Re: OK now this is something
Heh. UN and a useful action in the same sentence? Don't give up your day job just yet, but a bit of working the open mic circuit & you'll be ready to turn pro!
2976 publicly visible posts • joined 23 Jan 2015
So all those claims about the 2016 elections being influenced by foreign actors...what about them?
Seriously, it's MUCH harder for a foreign actor to throw an election than it is to make it LOOK like it's being thrown. In 2016, the FSB provided the Clinton campaign with a ridiculous dossier on her opponent--so that her victory would be tainted. That same FSB ran a bunch of web sites attacking her--so that her loss would be tainted.
Actually stealing an election? Leave that one to the locals.
It's far from clear to me that this is a "just like we've been doing, but with software" patent. Take the phone system. Originally, you DID have to wait for the other party to stop talking. Then, they create the four-wire system, so you got full duplex. In analogue. Those analogue signals got stacked into a T1, and those T1s into a T3. It was a COMPLETELY different network than the Internet, and, "hey, why don't we do here what they do there" was not something that could be whipped up over a weekend. If it could, believe me, it would have been done.
It really depends on what the details of the claim boil down to. If its, "Hey lets put some control software across, not a TCP connection, but a PAIR of UDPs", then yes. This fails "obviousness", and should never have been granted. But there is a reason that the original systems did not support full duplex, and whatever it was, that implies that there was real IP involved in implementing it. It may well be that this one is legit.
This.
When Google bought itself out & created Alphabet, it moved all of the non-core stuff to separate divisions. You know how Sergi referred to those divisions? "Other bets". He wasn't being flippant. He was making clear that these were, by design, high-risk, (hopefully) high-reward ventures. The brass expected most to fail.
Of course, some of Google's ventures have been particularly dubious. Whether this was (at the time) properly one of those, I leave to experts.
I realize that it's the 20's, so no one is allowed to take a position that isn't 100% on one side or another, but here I am.
I still remember 15 years ago when I was experimenting with a multidrive system and having CentOS blow up because the .spec files did the "../../../whatnot" garbage. This. Is. POSIX. I can set up a mount however I deem it appropriate, and YOU DO NOT KNOW where ".." goes.
I don't care that POSIX requires tar to support '..'. On a POSIX system, '..' is not well-defined between systems. Tarballs that use '..' are at best fragile. For that reason alone, use of tar requires care.
--
But these "researchers" are being more obnoxious than tar is. Unless you carefully examine the use of the library, you cannot know if it is actually "Insecure" or not. Are there really 350,000 open source packages out there using this library that are intended to run as root? I seriously doubt it. So the security implications are nowhere near what this group is implying.
--
Of course, root or not, directory traversal is a problem. If the proposal were to add a "safe mode" that prevented root or .. components, that would be great. But we're unfortunately 30 years too late to change the default behavior.
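The "safe mode" this post wishes for, a pre-extraction check that refuses absolute paths and any `..` component that climbs above the target directory (including via symlink and hardlink targets), can be written against Python's standard tarfile module. The block below is an added example, not code from the post or from any project it mentions; the tarball it inspects is constructed inline with one hostile entry of each kind, and the `/tmp` and `/etc` paths in it are made-up sample values.

```python
import io
import os
import posixpath
import tarfile
import tempfile


def _escapes(path: str) -> bool:
    """True if a member path is absolute or climbs above the extraction root."""
    if path.startswith("/") or os.path.isabs(path):
        return True
    depth = 0
    for part in path.split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:          # more ".." than directories entered so far
                return True
        else:
            depth += 1
    return False


def unsafe_members(tar_bytes: bytes) -> list:
    """Return (name, reason) for every member that would touch a path outside the target dir."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for m in tar.getmembers():
            if _escapes(m.name):
                findings.append((m.name, "path escapes extraction root"))
            elif m.issym() or m.islnk():
                # A hardlink target is relative to the archive root; a symlink
                # target is relative to the directory containing the link.
                if m.islnk():
                    target = m.linkname
                else:
                    target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if _escapes(posixpath.normpath(target)):
                    findings.append((m.name, "link target escapes extraction root"))
    return findings


def safe_extract(tar_bytes: bytes, dest: str) -> list:
    """Refuse the whole archive if any member is unsafe; otherwise extract and list the names."""
    findings = unsafe_members(tar_bytes)
    if findings:
        raise ValueError("refusing to extract: %r" % findings)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        # Newer Pythons ship their own extraction filter; use it as a second layer when present.
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
        return [m.name for m in tar.getmembers()]


def build_sample_tarball(include_hostile: bool = True) -> bytes:
    """Constructed sample archive: one benign file plus, optionally, three hostile members."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, data):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        add_file("pkg/README", b"benign\n")
        if include_hostile:
            add_file("../../../tmp/owned", b"relative traversal\n")   # sample path
            add_file("/etc/evil.conf", b"absolute path\n")            # sample path
            link = tarfile.TarInfo("pkg/link")
            link.type = tarfile.SYMTYPE
            link.linkname = "../../outside"   # resolves to one level above the root
            tar.addfile(link)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_tarball()):
        print("REJECT %-24s %s" % (name, reason))
    with tempfile.TemporaryDirectory() as d:
        print("extracted:", safe_extract(build_sample_tarball(include_hostile=False), d))
```

The check deliberately rejects the archive as a whole rather than skipping bad members, since a package whose layout depends on a traversal entry is not going to work once that entry is dropped, and a loud failure is easier to triage than a silently partial install.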
FINALLY, a legislative move to limit the have-it-our-way rule of Big Social looks like it might bite. The fact that the plaintiffs are trying to claim first amendment rights to muzzle speech that they don't like as opposed to the interstate commerce clause (which should be a no-brainer) tells you just what kind of funhouse dystopia they want us to live in.
Newspapers don't get section 230--they get the 1st amendment. Choose one.
If you were one of the ones (like me) who foolishly thought that insurance might be the white knight to fix the software industry, then it is YOU who are wanting it both ways, as demonstrated by your current complaint.
Insurance has very rarely covered acts of war, and I'm surprised that cyber was covering it in the first place.
In practice, this is going to gut the cyber insurance market, but it's not the insurance company's fault. As an industry, our posture is so shoddy that ANY determined actor can acquire the capability to wreak server havoc (heh). Which means that nation-states are going to completely p0wn any target that they really want.
The problem is that our industry is simply too sloppy for insurance. The insurance companies are figuring this out, and the results are inevitable.
This is NOT a bug.
T.H.I.S. N.O.T. A. B.U.G.
A "bug" is when the published specs are violated. The specs have not been violated.
Consult the front matter for a manual of one of these parts--specifically, the page that says "This product is NOT rated for use with government information classified CONFIDENTIAL or higher."
So...someone buys a plastic shield. They take it into battle with an opponent who has a steel lance. You blame the shield maker?
That's the hell of these vulnerabilities (not "bugs"). It isn't clear (NOT a security researcher here, but with background in hardware validation) how to attack home users with these. This looks like a much more serious threat for the cloud providers.
Nope. I was there. EVERYONE knew about the attack path. Many tried--AND FAILED--to realize the attack. And that's where things stood for 20 years.
In the front of the manual of these parts is a full-page warning that the part is not certified for use with government information classified CONFIDENTIAL or higher. If you consider your credit card information to be confidential, you might take that into account before using such a processor to handle credit card information.
Nothing curious about it. While the CCP might not have been nearly as forthright about its goals 57 years ago as it is today, it has been completely clear for the last 40+ that I've been old enough to pay attention. Given that Project 596 was completed the year before, however, it's probably just an obvious reference to the arms race.
If I had not had to endure 13 1/2 years (Summer 2002-Jan 2016) of "Bush = Hitler", followed by (Feb 2016 - present) of Trump being the new Hitler, I might be willing to listen to these claims. This is not the only data point. I'm too exhausted to even really be bothered much, other than to mourn the Republic, when the next one happens.
If you want to drive modern Nazis from the public internet, I ask that you first give a definition of Nazi that doesn't boil down to "whomever I say it is".
Because I believe I have ample cause to fear that I'm on the list of people to be driven off the internet.
As an ex-Googler, employees are encouraged to "bring their whole selves" to work--so long as that self is well-accepted by the dominant clique. It's been a few years, but it seems pretty likely that this hard-left clique is getting increasingly demanding. Expect more "outrage" when outrageous behavior is not being tolerated.
Because, eventually, the revolution always eats its own.
Do a bit of research on the environmental record of the Soviet Union if you want to see how things went down in the great worker's paradise.
It was the same story in the Eastern Bloc, and, when the data comes out, China.
Capitalism is MUCH better for the environment than any other system in practice.
You broke Postgres restore functionality on 8/1 to deal with a minor security issue. TO THIS DAY, the issue is neither fixed nor acknowledged on status.heroku.com. So my choices are free, which doesn't do restores, or paid, which doesn't do restores. Except free is going away...
A third option is coming to mind...
I worked for Google as an SRE when it became Alphabet.
Our systems were designed so that something like this would not cause disruption to the customer. One data center unexpectedly going offline was a core scenario, and one that we regularly exercised. (And by "regularly", I mean "more than once a month".)
Three options come to mind. The first is that this outage was deemed to be non-transient, which means that additional capacity for the affected services needs to be brought online. If someone fat-fingered the change, you might see an outage.
The next option is that the bean counters might have pushed to reduce the resilience of the systems. Of course, they don't admit that's what happens, but it does. Our PM's response to one such initiative was brilliant, "It is in Google's best interest that you pretend to believe these calculations."
Third is, just a coincidental fat-fingering of an unrelated change that happened to be on that day.