Posts by Lysenko

Re: Not knowing how to look can make it hard to find

It's as if they still living in the Dark Ages, before statistical science was discovered.

A surprisingly large number of people still fall for Gambler's Fallacy, but even those who don't are often guilty of faulty reasoning and imprecision.

For example, given the premise:

"if I toss this coin five times and get 'heads' every time, what is the sixth toss likely to produce?"

... the 'enlightened' person may answer that the sixth toss has a 50:50 probability whereas the gambler's fallacy predicts that it is time for "tails". They're both wrong. There is only a 3.125% chance of tossing "heads" five times with a fair coin so the balance of probability is that the coin is loaded or some other trickery is at work. That means the likely outcome is either "heads" again or else the answer will dictate the outcome by causing the tosser (oooh, err) to alter his technique.

Re: State capitalism, not socialism

Socialism at its most fundamental level is about the (democratic) ownership/control of the means of production by the people.

socialism: "a political and economic theory of social organization which advocates that the means of production, distribution, and exchange should be owned or regulated by the community as a whole."

I don't see the word "democracy" there and, if it were universally seen as a fundamental characteristic of socialism, why would anyone ever feel the need to call themselves a "Democratic Socialist" or "Social Democrat"?

However this is just splitting hairs. Majoritarianism is perfectly democratic and the Chinese Communist Party would have no difficulty winning an election and then using its democratic mandate to pack everyone who voted "erroneously" off to re-education camps. Pairing collectivist priorities with democracy ("the dictatorship of the proletariat") is simply "mob rule". Stalin might not have been democratically elected, but one of his contemporaries was.

Re: No ...

So, your point is that MS Office is crap because it messes up documents in good, solid ISO-standard format from LibreOffice?

No, my point is that de jure standards (ISO) don't interest people, they care about de facto standards (MS Office). Whether MS Office is "crap" or not is as irrelevant as whether Esperanto has a better verb structure than English. My customers don't speak Esperanto, they won't learn Esperanto and it doesn't matter if it has an ISO standard, UN recognition and an endorsement from the Vatican, it is not the standard they recognize and no amount ISO fiat or philosophical open source posturing is going to change that.

The LibreOffice proposition is equivalent to learning tourist phrasebook French and then demanding that the rest of La Francophonie constrain their vocabulary and grammar accordingly or learn Esperanto. Not going to happen.

Including word of mouth? Then how do they communicate at all given they must assume all methods of communication are not only hostile but capable of being intercepted and decoded (not even one time pads are immune as plods can intercept the pads before they're used)?

You assume that any communication mechanism might be intercepted, which includes the arrest of messengers. Encryption is flawed on its own because even one time pads are susceptible to RIPA attacks so you need to conceal the communication end points and/or employ some form of steganography.

This isn't a new concept. Agatha Christie crims were aware of this and posted messages using plausibly deniable language in newspaper classified columns. The same technique works perfectly well with CraigsList or USENET or (ElReg comments). If you need to send specific instructions that can't be reduced to deniable language then you encrypt and steganographically encode it.

Secure criminal comms isn't so much a matter of strong encryption as evasion of detection and plausible deniability of intended recipient and content. A direct PGP email or WhatsApp message is vulnerable to RIPA so cryptographic strength isn't helpful. Encode the same message in the high order bits of a photo posted to alt.fan.cats and it is impossible to prove that the message even exists, and even if you do, it is impossible to prove who the intended recipient is, thus neutering RIPA. To cite Agatha again: "When no-one suspects you, murder is easy".

Re: Have they fixed the decades old bug in File Explorer ?

What he is talking about is some programs will auto generate an super long file name for a folder

The most obvious example being old versions of npm creating undeletable node_modules directories.

Re: Bye

It's not that unusual to encounter road signs when driving, but some people are just in a hurry to get on with their day and pay little attention to them.

So, if there's a clearly signposted side road and some lazy twit pays no attention and causes an accident, the problem is the side road? It should be removed, severely inconveniencing the residents of the small village it leads to, because some clueless morons can't be bothered to read road signs?

I think not. What you do is prosecute the idiots and revoke their driving licenses. In a case like this, that means firing people. Not because it will rectify this specific instance of the problem rather, like many such sanctions regimes, pour encourager les autres.

Re: Why?

Nano Pi A64 is better (and cheaper) for that job in my experience, but if you're doing motion detection (or something similar) then the software you use has more of an impact. Using a multi-core CPU effectively is nontrivial and it is very easy to burn a huge number of cycles (and therefore heat) in busy waits and context switches.

Re: Actually

Hitler references are a bit old don't you think?

Rabble rousing populist with ludicrous hair, unexpectedly elected on a vague platform of making Germany America great again, overturning the political establishment, deeply suspicion of an Abrahamic religion, demonizing foreigners in general, berating the media, choosing lackeys on the basis of loyalty rather than competence and floating the idea of subverting the constitution by an Enabling Act Executive Order?

I see your point. No resemblance whatsoever.

Re: Has to be within range

If you (as an attacker) are going to procure special equipment (as this attack requires) and physically locate yourself in the vicinity of the target then you could also physically tap the ADSL lines[1] which has the added advantage of not showing up in any of the target's logs. More prosaically, since you're physically in the vicinity, you could just look for open windows and burgle the target.

Physical proximity is a big deal in practice. Most attacks that I detect originate with skiddies operating via CN addresses so anything involving visa rules and airfares eliminates the vast majority of potential miscreants at a stroke. In fact (now that I think of it), I can't remember the last time anything suspect resolved to a local (and I mean country, not neighbourhood) address.

[1] TraceSpan and Broadframe make kit for this, but as with the KRACK technique you could build your own.

Re: I've kept wondering why we haven't seen a WPA3 yet

What would be the point? If you don't know where the problem is then simply meddling with the protocol isn't necessarily going to help and will probably introduce new vulnerabilities. Attacks like these don't break AES (which is what WPA2 essentially is) so mindlessly increasing key lengths wouldn't make any difference. If anything, causing protocol proliferation would just fragment research/auditing efforts and risk increasing the attack surface as the lesser used protocol(s) come under reduced scrutiny.

The integrity of cryptography rests on a published mechanism resisting sustained attack by cryptographers over a period of time lengthy enough to confer credibility. That makes it a problem domain where you absolutely should not set about trying to "fix" things until you know exactly where and how they are broken.

Re: Violent Groups

Good point. Looks like some pretty unequivocal "glorification of violence" going here. You can draw a distinction based on fiction, jokes or sport but these guys are entirely serious about actually killing people and taking pride in what they do.

Re: I know my career hasn't been typical...

but, in fact you're breaking the normalisation rules because it is, really, a single entity

That's using an RDBMS as a transaction/version controlled document management system. You can do it with a two column table (PK|BLOB), but this is actually a case where Mongo or Redis (or just the file system) might be more effective. Caching web pages is a similar problem domain with well researched solutions.

If I end up using PostgreSQL to manage two column PK|BLOB tables then I'm usually doing the equivalent of writing a letter in Excel. An application I work on periodically harvests SNMP data which arrives as JSON objects. Those have vendor specific structures and encodings so I shove them in Mongo and then normalise them into PostgreSQL in the background.

I could just dump them straight into a GUID|JSON Postgres table and process everything internally, but that would mean slower performance and less resilience to network outages. I could also leave the data in Mongo and analyse it in situ (through an ORM!?), but that would just mean I'm an idiot ;)

Re: Die Hard: Offshore

They already released that movie this year, and the sequel.

That's why I queried the original comment. It seemed to mean either:

a) nothing .. or..

b) that there is some sort of "security" that definitively stops CAN being externally hacked.

The former is a pointless comment and the latter is hogwash. Take the (TI) AM3352 or DRA746, for example. Both are automotive SOCs with dual gigabit ethernet and CAN interfaces. The only thing that keeps the CAN away from the ethernet is whatever firmware the chipset is running (and you can guess why they've got dual ethernet interfaces).

I mentioned OBDII simply because it's a supported/non-destructive way to patch into the CANBus that anyone can play with. Getting to CAN by hacking a Spotify downlink is hacker territory, but there's nothing to stop it besides (hopefully) flawless software/firmware which is exactly the same protection you have against remote activation of your USB webcam.

Re: they just need to...

I wasn't doubting that the IDE or the APIs could handle it (that's much the same in VisualStudio), I was referring to application code. I can see it being transparent in an interpreted language or a VM that simply doesn't allow you to mess with pointers, but I didn't realise ObjC was restricted like that.

Re: Advertisers won't be happy.

Midori is a WebKit wrapper and that makes it unreliable with ad blockers (particularly uBlock) in my experience, and places it behind the curve on JS and HTML standards (just like Safari). I've got it on some Raspberry Pi installs. It seems fine for what it is, but my main PCs are development platforms so only Blink or Gecko will do. I actually have Lynx on one machine. I keep it there just so I can say "I've got Lynx on one machine" ;)

Re: Oh really.

Oh great, I can stop paying my mortgage and it isn't illegal. Sweet! Of course I shall use you as my legal reference for this.

Correct. You can stop paying your mortgage and you will not be prosecuted for that. You are only acting illegally after you are sued by the lender, the Courts give permission to repossess the property and you refuse to comply with that Court Order, thus placing yourself in Contempt of Court (which is illegal).

For something to be illegal it has to be against the law, not just against the terms of a contract, agreement, promise or any other ad hoc arrangement. That would only apply to a mortgage non-payment scenario if it could be proven that you never had any honest intention of making the payments (i.e. Fraud).

Re: Famous last words.

The Mayan civilization was also pretty clever (and very scientific, too)

No, they were very religious and consequently invested far too many of their limited resources on useless bullshit like pyramids which are economically valuable only to tourism companies of later centuries. You can point many of the same criticisms at us of course, but that doesn't make the Maya a "scientific" civilization. On the contrary, they were remarkably North American, as is illustrated by the strong correlation between climate change denial[1] with belief that angels are real and prayer works.

[1] The Maya still exist of course, but the classic Maya civilization fell long before Columbus arrived because of drought, over-exploitation of agricultural resources and the belief that pouring ever more resources into Gods and Religion could fix things. The Romans, on the other hand, might read some auspices and pray to Jupiter - but then they would go and build an aqueduct or dig a canal.

Re: Pah!

Pah^2 ... that's just an argument about what sort of net curtains to hang in your cookie cutter x86 front room. Now, Z80 vs 6502? That was a real ideological debate !! ;)

Re: How is SQL Injection Still a Thing?

I mean, this is a language that is roughly the equivalent of COBOL. It's been invented almost forty years ago, on the mistaken assumption that programming languages should look like English. Its syntax completely obfuscates the execution logic.

As usual with knee jerk ageism, you miss the point. The new hotness in web monkey land is GraphQL which makes everything look like JSON, conveys even less about execution strategy than SQL (at least you can infer something from JOIN) and only obstructs nefarious injection by virtue of the fact that no RDBMS understands it natively (yet).

The problem isn't the query language, it is the vast attack surface you open up when you allow a front end to send commands either directly to an RDBMS or via middleware built by people who only understand ORMs and therefore can't code triggers and stored procedures effectively.

Why are the details of 700,000 non-US "customers" included in along with test data?

Quite possibly they were the test data. For a predominantly anglophone country like the USA, the logical countries to source customer name lists for testing are UK, Canada and Australia. You can't use random strings in place of names[1] (cardinality is all wrong, so index optimisation would be too), you don't want data from "foreign language" countries and you certainly don't want to be using actual Americans (because: Tort Lawyers).

[1] Yes, I know there are ways around that but they require a degree of competence and attention to detail that these people clearly didn't see the need for on the payroll.

Re: Desirable

Why the UK? We don't even have a military capable of defending the UK,

UK homeland defence has been based on the "Moscow Criterion" for half a century - and you can substitute any other capital city for Moscow. Carriers and so on are for force projection and interference in the affairs of other parts of the world. Actual defence depends on submarines and the same logic applies to Taiwan, so that makes the UK and France the only viable allies if the USA keeps going nativist.

I like it. Once they've got AI embedded in such systems, unionize them and ask them to vote on strike action. Then we'll see if they've been coded to optimize long term customer satisfaction (which will inevitably be the claim) or short term C suite bonus packages (which will be the reality).