Very complex operation indeed. They had to drive in front of it and slow down.
Don't jew this one up. If I don't want to accept a form of payment, I should be within my rights to do so.
I disagree. Every form of payment except barter is in some way state-backed, so the state is within its rights to make rules about how payments are made.
Explain to me why a headphone needs to install a certificate that will change which websites my browser trusts. Yes, I understand you can make a stupid design that requires this, but your design - your responsibility. So apart from that, why should the trust that contains my online banking and health insurance be modifiable by a random hardware gadget?
I'm curious for any explanation that doesn't contain a variation of the phrase "because some other part of the thing that we designed relies on it". Find me a reason outside your control that makes this a good idea.
Per the CA/Browser Forum guidelines no publicly trusted CA should issue a certificate for an intranet name or IP address including both localhost and 127.0.0.1.
That is true. I stand corrected.
For most browsers it does, nonetheless you need a way to install and uninstall certificates for specific purposes.
The keyword being "for specific purposes". That should not be system-wide.
You didn't answer the question. They were lazy and cheap, that's all. It is possible to set up CORS properly. It is possible to get your certificate signed by a proper root CA. And nothing in the world forces you to use this particular method to access the device, you could have designed the setup differently.
This answer is like saying "yeah, I gave the keys to the vault to every bank customer so they can go and take money whenever they need it. Much easier and convenient and we don't need to pay tellers."
My browser includes a set of root CAs because it needs to. Online banking and all the other HTTPS stuff (i.e. some day the entire Internet) won't work properly without.
In a perfect world, my operating system would manage the root CAs, and the browser would just use them. In reality, it's a mix of both.
But some random app? Sorry no, it has no business messing with this.
The root CA wasn't the problem.
Yes, it was. And you explain in your next sentences why. Because we know that not every doofus can handle cryptography correctly, which is why we have a limited number of trusted root CAs which we at least expect to not be complete idiots.
And that's why stupid people shouldn't handle root CAs or other dangerous materials.
This.
Why does any app have the right, or the need, to install a root certificate? What is wrong with the people who allowed that to happen in the first place (MS, that means you) and what is wrong with the people who came up with, implemented and shipped that idea (that's the apps).
And how do all those endpoint security solutions, all the three hundred 3rd party apps you need to install on a Windows system to make it halfway secure, all fail to catch this?
Here is a prime example why information security is a failure: Everyone in this chain didn't understand what certificate chains are for.
The sad fact is that a lot of IT consulting is essentially what a colleague of mine calls "competency simulation". Some people are really good at it and that makes it hard to spot the real deal from those only pretending.
The solution is called a tender offer. It is why large companies make these tenders. So they can weed out, and question and check. I'm working on a large tender offer right now, and it includes a proof-of-concept phase specifically for this purpose.
You need to have your consultants demonstrate actual ability, in an observed environment. No other way. Everyone can come with a convincing presentation and flashy flyers. Most larger consulting companies have backoffices where they can offload work and you'll never figure out that the guy you pay for didn't actually do it, or didn't actually know it and the backoffice did research work to figure it out.
If you need it quick, your best bet is to find someone who is really, really good in the field but doesn't work as a consultant, or is too expensive for you. Hire him for just one hour and let him roast the guy you want to check. In my field (information security), I can figure out reasonably fast if someone actually knows something or is a typical consultant with surface knowledge. You just talk until he says something he seems sure about and then you drill down. Three or so deep-knowledge questions is usually enough.
I realize that the Chinese are not innocent, but from the point of view of an American they are the lesser of two evils.
More importantly, from the POV of the American government, the backdoors your manufacturers added and told you about are better than the backdoors foreign manufacturers added and didn't tell you about.
He is the boss, he says how things are going to run so you cannot always ignore his antics
Really? Why not? Can you prove any effect whatsoever of my boss's drug habits on me?
I remember an extreme case of a business owner being barred from interfering in the day to day operations of his own restaurants, he was the root cause of repeated food safety issues despite never touching anything himself.
One data point is an anecdote, not a statistic. And for this one data point, there are probably a hundred counterexamples where the boss is some kind of dirt bag, but it doesn't affect his business.
Show me a causation or at least a correlation and we can discuss. Otherwise, this smells badly of a) the idiotic American "war on drugs", b) an idiotic fascination with the CEO circus and c) an idiotic, continued smear campaign against Musk, who got so much flak the last time, he's either secretly Hitler's lost grandson or some stock market gamblers are trying to push the price down so they can pick it up cheaply.
Yes, but within reasonable limits.
People will find ways to post stuff on your service. Back in BBS and FIDOnet times, we had ASCII porn, and it was impossible to filter it out by hand. Today we have machine learning and child pornography database but that a) still doesn't give 100% coverage and b) if you didn't stop for a second there to think about what it means that someone runs a business that provides a database of child pornography, you blinked at the wrong moment.
You should be responsible for your service, to a reasonable extent. If you openly and even aggressively invite criminal activity, like some services that already got way too much free publicity here, you should be liable for it. But if you actively discourage it, disallow it in your rules of conduct, and actually act against the cases brought to your attention - what more can the law expect from you?
And why do we have unelected gateholders and worship them? Apple App Store, Google search, Amazon book store, media giants - all of these entities have way too much power over what is available to the general public and what isn't.
Because Musk is personally building and piloting those things. Right. Makes sense.
This American fascination with colourful CEOs has gone too far. What more does it take for you guys to understand that it's all a circus? Who cares? Sure CEOs matter, but not half as much as a good engineering team.
I haven't been forced to watch ads for 25 years and won't start now.
This is how I feel about the Internet. I cringe every time I sit on some computer that doesn't have an adblocker installed, and I wonder how the heck do these people get anything done and not get seizures or something?
Once you get rid of ads in a part of your life, you understand just how much of an annoyance they are and you don't want to go back. In fact, I'd like to get rid of them in many more ways. Someone invented a prototype of glasses that filters out billboards. I'd buy that if it became available.
Not everyone gets to watch. They are all blocked in my country. Maybe some of the 99 aren't but I didn't try them all. Those I checked are all marked as "not available in your country".
*sigh*... ok, here comes the VPN. Why do they do such nonsense to us?
Usually the problems caused by the faulty code are infrequent enough that they can afford it.
Yes, I know. That's the kind of thinking that leads to train accidents and the Windows operating system, but it is indeed very common. But here's the thing: If you properly learn how to write good code, and apply your principles religiously, the TCO is actually in your favour. There are a few software development companies in the world who prove that (google for an article named "they write the right stuff", if I remember correctly). Their downside is slightly longer initial development times, but after that you are good. They even give a lifetime guarantee on their code, that's how confident they are.
There are always payoffs. Sometimes "too expensive to fix" is true. Sometimes "let's just accept the risk" is the proper decision. More often, however, it is an excuse.
It costs more to produce good C++ than good Python, Java or Kotlin.
As a blanket statement, I doubt that. It may very well be true in some or many cases, but simply assuming that to be the case is wrong. For example, many years ago I wrote a network simulation code that was pushing the memory limits of my system. It would not have been possible in anything but C where I can handle my memory tightly. If I had been forced to write that in something else, I would have needed considerably more expensive hardware, or spent a lot of time writing some kind of virtual memory handling system.
If you need more time to make your C++ code safe, you're increasing its cost. If the business can't bear the additional cost, you're out of luck.
So your business can't afford the cost of fixing the code, but it can afford the problems that are caused by that faulty code? Are you sure about that or are you just looking for an excuse?
The question is who expected this. Certainly not any professor worth anything.
I was taught that not only compiler errors, but also all compiler warnings need to be resolved before the code is considered finished. If I had submitted a program that sometimes crashes, my prof would've asked me if I had slept through his class or if I wrote that shit while drunk.
This. My first thought upon reading the summary: "Here's a person clearly not understanding what they are writing about, but asking me to follow their advice about safe programming... riiiiiight."
all three were made possible because the software that was being exploited was written in programming languages which allow a category of errors called "memory unsafety."
Or, you know, you could just learn to do proper programming.
Back in university, I taught my students to do proper input validation and buffer checks in C. There was a certain amount of frustration as I sent them back again and again, but they got it.
C is a tool, and like a chainsaw, you can hurt yourself or others badly with it if you don't know how to use it. But sometimes a chainsaw is exactly what you need. And for performance, a well-written C program still beats the shit out of all other high-level languages.
The problem with "hate speech" and all the other SJW stuff is that they use flexible definitions of their subject. What exactly "hate speech" means, can easily change and already changed multiple times since the term "hate speech" was invented.
Unfortunately, this does massive damage to the cases where it actually happens. This is even more clear with "rape". Nowadays, anything from a brutal gangrape with violent penetration into multiple orifices to accidentally touching someone's breast is called "rape". There have even been a few cases where pure thought has been labeled with that term. It does nothing but disservice to actual rape victims, who cannot use a clearly understood term anymore to communicate a clear matter without going into details. These days, if you are a victim, you have to describe that penetration was involved or people will think you're just a snowflake who thinks a stupid joke is the same as physical violence.
We will see the same development with "hate speech" as soon as it becomes actionable. Everything even slightly objectionable will get the label, until it becomes meaningless.
This, actually, is exactly what remote wipe was invented for: To prevent your data falling into the wrong hands, with you deciding who "wrong hands" are or better: Not having to decide but simply being able to wipe whenever you want.
The police should really be able to anticipate this. What, you can't take the SIM card out? While they will probably successfully sue for destruction of evidence (because it is), let's not for one second pretend that this is not exactly the use case of the feature.
Because they have to run them. Your DB-Admin is not a happy camper when he can't get his console because the stupid system hung itself, again.