British government has handled the COVID crisis so badly is so that they have a convenient cover story for the clusterfuck that is brexit.

Loyal Commenter Silver badge

Re: A number of sound decisions?

It was the stupidity of making a criminal law of fine and or jail time for the shape of a banana.

Oh-ho, there goes CJ again misrepresenting the facts!

It is a criminal law for the mis-selling of goods. As for jail time, can you actually furnish anyone with one single example of someone being jailed for mislabelling bananas, let alone even prosecuted?

The EU directive that the xenophobes like to rail on about, in case anyone is in doubt, refers to classification of fresh produce, where fruit and veg with defects, such as "abnormal curvature in bananas" must be labelled as "class II", rather than "class I". Apparently requiring people to accurately classify the goods they are selling is now some sort of fascism.

Of course, back in the land of reality, the only people who object to such regulations are those who want to be able to mis-sell you things. The sort of shysters who'd like to be able to get away with selling you a bag of potatoes with stones in and then walk away saying "caveat emptor" without fear of prosecution.

Loyal Commenter Silver badge

Re: A number of sound decisions?

Workers who left didn't leave because they couldn't work. They all have settled status...

I guess you don't actually know many people who have had to apply for "settled status" then? It's certainly not magically just given, and the whole bureaucratic system is riddled with mistakes. A German friend of mine, who has been living in the UK for 20 years, is married to a Brit, and has residency here erroneously got a letter telling her that she had failed to apply, and had to leave the country.

Such "hostile environment" bullshit, driven not only by Brexit, but by the general "nasty party" attitude of the tories is what has driven European workers away from our shores, alongside the increased requirements for them to jump through hoops when entering and leaving the country, because (shock horror), previously they could seamlessly drive between the UK and mainland Europe delivering things where they were needed, rather than being restricted to looking for work in one country. Oddly enough, they have all chosen to go and work in the other 26 countries instead, and screw the little xenophobic island with delusions of grandeur.

Loyal Commenter Silver badge

Re: A number of sound decisions?

Well, not the pandemic, since apparently the US was already short 60,000 drivers in 2019.

At a guess, I'd say it's probably down to one policy or another put in place by Trumpkin.

Poly Network says it's got pretty much all of that $610m in stolen crypto-coins back

Loyal Commenter Silver badge

Re: Frozen by Tether

Most of your (perfectly valid) criticisms are not unique to cryptocurrencies.

For example, ask Northern Rock about "It collapses as soon as more people want out than in"

...and any central bank that practices "quantitative easing" about "It is constantly being inflated"

Actually, on that second point, you are aware that the "supply" for cryptocurrencies such as Bitcoin is finite, aren't you? And that, of those that don't have infinite supplies, the principal one, Ether, has recently implemented transaction fee "burning" to counter that very problem.

What I don't agree with is the name "cryptocurrency". They aren't currencies, and the name just leads to people erroneously drawing parallels between them and fiat currency.

Really, they are a store of "value" based upon the scarcity of some resource (like gold, or shares in Apple or a stamp collection). The resource in most cases is "proof of work", which is problematic when that work translates into power consumption. The snidey "why crypto is worthless", and "why crypto is a scam", or "why crypto is a bubble" comments are getting a bit tiresome though, especially when they seem to keep getting proven wrong. That last one I've heard reliably several times over the last 5 years, usually just before the price of Bitcoin jumps again.

I'm not foolish enough to put any significant money into crypto, of course. If I had done five years ago when I dabbled with mining (and it was still achievable without spending vast sums), I'd have multiplied my money many times over. Comments like yours, though, sound like sour grapes from people who wished they had. As it is, I'm now sat on a couple of grand's worth of "crypto assets" in return for a modest investment of about £150 in what was then a curiosity.

BOFH: 'What's an NFT?' the Boss asks. In this case, 'not financially thoughtful'

Loyal Commenter Silver badge

Re: Thank you

If I lent you my car, I'd be perfectly happy to get a Bugatti Veyron back a week later (assuming in one piece), which I could then sell and buy a couple of houses and a new sensible car.

So, my car is quite fungible, as long as it gets exchanged for one of significantly greater value.

Microsoft emits last preview of .NET 6 and C# 10, but is C# becoming as complex as C++?

Loyal Commenter Silver badge
Trollface

Re: Cross-platform UI?

This UI looks funny on Lynx...

Loyal Commenter Silver badge
FAIL

Re: "the ability to use operators on generic types."

Using List<object> erodes type safety in a pretty disastrous way.

Sure, "ListOfObject" can be used for a list of ints, but apart from the boxing/unboxing you'd need to do to add and iterate those ints in the list, there's also nothing to stop you chucking a string, or any arbitrary object into the middle of that list and then getting a nasty surprise when you try to cast it to an int.

European Commission airs out new IoT device security draft law – interested parties have a week to weigh in

Loyal Commenter Silver badge

Re: @Gene Cash

And that imported tat would not get a CE mark*, and thus be illegal to sell in the EU. I don't see most consumers suddenly buying grey-market imports to get around measures put in place for their own safety.

It's akin to people buying cheap Chinese phone chargers on eBay and then being shocked when their house burns down. I think most people have figured out by now not to do that.

*Yes, I know this won't stop Chinese sweat-shops putting CE marks on them, but plus ça change, n'est-ce pas?

Loyal Commenter Silver badge

I can see the flip side of this though.

Electronic devices these days are modular. They comprise components made by many different manufacturers. Think of a laptop. It will contain, at minimum, a motherboard, a processor, a screen, keyboard and touchpad, some memory, and some storage. The motherboard will itself contain several built-in components from different manufacturers. BIOS, a USB controller, PCIE and SATA buses, and so on. Any one of these components could be found to have a security flaw several years down the line.

Should the maker of the laptop be responsible, for instance, for fixing a security flaw discovered in the processor (e.g. Heartbleed)? Surely that responsibility lies with the maker of the processor, but is there also a responsibility for the company that assembled the laptop to pass on a fix to mitigate such flaws? What if such flaws render the whole device irreparably insecure? Who is liable? Is the customer entitled to a RTM replacement or hardware fix? At whose cost? What if this happens after 1 year? 5 years? 25 years?

I'm not saying there aren't answers to these questions, but I don't think they will be simple ones, and they do raise questions about chain-of-trust when modern devices are built from many heterogeneous components.

Horizon Workrooms promises a virtual future of teal despair

Loyal Commenter Silver badge

Re: My experience is different

Presumably, you're attending those conferences because they are related to something you have an interest in.

I challenge you to sit through a 90 minute meeting, 89:30 of which is your manager talking in detail about other people's projects, and keeping your attention on everything that is being said, for those 30 seconds where your input is needed, without becoming distracted, all the time overcoming the urge to open a wrist just to test that reality still exists. Too many of those, and your brain is going to end up like some sort of blancmange.

Razer ponders how to fix installer that grants admin powers if you plug in a mouse

Loyal Commenter Silver badge

Re: Razer went full evil back in about 2013 or so

Yup, that's why I bought a Corsair mouse instead.

Admittedly, their "configuration" software is just as nasty as Razer's, but at least their mice and keyboards work without it running. And continue to work after it crashes. Of course, most importantly, it doesn't require you to create an account and sign in.

Now, Nvidia, can we have a word about your driver-update crapware...

Loyal Commenter Silver badge

Re: WTF?

Merely plugging something in will run an installer, with elevated permissions? There's your security problem, right there. It doesn't matter whether Razer screwed this one up, having Windows allow a user action to trigger code that downloads and executes other code with elevated permissions is a generic security hole.

Device driver installation, which by its nature is modifying part of the OS that is shared between users, should not be runnable by a user at all if they do not have the required permissions to do so. The fact that this "leaks" and allows the user to spawn a PowerShell instance is moot. There should at the very least be a prompt along the lines of "allow the installer to run?" and a further one to authenticate and authorise if the user does not have permissions.

This looks like yet another example of how easy it is to get security wrong. I am a little surprised that Windows allows it in this day and age!