Slashdot Mirror


User: _merlin

_merlin's activity in the archive.

Stories: 0 · Comments: 1,467

Comments · 1,467

  1. I said "disconnect from USB" - maybe I should've explicitly said "USB data" but I'm talking about when I have it on my desk connected to my PC with USB to transfer data. Sometimes picking the phone up to read a message is enough to cause the USB data connection to drop.

  2. I have a Galaxy S8 with USB type C. I'm underwhelmed. The connector is loose, and it can disconnect from USB if you pick it up from the desk to check something on the phone. I've accidentally not charged my phone overnight because I didn't have the connector in properly. And it's a total mess because you don't know by looking at the connector what it supports. Does it support Thunderbolt-style PCI-e and DisplayPort packets? Does it support analog audio? Does it support USB 2 mode, or only USB 3 mode? Does it support power in, out, or both? At what voltage/current? It's one connector, but it's really easy to end up with two completely incompatible devices.

  3. Re:In before smug Apple fans on Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com) · · Score: 3, Informative

    If, as the summary suggests, this allows arbitrary code to run with elevated permissions simply by viewing a PNG image, then this could be exploited to install malware that runs as root with access to all the data on your device, all your accounts, ability to modify any app, etc. That's pretty fucked up. (Yeah I know summaries can be misleading, but I have a relatively low UID so I've been conditioned over years to never RTFA.)

  4. Re:In before smug Apple fans on Android Phones Can Be Hacked Remotely By Viewing Malicious PNG Image (csoonline.com) · · Score: 2

    As an Android user, this is pretty shitty. If it allows arbitrary code execution in privileged context, that means your phone can be rooted just by looking at a web page. Once that happens, you need to restore a clean firmware image or you simply can't trust the phone. That's far worse than being able to access camera/mic if a feature isn't disabled.

  5. Haha back in the day, Win95 was derided as bloated, slow, and unresponsive. It was funny but responsiveness seemed to stay the same as computers got faster and software got correspondingly more bloated. Time to launch the current version of MS Word for Windows was roughly the same from a '386 with Windows 3.1 up to a Pentium II with Windows 98.

  6. Yeah, but the more systems you have available, the more chance there is that at least one won't be controlled by a lunatic, or at least one will be controlled by a lunatic who's roughly aligned with your interests today.

  7. Re: Could be true but irrelevant on Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com) · · Score: 1

    How could you access the "cut off" email service from your old ISP?

    Note that I used the words "either" and "or" in that sentence. In the case where a legitimate user has a valid session cookie but can't remember their password, they can use an e-mailed code to recover their account. If they don't have access to their e-mail account but can remember their password and/or have access to another authentication factor (YubiKey, fingerprint, etc.) they can use that to reset their e-mail address.

    If there is really a breach, the attacker would have already known the password to get into the account and change the corresponding email.

    The GP (or GGP or whatever) was talking about the possibility that passwords haven't been compromised, but rather session management is broken or has been compromised. In this case, the attacker doesn't know the password - they either steal or forge a valid session cookie and use that to access the account. If the service allows the e-mail address to be changed with nothing more than a valid session cookie, this kind of attack is very easy. That's why some sites require you to enter a password to change your e-mail address or other potentially sensitive tasks when you're already logged in. It's to protect against attacks on session management.

    (I realise e-mailing codes is pretty weak, as e-mail is only encrypted in transit and gets decrypted at each MTA on the way, and it's vulnerable to DNS hijacking, etc. But that and equally insecure SMS seem to be the most practical ways to allow account recovery when people inevitably forget their passwords.)

  8. Re: Could be true but irrelevant on Users Complain of Account Hacks, But OkCupid Denies a Data Breach (techcrunch.com) · · Score: 1

    That falls over when you need to change your e-mail address because you signed up using your ISP e-mail address and you've changed to a different ISP, or your old web mail provider cut you off. A more workable way is to require either a confirmation code from the old e-mail address, or the password to be entered, or some other authentication factor (e.g. YubiKey or fingerprint) before allowing an e-mail address change. That protects against stealing a session cookie and still allows you to update your address if you lose access to the old one.

  9. Re:SSL over HTTP/HTTPS for the win on US Senators Ask DHS To Look Into US Government Workers Using Foreign VPNs (zdnet.com) · · Score: 2

    At one place I worked they blocked certain HTTP headers with a (not so) transparent proxy. It was so annoying that we took to tunnelling data over ICMP echo requests to work around it.

  10. Re:Have you considered on Finland Basic Income Trial Left People 'Happier But Jobless' (bbc.com) · · Score: 1

    Hong Kong works like that - you don't need to pay your taxes until they're assessed. You can pay a percentage of your wages into a kind of tax saving account that you can only use to pay taxes and withdraw the difference at the end of the financial year. But if you're disciplined, you're better off investing it in a low-risk mutual fund or something because you'll earn higher interest.

  11. Re:The Results on Finland Basic Income Trial Left People 'Happier But Jobless' (bbc.com) · · Score: 1

    Yes, and Branson is still a very hands-on managing director. It's not fair to say Branson doesn't put in work.

  12. Re:AT&T is calling it 5G Evolution on Sprint Sues AT&T Over 5G Branding (reuters.com) · · Score: 1

    LTE actually is 4G. What AT&T did was get phones with their branded firmware to display a "4G" annunciator in W-CDMA HSPA+ mode. This is an enhancement to 3G UMTS W-CDMA and phones usually use a "3G H+" annunciator for it.

    Everyone calls LTE 4G - it's a completely different technology (OFDMA/SC-FDMA with cyclic prefix rather than CDMA), and gives far better battery life as well as better data rates. But AT&T is now using "5GE" branding for faster modes of LTE. Other carriers call this "4GX" and it typically doesn't show a different annunciator to other LTE modes. (For example I have a Galaxy S8 that shows a "Telstra 4GX" splash screen on boot, but just shows the regular "LTE" or "VoLTE" annunciators for all LTE modes.)

  13. Re:Updates lately have been great on Researcher Reveals a Severe, Unpatched Mac Password Flaw To Protest Apple Bug Bounty (venturebeat.com) · · Score: 1

    Yeah, I used to use MacBook Pros and before that PowerBooks, but I've switched to Dell Latitude. This notebook is unglamorous black plastic, but packs in a lot more functionality for the price, has three USB type A ports, gigabit Ethernet, HDMI, and user-replaceable RAM, SSD, battery, and even keyboard and display. No-one who cares about functionality would be using a MacBook at this point.

  14. Re:Wonder how many empty and error just don't have on How Many .com Domain Names Are Unused? (singaporedatacompany.com) · · Score: 1

    Yeah, I have domains where the base domain just gives a 403 but subdomains are used for various things, or / gives a 403 but other URLs have content on them. My wife's e-mail is on a domain that serves a placeholder page with two sentences of text on it. I had someone asking to buy it off me as I'm clearly not using it and she didn't understand that there are more services than web sites.

  15. Re:Paid a fraction on what Americans get & it on India's Largest Bank SBI Leaked Account Data On Millions of Customers (techcrunch.com) · · Score: 1

    There's a key cultural difference here - in China and India, you don't question the person giving the orders (the customer when they're paying you, or your boss). I've seen this go badly in various ways. For example two Chinese student pilots in Melbourne were practicing a landing. The pilot forgot to lower the gear, and they walked away unhurt from a belly landing. When asked, the co-pilot said he realised the pilot hadn't lowered the gear, but had said nothing because he didn't want to disrespect his superior (as co-pilot, he felt that the pilot was his superior in that situation). Of course, this defeats the purpose of having the co-pilot in the first place.

    As an Indian Australian running a business in China, I find this frustrating at times. If someone nominally subordinate realises something I ask for is a bad idea, I want them to tell me before we waste time/effort/money on it. In Australia, people will let me know pretty quickly, but in China I have to actually ask if they see any issues, or they're unlikely to tell me due to cultural hangups about questioning your superior.

  16. If you need to enter a lot of numbers, the numeric keypad is worthwhile. For example, if you're using a trading terminal, or dealing with a lot of IPv4 addresses, or various kinds of data entry. It's also useful if you use a keyboard layout that uses the topmost row for additional letters/diacritics (e.g. Japanese Kana, or Viet TCVN 6064) so you can type numbers without having to hold Option/Alt. And if you're a hardcore vim user, you can enable application keypad mode and map the numeric keypad to different things in normal, visual and insert modes to suit your workflow.

  17. Re:Good 'ol Days ... on The Apple Mac Turns 35 Years Old (theregister.co.uk) · · Score: 1

    They were always called "applications" on Macintosh. It's even reflected in the type code "APPL" used for applications.

  18. Re:This makes no sense on China Creates App To Tell You If You're Near Someone In Debt, Encourages You To Report Them (techspot.com) · · Score: 3, Interesting

    Nah, it's because Chinese personal bankruptcy laws are pathetically weak. There are people who either rack up debt they can't pay, or just don't pay debts when they're capable of it. If an individual debt is below a certain level, it's very hard to sue the debtor, and with the weak bankruptcy laws you can't get their assets liquidated and/or restrict them from running a business. Fixing or improving the laws for better protection against deadbeat debtors would be hard, because the Chinese government isn't a coherent unit, it's a massive bureaucracy that barely functions. Making this app to try and shame people into servicing their debts and/or get people to avoid doing business with them is far easier.

  19. But do they still have the team that developed the original Metroid Prime trilogy? Game developers are highly mobile, and the studio may have lost the talent that made the Prime trilogy what it was.

  20. Re:There is 20 year old software that does this on Emulator Project Aims To Resurrect Classic Mac Apps, Games Without the OS (arstechnica.com) · · Score: 1

    Mac system software is only licensed for use with Apple hardware, so even if you're allowed to download it you're still infringing the license if you use it in a different way.

  21. It might be an unlicensed clone. I remember a widespread LodeRunner clone for classic Macs called "LodeRummer". I wouldn't be surprised if there's one called "LoadRunner" as well.

  22. System 7.1 booted off a SCSI Zip drive is fine on a 2.5MB Mac Plus. A SCSI hard disk is fine, too. It's not like everyone just used the built-in drive.

  23. Re:A VPN is a red light in China on Microsoft's Bing Search Engine Goes Offline In China (france24.com) · · Score: 1

    It's all a song-and-dance to make people self-censor. When the rubber hits the road, they still want businesses to operate in China, and that means some degree of pragmatism. Businesses use L2TP VPNs as well as SSH in and out of the country all the time. I know this because I'm SSH'd into my production servers in China from outside the country now, and when I'm in China, the guys in China are SSH'd to the servers in Europe and Australia. Also, do you think market makers like Optiver are going to trade Chinese markets without being able to run secure connections to their regional head office in Sydney?

  24. Re:I Use Bing In China on Microsoft's Bing Search Engine Goes Offline In China (france24.com) · · Score: 1

    Just SSH to a VPS somewhere in Europe and use it as a SOCKS proxy (-D option on the command line with OpenSSH, or choose "Dynamic" in PuTTY). Or you could get a business connection that doesn't block L2TP - often the same ISP will block L2TP on personal use connections but not business connections, because they know they'd kill a bunch of businesses outright if they did that.

  25. Re:China is making itself an island of technology on Microsoft's Bing Search Engine Goes Offline In China (france24.com) · · Score: 1

    It provides rubbish when you search in Chinese, too. See my other replies elsewhere in the thread.