The browser does TLS, so system access doesn't give you access to monitor it. Not using safe APIs. An attacker with root could dig into your RAM or whatever, but that's not a safe approach.
For scale, that's similar to Tesla's total R&D budget on everything (batteries, motors, the overall car, autopilot, etc). It represents about 12% of Ford's total R&D.
Your concern may have some merit.
Just be aware of the trade-off. Remember the $100 million hack yesterday, where the same company got hit twice in eight months, from phishing attacks? Corp sec could have prevented those if they had visibility into what pages the employees were loading. They could have seen the employees entering their ldap credentials into corporateHR.ru and prevented it. Our SOC catches a LOT of that stuff.
Also catches and blocks a lot of malware, crypto-locker style ransomware, etc.
So you have to decide which is worse - crypto-locker and the bad guys having your ldap credentials, or your fear of the NSA seeing you reading Wikipedia. I don't think either answer is always right.
I suspect most people reading this haven't worked in a SOC, so they won't appreciate how much truth there is in what Bobmorning said.
> There is a delicate balance between having situational awareness of what is going on in the network versus
Exactly. We have systems that can see when a site is trying to do a drive-by malware installation or whatever, lots of ways to protect people in some pretty advanced ways. We can't protect what we can't read, though. So there is a balance. Encrypting everything makes it easier for the bad guys to send bad stuff to and from your machine without getting caught. So the ideal is neither "encrypt nothing" nor "encrypt everything as if it's a state secret". The best ways to protect against various attacks are situation dependent. For reading Wikipedia, unencrypted is probably safer overall. It's also faster - https can't be cached.
BTW you made a very good point in this other post, though I don't think most people have the background knowledge to fully appreciate your point.
https://tech.slashdot.org/comm...
> They had to divest themselves of the CA business because they prove themselves repeatedly to be not trustworth
Symantec couldn't be trusted, therefore they couldn't have a CA business. That seems to indicate that untrustworthy companies can't be CAs (for long).
The number one reason, from my experience, is that if people see warnings a lot, especially for dumb things, they are quickly trained to ignore warnings. Microsoft learned this lesson with their first attempt at UAC. SELinux had a similar problem for a few years.
For best security, you should alert people to actual security problems, and only problems they can do something about. Reading Wikipedia over http is not a problem.
Also, Bobmorning makes a good point here:
https://tech.slashdot.org/comm...
The security systems that are supposed to protect you can't see all the malware being downloaded onto your system, the data being exfiltrated, etc when everything is TLS.
The best case for the insurance company is that claims aren't filed, and they don't have to do investigations or pay lawyers, they just collect premiums and use about 10% of that on compliance measures. It's not only cheaper for them to not have to deal with claims, but fewer $100 million claims means their risk is lower, their quarterly numbers are more predictable. That's good for them overall, and reduces their rate for re-insurance (the insurance that is purchased by insurance companies).
You may have had experience related to insurance and the fire code. Someone may have walked through your office building doing a fire inspection, looking for things like power strips plugged into other power strips, which are in turn plugged into another power strip. That fire inspection was likely done for insurance reasons. The insurance companies created the National Fire Protection Association, which writes the fire codes, and also created Underwriters Laboratories (UL), which does fire testing and allows its logo to be put on tested products. You've certainly seen products that are UL listed, UL registered, and UL certified. These are some of the ways that insurance companies encourage fire safety.
If you don't comply with fire code, if you're using electrical appliances that aren't UL listed or better, the insurance company will start taking actions that encourage safety compliance. That can range from simply issuing a recommendation to raising your rates until you comply, and even saying "if this problem isn't fixed within three months, we will no longer cover you for electrical fires". The insurance company analyzes the risks and sets rates and other conditions appropriate for the level of risk.
My company, which does cybersecurity, is working with insurance companies to rate cyber risk the same way they rate fire risk. A company's rates will depend on what safeguards they have in place. Take Windows updates for example. If you roll out all Windows updates within 24 hours of release, you'll get the best rate. Roll them out within 2 weeks and you'll get a middle rate. Have XP servers exposed to the internet? The insurance company will probably give you 60 days to fix that, or you're no longer covered for certain things. It's not an all or nothing thing. We deliver a big report, it can be over 100 pages. Each thing in the report can increase or decrease the rate they pay for insurance, or cause the insurance company to not cover certain things until they get fixed.
Here they had a huge loss due to phishing. When paying out that first phishing claim, the insurance company probably said "we don't want this to happen again. In order to be covered for future phishing, you need to reduce your risk by doing x, y, and z". Sure enough 8 months later, another huge loss due to phishing. The bank probably didn't put proper measures in place to mitigate the risk.
One way to reduce phishing risk is for corporate security to send out a "phishing" email about once per month. Employees who click the link see a page reminding them about phishing. Employees who click the "report this email" button in Outlook get a smiley acknowledgement that they did the right thing.
Suppose Russia isn't constantly trying to hack the US.
We have daily news reports saying they are, that essentially they are fighting a cyber war against us and that's been going on for years, but we'll assume for a moment that is false.
Nobody is doing anything about it, of course. Neither Obama nor Trump fired a barrage of missiles in a counter-attack, nor really made any big deal about it - they're still doing trade deals, selling the Russians a significant portion of our Uranium, etc.
So Putin sees that nobody really cares about the reported attacks. Nobody seems all that bothered about it - not enough to demand any counter-attack.
Suppose you're Putin, or Russian intelligence, or head of Russia's cyberwarfare command. You see that constant statements that you're attacking the US don't lead to any significant response. You see that you COULD attack the US with impunity and they wouldn't do anything about it.
What would YOU do if you were Putin, or head of Russia's cybercommand, and you knew you could get away with attacking the US as much as you wanted?
If it were me, seeing that nobody cares whether Russia attacks us or not, I'd go right ahead and attack. We're getting blamed for it anyway.
So either Putin and his commanders are stupid, and not taking advantage of the situation, or you're mistaken.
As it happens, I'm a career security professional. Knowing about hacks is my job. I work at a company founded by Misha Govshteyn. Guess where Misha is from. Mr. Govshteyn and I will tell you, Russia is hacking the hell out of the US all day long. Only China sends more attacks.
Generally, the first device connected is assigned .2, the next .3, etc. So it would be rare to find any device in a house with an IP higher than about .12
> The republican party was captured by nationalist
There was a nationalist president elected with (r) appended to his name.
The most-elected, longest serving democrat, Robert Byrd (Democrat senator 1959-2010) was first elected to KKK leadership. That doesn't mean the Democrats are controlled by the KKK. Once upon a time, the KKK was an arm of the Democrat party, but that's not true today and it wasn't true when they elected Byrd in 2004. One politician does not a party make. Just because Clinton was a serial sexual harasser doesn't mean the Democrats are the sexual harassment party. That's just Clinton. Trump is Trump, he isn't Republicans, and a LOT of leading Republicans are not at all fond of him.
The Republicans unanimously chose Paul Ryan for speaker, even after he said that he would not do campaign appearances and stuff for them, like house speakers normally do. If you wanted to look at one guy who represents the party, Paul Ryan is the guy they all liked. And of course Ryan didn't like Trump - it took a long time for Ryan to even say he'd hold his nose and vote Trump over Hillary.
So we'll see what happens. Trump got a lot of voters in 2016. That's one election. I hope the party doesn't swing that way much. That would leave us with both major parties driven by emotional rhetoric completely, with no sound reasoning anywhere to be found.
Most home / small office routers by default assign themselves 192.168.1.1 and hand out IPv4 IPs starting at 192.168.1.2, handing them out in order. Therefore pretty much every device in everyone's house will have one of 11 IPs 192.168.1.2 - 192.168.1.12. The attacker simply tries each in turn.
This attack can't be done with IPv6. You don't have everyone using the same default IPs with IPv6, and IPs aren't normally assigned in order.
> Nothing on the internet can see the IoT. The IoT can only see the OS and firewall.
That's all good, but doesn't solve this issue. This vulnerability requires that:
Your computer or phone can see the web.
Your computer or phone can see the IoT.
The attack is carried out from their own web server.
They set up nest-troubleshooting.com on their own hosting account. A script on nest-troubleshooting.com accesses scripts.nest-troubleshooting.com.
scripts.nest-troubleshooting.com (sometimes) has the IP address 192.168.1.4, which is the same IP as your thermostat.
Here's the basic idea of the attack they are talking about.
An IoT thermostat can be controlled by your smartphone or computer, via a web service it exposes. Your smartphone might send data to a script at http://192.168.1.4/temp.pyc
An attacker is able to put malicious JavaScript on a web page which changes the temperature. The attack manages to get around the same-origin policy. The bad guy has their web page, titled "NEST Troubleshooting", on nesttb.com. It loads a script from scripts.nesttb.com. Your browser does a DNS request to get the IP of scripts.nesttb.com and it comes back with 77.77.77.77 and a ttl (cache time) of 1 second. The script then calls http://scripts.nesttb.com/temp.... It's been more than 1 second, so the browser does another DNS request for scripts.nesttb.com. The DNS server gives the IP as 192.168.1.34. The attacker can now change your thermostat setting.
Prevention:
The device manufacturer should require authentication in order to change the setting. This should involve a TLS certificate for the client, but at least use a username and password which is generated for each device separately.
The customer can mitigate the risk by using a local network other than 192.168.1.1/24. Try perhaps 192.168.106.1/24
The customer can also prevent the attack completely by not buying a super expensive toy, and instead buying a normal programmable thermostat.
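As an added example (not code from the comment above, and not from any thermostat vendor), two defender-side checks that break the rebinding sequence just described: a resolver-side filter that drops answers where an external name resolves to a private address, and a device-side Host header check, since the browser still sends the attacker's hostname in Host even after the second lookup points at the thermostat. The function names and the local-zone suffix list are assumptions.

```python
"""Defences against the DNS-rebinding attack described above.

Added example; the function names and the local-zone suffixes are assumptions.
"""
import ipaddress

# Address ranges an external hostname should never resolve to (RFC 1918,
# loopback, link-local, CGNAT).  A resolver that drops such answers for
# non-local names (dnsmasq's --stop-dns-rebind does this) makes the second
# lookup in the attack fail instead of returning 192.168.1.34.
_BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_rebinding_answer(hostname, answers, local_suffixes=(".lan", ".home", ".local")):
    """Return True if a DNS answer for an external name points at an internal address."""
    if hostname.rstrip(".").lower().endswith(local_suffixes):
        return False  # names in the home zone are allowed to be private
    for text in answers:
        addr = ipaddress.ip_address(text)
        if any(addr in net for net in _BLOCKED_NETS):
            return True
    return False


def host_header_allowed(host_header, device_addresses, allowed_names=()):
    """Device-side check: Host must be one of the device's own addresses or an
    explicitly allowed name.  The rebound request carries Host: scripts.nesttb.com,
    a name the thermostat does not own, even though the TCP connection arrived
    on 192.168.1.4, so it can be refused before any temperature change."""
    host = host_header.strip().lower()
    # Strip an optional :port, handling bracketed IPv6 literals.
    if host.startswith("["):
        host = host[1:host.index("]")]
    elif host.count(":") == 1:
        host = host.split(":", 1)[0]
    try:
        own = {ipaddress.ip_address(a) for a in device_addresses}
        return ipaddress.ip_address(host) in own
    except ValueError:
        return host in {n.lower() for n in allowed_names}


def handle_request(headers, device_addresses, authenticated):
    """Minimal model of the thermostat's setting endpoint, returning an HTTP
    status: 421 for a request addressed to a Host the device does not serve,
    401 for an unauthenticated write (the fix the comment above asks for),
    200 otherwise."""
    if not host_header_allowed(headers.get("Host", ""), device_addresses):
        return 421  # Misdirected Request
    if not authenticated:
        return 401
    return 200


if __name__ == "__main__":
    # Constructed sample: the second lookup from the attack described above.
    print(is_rebinding_answer("scripts.nesttb.com", ["192.168.1.34"]))   # True
    print(handle_request({"Host": "scripts.nesttb.com"}, ["192.168.1.4"], True))  # 421
```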
Indeed, it is all around worse for me to drive to Fry's. It's worse environmentally for everyone to drive to Fry's rather than have a single truck carry all the items to their neighborhood. It's worse in terms of spending my time and money driving to Fry's and hoping it's in stock.
Lowest cost, both environmental cost and dollar cost, may be ordering at Walmart.com and picking up at the local Walmart store while I'm already there getting groceries. The delivery trucks are already driving to Walmart. So the environmental cost is approximately zero that way. Similarly for the economic cost. I'm already going to Walmart anyway, so there is no additional cost for picking up an item I ordered while I'm there.
The potential downside to ordering at Walmart.com and picking up at the store happens when I need the item in 24-48 hours. Walmart.com is often not the fastest method.
Exactly, the US government is expressly empowered by the people to act for the people, in specific ways. We don't have the Divine Right of Kings here.
The Constitution explicitly delegates certain specific powers to the federal government, and reserves all other powers to the states and the people. Powers are preserved with the people because that's where they come from. Washington politicians work for us, at our pleasure not the other way around.
You said you wouldn't "You mean do a great deal of reading to prove your talking points for you". Sounded to me like you were saying if you read it, that would prove my points correct.
Now it sounds like you're saying you're not so sure, that perhaps if you read the rule, it might not. Interesting guess.
Any time you want to know what it actually says, when you're done guessing, you now have the rule and can read it if you wish. If I were you, I wouldn't bother, since that rule is dead and gone. If I were you, I'd read the new NN bill that will be introduced. The proposed new law is, to me, more interesting than the law that is gone. So you could read the new proposal when it comes along. Or you could make random guesses about what it might say next time.
That's funny.
> Praise is cheap. Heap it generously on all customers
> -- Ferengi Rule of Acquisition #39.
Also, apologies are free, yet so valuable.
Of course, to be valuable, praise should be sincere. One can find SOMETHING you appreciate about the other person.
For example, I can praise Obama's idealism, and Trump's directness - Trump doesn't say whatever opinion polls tell him to say. Obama says things *well*, even when I don't agree with the content of what he's saying.
"Unlikely" might be a better word than "absurd". The physical CMOS chips associated with ports are delicate. They don't like voltages that are too high, too low, or change too fast.
As you pull a connector out, the power and data pins scrape against each other, causing them to connect and disconnect a hundred times in a hundred milliseconds. Having power switching on and off randomly while the data lines are active transferring data can be bad.
It's probably not LIKELY to cause damage if you do it once, but the possibility isn't absurd.
You'd think the partition table would be pretty darn safe since it's rarely updated. Yet, I've had to help people recover from lost partition tables many times. You can do forensics to discover where the partitions were, such as by looking for blocks that match the beginning of a filesystem, and for the first partition, testing the defaults.
One potential reason for this is that electronics designed to work at five volts can do literally ANYTHING when they have 2.5 volts supplied. You may notice some devices go a little crazy when the battery is very low. As you disconnect a drive, there are several milliseconds in which the chips get lower than specified voltage.
Also the data lines are of course digital - on or off. As you pull the plug out and the contacts scrape against each other, an oscilloscope will show they connect and disconnect several hundred times - turning on and off, generating random ones and zeroes. There are some features designed to *reduce* these risks.
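An added illustration (not code from the comment) of the recovery step described above: scanning a raw disk image for sectors that begin with a known filesystem signature, and checking the usual first-partition start sectors before scanning everything. The sample image is constructed in memory with only the magic bytes filled in, and the function names are made up here.

```python
"""Locate lost partitions by scanning for filesystem signatures.

Added example; the sample image is constructed and the function names are assumptions.
"""
import struct

SECTOR = 512

# (name, byte offset from the partition start, expected magic bytes).
# These are the documented on-disk values for each filesystem.
SIGNATURES = (
    ("ntfs", 3, b"NTFS    "),                         # OEM id in the boot sector
    ("exfat", 3, b"EXFAT   "),
    ("ext2/3/4", 1024 + 56, struct.pack("<H", 0xEF53)),  # s_magic in the superblock at +1024
    ("fat32", 82, b"FAT32   "),                       # BS_FilSysType in the boot sector
)

# Where partition 1 usually starts: sector 63 (legacy CHS alignment) or
# sector 2048 (1 MiB alignment used by modern tools).
DEFAULT_FIRST_SECTORS = (63, 2048)


def signature_at(image, sector):
    """Return the filesystem name if `sector` looks like a filesystem start, else None."""
    off = sector * SECTOR
    for name, rel, magic in SIGNATURES:
        if image[off + rel:off + rel + len(magic)] == magic:
            return name
    return None


def probe_default_first_partition(image):
    """Try the common first-partition starts first; returns (sector, name) or None."""
    for sector in DEFAULT_FIRST_SECTORS:
        name = signature_at(image, sector)
        if name:
            return sector, name
    return None


def scan_for_filesystems(image):
    """Full scan: [(sector, name)] for every sector whose bytes match a signature.
    Real tools (testdisk, gpart) do the same with more signatures and extra sanity
    checks on the boot-sector fields to weed out false positives."""
    hits = []
    for sector in range(len(image) // SECTOR):
        name = signature_at(image, sector)
        if name:
            hits.append((sector, name))
    return hits


def make_sample_image():
    """Constructed 4 MiB image: an ext4-style superblock magic at sector 2048 and
    an NTFS boot-sector OEM id at sector 4096, everything else zero."""
    img = bytearray(8192 * SECTOR)
    ext_start = 2048 * SECTOR
    img[ext_start + 1024 + 56:ext_start + 1024 + 58] = struct.pack("<H", 0xEF53)
    ntfs_start = 4096 * SECTOR
    img[ntfs_start + 3:ntfs_start + 11] = b"NTFS    "
    return bytes(img)


if __name__ == "__main__":
    sample = make_sample_image()
    print(probe_default_first_partition(sample))  # (2048, 'ext2/3/4')
    print(scan_for_filesystems(sample))           # [(2048, 'ext2/3/4'), (4096, 'ntfs')]
```

To use it on a real case, read the device or image file into memory (or adapt `signature_at` to seek in a file) and feed the hits to the partition tool as candidate start sectors.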
Here's the official record of Congressional CRA actions rolling back Obama's last-minute regulations:
https://www.rpc.senate.gov/cra...
And an article from about 70 into Trump's term:
https://www.theatlantic.com/po...
> You mean do a great deal of reading to prove your talking points for you?
Okay so you're saying if you did read the rule, you'd find I'm not making this shit up. Knowing what it says would prove my point, you say.
> Yeah, I'll pass on that.
You'd rather stick to what your first guess was rather than read it and know what it actually says (or listen to someone who has read it). That's cool. If you change your mind, here's the final rule. It's very similar to the proposed time because the comment process, normally used to make refinements to a rule, to adjust things where needed, got hijacked:
https://www.federalregister.go...
Reading it, it's helpful to have some knowledge of routing on carrier networks, and particularly traffic shaping and policing. A familiarity with queueing theory comes in handy, but isn't required.
Obama did a lot of legislating from the Oval Office, particularly in his last few months. (Some say a lot of that was unconstitutional, but that's a different discussion). In the first two months of Trump's presidency, both the Congress through legislation and the president undid a lot of Obama's last-minute law making. I would think you would either agree with Obama, or agree with the Republicans undoing what Obama did?
This year, the Republicans have started using the Congressional Review Act to strike down regulatory law that wasn't lawfully submitted as required under that act. If you think we have too much law, I would think you would agree with that action?