Slashdot Mirror


User: DavidRawling

DavidRawling's activity in the archive.

Stories: 0
Comments: 413

Comments · 413

  1. OK and just how do you log onto your computer so you can run KeePass, to extract the password so you can log onto the computer? Or does your computer automatically log on as you after patching? Or is it never patched at all and passwords are the least of your concerns?

  2. Re:So what's the issue? on Computer Program Prevents 116-Year-Old Woman From Getting Pension (theguardian.com) · Score: 2

    There's almost certainly no way to change that datum as a teller or manager (your birthdate can never change!!), and quite possibly the developers aren't allowed to adjust data in production - even with scripts and to fix broken data. It's probably "all too hard" so there's no point trying (also, anti-fraud, don't trust anyone, etc etc)

  3. Re:but you arent a traditional CA on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · Score: 1

    A wildcard domain cert starts at two hundred bucks.

    Woe betide you if you host webmail and the like for friends etc, and you need multi-wildcard certs (last I checked, $2K a year for me vs $0 from LE).

  4. Re:Caching by you vs. by your ISP on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · Score: 1

    I suspect there are too many folk working on these things that have never experienced such a situation and cannot comprehend that it still exists (and will do for a long time to come). "But I have unlimited gigabit fiber for $0.35 a month in my SF apartment, so everyone everywhere must be the same".

  5. Re:but you arent a traditional CA on Over 14K 'Let's Encrypt' SSL Certificates Issued To PayPal Phishing Sites (bleepingcomputer.com) · Score: 1

    I believe the current "head-up-ass" view of this is that you should just throw another few bucks to a CA every year, or get off the web. Maybe just give all your content to Farcebook, Gargle, Nanosoft etc, because why should us peons be allowed to put things on the web without what amounts to the modern version of royal assent? (It's usually couched in terms like "Well, how do you know your content wasn't altered by the time it got to the client" and "Your ISP is secretly recording everywhere you go and everything you do"). These concerns are not incorrect, but they can be ... overemphasized.

    To be fair, there are cheap places to buy certificates - I was looking recently and found I could get one for about $30 for a normal site. But wildcards etc are still hundreds if you need more than one domain. Killing a free CA (who is delivering exactly what they say they will) isn't going to help.

  6. To be fair this is because browsers like Chrome (swiftly followed by Edge and Firefox) have all decided that the search bar SHOULD act exactly like search. They removed the dedicated search box in favour of a "smart" unified typing place that in my experience, fails to select the correct thing to do about 50% of the time.

    It's almost impossible to just type a hostname into the Complete Unified New Technology bar and consistently have the browser load the site (unless you hack Firefox options; I don't use Chrome so I don't know if it's possible at all and I can't see a way to make Edge be sane). No - a simple word MUST mean you're searching for something even if it's locally resolvable and not a word in any language. Thanks Google et al, making the world a worse place, one step at a time.

  7. OK but then you have to have cross-checks that let people register/get certs for paypal-sucks.com without also permitting paypall.com, unless paypall.com is a legitimate business (PayPall being some payment processor in, I dunno, South Uzbekhistan). You also have to prevent getting wildcard certificates for anyone, because then they could set up paypal.com.golbalisecure.com (just by getting a wildcard for com.golbalisecure.com) - which would also let them get close to microsoft.com(.golbalisecure.com), google.com(.golbalisecure.com) etc.

    This is not a problem easily solved with simple rules. And even THEN you get to the point of having hundreds or thousands of people employed to push yes/no buttons, which would surely not lead to underpaid, bored staff with bad KPIs/goals just repeatedly clicking Yes with no thought.

    How did that help, again?

  8. So let me see. Was it:

    • correct horse battery staple
    • correct horse staple battery
    • correct donkey battery staple
    • wrong horse battery staple
    • maybe dolphin pen balloon
    • cable muppet carriage piggy
    • ...

    All the people pushing hard passwords and catchphrases should probably read this again. They're the top 5%-8% of the population. WE are the top 5%-8% of the population in this regard and we can't even get it right. What chance does your average tradie have - they may be experts and legends in their fields but in ICT they're ... well, normal. Have you watched most people type a password or email?

    I can't wait for Windows Hello or something similar on phones (Samsung have something I think, windows phones did/do?) to get better and better so that people can have stupidly complex passwords in a safe and use their faces to unlock on a daily basis (it's one thing to sign you into a game console, it probably should be another level entirely to unlock the nucular (sic) launch codes).

  9. Then let them do the same thing here - that's what they DO with locks, and locked safes, and safe-rooms, and vaults, and anything else "physically secured" in that way. Oh - you're saying this is a Lonsdaleite lined safe and you only have cream cheese with which to cut it open? Sorry, not my problem. I'm with others above - either you don't have evidence (and you're fishing) or you do have the evidence, in which case I think the phrase is "crap or get off the pot".

  10. Re:What is Facebook thinking? on Facebook Reports BBC To Police Following Publication's 'Sexualized Images' Investigation (bbc.com) · Score: 1

    Thing is if you do this and report it, you may be guilty of destroying evidence (even if it's unintentional and recoverable). I think the formal term is "spoliation", and burden of proof/consequences vary greatly.

    Not a lawyer, though, so I'm probably wrong.

  11. Imagine if your car had a non-removable battery, or even tires for that matter.

    Geez, don't go giving the car manufacturers ideas!

  12. Re:The part they got right is, no discussion on Ask Slashdot: How Do You Deal With Aggressive Forum Users? · Score: 1

    The biggest problem with SO seems to be moderators stuffing around with the questions. "This is a bad question" (so I'm deleting it). "This belongs elsewhere" (so I'm deleting it). "I don't like the way you asked this question" (so I'm rewriting your 'how to do X' question to ask 'why is Y bad').

    Thing is, people ask those questions in that way because it reflects how they think about the problem. Other people who think about it the same way won't be able to find an answer because the self-absorbed twits haven't figured out that if you asked a specific question, that's the one you need answered - not something random! As for deleting questions - FFS. Link to an existing one sure. But deleting questions doesn't help anyone.

    Somewhat related: Curation sucks (SO, Yahoo Answers). Search is the answer.

    As for the original question: Something is rotten somewhere. Ask a silly simple question you get slammed. Ask a detailed question with lots of information, no-one answers because it's too long or too hard.

  13. So I can't buy something while on holiday in the US, and install on my PC at home in Australia? What if I buy something and move countries? What version do I buy if I live in Australia, travel to the US (and need to use the software there) and take a contract in the Ukraine? Region locks suck, may not be legally enforceable in some countries such as Australia - ACCC Copyright fact sheet used to say this about DVDs, emphasis mine:

    An access control TPM specifically excludes TPMs which control geographic market segmentation. This means that consumers will be able to circumvent the region coding TPMs on legitimate DVDs purchased overseas. It also allows for the continued availability of region-free DVD players.

    They also suck for users.

    But then I guess that's the holy triumvirate, isn't it? Trying to force people to re-buy the same thing multiple times?

  14. Re:IETF BCP: no public smearing servers on Google's New Public NTP Servers Provide Smeared Time (googleblog.com) · Score: 1

    It's Google doing this. You just have do it Google's way because someone at Google arbitrarily decided it was the best thing to do for Google, regardless of existing standards, other environments or systems, or indeed the rest of the world breaking as a result.

    Look at Gmail's implementation of addressing. Dots in the user portion of the address were significant in 1982 (RFC 822 / STD 11), but not for Google, who cannot differentiate Bob.Dole@ from BobDole@. Still. In twenty-freaking-sixteen.

  15. Re:Never mind storage upgrades on Apple's New 15-Inch MacBook Pros Have Storage Soldered To the Logic Board (macrumors.com) · Score: 2

    Look. To Apple (and it seems most of the ICT industry, yay Cloud etc etc) everyone has dual-path failure-resilient 1Gbps wireless Internet with unlimited quotas. They literally fail to comprehend that there could be people who only have 1.2Mbps/200Kbps DSL, only have 10GB of quota a month, or who work disconnected (e.g. away from 3G and 4G networks too). "Ubiquitous wireless" means no RJ45 (without dongles). "Ubiquitous high speed uploads/downloads" means the cloud performs OK (ignore the arguments about ownership, my files on someone else's computer and how much they do or don't care), so everyone backs up to the cloud always. There are no software bugs ("You're doing it wrong") and even if there are, meh, "not my problem, tough luck, your 5TB of backup is gone but our liability is 1 month's service at $5, you won't be billed next month if you argue enough".

    Yeah yeah the future is coming and we'll all have 20Gbps mobile broadband. It'll cover every inch of the earth with no need to make allowances for remote areas, and we will achieve near zero latency everywhere (ask a SF or Redmond developer about latency to their clouds from the other side of the planet on a satellite connection and see how many guess less than 200ms (Hah! Closer to the 800+ms mark)). Maybe in this Utopian future it will make sense to assume what Apple and others assume today.

    It's my GOMS* talking I am certain, but the current generation of go-getter developers hasn't lived through enough history to understand the times when they push the envelope too far. Just like my generation didn't 20 years ago, and the previous one 20 years before that. We're going to have to deal with this crap for another ten years or so till it levels off; then we should hopefully have ten years of sanity. Don't hold your breath.

    *: Grumpy Old Man Syndrome, I'm over 40 now

  16. There's no legal difference that I can see, but there's a significant functional difference.

    Want to install that game from floppies on an old machine you built? Go for it. You have the software, you have the media, go go gadget disks!

    Want to install that copy of $Game from $DeadPublisher, you have the license but the download server for the "installer" is offline and the publisher's new owner doesn't want you to play the old game, buy the new one this year instead? Tough!

  17. Re: Sorry, Tim... on Apple CEO Tim Cook: 'We're Going To Kill Cash' (cnet.com) · Score: 5, Funny

    *How does semi-blind grandma aged 90 use Applepay? Should your 4 yr old be given an iPhone to store her pocket money? Should the government give free broadband and laptops to the unemployed just so they can shop for essentials?

    If you're Apple - yes, frankly, everyone should have an iPhone. Even the four year old who needs to learn about money by spending a 10c piece at the grocery store for a paper bag of cheap lollies. She definitely needs a $700 phone.

    If you're Apple.

    For the rest of us it is just a mindless statement by an out of touch rich white guy stroking himself (stroking his ego, get your mind out of the gutter) on stage for applause.

  18. Why not both?

  19. Yeah funnily enough I can't see the M1 from my house 10km away to know if I should take the feeder road to that freeway, the highway instead, or if I should hop off the freeway halfway to my destination to skip the 20km traffic snarl.

  20. As I recall, still ads were shown from when the auditorium opened, usually 20-30 minutes before the movie. At 5 minutes before the movie, the lights dimmed, and motion ads started. Anyone arriving then was considered late, and was shown to their seat by an attendant with a torch. At the set time for the movie, the doors closed, and the lights went all the way out including the exit lights, the volume turned up, and then the feature started. At the end of the feature, the exit lights would come on, then ambient lights would slowly increase during the end credits, and afterwards, an admonition to remember to not leave anything behind, and to leave the theater orderly, letting those sitting close to the exit leave first. Followed by more still ads.

    Interesting - my recollection is slightly different (AU theatres, so ... could be regional differences).
    Everyone leaves, theatre is cleaned. There might be a static screen showing, but more than likely curtains are closed. People start to file in.
    At the start time for the movie, the lights dim halfway and the ads start playing (static ads). Anyone arriving can still see, no flashlight needed - but at least we had batteries rather than flames.
    At ten minutes in, the lights dim and video ads started. At this point the kids behind you start kicking the seats.
    At fifteen minutes in, the previews started and the kids are running around the theatre bored out of their minds.
    At anywhere from twenty to thirty minutes in, the film is cued.

    Of course by that time, the crowd is completely pissed off and Homer's "Start The Movie" chant is live.

    And that's why I can't stand going to the movies.

  21. Re:A single domain was silenced. on Why the Silencing of KrebsOnSecurity Opens a Troubling Chapter For the Internet (arstechnica.com) · Score: 2

    Well, since the figures I've seen bandied around are that protection from this level of attack would be about USD100-200K per annum, this effectively means that unless you have a lot of money or a company willing and able to pay what amounts to protection money, you potentially won't be permitted to speak - doing so with an uncomfortable topic for someone gets you knocked offline. Pay the wrong mob and you get to pay again, and again, and again.

    One potential outcome may be that truly personal sites will become impossible to support and host; especially if you have any content that could be seen as controversial. You will have to pay someone to host it for you. If they agree, and it doesn't cost THEM too much, and it's not controversial - fine. Want to promote a social cause? Sorry, you can't afford to. Get back into the bit mines, peon. And this fits nicely into the whole cloud thing too, where you don't need anything in your own datacentre, host it on someone else's computer.

    I'm waiting for the first wave of destruction to hit the major cloud providers - if this network supposedly of DVRs can deliver 1-1.5Tbps, and you factor in another dozen of similar size, you're talking 15-20Tbps directed at a target. I doubt even Google and the CDNs can withstand that for very long without service impacts, and that's not even factoring in attacks that actually have a little brainpower behind them.

  22. So basically ... the attack wins? on Akamai Kicked Journalist Brian Krebs' Site Off Its Servers After He Was Hit By a Record Cyberattack (businessinsider.com) · Score: 5, Informative

    Seems to me the attackers win, at least in the short term, because the caching and CDN provider (who I expect was probably contracted and paid, although it's entirely up to Brian how he handles his business affairs, it does seem likely) takes the site off the air anyway. That being the case ... what's the point of having that contracted relationship, if they dump you anyway?

  23. Re:Swift is always doing non compat updates on Apple Releases Swift 3.0, 'Not Source-Compatibile With Swift 2.3' (infoworld.com) · Score: 2

    Ah yes because

    DoSomething(i);
    i = i + 1;

    is so much better.

    ProTip: This is sarcasm.

  24. Re:Stop whining! Httpv2 is good on Google Chrome Begins Warns Users About Insecure Pages (certsimple.com) · Score: 1

    Honestly,

    - If you run a webserver, go get yourself letsencrypt, use cloudflare or namecheap has cheap ssl.
    - Enable http2 on nginx (if you are using it, use it well)
    - Enjoy faster loading time.

    Your welcome.

    - The argument against https is pointless.

    Let me rephrase that:

    Honestly,

    - If you run a webserver, install this software, just trust us it's fine; redelegate your DNS to this company with-whom-I'm-totally-not-involved so they proxy all your connections and know who's visiting your site (and can sell or hand it over to whatever TLA you like); or pay money to another organisation for a set of we-promise-they're-unique-and-secure-numbers and we would totally never be compromised or behave unethically [cough] Symantec [cough] DigiNotar [cough] Verisign [hack] [cough];
    - Do it my way because spinach and everything supports enforced HTTPS, and the peons can do without
    - Don't worry that your data usage just doubled for HTTPS, it's only $50 a month extra for the upgraded plan and everyone can get gigabit fiber anyway.

    You'rE unwelcome here.

    - The argument against https is my-way-or-the-highway so screw you.

    There, I think I covered it all.

  25. Re:recorded history on 'Longest Living Human' Says He Is Ready For Death At 145 (telegraph.co.uk) · Score: 2

    I suggest that's months. As a friend pointed out, these stories come from people who were desert nomads. Time passing in the desert is measured by phases of the moon, often, AIUI. So did he perhaps live to be 80 years old? Not impossible, and at that age in those times he would be incredibly old.