* Posts by GordonD

27 publicly visible posts • joined 12 Sep 2012

FCC plans to restore net neutrality rules tossed out under Trump

GordonD

Why make new rules?

IANAL, but it seems to me that writing new rules requires all kind of public comment and procedure, followed by years of legal challenges by red states and companies.

In this case, since the Ijit(sic) Pal commission public comment process was so clearly flawed, could not the current commission find their own process flawed and hence revoke their own (2017) rule changes?

That leaves any challengers trying to prove that the 2017 decision and everything leading up to it was spotless, and the administration just saying mea culpa ( on behalf of the Trump administration).

US appeals court ruling could 'eliminate internet privacy'

GordonD

Re: Wrong Yet Again

Statistics without context are worthless.

The 9th Circuit makes lots of decisions.

Some percentage of these are appealed.

At this point, the USC skims through these, and decides which of these are worthy of scrutiny, based on how solid the decision was, and whether it conflicts with other circuits, or existing precedents.

So the 80% figure is of the decisions the USC decided to review, and is mostly an artefact of the system. It certainly can't be taken as how likely a particular appeal is going to be overturned.

IANAL

Apple warns of arbitrary code execution zero-day being actively exploited on Macs

GordonD

Feels a bit click-baity

to build a story from a release note for an update to an older OS version, and not call that out.

MacOS usage by version is hard to come by, but I'm sure Simon knows that Catalina is not the most recent, soon to be current - 2, and probably represents less than 25% of active MacOS installations; so one has to wonder why this most pertinent of facts was not highlighted.

Similarly, as noted in previous comments, iOS 12 is far from recent, so this story should mention that iOS 12 and earlier represents maybe 7% of the installed base.

Kaspersky Lab autopsies evidence on SolarWinds hack

GordonD

What is going on

First possibility: Just what it looks like, FSB hacking the world, Kaspersky calling them on it. Plausible ( and gutsy by Kaspersky).

Second Possibility: FSB hacking the world, Kaspersky arm of Russian state, Tramp administration correctly points finger at Kaspersky, Russian state, knowing the FSB operation will be identified shortly, uses Kaspersky to out itself, making Kaspersky look good, and Tramp administration bad. Plausible until you consider the Tramp administration doing something right.

Third Possibility: FSB hacks world; knowing that it won't stay secret forever, Russia lines up Kaspersky to out themselves. They then tell their komprimised lackey (who they know will soon be no longer a useful idiot, just an idiot) to accuse Kaspersky of working for Russia, so that they can later discredit the NSA et al.

I think it is one, but three would make a better spy novel, and also fits the facts.

Australia's contact-tracing app regulation avoids 'woolly' principles in comparable cyber-laws, say lawyers

GordonD

Re: Assuming that were not the case. And what happens to people who don't own phones?

Rob, you need to step back and think how diseases spread.

The people who don't own phones will benefit almost as much as those who do.

This is about limiting the spread, not saving individuals.

CoVid 19 seems to spread to between two and three people on average, often less, occasionally much more. Like all the other epidemic tools, contact tracing is about lowering the average. Let's pretend that the R number is 2.3, maybe social distancing reduces that by a bit, say 0.7. All of a sudden, the outbreak is doubling in weeks, instead of every three days, then add in a bit of contact tracing, and you're down to a bit over one. Extreme contact tracing will go further, but every time you let someone know they should maybe self isolate for a few days, it shaves a bit off the average.

Maybe the guy without a mobile phone doesn't meet that infected guy who is self isolating, maybe the guy without the phone gets infected, but then doesn't infect someone who is social distancing. Without vaccine or herd immunity, it is all about reducing *average* transmission.

Lockdown endgame? There won't be one until the West figures out its approach to contact-tracing apps

GordonD

Re: Why do Google and Apple develop new API?

No mystery at all.

1. iOS and now droid have significant restrictions on what you can do in a background app.

2. Getting iOS and droid devices to work together at a bluetooth LE level requires a common design.

3. Market penetration, at least on iOS, an OS level system will reach 70-80% very easily, and for a point release, very quickly.

4. Energy efficiency. The OS can do this without trashing the battery.

5. Privacy. The Apple/Google concept is privacy preserving. When an infected user authorises disclosure of his keys for the infectious period, they get mixed with any other keys for infected periods. Individual devices download a list of anonymous keys and see if they have a match. Zero central deanonymised data collection, and very small chance of governmental abuse.

6. Permissions. Apps have pretty big warnings on all kinds of tracking usage, a privacy preserving framework that is only available to certain apps could be far less imposing.

So, the only strange thing going on is big brother potentially being stymied by tech. Except in the UK maybe :)

Don't worry, Big Brother still has terrorists and Paedophiles as excuses for mass surveillance.

Wanted: An exit strategy from the overt surveillance of smartphone contact tracing

GordonD

This needs lots of upvotes.

So many people either haven't read the Google/Apple scheme, or haven't understood it.

This scheme doesn't need a kill switch, because it does not support tracking, only a yes/no have I met an infected person.

But don't believe me, believe Bruce Schneier. "It is privacy preserving... and well thought out."

https://www.schneier.com/blog/archives/2020/04/contact_tracing.html

https://www.schneierfacts.com/facts/top

As anonymous coward writes, the risk isn't that the Apple/Google scheme is abused, it is that it is ignored by those wishing to use Covid 19 as an excuse for wider surveillance.

Ex-Capita accountant who claimed £10k bung to leave was blackmail has appeal thrown out

GordonD

It probably did, and it wasn't accidental.

Just ask Facebook for the transcript/video that they didn't record, and don't have a copy of.

Sure, we made your Wi-Fi routers phone home with telemetry, says Ubiquiti. What of it?

GordonD

Re: GDPR compliant?

Informed consent only applies before their personal data is collected, so that doesn't rule out GDPR compliance.

Doesn't matter though, GDPR compliance is a red herring. The problem is that "trust me" isn't a valid approach to any network security issue.

The main problem is that Ubiquiti management doesn't see (or is being paid/told not to see) how wrong this is.

Bad news, developers: Apple Mac App Store tells cross-platform Electron apps to get lost

GordonD

Bad News, Developers

Great News, Users...

Actually, this is really great news, because now Slack have a great motivation to push ahead with their Catalyst build. That means it will have a differently weird UI, but at least it won't slug the machine.

And some m$ stuff won't work, years ago I would have said yippee, but nowadays it is more of a meh.

You'e yping i wong: macOS Catalina stops Twitter desktop app from accepting B, L, M, R, and T in passwords

GordonD

Who to believe, twitter dev or every other MacOS App.

The real story here is the press parroting a twitter dev blaming his problems on Apple, when no-one else has the problem.

Evidence.

1. twitter, a multi-billion dollar company, has for a long time claimed they couldn't afford to make a Mac App, so they probably don't have much of a Mac dev department.

2. No-one else reporting these problems.

3. UIKeyCommand documentation explicitly says it is for key combos, not single letters. (Quoted at the end of the comment), so this is explicitly not a bug.

4. Oh, UIKeyCommand, so this is a Catalyst App, which is new in Catalina, so when they say regression, they mean Apple did a bug fix from an early Beta. Bet they didn't enable those single key shortcuts in the iOS App.

Supporting quote from UIKeyCommand documentation :-

"Hardware keyboards allow a user to hold down the Control, Option, Command, or other modifier key and press another key in combination to initiate commands such as Cut, Copy, or Paste. You can use instances of this class to define custom command sequences that your app recognizes and then provide an appropriate response."

A decade on, Apple and Google's 30% app store cut looks pretty cheesy

GordonD

Apples and Oranges

Always interesting to see the app stores compared as if they do the same thing.

One does meaningful human audits of every app uploaded ( sometimes to the chagrin of us developers), spending a ton of money on checking there aren't a sea of trojans and other malware infecting the platform. The other does pretty much nothing for the same markup.

I'm sure that both Apple and Google make a ton of money from their app stores, but only one has a plausible security justification for its monopoly.

Also a bit disgusting to see the proposal that successful businesses should get a discount. The cost of entry and failure rate among mobile apps punish the small players, so further rewarding the most successful players might seem a natural consequence of a competitive app store market place, but the effect on the general app development market place would be extremely pro-monopolistic.

Full Disclosure: I am not an Economist :)

USA! USA! We're No.1! And we want to keep it that way – in spaaaace

GordonD

Shouldn't that be

The Piew piew research centre?

LLVM contributor hits breakpoint, quits citing inclusivity intolerance

GordonD

What if Linux...,

After reading Alain's post, I clicked on his list and yes, it is a nice friendly code of conduct, but that did raise a one big question.

What would have happened if Linux had this code of practice?

I'm sorry Linus, you can't come to the conference, because you are rude to people.

Open source technical projects, and especially stupidly complex projects are probably not the best place to fight gender equality battles. Judge people on the basis of the diffs they submit. Anyone suitably competent will have a solid reputation before anyone actually knows their racial background, gender preferences etc. This is true equality.

Bitcoin outfit 'Tether' reveals US$31m BitBuck BitHeist

GordonD

Tether is not Bitcoin

There is a lot of confusion here. Tether is not Bitcoin. Lots of journalists are putting 'Bitcoin' into their headlines to get ratings, but they are not the same, or even strongly linked.

Tether is a crypto-currency, using similar technology to Bitcoin, but they are not the same, and this is obvious since one tether is worth 1/8000 the value of a bitcoin at the time of writing.

There are Bitcoin ATMs around the world, but last time I checked, most exchanges need a validated account before they will even let you trade Tether. Not very anonymous at all.

Atlassian kills God, rebrands as a mountain, a structurally unsound 'A' or a high five

GordonD

Re: Right

My favourite Atlassian stupidities :-

I press ctrl-f for forward character, Atlassian pretend I'm on a PC and do find instead.

I press ctrl-e for end of line, Atlassian does bold instead, but only in some places, other places it does the right thing (D'Oh).

No, Apple. A 4G Watch is a really bad idea

GordonD

Most used function

"Set a three minute timer"

Saving me from stewed tea: priceless.

After that, swimming stroke counts and times.

Both of these work just fine with my cheapskate 38mm.

His Muskiness wheels out the Tesla Model 3

GordonD

Surely All Electric Cars Need Plugs

I'll get my coat.

Redmond's on fire, your 365 is terrified: Microsoft email outage en masse

GordonD

M$ reliably locks me out of IMAP/SMTP about 30 days after I reset the password. Still works through the cloud, so I'm pretty sure it is their stupidity, not mine. Best guess is they think anyone using public VPNs is a terrorist or even worse, a spammer.

After this stupidity recurred a few times, I did the sensible thing and forwarded my incoming mail to an actually reliable email provider. Not sure why my employer is paying for this sorry PoS.

As an aside, five nines is supposed to be a reasonable uptime target; at least M$ limited their goals to the two nines they were likely to achieve.

We're going to have to start making changes or the adults will do it for us

GordonD

Problem with M-x tabify is that it blows out version control, especially when I revert it on next commit (mwahahahaha).

tabs vs spaces and new line endings are great feuds, and since they can be handled by any decent version control system on checkout and commit, they're refreshingly pointless.

A proper feud like ICantReadThis vs sensible_naming resists machine sabotage, although there are worrying signs that the poor handling of CamelCase by speech synthesis might result in sanity being restored by the accessibility red card route.

Sex is bad for older men, and even worse when it's good

GordonD

Surely this article should have been titled

"Men with heart disease more likely to lie about sex"

Honor 8: Huawei targets millennials with high-spec cheapie. 3 words – Food pic mode

GordonD

I hope they fix the spelling before they release it in the English speaking world :p

Safari URL-spoofing vuln reveals how fanbois can be led astray

GordonD

A few clues this is a phish

For anyone who can't try this, at first sight, there are a few visible clues.

Firstly, the correct URL is shown before the spoofed one. Quite obvious when loaded directly, but probably not noticeable if loaded in background or background tab.

Secondly, there is no icon. I don't know if this is an intrinsic issue with the spoof.

Thirdly, there is a consistent flicker at the left of the address field where the icon would go, looks like maybe there is some script constantly overwriting the icon.

It would be interesting to know if this worked with HTTPS sites.

Iranian CLEAVER hacks through airport security, Cisco boxen

GordonD

I'm also unimpressed by the lack of detail on who CyLance are, both here and on Ars. Both stories seem little more than an uncritical précis of CyLance's allegations.

We're supposed to believe that this white hat organisation can follow everything that these hackers are doing, including acquiring the source they use at their home base. I can see backtracking an individual intrusion is possible with cooperation from the targeted organisation, but to trace all these intrusions they would need either global network access or to have owned 'Cleaver's network.

Similarly, how can CyLance be manipulating DNS on third party networks unless they're pretty black themselves, or did all these hacked organisations around the world happen to pick the same obscure company to investigate these intrusions they didn't know about?

The only organisations I would suspect of being able to do this level of monitoring are exactly the ones most likely to be doing a false flag operation with Iran as the target.

EFF: VPNs will crumble Verizon's creepy supercookie stalkers

GordonD

Treat it like the disease it is

This kind of privacy invasion is like a disease.

To take the analogy a little further, the best solution is to not go near the source of infection ( quit Verizon).

If you have to expose yourself, for whatever reason, a VPN is the Sanyo biohazard suit; protects against pretty much all injection attacks of this kind; pretty good against related diseases like NSA, FBI, etc.

There are other defences, an anonymising proxy for example might help; some are like general spectrum antibiotics, they strip out all unknown evil headers and maybe even some evil cookies; others are disease specific so they only provide protection once the disease has been recognised. SSL proxies are almost as good as a VPN in this context.

TOR, while of great value generally, is pretty much useless in this context.

Happiness economics is bollocks. Oh, UK.gov just adopted it? Er ...

GordonD

Credit Where Credit is Due

It seems you're being a little hard on David.

You've made a good case that the way to increase happiness is to reduce choice, and DC has just stated that the tories are going to prioritise happiness.

Surely the story here is 'Politician tells truth about fascist dictatorship manifesto'?

Thomas-Rasset faces $220,000 file-sharing bill after losing appeal

GordonD

Of Course she should appeal

The moment that the damages + costs exceeded Jammie's net worth, she has nothing to lose by appealing. She will be bankrupt anyway, and fighting on is good for her, and for the rest of us.

IANAL ( thank god), but this is a civil case, so I don't believe imprisonment is an option. By fighting to the top, she maximises the cost to the music cartel. She is bound to find pro-bono lawyers eager for name recognition, and I don't believe there is a risk of setting really bad case law, since there is the amicus curiae option for big names to add arguments as required.

This action is basically the music cartels trying to scare the little people by hanging a random victim, but since she is already set to hang, she should at least make it expensive for her persecutors.

On doing some background reading on US bankruptcy law, I am a bit scared for her. It seems that 2005 changes allow the victim to be tortured for a while before being executed, but my non-legal reading suggests that this shouldn't be so in Jammie's case should she be forced into bankruptcy.