Posts by bombastic bob 10283 publicly visible posts • joined 1 May 2015
ack on the "tollbooth" part - of COURSE the IANA and ICANN "recommend" using ONLY registered TLDs, even for your LAN's RFC1918 address space, and (apparently) no self-signed certs for HTTPS, either.
(next they'll somehow invalidate 'letsencrypt.org' if they get a chance, and follow the money on why)
*SCAM* and *TOLLBOOTH* indeed...
'.crap' - you hit on a good idea for "guaranteed will never be a TLD" TLDs.
Now which one should I pick... (run it in parallel with my LAN's DNS, which has used '.local' for nearly 2 decades on Micro-shaft's recommendation, at least until I decide to switch it over for realz)
basically, pick the one thing that political correctness will ALWAYS demand not be used. well, you'd think ".local" would be like that 20 years ago, right?
/me calls for an RFC that explicitly stats which TLDs will NEVER be used, and declare them usable by private address spaces.
there REALLY DOES need to be a designated TLD for LANs. '.local" used to be the one to use until it was taken over by mDNS [without a lot of warning, in fact]. ".localhost" is by definition a 127/8 domain.
As for '.dev' as long as it works with 'letsencrypt.org' and self-signed certs, should be fine, right?
/me points out that back in the late 90's, Microsoft was RECOMMENDING that you use '.local' with windows domains... and my FreeBSD-based DNS has been using a '.local' domain for the LAN since I moved my server to a FreeBSD server, back in the early noughties...
/me still uses '.local' as I don't give a rip about mDNS and just disable it for certain linux distros so it won't cause me trouble
post-note - did a tiny bit of digging, found this 'unofficial' list that's not generally recognized...
https://tools.ietf.org/html/rfc6762#appendix-G
yeah, proving racism, or any OTHER kind of discrimination, is difficult. At best you can show "being treated unfairly" which is difficult to show as racism unless there are many others treated like that.
Maybe the bosses just didn't like THAT guy. Assuming he wasn't an irritating activist that went around with the proverbial chip on shoulder, and an attitude of "you're discriminating" at every opportunity (there ARE people like that, "quota hires" they're often jokingly referred to as), then it's unfortunate that reasonable doubt works against you.
On the other hand, I've been discriminated against also, for different reasons (and in one specific case, it was resolved when I went through proper channels). All it takes is "that one person" who wields power and does NOT like you. Or maybe it's just some jerk in the office that's easily irritated (by you) who CONSTANTLY complains to the boss, about YOU. And if that jerk happens to schmooze with the bosses all of the time... that's the kind of interoffice politics that makes me NOT want to work for large companies at any rate.
There are SO many ways to discriminate, some of them "soft". Age. Sex. Politics. Race. Lifestyle. Whatever. The good looking or even the ugly one. Someone who's perceived as fat, or skinny, or sweats too much, or eats too many onions. And there's the really smart guy who keeps saying 'no' all the time, instead of going with the flow and jumping when the boss says jump, and letting bad things happen with a shoulder shrug and "not my fault" attitude (the 'no' guy usually gets enemies, the 'shrug' guy keeps his job...). And so on.
Discrimination takes many forms, but if there's a racist/sexist/bigot/whatever in the building, there will be more than one observer, and not just at the work place. It'll be hard to prove, but still possible. Bigotry is kind of like a lifestyle. It'll show up in LOTS of places.
All I want to happen out of this is for the truth to be known.
even when you encrypt with SSL, if you can sniff the opening sequence (DH key exchange specifically) you can decrypt the traffic. It would still take a little bit of work, but you can see examples of this happening in Wireshark, when you view an https stream [for example].
So yeah, a router that can capture the entire stream could render encryption useless. The only way around this would be to have a secure tunnel using known certificates on both ends, along with some kind of randomly generated salt, and no decryptable key exchange up front [PGP actually does something like this already, as a good example]. But that would be subject to a form of crypto analysis where you study a large amount of traffic to crack the certs. So nothing is perfect if you don't rotate the keys every time, and so on.
that being said, a possibly 'more secure' PGP for long distance traffic would be a good way to ensure good encryption, across 'teh intarwebs' and various network backbones and so forth, but once it gets on the LAN at its destination, it's probably gonna get hoovered up if spyware [soft, firm, or hard] exists in the routers and PCs.
from article: "less than convinced there is a threat to national security"
from post: "As the NSA is known to be bugging US-bult servers and routers before delivery for years now"
I'm a bit skeptical of both claims, that either the USA or Huawei are adding spy-hardware [or firmware] to things being sold to governments. And I would guess that governments should consider an anti-"Not Invented Here" policy if they want REAL security.
So i totally get it if the US gummint wants ONLY U.S. gear and software/firmware from approved vendors in government information roles. That's just prudent.
The jury is still out on the Bloomberg article, though. Why has there been SILENCE on that?
"people can put as much detail on there as they wish"
There are already marketing-related web sites that offer discounts for stuff if you participate according to their rules, and so it's not a new idea. A lot of people would complete marketing surveys and allow their purchases to be tracked in order to get the discounts. But it should ALWAYS be voluntary, above board, and in compliance with laws SUCH AS the GDPR.
And if they're being sneaky about it, they have something to hide.
in THIS case, the applications had 'infected' code within them that downloaded ads without the end user's knowledge in order to (apparently) prop up ad revenue. So ad blockers would not stop it.
As for ads in general, just block script and 3rd party cookies, and let the non-scripty non-video non-audio ones just display as-is and you can just ignore them.
yeah as fun as it is to point a finger and demand DEATH TO ADVERTISERS I think it's just the *EVIL* advertisers who deserve it... trackers in particular.
(simple non-moving no-audio ads without tracking, scripting, web bugs, or other nefarious practices, are just fine with me. the rest need to be KILLED to DEATH by BURNING with FIRE)
I was looking to snark all over it, but after reading the article, it's like "meh".
Glad it's fixed, anyway.
It's not like that 'Code Red' thing was, from (nearly) a couple o' decades ago, at any rate. That thing went unpatched for YEARS by end-users and created a LOT of intarweb traffic...
yeah, the whole "ads in apps" thing _IS_ pretty nauseating...
The 'droid sandbox is imperfect, people allow permissions for things they don't need "that" for, and so on.
Recently a relative got a 'droid phone. I went over the settings and SPECIFICALLY disabled location data for this one art application. Why did an ART application need LOCATION DATA??? yeah. It works fine without it, but it nagged to re-enable it the first time it was loaded after changing the settings...
your calculations are correct. the only problem is getting the density of the incoming hydrogen to be high enough. I think they'd have much better luck if they a) used solar wind capture thingies to make hydrogen gas, and b) did the reaction with the oxygen in the rocks separately.
So you grind the silicon dioxide or other oxygen-bearing rock into powder, and with the right conditions, a proper catalyst, and maybe some electricity...
Otherwise simply exposing rock to solar wind won't have enough surface area to provide a decent reaction rate, AND you'd just lose all of the generated water vapor out into the vacuum of space.
Capturing hydrogen, however, might be possible with a large enough collector, electrostatic and electromagnetic containment, etc. and would be useful for a LOT of things besides 'making water'.
[Look mom, I made water on the moon!]
experienced employees can't really be forced to get a pay cut "just to stay", yet inexperienced 'fresh meat' can be exploited more easily than those who are experienced. Or at least, I hope that's NOT what's really happening...
[it wouldn't be the first time if a large company lays off its experienced staff, then hires all new people with less experience at significantly lower wages]
But yeah, if this is the case of "they have the WRONG experience for the new position" then I'd also question why they don't just do internal training and retain existing employees for "the new thing"...
Probably the best example...
When I was at U.S. Navy Nuclear Power School (Orlando, FL) back in the early 80's, there were a lot of officers (as well as us enlisted types) at the school, in 2 different buildings. Between the officer's and enlisted buildings, there was a large circular sidewalk. One day the entire officer class was walking on the circle, and they deliberately went "the other way" so they wouldn't have to salute anyone. Now the military REQUIRES enlisted people to salute officers, and the officers are supposed to salute back.
Well, I was walking 'that way' and needed to walk around the circle to get to where I was going. So I went along the same path as the entire officer class, and basically SALUTED THEM ALL, with a nice fat grin on my face. Yeah, it was kind of a joke.
A couple of years later one of the officers (being Engineering Officer of the Watch) was telling a story in the maneuvering area (where the engine room control panels are, including reactor control) and I was the reactor operator, and he was telling this story about how "some enlisted guy" [or similar] caused his entire class to have to free up their saluting arm and salute him.
"Hey that was me!"
In any case he didn't appreciate the joke, even a couple of years later. Nothing ever came of it, of course, since I didn't do anything "wrong" but it was typical of me to be "overly military" as a form of humor.
Related, whenever I spoke over the P.A. system (the shutdown reactor operator had supervisory authority over the engine room most of the time while in port) I always used a 'near gravel' voice, spoken close to the microphone, in a manner similar to Officer Jack Friday from Dragnet. One officer commented that it sounded "overly official". And of course, it did. But then again, who's gonna get you in trouble for being "too military" ??? [and it was always clear and easy to understand]
icon, because, devilish humor
usually, I prefer something that lacks "feature creep", i.e. the developers focus on PERFORMANCE instead of "new, new, shiny" and PISSING! ME! OFF! with features like Australis 2D FLATTY McFLATFACE everywhere...
"let's compile everything to machine language", if it provides PERFORMANCE, sounds good to me.
What I don't want: another thing WORSE than the BRIGHT BLUE ON BLINDINGLY BRIGHT WHITE 2D FLATTY McFLATFACE look that has been CRAMMED UP OUR ASSES for the last several years...
/me still uses an ESR version of firefox that pre-dates 57 with the "classic Firefox" plugins, on Linux and FreeBSD. And I don't surf the web from windows. So there ya go. no need for 'feature creep'.
Modifying the browser extension APIs in an underhanded way that seeks to underhandedly remove choice and freedom from the customer base will ONLY create a vacuum, into which a competing product can jump.
The bar is higher now, because of all of the "scripty" crap, and it's not just HTML any more, it's HTML5 and backward compatibility and DOM and plugins and who can imagine what else...
But I've been *VERY* irritated by the directions that browsers are heading into. I think that a 'webkit' kind of approach is the correct one, in which the front end (like Midori as one example) uses a standard engine (like webkit, for example) which is adapted for your GUI toolkit (like gtk or Qt, for example), to run on "your platform".
So I should be able to use "my front end" which is 3D skeuomorphic and has built-in 'NoScript' and URL black-listing capabilities, for example, as a WRAPPER around "the rest of those things", to provide a competing browser that has some straightforward ad-blocking capability. And the vast majority of the security-related problems would be in code I don't have to maintain.
yeah, just need $$$ so I can devote time to it...
well, if "strip cookies" is possible, why not "strip script" ? And, if the script is "any 3rd party javascript" or "any URL matching a pattern" (such as 'analytics'), it would greatly simplify the ad blocking, wouldn't it?
Do most everyone else pretty much agree that the SINGLE! BIGGEST! PROBLEM! is the 3rd party javascript being used by ads and "tracker bugs" ? And that if we SIMPLIFY getting rid of those things by stripping them out of the content, EVERYONE would be better off???
this is what I expect from Fa[e]cebook.
After they confess, pay the fine, and the investigations stop, will they turn over a new leaf?
_I_ _DON'T_ _THINK_ _SO_!!!
Yeah, after they wash away their sins, with the fresh scented "sinner's soap" of FTC fines and promises not to do it again, it will merely leave them with that "do it again" scent so they can rinse and repeat...
No matter how much Micro-shaft tries, they'll NEVER replace C++ and native Win32 calls with their bloatware ".Not" no matter WHAT they call it.
And I'd be better off targeting GTK or Qt if I want cross-platform. Trying to shoehorn ".Not Core" into POSIX operating systems is laughable, at best, frightening at worst, and yet another "Embrace, Extend, Extinguish" attempt to those of us who actually KNOW better.
I was a total Microsoft Windows fan up until the announcement of the ".Not Initative" when Ballmer took the reigns. The 1997 PDC here in San Diego was the last conference I went to. I instinctively knew that Micro-shaft had made a sharp turn and was heading into the WRONG direction.
So the idea that they've taken something that worked really well in DevStudio for C++ applications ('data changed' breakpoints, something I have made use of before, LONG ago) and _FINALLY_ got around to putting into the ".Nonsense" side of things, it's no great accomplishment. Wheee.
I got used to MFC with the old 'Visual C++" stuff, back in the 16-bit days, even, and I think *THAT* IDE [which was VERY typist-friendly] is STILL BETTER than anything that Micro-shaft has produced since they went all VB-ish with their "properties" windows for dialog controls, etc.. Class Wizard and dialog control properties, the way it was in DevStudio '98 (pop-up tabbed dialog boxen) was MUCH easier, especially for dialog boxes.
Anyway, I've always liked the integrated debugger, having had to use CodeView before that, with dual monitors even. But I don't do C-pound nor ".Not" and so it's no wonder I didn't know the features were missing...
Icon, because this is all like "whoopeee" and "wheeee" without the exclamation points, bold text, nor capitalization.
I'd like to see a Supreme Court ruling on this one... just to see where it stands on privacy vs law enforcement encroachment. 4th and 5th ammendments to the constitution, to an originalist (like Trump's appointees) should be CLEAR on this one.
So what we need to see is whether the liberal and conservative halves of the Supreme Court are going to rule in favor of law enforcement enroachment in the name of "security", or whether they'll rule in favor of PRIVACY and FREEDOM.
It should be an interesting show, nonetheless. I suspect you'll see at least half of the libs siding with the ACLU, and most of the conservatives, unless there's some compelling national security issue to prevent it [which I suspect is NOT the case, hence redacted version at the least].
With all of the dirty shenanigans going on in the DOJ (in particular, the well known former top level people at the FBI and Attorney General's office) this should be a no-brainer slam dunk in favor of privacy, transparency, and public interest. Why the judge did NOT even allow the redacted version is beyond me...
it's also possible to study for an IQ test in order to improve your score... so think about THAT one.
and IQ tests are notoriously oriented towards college students. Some people even claim they're oriented towards particular "groups" of people, usually "identity politics" kinds of groups.
My IQ was actually unmeasurable when I was 6 years old. They were trying to force me to be drugged because I disrupted the class, being so bored, already knowing how to read at 2nd or 3rd grade level while in kindergarten, reading a 1st year medical book the family doctor gave me because it was cool and interesting, and I guess I was just "the nail" that stuck out, to be HAMMERED BACK INTO PLACE.
Needless to say, the family doctor and my mother insisted I get an IQ test, so the school did that, and I thought I was in trouble when the teacher showed me some Rorschach drawings, and of course one of them looked like a bat, and one of them I described as "cellular mitosis" (trying to impress with big words, typical 6 year old) and the teacher said "what?" and I explained, "see, that looks like the chromosomes dividing". Teacher left the room and I thought I was going to get into trouble. An interminable period of time later, some older guy started timing me solving 3 dimensional puzzles with blocks. Years later, I find out: my IQ was off the scale.
No @#$%^ this really happened.
But yeah I was held back for the remainder of my education, so that I'd be turned into a "bright lazy" (as my old college chem professor for 'honors chemistry' would say, kids so smart they never have to work hard, and get easily bored, and with the RITALIN NAZIS, end up addicted to speed) because, after all, THE NAIL THAT STICKS OUT GETS THE HAMMER, because, social justice, because, equalize outcomes, and most people are just TOO BUSY LIVING THEIR LIVES to notice, and kids don't know any better.
In any case, IQ is interesting but actual ACCOMPLISHMENTS, not academics nor IQ test results, need to be the measuring standard.
on a side note...
"the increase in the welfare budget has been increased spending on pensions."
Similar problem on this side of the pond. Solution: re-define what "retirement age" is to reflect people's ability to work and normal life expectancy. And make sure there's no "age discrimination".
Coming from someone who is getting close to that magic '65' (me), I do _NOT_ want to retire [I shall work until I am dead], and I believe it is high time that the retirement age is re-defined at 75 or 80, in rapidly incrementing steps - like 2 years per year. So next year, it's 67, then 69, then 71, then 73, and so on all the way up until it hits something more reasonable.
Because, when much of these austerity/retirement/social-security/whatever government payouts were conceived, the average age of humankind was *BELOW* the retirement age. yeah.
No WONDER it's getting so expensive!
how about 'goodbye blog sites' in general?
It has been possible for as long as there has been an internet for people to accidentally download "illegal" content, from kiddie-pr0n to terrorism stuff, on ANY web site that can be uploaded to, before the moderators have a chance to take it down.
If _INADVERTENTLY_ downloading such a thing results in PROSECUTION, the law has GONE TOO FAR.
atril seems to work for me, on POSIX systems anyway. I don't want to use evince on POSIX systems any more since (if I remember correctly) the last one I tried to install dragged in all of that MONO crap... I guess 'tomboy' wasn't enough, and the gnome 3 dweebs "decided" to use evince as a way of injecting MONO.
(e-vince does have a winders version and so I'll begrudgingly use THAT one until something better comes along)
A couple of years ago I bought a reconditioned box [to use for windowsy things] with 7 on it, and it had the adobe crapware PDF reader pre-installed. THE! DAMN! THING! INSISTED! ON! GETTING! MY! E-MAIL! ADDRESS! AND! MAKING! ME! LOG! IN! TO! READ! A! SIMPLE! PDF! FILE! and didn't stop IRRITATING me about it, either. What the *FEEL* is this SPYWARE doing on my computer? Well it got uninstalled...
one of the problems is that (after updating it) ".Not" insists on scheduling that background ".Not" pre-compiler / updater. It is *COMPELLED* to pre-compile all of that ".Not" crap your applications will *NEVAR* use. Oh they might call it an "optimizer". But seriously, it's ONE of the big reasons why ".Not" is "dot CRAP". And C-pound along with it.
Also keep in mind that if you aren't using any compression on your hard drive, that the CPU utilization for a disk-intensive process will be VERY low.
"after doing a detailed investigation, we got an excellent high availability IP/DHCP/DNS solution that plays well with everything and configured AD to use it"
well said! And yeah, this is in line with what I was saying and thinking at the time I wrote it...
Even a 'canned' WiFi AP solution for DNS and DHCP would work better, in my opinion. So you plug a WiFi AP into your network, to provide wifi. And then you configure DHCP and DNS on it. And then you configure your active directory stuff to USE THAT instead. And the problem with Micro-shaft's horrible DNS+DHCP solution "just goes away". Or use a commercial provider of a better overall solution in lieu of the WiFi AP, whatever.
people actually use windows server's DHCP ? I would think that MOST people would have the sense to use a Linux box for that, particularly an embedded system... as in a typical DSL or cable modem box, with a built-in wifi access point, firewall, DHCP, DNS gateway, and so on.
But that's probably why it's not until 2019 that such a vulnerability was even FOUND, with no reported 'in the wild' exploits for it.
It's more like "chances are, you do NOT" for using Micro-shaft's DHCP server on a windows server box.
ack on the 'launch the hack from there' - I figured Tor network at the very least, or the dozens of computers altready engaged in dictionary attacks against ssh.
A couple of defenses against that, worth mentioning:
a) disallow root logins
b) only enable specific users [that have guest-level] and require 'su' to root to do "anything"
c) forget passwords, certs only
d) use things like 'fail2ban' to reduce the total number of attempts, and keep a log [of sorts] of those who attempt to crack your ssh
this assumes you NEED SSH in the first place (otherwise, shut it off from teh intarwebs)
live VMs typically need config files and daily data snapshots copied to "something" and that's about it. if they break you just re-build them, restore the data, and move on.
And who said it was 100's of TERABYTES anyway? I would expect commercial solutions to already exist, even if it WERE 100's of terabytes.
lots of info out there about replication and using one of the mirrors to do your backups, re-sync after, periodically storing backups in an off-site archive of some kind. Also cloud backups. And so on.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
