Posts by ckdizz

Re: Well even though my bank has an app

"So how do you respond to the fact fingerprints can be lifted (gummy fingers), and any security measure presented in Android seems to get bypassed routinely, even fingerprints and passwords/PINs? And that true paranoids run their banking runs on virtual machines?"

I'm not a true paranoid. I don't know of any open exploits with the fingerprint reader on Android or the phones I use. But it's still true that if you're targeted you can't do anything about it. Like locking your doors in your car and home, those measures can prevent casual or opportunistic crime, but you can't do shit if someone really wants to get that information. I do enough to prevent theft without everything becoming inconvenient and unworkable.

Re: I used to work for RACAL secure payments.

"When we found out they wanted Micro$oft in ATM we all giggled out loud."

Yeah, and you got Java instead. How's Oracl€ working out?

Two things. As a former auditor, I know that most accountants know way more about security and risk assessment than your average dev (who at the end of the day usually isn't a security specialist). It's a pillar of the CA qualification worldwide. I don't want to get fussy about this, but risk assessment is based on balancing risk, the fact that risk cannot ever be completely eliminated, and the cost of taking one route compared to another (cost measured in money, but also time, and social costs).

The other thing is that like your lawyer, accountants don't make technical policy decisions. They make decisions about their own department, but they don't make decisions for other departments. They present financial information and other people make decisions based on that.

But let's be honest here. Chip and pin has dramatically reduced fraud and is far more secure than the magnetic strip and signature. I don't know what went on during the development, but if it's like any other large interorganisational project I bet it was a mishmash of tradeoffs and bargaining between a whole bunch of different agents. That's never going to produce a perfect result, but it's certainly produced a result that's achieved a measurable drop in stolen card fraud.

Re: Well even though my bank has an app

Here's why I use it. I don't know about the generational thing; I'm in my late 30s, but I'm also an Android developer.

First, I can check my balance instantly on the login screen without having to log into the app (I also use the fingerprint reader on the phone so if I lose it, no one can access that information unless they have my finger, or, if they reboot the phone, the phone's pin). I use my cards a lot, far more than cash, so knowing how much is in there before I go to the checkout is really important.

Second, if I do want to make an impulse purchase, then I can transfer between accounts right there and then. In addition, if I want to send someone money I can do it right there and then. I could even - although I don't do this - bump phones for the NFC high five.

Third, the UX is far better than the website. They put a lot of work into the UX, and when it's in an app it's not browser dependent (so Chrome, Firefox, Opera, etc. which could all render in different ways are replaced by a uniform app).

Fourth, my sixteen character website password doesn't have to be typed in, because the device has a pin (up to six digits), and I don't need to enter my username/customer number. All I need to know and type in is my pin.

Fifth part one, it's far more secure than the browser - any browser. There's extra layers of security you can't have in the browser, even on the computer. The app doesn't depend on the security of other applications (like the browser, or plugins for the browser). It's sandboxed (and all others should be too) so no other applications can open it, and it can only connect to one site. It's never completely secure because you could still bypass it with (serious) user intervention, but it's far more secure than the browser.

Fifth part two, it's linked to my phone. So only that device can use it, and all devices have to be registered with online banking in the first place. My bank gives us a maximum of three devices, and if anything changes substantially in the device then the app needs to re-register. So you can only use it on that phone; you can only use new devices after you've done a couple of 2FA routines, so people can't just register new devices without having access to your online banking, your email and your phone.

tl;dr it's really fast, convenient, makes managing my money so much easier, looks pretty and more secure.

Strict liability means there is no defence except statutory exceptions. It doesn't mean that a naked photo of a child is indecent - it's not the definition of the image that matters, but the culpability of the offender. In other words, is there mens rea, or is there enough to prove a guilty mind.

Distribution of indecent images of a child is a strict liability offence with only a couple of statutory exceptions (from memory, it's good cause to distribute and lack of knowledge of the contents), but what constitutes an indecent image isn't defined by the fact that distribution is a strict liability offence.

Re: Diet Coke Ad

George Carlin was funny, but he's a comedian, and he made his living by saying offensive things in the right contexts. Unfortunately, he missed a massive part of why we have social norms, and why some of them need to change: sometimes you can say something, and it's fine, but in other contexts, it's not okay. I can watch Louis CK make a rape joke on stage, and that's fine, and it's actually funny. But you make the same rape joke in the office, and that's not okay. Of course, nothing is stopping you from dropping the n-bomb in the office, or referring to a woman by a vulgar name for her genitals, or making a rape joke. But you can't blame other people's sensitivity if you clearly did something that was going to offend, perpetuate a stereotype, or just plain piss them off. You can't run to free speech when you're merely facing the consequences of using your free speech: other people have the same right to tell you to shut up. And you can complain about social media pile-ons, sure. But that doesn't ever invalidate the two way nature of free speech.

People who tend to complain about things being too PC, or who complain about their freedom of speech being restricted, or who complain about how we just can't say anything these days, these are the people who are never the target of these things. These aren't the people who've spent the majority of human civilisation being marginalised and excluded, or sold into slavery, or told they have only one role to play, which involves squirting out babies. Or any combination of the above.

So Carlin was right, in a sense. Silencing people or forcing them to alter their speech isn't the best method for solving our inherent stupidity. But if we didn't do something, dropping the n-bomb in the office would still be the norm, because otherwise a minority of people wouldn't stop doing it. And we know that's the case, because it's been made perfectly clear that's not okay in the past, and people still do it. When you give them a cloak of quasi anonymity, they do it more.

It's a start. FWIW the Diet Coke ads aren't okay. The Lynx ads aren't okay. They are a simple example of the lowest common denominator in advertising. They're what you get when you strip creativity, and they're what you get when you try and create a target market of sex-starved middle aged women and sex-starved teenagers. I'm pretty sure there's more ways you could sell those two particular headaches in a can, but I don't watch broadcast TV, and I don't work in advertising.

It's not a similar argument at all. I can write a unit file without breaking systemd. If you can't, then the problem isn't with systemd, because I'm a veritable suckfest at my job. So if you're routinely breaking systemd, I'd look elsewhere for the source of the problem. Also, systemd is actually entirely modular. So if you build it from scratch, to a good extent you get to choose what you want to integrate. Arch's systemd is way different from Debian's, for example. Hell, it's even more advanced than Fedora's.

The difference is in the tools you use to do the job. My grandad's hatred of metric was based entirely on the fact that the Germans and Japanese used metric fasteners, and that he had to buy new tools to use the job - his AF were less used, and his Whitworth were almost entirely obsolete by the 80s. People's hatred of systemd is that Poettering is an author, Red Hat have championed it, they have to learn something new and their knowledge is becoming obsolete.

If some people had their way we'd be using a bicycle powered smoke signal generator instead of a phone.

(As an aside, plastic fastenings in engines are extremely uncommon, as the heat and vibration in an engine will destroy them fairly quickly. If plastics or resins are used, it's usually as an adjunct to metal, or in components where it's necessary for strength and security to replace the fastener after it's been taken apart. Your dad was, in a sense, right about things being glued or riveted more these days, but that's largely because the ability to service complicated parts that started appearing in cars in the 80s and 90s has meant that even experienced mechanics don't have the tools to work on them - the dual clutch solenoid units spring immediately to mind. Nevertheless, the source code for systemd is available for you to hack away at all you want.)

Re: you'd 'nohup' them to keep them running when you logged out

I think this is exactly the point. While it's not immediately desired behaviour, it's eminently sensible behaviour and should be expected if you're trying to run processes as an unprivileged user. After all, most systemd processes when started from unit files are daemonised, even those run as unprivileged users. And that's the way the (terrible) systemd manual says they should be run. I'm going to guess the problem is somewhere in the middle of Polkitd and systemd.

I can see there's a need for it, and I'm a Debian user, but personally if I have background processes to run that I need to stay running I make sure they're going to carry on running after I log out. That's probably why I haven't encountered it.

I'm on the fence as to whether or not this needs to be fixed or the requirement for a persistent process needs to be specified in some other way. Otherwise users could be left with a bunch of processes running simply because they didn't explicitly stop everything in logout.

BSD isn't a great example of how an OS should progress. It has neither the market share or manpower to even maintain the kernel for new hardware, let alone make a change as drastic as an init system. Let's face it, Linux rules the server market, Red Hat rules the Linux server market, and as much as you might dislike Poettering or systemd, Red Hat aren't going to start taking something as drastic from upstream as an init system change without it benefiting their core market. They know where the majority of their money comes from.

Most of the problems with systemd stem from not knowing or not caring about how to use it. I don't have issues with the amount of information I can get from journalctl. I haven't not been able to debug any issues with systemd. In fact, it's been a lot easier, because I only have to look in one place, and I get relevant targeted information.

There's actually about 70 Linux distros that don't use systemd. But they will all have key software in common to which there is no alternative. And even if a distro does use systemd, that's just the init system - and a lot of work has gone into backward and cross compatibility. Look at the way Debian has implemented it. It's actually awesome. It'll only be like Windows when a single company maintains a single solution incompatible with other distros that uses only its own closed source, proprietary software to do the job.