bboard

Posted by CaptainJistuce
Backwards-compatibility is of value.
I don't think that "if someone can't afford a new computer, they should be banned from the internet" is a good attitude, and that's where we're headed. Current versions of Firefox and Chrome won't run on anything older than Windows 7. That ALREADY leaves a lot of people out in the cold. There is nothing wrong with their Vista and XP machines, but browser vendors said we can't use them anymore and websites said we can't use old browsers.
If you want to tell me privacy needs to be aggressively pursued at the cost of breaking existing browsers, you need to make sure that new browsers are available for older systems.

Also, there's a financial incentive to NOT change the DNS infrastructure. ISPs use their status as "your DNS server" to serve ads on failed lookups instead of returning an error. Commercial filter software relies on DNS being transparent.
Hell, commercial interests are trying to sabotage TLS 1.3, because enterprise software relies on flaws in TLS1.2 to do things that were easier to implement without abusing TLS1.2 in the first place.

Sorry, but nope. There ought to exist a mechanism right now to tell my network "this domain is untrusted and nothing on my network should be allowed to connect to it", and... oh, wait, such a mechanism does exist, and it is local DNS entries.

Instead, Firefox and Chrome want to block websites based solely on Google's "dangerous website" list. And we've already seen how THAT works. How much worse will it be when Google has the power to be overtly malicious instead of overtly inept and subtly malicious?

Posted by tomman
Why speculators are not shorting Intel stock!?

Posted by CaptainJistuce
The Powerbook is a toy I traded a case of beer to a coworker for. I don't genuinely EXPECT it to still be supported, but the main thing keeping it off the net IS security theater, which affects more modern systems too.
Computers which were bought by someone who no longer has the money to upgrade, computers which were handed off to the less-fortunate when someone else upgraded, computers which do everything they need to do fine except that someone decided that security theater requires them being banned from the internet.

The things you can do on the internet with a little pocket computer datatablet are not actually the same as the things you can do with a desktop or laptop computer, unless your use of computers begins and ends at "surfing". Also, vision-impaired people can't see them tiny screens. People with motor disabilities can't touch them tiny screens with remotely the necessary accuracy. "Poor people should just get a cheap smartphone" is not actually a solution.

And you don't just get to say "it's regrettable, but that's how it is" while proselytizing for the changes that MAKE it the way it is.
It is only in the last few years that breaking changes to the internet have become a thing, and they are almost without exception done to give people a false sense of security.

Windows XP has 2.8% market share, which is more than Vista. Hell, it is more than ALL Linux(except Android).
https://www.netmarketshare.com/operating-system-market-share.aspx?options=;{"filter"%3A{"%24and"%3A[{"deviceType"%3A{"%24in"%3A["Desktop%2Flaptop"]}}]}%2C"dateLabel"%3A"Trend"%2C"attributes"%3A"share"%2C"group"%3A"platformVersion"%2C"sort"%3A{"share"%3A-1}%2C"id"%3A"platformsDesktopVersions"%2C"dateInterval"%3A"Monthly"%2C"dateStart"%3A"2018-09"%2C"dateEnd"%3A"2019-08"%2C"segments"%3A"-1000"}

Any argument against supporting Windows XP is also an argument against supporting any non-Windows OS(except Android).

See also: enterprise usage, ISP backend upgrades.

DNS intentionally provides a multi-tiered system where a local DNS server can override a remote one. It has ALWAYS been intended that you can specify your own name resolution.

Hell, the original DNS implementation was user-side only. HOSTS.TXT, MOTHERFUCKERS!

"DNS can be censored, so we need to change the internet so the only way to censor the internet is through Google's blacklist"?

Translation: Privacy doesn't exist.

Posted by tomman
- No OS supports D'OH natively: at this stage, user applications are supposed to BYOD'OH support.

- There is also no support for D'OH on DHCP, unless someone comes up with a extension field and manages OS to support it.

- Deploy D'OH at home? You can do it, but you now have to either wait for your applications to add support to it, or the whole IT industry to get their act together and bring OS-wide support. Good luck getting Troo UNIX® Way nerds and systemd fanboys on board (the former will reject it because it's too complex, the latter will came with systemd-doh which will be buggy and create more defectors to the BSD camp, where I guess there will also be plenty of bikeshedding over the matter). Also: dealing with certificates. Yuck.

- Your legacy boxes are not welcome to the party.
- Same as your bootloaders: suddenly you now have to get a full TLS stack implemented into your boot ROMs/firmware/BIOS/UEFIs/whatever. Yay wider attack surfaces! Security researches are gonna inflate their bank accounts even more with their fancy logo-and-website vulnerabilities!

- The idea of D'OH is not to bring security (wasn't DNS-over-TLS the standards complaint way to do so?) or privacy AT ALL, but to strip you, the luser from being the owner of YOUR devices, because that's how IT rolls today, in the smartdevice era. If the CIA/NSA/FSB/China/Jeff Bezos' secretary want to spy on your DNS queries, they will still be able to do so anyway. They're taking advantage of the fact that normies and millenials don't give a fuck on anything regarding being in control of their goddamned devices because that involves, y'know, learning. And "learning IZ HARD, oh, the Kartrashians are on TV!!!".

Posted by Paul Vixie
DoH is an over the top bypass of enterprise and other private networks. But DNS is part of the control plane, and network operators must be able to monitor and filter it. Use DoT, never DoH.

Posted by Paul Vixie
if your network operator is me in any form, then none of those bypasses [VPNs] will work, because i defend my control plane, which includes dns. i think the IETF was way wrong to standardize DoH since not all network operators are malicious -- my enterprise and home nets are examples

Posted by Paul Vixie
That's inverted. A network operators who defends their control plane may be more worried by outside actors than by it's users. Defensive tunneling from my house or work is not in your interest or mine. Don't do it. Esp not by default. Please.

Posted by Paul Vixie
Nope[, DoH is not about protection against untrusted local networks]. DoH will be the default setting for many BYOD, and will mindlessly bypass security policy. Not at all like DoT, which can be filtered by any network operators with ease, to force local resolver use. DoH is a big F.U. to ALL network operators.

Posted by Screwtape
Traditionally, retrieving a web-page involves trusting a lot of people:

- the browser vendor
- the os vendor
- other apps installed on the same PC
- the local network admin
- all the upstream ISPs between you and the website
- all the governments with jurisdiction over all the above parties

That's a lot of trusted parties, and everybody agrees the world would be a lot safer if we didn't have to trust as many of them. But eliminating one of them means trusting the others even more, and *all* of those parties have been untrustworthy at different times in different places.

So far as I can see, there's a few ways this could go:

1. status quo (chaos)
2. "the needs of the many outweigh the needs of the few"
3. educate everybody involved to the point where they can make an informed choice about what approach suits their personal threat model

Posted by CaptainJistuce

Posted by sureanem

... I can't say I know of anyone actually using these extreme legacy devices. ...

And obviously, you know everyone.
I DO know of people using XP machines. Also, Vista was not eligible for a free Win10 upgrade. This is why I have a machine running Vista today. Speaking of browsers vs old computers, I can't run Steam on the Vista box anymore because Chrome doesn't support Vista and Steam uses Chrome for much of the interface.

Moore's law is not why internet development has moved away from backwards-compatibility and graceful failure and on into "require the latest of everything to do anything online".
And exactly how old a browser do you need to get before you find one that doesn't support javascript? Seriously, that was invented by Netscape.

Legacy devices are "legacy" because they are no longer for sale. Sometimes not even that. RS-232 is a "legacy port" and it is still in widespread use today.

Find me a genuine reason a device shouldn't be supported beyond "Oh my god, that is, like, soooooo old! Why don't they buy a new computer already?!?!"

The point is that these machines are being artificially kicked off the internet because no one wants to compile a browser for them(solely due to laziness) and internet people no longer believe that compatibility is a good thing.

Oh, it only hurts the blacks and yellows and barely touches real white people? Well that's okay, then!

You really don't understand the difference between a web browser and an operating system, do you? XP doesn't NEED to support web standards, because the BROWSER is responsible for that.

Spam filters that can't be disabled and eat far more real e-mails than they do spam. And are you seriously suggesting that e-mail accounts should require identity verification?

Right, keep telling yourself that a networking scheme designed by the US government in the twenty-first century is unmonitorable. Whatever helps you sleep.

That's me [operating my network]. And if I want to block a website, I think I'm allowed.
Trufax, my hosts file contains one entry: "facebook.com 192.168.0.1"

This is a catchphrase, not an argument.
Especially since tomman was calling it a flaw, not a bug.

Said no sane person ever.

I dunno, he sounds perfectly sane and reasonable to me. There are extremely valid reasons for blocking sites from a network. DoH IS a big F.U. to all network operators.

Posted by tomman
Also, that was yet another fine sureanem's "I don't care about anyone living in shitholes with limited access to tech, while I wait for the glorious triumph of buttcoins and the death of cash" spampost.

Posted by wertigon
On the subject of TOR, it is amazing how many people actually believe it is safe and secure and then proceed to run some other shenanigans. Tor is only safe if you adhere to a very strict policy which includes never opening PDFs online, always rely on HTTPS (which is a very weak security) and so on. Breaking these rules makes you pretty much trackable in either case. Because of that a standard VPN solution is far more reliable in order to protect your anonymity.

TOR is a great tool built for a single purpose; to anonymously blow the whistle or release information in a single burst. For this it is excellent.

Posted by Nicholas Steel
>Maximizing the window leaves you open to a fingerprinting attack, but it's hardly instant deanonymization.

Uh... what? How?

Posted by wertigon
I am a security professional, I know quite a few people working with this, and I have hacked quite a few of these very connections myself (for academic purposes only). Sorry, but it is not FUD. TOR is about as safe and anonymous to use through everyday usage as Bitcoin is.

The basic gist of it is, anything you download that makes a http request outside the TOR browser may reveal your identity. It could be an installer, a video game, an excel document or a CAD file. A VPN is not quite as vulnerable to this, but neither option is perfect.

Ignore the expert, though. After all, that is what you are good at. :)

Posted by tomman
More plain FUD from the "security researches" that led to the premature death of the Battery API in Javascript because Teh Googles could use your battery level to sell products and services to you or some BS.

Javascript is a unholy mess and can be used for evil, but this is waaaaaaaaaaaaaaaaaaay low in the scale of importance, but hey, it's clickbait.

Posted by CaptainJistuce
[Richard Hipp] looks like Steve Jobs.
...
Wait, that's what you said.

Okay, but seriously... when is the tech industry gonna get over "Jobs wore black turtlenecks so we must too!"? Jobs was an asshole, are you gonna be one too just because he was... wait, don't answer that, I'm happier not knowing.

Posted by https://2019.www.torproject.org/docs/faq.html.en#WhyCalledTor
Why is it called Tor?

Because Tor is the onion routing network. [...]

Note: even though it originally came from an acronym, Tor is not spelled "TOR". Only the first letter is capitalized. In fact, we can usually spot people who haven't read any of our website (and have instead learned everything they know about Tor from news articles) by the fact that they spell it wrong.

Posted by CaptainJistuce
Navy, actually. Not CIA.
And the point is that if it was actually that secure, they wouldn't have released it to the public.

Controversies arose out of classified design elements, a relatively short key length of the symmetric-key block cipher design, and the involvement of the NSA, nourishing suspicions about a backdoor. Today it is known that the S-boxes that had raised those suspicions were in fact designed by the NSA to actually remove a backdoor they secretly knew (differential cryptanalysis). However, the NSA also ensured that the key size was drastically reduced such that they could break it by brute force attack (the computing power to brute force DES however did not exist in 1975).

Posted by funkyass
the purpose for your post. Its a nice explanation of how rsync works, but im not seeing how it bears on Screwtape's contrasting between bsdiff and beat.

Posted by Kakashi
Didn't read, but I'm assuming he's assuming that rsync doesn't merely change files if they've been changed.

Posted by CaptainJistuce
What about nsync?

Posted by Screwtape
it's not practical to record a hash for *every* offset (that would take even more memory than a suffix array) so you pick some subset of offsets (say, the ones whose hash has 5 trailing zero bits) and hope that that's enough to find all the matches. But it's not guaranteed; there's always a chance that one of the matches has 4 or 3 trailing zero bits, or even that there's matches smaller than the rolling-hash width.

If I ever write another BPS patcher, I'll start with a suffix array, and see if I can figure a way to get, say, 10 near-matches rather than the algorithmically "best" match. Because of the way BPS works, a not-quite-optimal match nearby can actually be more efficient than a slightly longer match further away. I still think there's a lot of room to make even more-efficient BPS patches.

target offset | length | hamming distance
0x1234        | 721    | 0
0x1244        | 289    | 20
0x2981        | 1192   | 40
0x3000        | 600    | 0

Posted by Screwtape
One of the nice things about the BPS format is that it supports files larger than 16MB. Arbitrarily sized, even, given it uses variable-length integers. It would be a shame to have a file-format that supports patching terabyte disk images, but the patch-creation tools only support files of a few megabytes.

How do you mean 'further away' and 'nearby'?

A BPS patching tool maintains "source offset" and "target offset" variables. When you copy a byte at offset X in the source to offset Y in the target, the "source offset" and "target offset" variables are updated appropriately. The source copy instruction stores its offsets relative to the current values of the source and target offset variables. Since they're stored as variable length integers, making the next copy instruction start close to where the last one left off can be a significant savings.