Re: The usual exaggeration
> This would be like trying to find a needle in a haystack, in the dark, with a laser for a flashlight.
So you're saying there's a chance?
2545 publicly visible posts • joined 7 May 2012
Another take on this problem was pointed out by "uncle Bob" in a lecture I saw but am now too lazy to find the link.
The number of people that you would loosely define as "computer programmers" has roughly doubled every five years since the 1960s. Or, to put it in a more frightening way, about half the code warriors involved in every piece of software you might buy today have less than 5 years' experience. Many haven't yet been burned by the shortcuts they think they can get away with, and many in that bracket aren't yet at the levels where they can push back against the PHBs demanding dangerous processes (or, more usually, the lack thereof).
And at the risk of defending the indefensible, also don't forget to take notice about the KPI structure such employees are working under. Do they need to close X tickets per day? Do they need to maintain an awaiting investigating queue below Y? Does the employee who closes the most tickets get singled out for either praise or even a bonus? Does the employee who takes the longest suffer poor performance reviews or have to sit with some stuffed toy sloth on their desk that week?
If any of these or like-minded hare-brained schemes are in place, anticipate, no, actually expect employees to play their own games to protect their own wellbeing. So if you come along with one of those "it's annoyingly slow but still technically working" style tickets, expect the incentives to influence the behaviour. Having an efficient payroll department isn't only never directly incentivised but also in this case would almost certainly hurt their measured KPI.
If manager types spent more time reflecting on KPI side effects and less on other reports, they would objectively run a better operation. Of course, managers have their own KPIs, with which they're themselves playing their own games, so it's turtles all the way down.
I have no doubt that they can throw down 4K at a pretty impressive frame rate using what we used to call powerful servers with lots of GPUs in a data center, but now must call cloud.
The real question for most gaming is how long it takes for a player action to be noticed by the game, and for this you are likely north of 5-10ms because physics.
The second group churns through the advice from as many as required of the first group until they get advice that, when held at a distance and eyes squinting in just the right way, can form a set of words that doesn't entirely rule out the position already held by the second.
A human who was also tasked with capturing information about the vehicle's performance on a device as it drove. If they had her in the car solely as "your job is to monitor the decisions being made by the car and intervene if necessary", your comment would be reasonable. But her job required her to also be a data entry clerk. As such, it was perfectly foreseeable that her attention would from time to time be diverted. If the car cannot operate safely without a human supervisor, then they were negligent in not having a human supervising it at all times.
WARNING, THE FOLLOWING LINKS HAVE IMAGES DEPICTING THE AFTERMATH OF A DROP BEAR ATTACK:
Drone technology is being pushed down under because it is just too risky to hold these beasts in a cage with a living pilot in the same aircraft.
> You keep it at least hashed
A hash is a cryptographic one-way function. Knowing the hash, it is mathematically impossible to recover the original string without brute forcing all possible strings and looking for one that gives the same hashed value. Being able to vomit back the original password into a password box is kind of a big thing for a password manager.
> or XOR-ed with some other binary
So where do you put that binary so the attacker can't do the same? Why don't you just put the passwords there instead?
Also, what would happen if you xor'd the obfuscated passwords together with other obfuscated passwords from that same secret binary? What can you learn about the key? What if you discover just one of those passwords in a paste bin dump then xor the obfuscated password with the known one? Oh look, secret binary in clear. Now we can read any others too.
Fun isn't it?
Even something as "simple" as clearing the secret out of memory is much harder than you might think. Depending on the runtime involved, you may be relying on a garbage collector to actually overwrite the memory, and your control over that process is limited. And that's before you consider whether it might be in the CPU caches, which might, as recent vulnerabilities show, be an oracle.
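The XOR-with-a-secret-binary scheme dismissed in the posts above is worth seeing in code, because the two failures described (XOR-ing two stored values cancels the key; one leaked password exposes the key bytes it covers) both follow from a single algebraic fact: XOR is its own inverse. The following is an added example written for this page, not code from any poster or product; the "secret binary" bytes and the three passwords are constructed for the demonstration.

```python
# Added example (not from the forum thread): why XOR-ing stored passwords
# with a fixed "secret binary" is obfuscation, not encryption.
# SECRET_BINARY and PASSWORDS below are constructed sample values.


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key byte at the same offset.

    The key must be at least as long as data. A shorter key that repeats
    would make every problem shown below worse, not better.
    """
    if len(key) < len(data):
        raise ValueError("key shorter than data")
    return bytes(d ^ k for d, k in zip(data, key))


# Constructed stand-in for the "secret binary" used as the XOR key (18 bytes).
SECRET_BINARY = bytes.fromhex("5f8a3c91e2047bd6a1c3f05e9b28d47c6e1a")

# Constructed sample passwords that a manager might store.
PASSWORDS = [b"correct horse", b"Tr0ub4dor&3", b"hunter2"]


def obfuscate(password: bytes) -> bytes:
    """What the flawed password manager writes to disk."""
    return xor_bytes(password, SECRET_BINARY)


def xor_two_stored(obf_a: bytes, obf_b: bytes) -> bytes:
    """XOR two stored values together.

    (pw_a ^ key) ^ (pw_b ^ key) == pw_a ^ pw_b: the key cancels without the
    attacker ever seeing it, which already leaks the relationship between
    the two plaintexts.
    """
    n = min(len(obf_a), len(obf_b))
    return xor_bytes(obf_a[:n], obf_b[:n])


def recover_key(obf_known: bytes, known_password: bytes) -> bytes:
    """One plaintext that turns up elsewhere (a paste-bin dump, say)
    hands back every key byte it covers: (pw ^ key) ^ pw == key."""
    return xor_bytes(obf_known, known_password)


def recover_others(stored: list[bytes], partial_key: bytes) -> list[bytes]:
    """Decrypt every stored value as far as the recovered key reaches."""
    out = []
    for obf in stored:
        n = min(len(obf), len(partial_key))
        out.append(xor_bytes(obf[:n], partial_key[:n]))
    return out


if __name__ == "__main__":
    stored = [obfuscate(p) for p in PASSWORDS]
    print("stored:", [s.hex() for s in stored])
    leaked = recover_key(stored[2], b"hunter2")
    print("key bytes recovered from one known password:", leaked.hex())
    print("prefixes of the others:", recover_others(stored, leaked))
```

The lesson for a defender is the one the thread draws: a scheme whose security rests on a fixed value stored next to the data offers nothing once an attacker reads both, and reuse of that value across records leaks even before the value itself is known. A password manager that must return plaintexts needs a real authenticated cipher under a key derived from something the attacker does not have on disk (a master passphrase run through a slow KDF), and even then the in-memory handling concerns raised above still apply.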
I should add, there at least used to be a Firefox and Chrome extension that could open up specific sites using a tab with embedded IE (IETab or something like that). That was really useful at the time. I'd be surprised if it or something similar isn't still available.
I believe the accountants know the game and to be frank, are playing it brilliantly.
Through a couple of decades, hardware advances themselves justified a new shiny every couple of years. Experientially faster, better screens, new gimmicks. But for most consumer workloads, tell me what a 2014 spec'd i7 couldn't do if you swapped out its HDD and put an SSD in, when compared to a modern machine at a similar price point? There's only so much compute power needed to run Office 365. This literally freaks out these companies (no need to single out Apple) as their business model relies on repeat customers. It is an existential threat to their profitability. Of course, if you can engineer the parts so that they'll definitely last 3 years, but after 5 it needs to be facing west when you power it on, they can strut out someone to say "that old thing, wow, haven't seen that model in ages*, you need a new shiny, I'm afraid warranty blah blah" without destroying their reputation. It is no accident that more and more components are glued in place.
*at least three days ago
... except actually ironic.
One of the following statements explains why Huawei is banned from the Australian 5G networks. The other is part of the Assistance And Access Bill 2018 written by the same collection of muppets. To hold both positions simultaneously is an incredible feat of intellectual contortion. To hold a straight face espousing it is nothing short of incredible.
"the government considers that the involvement of vendors who are likely to be subject to extrajudicial directions from a foreign government that conflict with Australian law, may risk failure by the carrier to adequately protect a 5G network from unauthorised access or interference."
"a notice may require a provider to facilitate access to information prior to or after an encryption method is employed"
Unfortunately, they also collect your outgoing messages courtesy of your keyboard app, and display outputs courtesy of your video drivers. But I'm totally confident that these parts of the operating system and apps don't have debug modes that log to disk.
@DougS, this remains at least technically possible even if you don't buy a new shiny. Your current handset will be vomiting out your IMEI regularly, which the operator could intercept on their microcells to gain your location with much higher precision.
> Self-driving cars won’t learn to drive well if they only copy human behaviour, according to Waymo
I hope it didn't take a PhD for someone there to figure that out. Meatsacks too often drive without reference to prevailing conditions, without anticipating what other meatsacks might be about to do, without a good night's sleep, with screaming kids in the back, paying attention to the radio/GPS/SMS/air conditioning knobs rather than the task at hand, with their seating position and mirrors just wrong, with boredom and wandering minds, without indicating, at inconsistent speeds, in the wrong lanes, towing too much for the rating of the vehicle, without maintaining their vehicles properly, often trained by other incompetent meatsacks who propagate the same bad habits.
As good as a human driver most definitely should not be considered the high-water mark.
WhatsApp is a closed source app that implements an open source protocol (Signal).
If they add the capability to generate a new group key-pair whenever requested by the server without authorisation within the app, then a systemic weakness has just been included that anyone who manages to pwn WhatsApp servers can now exploit.
You might as well just let the server manage the session keys.
And if you have ever run a Java decompiler (I have, but for the record, not on WhatsApp or any other application for which I did not have permission to do so), you would struggle to hide "if (request.Guid==magicGuid) return true;" inside the method responsible for collecting the user's consent. The bad guys would have that line NO-OPed within minutes of it being discovered, or they will just move on to whatever other app implements the Signal protocol but is based in who knows where.
They can update the app, but egress traffic from each participant cannot be avoided without fundamentally changing the protocol.
And I'm not sure what you mean by ignore the keys. These are public keys of each participant for the new participant that allow them to decrypt the messages you send and allow you to decrypt messages that they are trying to send you. Ignore them, and they cannot understand you or vice versa.
@Mark, the signal protocol used by WhatsApp requires each participant to push their group key to the new user. Whilst Signal/WhatsApp can BCC all comms to 5eyes, they are not in possession of the encryption keys used by the group conversation. If they tried to push an invite out to 5eyes, then each device could notice that the administrator has pushed an invitation to a new member.
Without weakening the security by adding a vulnerability to permit the servers to manage the session key, they cannot comply. They must either weaken security for all or refuse to comply.
Thanks very much Labor for supporting the laws of fairy math. I had held hope that you had understood what the experts were all, without exception, telling you. History will judge you poorly for supporting such a dangerous law.
I once had to handle a complaint about system responsiveness. The client application had to wait for a bunch of data from the server, but given that the penny pinchers had, er, purchased network kit and internet connections that one could make a case were more suited to a small household than a business, occasionally these responses would time-out/retry or just take absurdly long to complete.
For reasons that largely boil down to historic cries of "just push it out, we promised it two weeks ago" from the PHB, the calls themselves locked up the UI thread which as anyone with an ounce of foresight can see was going to make the application appear unresponsive.
I couldn't magic up better performance given the data required and network conditions, but it's amazing how the complaint disappeared as soon as I included an animated gif progress bar and demonstrated how much faster the new version was.
[Company Logo]
Memo
Directive to all service staff - Beer O'clock Super Special Tuesday
From this Tuesday afternoon, we will be commencing our new Super Tuesday initiative. We value our regular patrons, so whenever an order is placed for a craft beer, the first one is on the house.
Cheers
Management
> Who uses a pencil to cast their vote? Use a pen!!!! You can't rub out a pen.
If you are planning to subvert an election by changing the votes, do you:
(A) Open up the ballot box, pull out an eraser, carefully rub off all the marks, then renumber them according to your evil plans; or
(B) Print out new ballot forms and then number them according to your evil plans;
(In both cases you need to figure out how to stuff those faked ballots into the box).
As someone who strongly advocated against the government's mathematically illiterate magic fairy unbreakable but yet somehow still possible to assist in breaking when receiving a magical signed order, can I express relief that at least on this proposal they managed to see what a stupid idea it is.
I saw a lecture by "Uncle Bob" once, and he made an interesting observation about the rate of growth of programmers. Broadly speaking, since about the '60s, the number of programmers has doubled every 5 years. Or another way to word that is that half the monkeys bashing keyboards today have had less than 5 years experience in the profession. I personally think that this explains quite a lot.
> Er, so this TypeScript is not a language just a C-stylee preprocessor ?
Only in the sense that C# is an MSIL preprocessor, or that C is an assembler preprocessor.
It is perhaps more helpful to think of JavaScript the way that you think about MSIL; a set of instructions that the runtime can execute.
The example of the + meaning either string concatenation or addition depending on data is right, but on its own really doesn't explain the problem in a significant enough way to get why you'd bother. It becomes a lot more helpful when you can't accidentally pass a complex model in error, and it allows IntelliSense to better guess what you're trying to pass. It's the benefits that any typed language provides.