Slashdot Mirror


User: ctilsie242

ctilsie242's activity in the archive.

Stories: 0 · Comments: 968

Comments · 968

  1. If you read the Android manifest, the perms Facebook asks for are almost like a novel. I wouldn't be surprised if ACCESS_SUPERUSER was in there.

    I miss XPrivacy. If a generic flashlight app asks for every permission under the sun, it can have them... except it will fetch random strings for contacts, the location would be at the same spot all the time, the microphone and camera would give static. XPrivacy Lua should be its replacement, but it has a ways to go.

    Barring that, I wish phone makers would allow for virtualization. That way, work stuff would be in one container/VM/partition, home stuff could be in another, and Facebook and other privacy-challenge apps would be in a safe space all to their own.

  2. Get a better su program... on Facebook's Android App Is Asking for Superuser Privileges, Users Say (bleepingcomputer.com) · · Score: 4, Informative

    The good su apps on Android will not, by default, allow a program to present a su dialog unless the app manifest in the Google Play Store has ACCESS_SUPERUSER declared.

    What bothers me is that this is something that has to be explicitly coded. Why an app would -ever- request this by accident is beyond me.

  3. I can't wait for the malvertisers to use this functionality to make yet another generation of Trojans and scareware, fleece users, and entry points for intruders in company networks.

    Can this piece of junk be tossed? We already had this garbage with pop-up ads, where one web page could bring up enough pop-ups that it would grind a box to a halt. Now, browser makers are bringing it back, but with video and sound capability?

    Hopefully uBlock Origin and other ad blockers are updated to nip this garbage in the bud.

  4. Idiocy versus deliberate espionage? on IBM Bans Staff From Using Removable Storage Devices (theregister.co.uk) · · Score: 1

    I wonder if this ban is to prevent casual idiocy from happening (someone losing an unencrypted USB flash drive with their documents on it), or if it is a measure against people trying to slurp confidential documents.

    If this is intended to prevent deliberate intrusions, good luck. I've seen people get around this by shoveling data via iTunes or another sync program, or just plug in an Android device and use MTP (which presents itself differently than a mounted drive.) Worst case, there is popping photos of the screen and making QR codes of encoded binary files.

    If a company has to worry about deliberate espionage, they need to get with HR and start cleaning house. No amount of tech is going to stop someone determined to take info. Instead, there needs to be separation of duties and limits to what people can access... basic stuff, but with the idea of "running thin" so just a few employees can wind up with a lot of confidential stuff they really don't have a need for.

    If IBM is worried, perhaps they need to hire more employees and rely less on vendors/contractors, so they get more loyal people, not people who will bail when there is some job that offers better benefits out there.

  5. I use the port for charging only myself. It would be nice if iOS had a feature similar to Android that allows the device to choose what it presents itself as. For example, my current Android phone can present itself as an ADB device, MTP device, USB volume, or nothing at all, only allowing charging through the port.

    I wouldn't mind a 1-2 hour timeout myself.

  6. How about an installer with some added features? on Ubuntu Considering an HTML5-Based OS Installer (phoronix.com) · · Score: 4, Interesting

    Debian/Ubuntu's apt system has been good over the years, since it doesn't have the "rpm hell" RedHat based distributions have, especially if one has multiple repositories.

    It would be nice if they had the ability to roll back a version update without having to reinstall. AIX had this functionality, where if an update caused major problems, rejecting the update and rolling back was easy.

  7. Re: I want my privacy back on Edge Computing: Explained (theverge.com) · · Score: 1

    There is a difference between a personal computer which was owned and controlled by the owner, versus IoT devices which are controlled by the device maker, and where the customer is not the person that buys the device, but the company buying the analytic info that the device streams back. The person who buys the device has zero control over it. Load a new OS? Good luck.

  8. We had our decision point in the 80s and 90s on Ask Slashdot: Is the World Better Or Worse Because of Security Tech? · · Score: 4, Insightful

    In the 1980s and 1990s, there was a turning point where security was considered something that should be baked into an OS and product, be it an operating system (thus the C2/C3/B1/etc. levels), MAC/DAC controls, security as part of the kernel, and part of a module, and so on.

    However, what happened is that companies took the easy route. Windows had no innate security so the whole firewall/castle model of company security was formed, where security was done by the network fabric, and not the endpoints. This worked for a while, until malvertising and Trojans allowed malware to attack anywhere.

    These days, security is pathetic in general. I have heard "security has no ROI", "the hackers will always win, so why waste money?" and other claptrap for over a decade. In fact, because there is no real criminal penalty, an egregious security breach makes the top levels of a company a lot of money because they can short their stock before making the announcement public, especially if they can keep the breach under wraps for six months.

    IoT devices come to mind as a specific example. Why even bother with meaningful security when customers are forced to buy your version 1.1 of a doodad because version 1.0 will get their stuff hacked, and cannot be upgraded? Especially because the money with IoT is the analytics coming in, not the actual purchase of the device.

  9. Re:Grown Men Taking 13 Year Old Boys' Pocket Money on Free To Play, Expensive To Love: 'Fortnite' Changes Video Game Business (reuters.com) · · Score: 1

    The gaming industry needs another 1983. Desperately.

  10. Re:Keep T-Mobile management? on Sprint, T-Mobile Aiming To Reach Merger Deal Next Week (reuters.com) · · Score: 2

    You summed it up exactly. If T-Mobile runs the show, all is well, as T-Mobile does a great job as a cellular provider. However, if Sprint execs start running things, there is no real reason to stay, because instead of added cool stuff, we likely would get added fees and surcharges. While I've not had much experience with Sprint, I have not read much that is positive about them, and it seems that most people who were on Sprint moved to Verizon.

  11. Re:Good on Apple Discontinues Its AirPort Router Line (9to5mac.com) · · Score: 1

    I have a Time Capsule, and it has been working flawlessly since I got it, as an internal router. It has been regularly patched, and although it doesn't have advanced functionality (manual ACLs in and out, so I can block port 25 outgoing just for sanity reasons), it has been decent. The Time Capsule also is a decent NAS, although with it being a single drive unit, one still needs a secondary backup system for documents, just in case.

    For being a primary backup device, with documents backed up via a separate method, it was pretty close to ideal.

    I just hope Apple opens the Time Capsule "protocol". Synology and QNAP devices support it, but it would be nice if any CIFS/SMB share could be used for remote Time Machine backups.

    As for a router, it is hard to find a vendor with a good security reputation. Apple hasn't had many attacks against its AirPort routers, and they patched often. I wonder what a good home router vendor is that is a suitable replacement. Of course, the best answer would be a pfSense appliance, but it would be nice to have a mainstream vendor with a good reputation for security (as in no backdoors "accidentally" left behind).

  12. Re:Unsurprising on The Smartphone Sales Slowdown is Real (axios.com) · · Score: 2

    Same with my old iPhone 6s. There are few things it doesn't do that the 8 or X does, other than animoji, and that isn't really a deal breaker for me.

    What phone makers don't realize is that they just hit where PC makers have been for the past decade: Phones are good enough that models from a few years back do the same function as flagship phones, so other than having a shiny new thing, it isn't really a thing to upgrade. Plus, people are finding that a midrange phone does what they need, even though it may not have the curved screen, or the latest bells and whistles.

  13. Re:Users would also like... on Users Don't Want iOS To Merge With MacOS, Apple Chief Tim Cook Says (smh.com.au) · · Score: 3, Interesting

    What makes sense would be the old Mac Pro back. Not something that looks like an art sculpture, but a plain old tower. Yes, it will cost a bunch, but for what true workstation users want/need, there isn't anything else that beats true PCIe. Thunderbolt is OK, but 4 PCIe lanes pale in comparison to the latest motherboards that have 64+ PCIe lanes for GPUs, RAID storage, and other things that are required for high end work. This isn't cheap, and most users don't need it, but for users who do, it is worth having.

  14. Why are so many Amazon buckets public? on Data Firm Leaks 48 Million User Profiles it Scraped From Facebook, LinkedIn, Others (zdnet.com) · · Score: 1

    Was there a time when Amazon shipped S3 buckets public by default, with permissions wide open to the world? What is it with these S3 buckets?

    Last time I set up a public bucket (to share some of my photos to some friends), I had to explicitly set the checkbox, and it came up with "you can't just walk into Mordor" warning.

  15. Those were cool for their time. I knew one dot.com that used those instead of contactless badges for door entry because they didn't trust RFID transponders.

  16. On the other hand, if a government creates a F/OSS app that has been vetted, isn't this a boon for pretty much anyone in the world? The German government is why GNU's Privacy Guard is still being updated, and France already funds VeraCrypt.

  17. You don't, but there are a lot of companies, governments, organizations, and others who get big money from the analytics from those devices, and who want those to be as "connected" as possible, so the device can slurp as much info as possible.

    Best place for IoT devices is to remain on store shelves. Second best place is the dumpster.

  18. Compromises like this make me eel. It is worth the read for the halibut...

  19. Re:Agile and Scrum Are Like Communism on Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) · · Score: 1

    You nailed it quite well. A manager can bury someone in processes, fill their calendar up with meetings, then turn around and say they are a poor performer via the metrics set (it could be deliverables, it could be per project, anything.) This reminds me of the Alice in Wonderland croquet game where the rules change dynamically.

    Agile and Scrum are great for middle managers, because they look productive. However, as a benefit to a company or organization as a whole, it hamstrings productivity.

    To think of it, I don't know anyone who is not a muckety-muck manager who -likes- Agile/Scrum. Most put up with it as part of their job duties, but it doesn't really add anything productive. If a dev team needs daily meetings that take up half the day, something is wrong. This would not fly in any other profession (imagine doctors in meetings for four hours before doing operations, or waitstaff meeting for four hours for customer goals before hitting the tables.)

  20. Re: Agile takes a rare group on Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) · · Score: 1

    Agreed. I would actually like to see something other than a permanent sprint, as that is supposed to be a tool for a definite goal, but it seems all the Agile places I was at always are in a sprint state.

  21. Re:Agile takes a rare group on Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) · · Score: 5, Interesting

    In the Agile/Scrum environments I worked at, it wasn't handled by E-mail. Calendar appointments would magically appear, because the Scrum master, PM, manager, team lead, and backup team lead all had delegation authority to add meetings without approval, and these were "The Apprentice" like boardroom confrontations that lasted for hours.

    I'm glad I'm away from that. My current place uses a modified waterfall model, and it works quite well, with projects getting done on time.

  22. Re:Agile and Scrum Are Like Communism on Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) · · Score: 3, Informative

    I have seen weeks where the entire 40 hours were all Agile/Scrum related meetings. This meant that there was no significant coding done whatsoever.

    In all of my IT work, I have never understood why some managers think that calling meetings will enhance productivity, and if that doesn't work, call more meetings. I don't know if this is incompetence, or an issue with ego. Either way, it hamstrings actual productivity.

  23. Re:Agile takes a rare group on Survey Finds 'Agile' Competency Is Rare In Organizations (sdtimes.com) · · Score: 5, Insightful

    Agile, or more specifically Scrum is pointless. When you have a daily stand-up meeting that can take six hours while the Scrum master chastises, badgers, yells, and excoriates people, one by one, for not making deliverables. During this everyone else is pointing at someone else and saying, "I'm blocked... he did it!". This isn't productivity; it is a game of kangaroo court.

    Then the Scrum master tosses more crap on people's swim lanes at random (because marketing wants them done, and because they make the sales, they get what they want, without challenge), without really knowing or caring how difficult the task is. Finally the Scrum master closes the meeting with how everyone has been in a sprint for the past year, and says the sprint will continue until marketing is happy.

    I do not see Agile adding any productivity whatsoever. It turns a dev team against everyone else, which may be great for management, but it creates a workplace that is at best hostile, and at worst toxic, because every day you have to go in and defend yourself against everyone in a multi-hour blamestorm. Eventually the good people leave for greener pastures.

  24. Re:Chinese Scientists on Trade War Or Not, China is Closing the Gap on US in Technology IP Race (reuters.com) · · Score: 1

    Cable and telcos? The governments granted them the land, making them natural monopolies. If someone could make a reliable mesh system using lasers, this would allow some type of interconnected ad-hoc network to exist without having to have a dedicated ISP.

  25. Re:Chinese Scientists on Trade War Or Not, China is Closing the Gap on US in Technology IP Race (reuters.com) · · Score: 1

    Unless you can make a cheap, point to point solution (laser beams) that works over distances, the biggest problem with another "internet" will be who lays the pipe, which tends to be the government, with private companies handed that privilege as a proxy.