Posts by Adam Azarchs

177 publicly visible posts • joined 28 Jul 2006


Over 170K users caught up in poisoned Python package ruse

Adam Azarchs

Re: Stolen Cookies

Because if you're using a website from a phone while on a train, your IP address will be changing constantly.

OpenAI latest to add 'Made by AI' metadata to model work

Adam Azarchs

This could be useful...

If, and only if, non-AI-generated content all starts using this as well. So if for example cameras started to sign the images they produced (would have to be with a hardware-protected key, which certainly complicates things). And then photo editing tools would need to sign their output as well (including whether or not whatever they started with was signed). That gets even trickier unless it's a cloud based tool, because keys can always be extracted from local software. It's not going to be easy.

Basically, it's not very helpful until things get to the point where _not_ having that provenance information starts to become suspicious.

Jury orders Google to pay $340M patent-infringement damages over Chromecast

Adam Azarchs

Re: How does one get such patents in 2010

> they should have either tried to have the patent not be granted (they knew about it before it was granted/ cancelled

In principle, yes, however in practice it's actually quite difficult to challenge the validity of a patent until you've been sued over it. While it's pending there are channels for submitting examples of prior art, but you can't challenge anything else about it then either.

Microsoft's GitHub under fire for DDoSing crucial open source project website

Adam Azarchs

This isn't exactly Microsoft's fault.

They're running the infrastructure, but if a GitHub user writes a script that downloads a file from some server and then tells GitHub to run that script hundreds of times in parallel, I don't see how Microsoft is the one to blame here, any more than if someone did that on AWS or some other cloud provider. They do have a responsibility to monitor for malicious usage of their service, but this case isn't clear cut in that regard.

The project in question, on the other hand, can and should do better than just randomizing the cron job's timing. It should be making use of the caching that GitHub actions provides.

SAE says yes to making Tesla EV chargers an American standard

Adam Azarchs

CCS may be a standard, but not a good one

The adapter for CCS is enormous. I don't think it would physically fit anywhere convenient on a model 3. It's loaded down by decisions that only make sense in the context of backwards compatibility with standards that were developed before anyone was actually buying electric cars. At this point, Tesla has sold many more vehicles (and installed many more charging stations) using their for-the-moment-priority adapter than the cumulative total sold with CCS. If we're going to ditch it, now's the time.

Google Go language goes with opt-in telemetry

Adam Azarchs

Just to be clear, the proposal is for telemetry of the compiler and related tools, not anything affecting the build outputs. And if you read the proposal you will see that the data collection is very carefully designed to be highly resistant to fingerprinting and such. Whatever you think of Google as a whole, there are definitely smart people there who do care about privacy. Though, caveats about the possibility they'll get fired and replaced at some point do of course apply.

Open source at America's famous Los Alamos Lab: Pragmatism as its nucleus

Adam Azarchs

Re: Mission-Creep Spiral

https://www.smbc-comics.com/index.php?db=comics&id=1522

Eufy security cams 'ignore cloud opt-out, store unique IDs' of anyone who walks by

Adam Azarchs

Re: Disappointed

Hard to say whether this was malicious or just incompetent. There are very few companies that try to do Internet-connected security correctly. Anker / Eufy seem pretty good at hardware but apparently software is another thing entirely.

Part of the problem here is web standards. It's nearly impossible to do https without phoning home to a cloud server. And the companies that are essentially in control of those standards (Google, Amazon, Microsoft, et al) have no interest in changing that. That doesn't excuse sloppy storage of data once it gets there of course, but it helps to explain why it's possible in the first place.

Google's big security cert log overhaul broke Android apps. Now it's hit undo

Adam Azarchs

Re: What about old software

"bit rot" is real. Unmaintained components eventually stop working, either because (as in this case) some public API it relies on changes, or because it depends on some other library that makes a change (and it didn't constrain the versions for its dependencies properly, or honoring that constraint breaks something else), or because the underlying platform / standard library changes something, and so on and so forth.

While it's certainly true that many end-user-facing "updates" are crap, that tends to be less true for the library components from which that software is assembled. Yeah, you need to test updates (just like any other kind of change) but taking bug fixes as they come in is pretty essential. Waiting until you're forced to update some dependency probably means accepting a jump of several versions at once, which makes it harder to track down the problem when something inevitably breaks. And it shouldn't be much work, if you have a proper automated test suite set up. Dependabot (or renovate or any one of a number of other automated tools) opens a PR, you wait for the tests to pass and then you hit the merge button. Easy. But smaller app makers might not have invested in that kind of automated test infrastructure. Writing tests just doesn't feel like it's getting you closer to launching your product (even if basically everyone who's studied it agrees that time spent writing tests pays for itself very quickly...)

Google's Go may add telemetry that's on by default

Adam Azarchs

Re: opt-out of a surprise.

If you actually read the blog posts detailing the proposal, you'll see they are very much NOT suggesting collecting that level of detail. Only coarse-grained information like operating system version (e.g. Windows 8, but not which service pack, or gcc version 9 but not which minor version or build). That can inform important decisions like what to continue maintaining support for. It's also coarse enough to prevent fingerprinting. I'm not saying the proposal is without trade-offs, but it's sad to see a knee-jerk reaction to the word "telemetry" from people who haven't even investigated what exactly is being proposed.

Nearly 300 MSI motherboards will run any old code in Secure Boot, no questions asked

Adam Azarchs

TPM is quite useful for storing e.g. full disk encryption keys. Not so much for securing things from you as for securing your things from people who might gain physical access to them.

TPM got a bad start, reputation-wise, because probably the first place most people encountered them was as the place where Blu-ray players stored their keys, but there are quite a few less-controversial use cases for having a place you can store an encryption key with reasonable confidence that no one will be able to extract it without your password.

Chinese researchers' claimed quantum encryption crack looks unlikely

Adam Azarchs

Re: To be fair:

Just look at how many people are still using sha1 (or even md5). Change the recommendations today, and _maybe_ 15 years from now, when attacks actually become practical, no one will still be using vulnerable algorithms. There's a lot of inertia in protocols, for both good and bad reasons.

Also, it's not always possible to have perfect forward secrecy; stuff you're encrypting today might still be useful to an attacker by the time they're able to break it. The earlier you upgrade your crypto, the more stale (and therefore hopefully useless) the information will be by the time someone can easily break it.

US Air Force tests its first fully functional hypersonic missile

Adam Azarchs

Re: Oh boy

It's less about being able to shoot the missile down (which would be nice, but not actually terribly important to our defensive strategy) than it is about whether your target sees the missile coming early enough to have a chance to launch their counter-strike before your missiles disable their ability to do so.

America's nuclear fusion 'breakthrough' is super-hot ... yet far from practical

Adam Azarchs
Boffin

Laser ignition fusion

Is not, and will probably never be, a practical source of energy. That's not what it's for. It's for simulating hydrogen bombs. If you want something with a sliver of a chance of eventually being viable as a power source, then you want magnetic confinement (e.g. tokamak or stellarator). Or gravitational confinement (e.g. solar, but that's too practical to be fun to talk about).

Aside from the engineering challenges, we're also running into a problem in that we're running out of tritium. The plan was supposed to be that we'd have working fusion reactors by now, that could produce enough neutrons to make enough tritium to keep the whole process sustainable. But we don't, yet, and the tritium made during nuclear weapons manufacturing is well past its half life by now. It's been pointed out that the sun's power density is comparable to that of a human (though it makes up for that with size); this is because the fusion reaction (mediated by the strong force) is rate limited by the dearth of neutrons - combining a proton with an electron to make a neutron is a much, much slower reaction, mediated by the weak force. If you try making a human scale fusion reactor with regular hydrogen, you won't get very far.

California wildfires hit CTRL+Z on 18 years of CO2e removal

Adam Azarchs

Re: Mismanagement

This is not really true. Natural wildfires historically happened during the rainy season, because they were started by lightning. Because the rainy season is generally colder and wetter, the fires would burn through the undergrowth but leave the larger mature trees mostly intact. By contrast, the recent fires have mostly been caused by human ignition sources, during the driest, hottest times of year. Worse, many were caused by electrical sources on days with high wind. Those fires spread much faster and burn much hotter than the natural fires, and are thus far more damaging. Some of the most damaging fires in recent years started or spread through regions which had had fires or were clear cut just a few years previously, so you really can't go blaming historical fire suppression efforts for them. The mismanagement line is popular with a certain crowd that wants to authorize more clear-cutting, though.

Adam Azarchs
Boffin

Misleading

> The study didn't account for the growth of new vegetation in fire-swept areas

That's a pretty important caveat. In a steady state, forests fix some carbon, but dead leaves and wood also release carbon (and methane, which is worse) into the atmosphere as they rot. On the other hand, charcoal, once buried under new growth, is actually a really good way to sequester carbon. And recently burned areas are going to see very rapid vegetation growth, which will fix carbon. So yeah, over time scales of a few years, forest fires release lots of carbon, but over multi-decade timescales I suspect that a forest that gets periodic alternating cycles of fires and regrowth is going to sequester more carbon than one which doesn't. Especially if those are relatively cool fires which burn the undergrowth (which grows back very quickly) but leaves the big, mature fire-adapted trees behind.

That said, while many of these ecosystems are adapted for fire, they're adapted for the less intense fires you get when they're caused by lightning that is usually accompanied by rain (last year's Big Basin fire being a freak exception). In recent years, most of the wildfires in California were caused by human ignition sources, on hot, dry, windy days, when the fires spread faster and burn hotter. So instead of mostly just burning undergrowth and leaving the older trees behind, it burns everything. That's harder to recover from.

Take this $15m and make us some ultra-energy-efficient superconductor chips, scientists told

Adam Azarchs

"a fair price"

Obviously tongue in cheek, but that tends to be how early stage basic research goes. You keep the spending low until you know enough to know more specifically what you should be prioritizing. A lot of early stage ideas are never going to go anywhere. And once the researchers have a proof of concept, there's still a much, much larger amount that will need to be spent to get it to commercial scale production.

Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic

Adam Azarchs
Black Helicopters

As far as the cops are concerned...

When it comes to crime, an ounce of prevention is a lot less fun than pounding down the door of a criminal. So they probably see enabling more crime as a side benefit of these measures, so long as it's also easier to catch the criminals.

(which it won't be, because effective end to end encryption is something you can write the code for on a T-shirt, so anyone who can afford the services of someone who knows what a compiler is and doesn't have much respect for the law will still have it)

For a while the USA classified strong encryption algorithms as munitions for export control purposes. That means our right to encryption is protected by the second amendment, right?

Fans of original gangster editors, look away now: It's Tilde, a text editor that doesn't work like it's 1976

Adam Azarchs

Re: Use Libreoffice

... if the sledgehammer were made of plutonium and likely to contaminate the meat of the walnut.

The rocky road to better Linux software installation: Containers, containers, containers

Adam Azarchs

Re: Cleanly uninstalling is impossible

It's certainly possible to make an uninstaller that will cleanly (as in completely) uninstall an application, but it isn't especially common. Most apps' uninstallers will leave some files or registry keys lying around in the hope that the user will some day reinstall the app and want their customized settings to remain. Either that, or just negligence. The issue, I think, is that nothing _forces_ apps to uninstall cleanly, and perhaps more to the point nothing forces apps to have sufficiently hermetic runtime behavior to prevent them creating garbage in all kinds of places that the uninstaller doesn't know to look. That latter problem is of course not unique to Windows; my Linux home directory is littered with .files from programs I've tried out once and then removed.

We were 'blindsided' by Epic's cheek, claims Apple exec on 4th day of antitrust wrangling

Adam Azarchs

That would be a reasonable argument if there were an option to sell your app by means other than their app store; that is to say, if the iTunes app store operated in a competitive environment. It does not. There are, arguably, good reasons to restrict app installs to the app store, but if that is the case then the app store needs to be regulated against abuse of this position, just like any other natural monopoly.

'There was no one driving that vehicle': Texas cops suspect Autopilot involved after two men killed in Tesla crash

Adam Azarchs

Re: Tesla boss Elon Musk has not explicitly responded to the incident

Note the update: that car didn't even have Autopilot installed. So, job done there.

Proof that Surface devices are not a niche product obsessed over by Microsoft fans: A patent lawsuit from Caltech

Adam Azarchs

Re: This still bugs me

Generally when you license something like a chip, part of what you're paying for is for the manufacturer to indemnify you against such patent claims. Which is to say that while Microsoft is the one getting sued, it's Broadcom who will actually be paying. If that's not the case then Microsoft should be a lot more careful with their licensing contracts.

"Good faith" doesn't mean you aren't liable to pay royalties. If you know you're infringing, that makes it willful, which makes you liable for a lot more.

EncroChat hack case: RAM, bam... what? Data in transit is data at rest, rules UK Court of Appeal

Adam Azarchs

Re: Filth

My interpretation of the distinction is that it was intended for e.g. listening in on radio transmissions or splicing a probe into a fiber line. That is, if you have to compromise the premises of the defendant then it's in storage, but if your presence is only in places outside of their physical control then it's in transit. Sealing up an envelope and putting a stamp on it doesn't protect a letter from being taken by a search warrant for your house. It's not in transit until you drop it in the mail box.

In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module

Adam Azarchs

Re: Real problem mentioned first

Making something possible to do right is very different from making you go out of your way to do it wrong. When you're talking about a few million lines of code, written by a large number of contributors, some of them who may have passed away before the youngest contributors were even born, then even if all of them are highly skilled the odds of a mistake creeping in are very high. Human beings aren't perfect, and it only takes one mistake to get a serious security vulnerability in something directly exposed to the internet like https.

This of course leaving aside the fact that though 85% of people think their driving is safer than average, over a million people die each year in car accidents. Frankly, if you say only other people make mistakes I'm going to stay as far away from you as I can. I say this as an expert in the Dunning-Kruger effect.

Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble

Adam Azarchs

Re: eliminating the entire class of errors.

I've never been in a serious car accident but I still think seat belts and air bags are a good idea. Just because it's possible to write secure code in C if you know what you're doing doesn't mean one shouldn't need a pretty good reason to reject languages which make mistakes like that more difficult, especially in code as sensitive as crypto. There's a big difference between "possible to do it right" and "you have to go out of your way to do it wrong." Even if you don't want to go all aboard the Rust train, modern C++ gets you most of the benefits while being somewhat easier to transition to incrementally. If you want to stick to C (and there are reasons why you might want to, for library code like that) then it behooves you to write comprehensive tests and use static and dynamic analysis tools. And you would be doing that even in a safer language like Rust.

Adam Azarchs

Distant state

In well designed code you would keep the state that needs to obey some condition close to (e.g. in the same file, ideally) the functions which manipulate that state or depend on those conditions being true, so that a reader can more easily verify that no one is doing something that violates the assumptions (which are ideally documented in comments). If you have stuff modifying that state from all over the place, without going through some common functions which verify that what they're trying to do is ok, the odds of accidentally making a mistake go up substantially.

Colorado cryptocoin execs spark up blunt '$722m ponzi scheme' criminal charges after investments go up in smoke

Adam Azarchs

The fine might be "only" $250k but they'll still have to give back the rest of the money. That's not a fine but rather restitution.

'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

Adam Azarchs

Wouldn't know about MS, but banks...

HSBC at least I'm certain is storing my password in plain text.

How do I know? Each time I log in they choose a random subset of characters from my password which they want me to enter. I'm not clear on what the point of this process is (making password managers harder to use would be my guess, because their IT security staff apparently live in backwards-land) but unless they've stored hashes for every possible combination of 4-character subsamples of my password (which wouldn't be a whole lot better, mathematically) then they're storing it plain-text.

Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'

Adam Azarchs

Re: If Microsoft's own AV is the best...

That's easy. Because they'd be sued for antitrust. That's an actual thing that happened when they released Defender. Norton sued them and the settlement was that they agreed not to bundle it.

Busted Windows 8, 10 update blamed for breaking Brits' DHCP

Adam Azarchs

I've seen this in the US

I'm stuck with Comcast here, and I have a Netgear router. The other day my Windows 10 machine was getting an IP address in a wrong subnet, and there was some truly weird stuff in the arp cache. No, of course renewing the DHCP lease didn't fix anything. I suspect with basically no evidence it's something to do with IPv6 support since about that time I also started seeing DHCP allocating me an IPv6 address on the internal network.

Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die!

Adam Azarchs

Re: Dear Google,

I mean, I don't disagree that it's a bit ridiculous to force-install flash for everyone but the alternative is to have people install their own version that auto-updates with insufficient regularity. If you don't like it you can always disable it from chrome://plugins.

Surveillance, interrogation and threats: Behind the Nest witch-hunt

Adam Azarchs

Re: Memes???

As a former Google employee, I assure you that was not a typo.

Java API judge tells Oracle to suck it up, quit whining about the jury

Adam Azarchs

Copies aren't illegal unless you claim they are the trademarked brand, which makes them counterfeits. That's a violation of trademark, which google hasn't been accused of.

Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Adam Azarchs

Re: Almost every app I consider for installation

With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.

As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.

Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.

Google Chrome deletes Backspace

Adam Azarchs

Re: Those are some pretty detailed numbers...

No, they don't report every keystroke back. What do you think this is, Windows 10? However, https://src.chromium.org/viewvc/blink?view=revision&revision=202463 added a counter specifically for backspace to collect data to inform this change, as you can see on the discussion on https://bugs.chromium.org/p/chromium/issues/detail?id=413395. Nothing secretive or nefarious to see here, move along.

'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code?

Adam Azarchs

Re: Are these dynamic dependencies really a good idea?

Point taken, but that's what version numbers are for. That's why introducing a new leftpad at version 0.4 didn't fix everyone who depended on 0.3. On the flip side, it does mean that it could take a very, very long time for updates to propagate up the dependency chain, and in the mean time you'll have multiple versions of a package in your project, pulled in as dependencies of other dependencies which haven't upgraded yet.

Jump aboard our load balancing Maglev, Google tells devs

Adam Azarchs

Re: 20 millions line for 900 projects?

Some of those projects are small things like vim plugins. I'd hate to imagine what even a 10k line vimscript would be like.

How the FBI will lose its iPhone fight, thanks to 'West Coast Law'

Adam Azarchs

Re: Indeed

This exists. It's called a TPM, and afaik the iPhone has one. The issue with the iPhone in question, a 5C, is that the OS is on an unencrypted partition so it can be updated without first decrypting the phone. The iPhone 6 does not have this security hole.

Adam Azarchs

Re: Brain Encryption

The first amendment argument (which is their weakest one probably) is not about encryption per se, but about whether the government can force Apple to say something. In this case, that something is "this is an authorized version of iOS" and the way of saying it is by signing it.

Google calls out Comodo's Chromodo Chrome-knockoff as insecure crapware

Adam Azarchs

Re: Firewall

The one built into Windows is perfectly adequate for most needs (though maybe a little tricky to configure for egress filtering). And on both windows and linux there are scores of good open source alternatives.

Reverser laments crypto game protection, says wares dead after 2018

Adam Azarchs

Re: Just works

Many, but not all GOG games are DRM-free. There is a search filter you can apply for it. Generally the older (retro) games are DRM free, but newer ones are less consistent about it.

Brazil gets a WTF WhatsApp moment

Adam Azarchs

Re: Limited?

Users, yes. But not employees or revenue, which are the traditional targets of government punishments.

California cops pull over Google car for driving too SLOWLY

Adam Azarchs

No big deal

That road has 3 lanes in each direction. Go around.

Top VW exec blames car pollution cheatware scandal on 'a couple of software engineers'

Adam Azarchs

Design reviews

If you've ever worked at a company anything like a car company, you know how many reviews and design needs to go through before it's put into production. A lot more than "a few" employees would need to have been in on it, and if no one from such a large set felt the need to run it by a lawyer I'd be shocked. Far more shocked than if I heard the lawyer was told, offered an opinion, and was overruled.

Oi! 'Hands off America's Wi-Fi spectrum' yells, er, the cable lobby

Adam Azarchs
Boffin

What's the point?

The reason the wifi bands are unlicensed is precisely because they don't have much range. Unless you put a very powerful transmitter in, of course, which you don't want to do on a mobile device. So LTE-U will only get to use that spectrum for people very close (probably not much more than 100m) to the tower. Seems like they'd be better off focusing their efforts elsewhere.

Nobel bro-ffin: 'Girls in the lab fall in love with me ... then start crying'

Adam Azarchs

Proof

Proof that he's not just bigoted against women, but also homosexuals.

Ding Dong, ALIENS CALLING

Adam Azarchs
Headmaster

Re: Don't they know anything?

No, not the main deflector. That's for weapons fire. You're thinking of the navigational deflector, which while sufficiently powerful to deflect pretty much any 21st-century weapon, isn't capable of deflecting things like photon torpedoes with kilogram-scale antimatter warheads.

Secure microkernel that uses maths to be 'bug free' goes open source

Adam Azarchs
Boffin

Technically speaking...

Windows uses a microkernel architecture as well. It's just hard to tell under all the layers of proprietary.

New Star Wars movie plot details leak, violate common sense and laws of physics

Adam Azarchs

As fans on the expanded universe know...

Luke's hand ended up in an imperial storehouse, where it was used to create the evil clone Luuke.

And there were waaaay more than just the 2 failed superweapons. In addition to the two Death Stars and the prototype, there were the Eyes of Palpatine, the Sun Crusher, the Tarkin, and the Galaxy Gun, just to name a few. Turns out diversification of military assets is something the Imperials never caught on to.
