• Win11 explorer bug?

    From john larkin@21:1/5 to All on Sun Dec 8 16:33:41 2024
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Martin Brown@21:1/5 to john larkin on Mon Dec 9 11:01:24 2024
    On 09/12/2024 00:33, john larkin wrote:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Do you get a BSOD or a crash dump when it fails?

    --
    Martin Brown

  • From Joe Gwinn@21:1/5 to john larkin on Mon Dec 9 10:42:57 2024
    On Sun, 08 Dec 2024 16:33:41 -0800, john larkin <JL@gct.com> wrote:

    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Clear FE's caches, then shut computer down to cold, then boot back up.
    Did anything change?

    Google on the symptoms and see if you have company.

    Joe Gwinn

  • From Edward Rawde@21:1/5 to john larkin on Mon Dec 9 11:02:12 2024
    "john larkin" <JL@gct.com> wrote in message news:qieclj5ca2dsc2fnpufpg51fn7qt0u2peh@4ax.com...
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.


    I'm not using Windows 11 yet but when testing it I have noticed Explorer often dies and restarts itself.

    If you installed anything recently which can be uninstalled, try uninstalling it.

    The most recent reason I had with Explorer completely failing to start on startup (just a black screen with mouse pointer) was that
    someone had installed this:
    https://github.com/valinet/ExplorerPatcher and after a windows update (which updated Explorer) Explorer failed to start.

    It took a while to figure out because I could get a command prompt via task manager but no desktop.

  • From Martin Rid@21:1/5 to john larkin on Mon Dec 9 15:33:35 2024
    john larkin <JL@gct.com> wrote in message:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    I know win 10 FE does not like searching network shares. Never
    been fixed.

    Cheers
    --


    ----Android NewsGroup Reader---- https://piaohong.s3-us-west-2.amazonaws.com/usenet/index.html

  • From Jeroen Belleman@21:1/5 to Martin Rid on Mon Dec 9 22:19:51 2024
    On 12/9/24 21:33, Martin Rid wrote:
    john larkin <JL@gct.com> wrote in message:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    I know win 10 FE does not like searching network shares. Never
    been fixed.

    Cheers

    Oh, if it's that, Linux suffers from that problem too.
    The trouble is that GUI file explorers want to know
    everything about a file, even remote ones, and even when
    it isn't actually required to show any of it. It will
    even download the whole file *contents* just to make tiny
    little icons! What a waste!

    All that data is costly to get. As a result it takes
    forever. Meanwhile, it won't respond to user clicks, so
    effectively it's hung.

    Very poor software design, but there you have it.

    Fortunately, in Linux we have 'ls' which is smarter.

    Jeroen Belleman

  • From john larkin@21:1/5 to All on Mon Dec 9 14:46:50 2024
    On Mon, 09 Dec 2024 10:42:57 -0500, Joe Gwinn <joegwinn@comcast.net>
    wrote:

    On Sun, 08 Dec 2024 16:33:41 -0800, john larkin <JL@gct.com> wrote:

    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Clear FE's caches, then shut computer down to cold, then boot back up.
    Did anything change?

    Google on the symptoms and see if you have company.

    Joe Gwinn

    One site says to clear the cache, with a step-by-step procedure. In
    conformance to Microsoft standards, those steps don't actually exist
    any more.

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Mon Dec 9 14:44:00 2024
    On Mon, 9 Dec 2024 11:01:24 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 09/12/2024 00:33, john larkin wrote:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Do you get a BSOD or a crash dump when it fails?

    The file explorer window just freezes up. It can be killed with the
    task manager and then it works again.

    And, maybe unrelated, my PC has decided to do dead black screen once
    in a while, for 30 seconds or so.

    And when I restart, the cursor has a little blinking hourglass
    attached for a day or so.

    Windows is such garbage.

  • From Joe Gwinn@21:1/5 to All on Mon Dec 9 17:59:21 2024
    On Mon, 09 Dec 2024 14:46:50 -0800, john larkin <jl@glen--canyon.com>
    wrote:

    On Mon, 09 Dec 2024 10:42:57 -0500, Joe Gwinn <joegwinn@comcast.net>
    wrote:

    On Sun, 08 Dec 2024 16:33:41 -0800, john larkin <JL@gct.com> wrote:

    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Clear FE's caches, then shut computer down to cold, then boot back up.
    Did anything change?

    Google on the symptoms and see if you have company.

    Joe Gwinn

    One site says to clear the cache, with a step-by-step procedure. In
    conformance to Microsoft standards, those steps don't actually exist
    any more.

    Yeah, with fatigue. At work I just got Win11, and it's a learning
    experience.

    The cache must still exist, so it's been moved somewhere. I suppose
    the modern answer is to ask CoPilot where it is and how to clear it.

    Hmm. It may be the Edge cache, or this may be carried under Internet
    stuff.

    Joe Gwinn

  • From Martin Brown@21:1/5 to john larkin on Tue Dec 10 09:24:58 2024
    On 09/12/2024 22:44, john larkin wrote:
    On Mon, 9 Dec 2024 11:01:24 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 09/12/2024 00:33, john larkin wrote:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Do you get a BSOD or a crash dump when it fails?

    The file explorer window just freezes up. It can be killed with the
    task manager and then it works again.

    Sounds like a race condition where it is waiting for something that
    never happens and doesn't timeout properly. MS has lots of those :(

    And, maybe unrelated, my PC has decided to do dead black screen once
    in a while, for 30 seconds or so.

    Try disabling the screen saver.

    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    Win8 was a complete crock of shit. Win10 wasn't much better but I
    managed to avoid it entirely since Win7 was so good.

    And when I restart, the cursor has a little blinking hourglass
    attached for a day or so.

    Windows is such garbage.

    Don't expect me to stand up for MickeySoft!

    --
    Martin Brown

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Tue Dec 10 07:44:54 2024
    On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 09/12/2024 22:44, john larkin wrote:
    On Mon, 9 Dec 2024 11:01:24 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 09/12/2024 00:33, john larkin wrote:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    Do you get a BSOD or a crash dump when it fails?

    The file explorer window just freezes up. It can be killed with the
    task manager and then it works again.

    Sounds like a race condition where it is waiting for something that
    never happens and doesn't timeout properly. MS has lots of those :(

    And, maybe unrelated, my PC has decided to do dead black screen once
    in a while, for 30 seconds or so.

    Try disabling the screen saver.

    Don't have one. LCDs don't need them.



    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    What's an E&P?



    Win8 was a complete crock of shit. Win10 wasn't much better but I
    managed to avoid it entirely since Win7 was so good.

    And when I restart, the cursor has a little blinking hourglass
    attached for a day or so.

    Windows is such garbage.

    Don't expect me to stand up for MickeySoft!

  • From Martin Brown@21:1/5 to john larkin on Tue Dec 10 16:29:00 2024
    On 10/12/2024 15:44, john larkin wrote:
    On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    What's an E&P?

    Economy cores (E) are good for general stuff working at human data rates
    and much lower power whereas Performance cores (P) are good at running
    flat out but power hungry. Win11 is the first version that properly
    allocates heavy CPU bound tasks consistently to the right sort of core!

    --
    Martin Brown

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Tue Dec 10 09:41:11 2024
    On Tue, 10 Dec 2024 16:29:00 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 15:44, john larkin wrote:
    On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    What's an E&P?

    Economy cores (E) are good for general stuff working at human data rates
    and much lower power whereas Performance cores (P) are good at running
    flat out but power hungry. Win11 is the first version that properly
    allocates heavy CPU bound tasks consistently to the right sort of core!

    My new monster Win 11 tower, with a gigantic heavy GPU and terabytes
    of SSD and 16G ram, only runs LT Spice about twice as fast as my old
    laptop. I was disappointed... I was hoping for 10x or so.

    Spice is the only thing I do that needs a lot of compute power.

  • From Martin Brown@21:1/5 to john larkin on Tue Dec 10 21:26:20 2024
    On 10/12/2024 17:41, john larkin wrote:
    On Tue, 10 Dec 2024 16:29:00 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 15:44, john larkin wrote:
    On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    What's an E&P?

    Economy cores (E) are good for general stuff working at human data rates
    and much lower power whereas Performance cores (P) are good at running
    flat out but power hungry. Win11 is the first version that properly
    allocates heavy CPU bound tasks consistently to the right sort of core!

    My new monster Win 11 tower, with a gigantic heavy GPU and terabytes
    of SSD and 16G ram, only runs LT Spice about twice as fast as my old
    laptop. I was disappointed... I was hoping for 10x or so.

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    Provided that it is only for scratch working it is still worth at least
    considering using the dangerous (for risk of data loss) RAID0 in a matched
    pair configuration to nearly double effective disk bandwidth. There is
    much less advantage doing this trick now than there used to be.

    Obviously data is toast if anything goes wrong so don't store important
    results on it long term. I no longer bother but it might help you.

    --
    Martin Brown

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Tue Dec 10 13:47:09 2024
    On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 17:41, john larkin wrote:
    On Tue, 10 Dec 2024 16:29:00 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 15:44, john larkin wrote:
    On Tue, 10 Dec 2024 09:24:58 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    I have found Win11 almost as usable as Win7 with none of the troubles
    you see. Main advantage for me is that Win11 understands E & P cores.

    What's an E&P?

    Economy cores (E) are good for general stuff working at human data rates
    and much lower power whereas Performance cores (P) are good at running
    flat out but power hungry. Win11 is the first version that properly
    allocates heavy CPU bound tasks consistently to the right sort of core!

    My new monster Win 11 tower, with a gigantic heavy GPU and terabytes
    of SSD and 16G ram, only runs LT Spice about twice as fast as my old
    laptop. I was disappointed... I was hoping for 10x or so.

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't
    parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    I wish the monster graphics processor could run Spice.


    Provided that it is only for scratch working it is still worth at least
    considering using the dangerous (for risk of data loss) RAID0 in a matched
    pair configuration to nearly double effective disk bandwidth. There is
    much less advantage doing this trick now than there used to be.

    Obviously data is toast if anything goes wrong so don't store important
    results on it long term. I no longer bother but it might help you.

    We back up brutally, on local servers and online.

    Once a month I get a multi-terabyte USB hard drive with copies of all
    our servers and our shared Dropbox accounts. We treat them as
    write-once, and distribute them around California.

  • From Martin Brown@21:1/5 to john larkin on Tue Dec 10 22:15:43 2024
    On 10/12/2024 21:47, john larkin wrote:
    On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 17:41, john larkin wrote:

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't
    parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    I wish the monster graphics processor could run Spice.

    Why do you use the monster graphics processor then?

    I find that for my work the built in graphic capability of Intel chips
    is more than adequate for all 2D work and tolerable for 3D if you never
    do too much full scale photo video rendering and flybys.

    Useless for gaming, AI code or realtime video editing but at present I
    don't do any of those often enough to merit a fancy fast graphics card
    in my main machine. I prefer to have it run cool, quiet and well under
    50W unless it is being asked to work very hard when it rises to 80W.

    When editing documents or diagrams and no serious computations are
    running I sometimes get warnings that the CPU fan has stopped.

    Obviously data is toast if anything goes wrong so don't store important
    results on it long term. I no longer bother but it might help you.

    We back up brutally, on local servers and online.

    Once a month I get a multi-terabyte USB hard drive with copies of all
    our servers and our shared Dropbox accounts. We treat them as
    write-once, and distribute them around California.

    I hope you verify that you can get the data back if you had to.

    --
    Martin Brown

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Tue Dec 10 18:48:54 2024
    On Tue, 10 Dec 2024 22:15:43 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 21:47, john larkin wrote:
    On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 17:41, john larkin wrote:

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't
    parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    I wish the monster graphics processor could run Spice.

    Why do you use the monster graphics processor then?

    We have IT consultants. I told them to get me four identical PCs,
    small towers with modest graphics and Win10. They bought four monsters
    that I literally can't carry alone, with a crazy GPU mess. The
    motherboard is about 8" square and the GPU is the size and weight of a
    small tractor.

    After months of tuning and registry edits and add-ons, it's usable but
    not enjoyable.

    They do seem to be reliable.


    I find that for my work the built in graphic capability of Intel chips
    is more than adequate for all 2D work and tolerable for 3D if you never
    do too much full scale photo video rendering and flybys.

    The SolidWorks viewer works fine on my old Win7 machines, or on an old
    laptop. As does PADS.


    Useless for gaming, AI code or realtime video editing but at present I
    don't do any of those often enough to merit a fancy fast graphics card
    in my main machine. I prefer to have it run cool, quiet and well under
    50W unless it is being asked to work very hard when it rises to 80W.

    When editing documents or diagrams and no serious computations are
    running I sometimes get warnings that the CPU fan has stopped.

    Obviously data is toast if anything goes wrong so don't store important
    results on it long term. I no longer bother but it might help you.

    We back up brutally, on local servers and online.

    Once a month I get a multi-terabyte USB hard drive with copies of all
    our servers and our shared Dropbox accounts. We treat them as
    write-once, and distribute them around California.

    I hope you verify that you can get the data back if you had to.

    I have a bunch of times, to update various machines in the field. It
    has worked every time. And we have *lots* of backup drives.

  • From Martin Brown@21:1/5 to john larkin on Wed Dec 11 09:22:51 2024
    On 11/12/2024 02:48, john larkin wrote:
    On Tue, 10 Dec 2024 22:15:43 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 21:47, john larkin wrote:
    On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 17:41, john larkin wrote:

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't
    parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    I wish the monster graphics processor could run Spice.

    Why do you use the monster graphics processor then?

    We have IT consultants. I told them to get me four identical PCs,
    small towers with modest graphics and Win10. They bought four monsters
    that I literally can't carry alone, with a crazy GPU mess. The
    motherboard is about 8" square and the GPU is the size and weight of a
    small tractor.

    I will concede that it is extremely difficult to convince any vendor
    that you want such a high spec machine with very basic graphics. I think
    it went round three times before they accepted that I really knew what I
    wanted and understood the trade offs involved. Sales questioned it,
    pre-build review questioned it and then the guy building it rang up too.

    Yes I was sure I didn't want their high spec graphics card using twice
    as much power as all the rest of the machine put together.

    After months of tuning and registry edits and add-ons, it's usable but
    not enjoyable.

    They do seem to be reliable.

    I don't find Win11 different enough to Win7 to really notice anything
    other than a few minor cosmetic niggles that are easily fixed like right
    click menus that by default don't include the features I use most often.

    --
    Martin Brown

  • From Don Y@21:1/5 to Martin Brown on Wed Dec 11 04:21:59 2024
    On 12/11/2024 2:22 AM, Martin Brown wrote:
    I will concede that it is extremely difficult to convince any vendor that you want such a high spec machine with very basic graphics. I think it went round three times before they accepted that I really knew what I wanted and understood the trade offs involved. Sales questioned it, pre-build review questioned it and then the guy building it rang up too.

    Yes I was sure I didn't want their high spec graphics card using twice as much
    power as all the rest of the machine put together.

    Look for server offerings. The video is typically designed just to
    support a "maintenance console".

    OTOH, you can get support for many spindles, beefier processors
    (cuz servers are meant to do WORK), etc.

    My latest is a 1U, dual 3.1/3.8GHz, 8 core Xeons with 256G of DRAM and
    ten 2.5" spindles (each 2T but I will probably replace them with 500G SSDs
    just to find a home for the damn SSDs!). Of course, you are limited
    (size and number) to the PCIe cards you can stuff inside (2).

    You can also go the NUC route if you want to watch TDP. But, that tends
    to be more consumerish -- things like in-built BT, etc. I don't think
    they offer anything better than an i7.

  • From Carlos E.R.@21:1/5 to Jeroen Belleman on Wed Dec 11 15:00:47 2024
    On 2024-12-09 22:19, Jeroen Belleman wrote:
    On 12/9/24 21:33, Martin Rid wrote:
    john larkin <JL@gct.com> wrote in message:
    One of my guys said that File Explorer is lately crashing in weird
    ways. Now mine has started doing it.

    We share files with Dropbox, so maybe the bug is there.

    I know win 10 FE does not like searching network shares. Never
    been fixed.

    Cheers

    Oh, if it's that, Linux suffers from that problem too.
    The trouble is that GUI file explorers want to know
    everything about a file, even remote ones, and even when
    it isn't actually required to show any of it. It will
    even download the whole file *contents* just to make tiny
    little icons! What a waste!

    All that data is costly to get. As a result it takes
    forever. Meanwhile, it won't respond to user clicks, so
    effectively it's hung.

    Very poor software design, but there you have it.

    That's the content indexer, and you can uninstall it.

    Can also be the "find type of file by content" feature in browsers.


    Fortunately, in Linux we have 'ls' which is smarter.

    Jeroen Belleman


    --
    Cheers, Carlos.

  • From john larkin@21:1/5 to '''newspam'''@nonad.co.uk on Wed Dec 11 11:01:13 2024
    On Wed, 11 Dec 2024 09:22:51 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 11/12/2024 02:48, john larkin wrote:
    On Tue, 10 Dec 2024 22:15:43 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 21:47, john larkin wrote:
    On Tue, 10 Dec 2024 21:26:20 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    On 10/12/2024 17:41, john larkin wrote:

    Spice is the only thing I do that needs a lot of compute power.

    Trouble with solving huge non-linear matrix problems is that they don't
    parallelise at all well. You could well be better off with whichever of
    the current CPU crop has the fastest single threaded performance.

    I wish the monster graphics processor could run Spice.

    Why do you use the monster graphics processor then?

    We have IT consultants. I told them to get me four identical PCs,
    small towers with modest graphics and Win10. They bought four monsters
    that I literally can't carry alone, with a crazy GPU mess. The
    motherboard is about 8" square and the GPU is the size and weight of a
    small tractor.

    I will concede that it is extremely difficult to convince any vendor
    that you want such a high spec machine with very basic graphics. I think
    it went round three times before they accepted that I really knew what I
    wanted and understood the trade offs involved. Sales questioned it,
    pre-build review questioned it and then the guy building it rang up too.

    Yes I was sure I didn't want their high spec graphics card using twice
    as much power as all the rest of the machine put together.

    After months of tuning and registry edits and add-ons, it's usable but
    not enjoyable.

    They do seem to be reliable.

    I don't find Win11 different enough to Win7 to really notice anything
    other than a few minor cosmetic niggles that are easily fixed like right
    click menus that by default don't include the features I use most often.

    File drag and drop is the worst. If the destination file exists, you
    have to enter a secondary dialog that itself makes no sense.

    I have to read the file dates and times manually, before I copy.

    I do have a little program that copies folders and only does the later
    date files.

    Another bad thing about 11 is that it likes to pop up ugly things that
    make it hard to see what you are doing.

    And keeps changing folder views. I don't want to see cartoons just
    because I'm copying a jpeg.

    Why does the biggest programming team in history write such garbage
    code?

  • From Martin Brown@21:1/5 to john larkin on Thu Dec 12 09:59:25 2024
    On 11/12/2024 19:01, john larkin wrote:
    On Wed, 11 Dec 2024 09:22:51 +0000, Martin Brown
    <'''newspam'''@nonad.co.uk> wrote:

    I don't find Win11 different enough to Win7 to really notice anything
    other than a few minor cosmetic niggles that are easily fixed like right
    click menus that by default don't include the features I use most often.

    File drag and drop is the worst. If the destination file exists, you
    have to enter a secondary dialog that itself makes no sense.

    I hate file drag and drop. I certainly wouldn't want to be able to
    destroy files that already exist in the destination folder. YMMV

    I have to read the file dates and times manually, before I copy.

    I do have a little program that copies folders and only does the later
    date files.

    Another bad thing about 11 is that it likes to pop up ugly things that
    make it hard to see what you are doing.

    I've turned that crap off.

    And keeps changing folder views. I don't want to see cartoons just
    because I'm copying a jpeg.

    Why does the biggest programming team in history write such garbage
    code?

    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    --
    Martin Brown

  • From Don Y@21:1/5 to Martin Brown on Thu Dec 12 04:00:23 2024
    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    [This is why big pieces of software are shit. For "efficiency"
    (and lack of design vision), everything gets dropped into one
    big executable. This is the norm for Windows, Android, etc.
    By contrast, in UN*X, one would plumb existing applications
    together to meet some new need -- instead of folding the new
    functionality into that one big app!]

    We have a stove/oven that has the ideal universal interface
    (in the mind of some idiot): a big knob as SELECTOR that
    one can PRESS to make the current selection. A "back"
    button as an afterthought.

    But, it's the SOLE interface.

    Works as expected to "select" cooking conditions. But, the
    designer/coder obviously forgot that multiple things can be
    happening concurrently -- all of which require the user
    to interact via that ONE interface!

    So, if the user is in the process of doing one such thing and
    some OTHER thing demands attention...? Where is the interface
    bound at that point in time? Is he still doing that first
    thing? Or, interacting with that (asynchronous) second thing?

    Eventually, the user resorts to turning the appliance OFF
    (dedicated button to do so). Which aborts BOTH tasks. And,
    leaves him having to restart BOTH!

    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

  • From Carlos E.R.@21:1/5 to Don Y on Thu Dec 12 13:47:26 2024
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi.
    The physical interface has a reduced set of features.

    I'm thinking of a particular heating system with thermostat. You can
    program the times when the heating turns on automatically and the temps
    only via internet. On the thermostat on the wall there is only a manual
    control that sets the temp for "now", a knob.

    Oh, and it comes with no manual, no docs.

    --
    Cheers, Carlos.

  • From Don Y@21:1/5 to Carlos E.R. on Thu Dec 12 06:16:22 2024
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network stack in the appliance, all of the network infrastructure from your AP to the manufacturer's server, then, back through the phone network, up through the stack in your phone and, finally, through the app to the display.

    Nothing can go wrong, there, right? <rolls eyes>

    If I can manage to hang (if not outright CRASH) the appliance using the
    FEW controls available to me, how many more wonderful and exciting ways
    might it be at risk with all this other fluff involved?

    Do I *really* need to be able to turn the oven on as I leave work so the
    roast has had extra time to cook while I'm busy driving?

    How might my "blind" actions interact with some activities initiated
    by whomever happens to be IN the house (by the appliance) at the time?

    How many races remain in hiding in the implementation? (clearly they
    didn't test for ALL of these if I can tickle several of them so easily)

    I'm thinking of a particular heating system with thermostat. You can program the times when the heating turns on automatically and the temps only via internet. On the thermostat on the wall there is only a manual control that sets the temp for "now", a knob.

    This is a false design economy: "Let's skip the interface on the actual
    device in favor of one on some OTHER device." It invites the two falling
    out of sync with each other as there is nothing ensuring updates to one
    are also propagated to the other.

    I'm dicking with UPSs this morning. In theory, all of them should be configured identically -- with the exception of specific instance data
    (e.g., host name, IP address, SNMP traps, etc.). I can attempt to verify
    this by dumping the configurations (in text format) and doing a line-by-line compare.

    "Gee, how come this UPS has a whole set of settings that the others
    don't? Same version software..."

    Oh, and it comes with no manual, no docs.

    Of course not! That would be a THIRD thing that would fall out of sync with the others!

    The ideal design is the one where you can remove nothing MORE from it.
    Yet, we see so many products built on Linux kernels (from which a LOT
    can be removed -- including the bugs associated with all that cruft!)

  • From Carlos E.R.@21:1/5 to Don Y on Thu Dec 12 14:44:32 2024
    On 2024-12-12 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via
    WiFi. The physical interface has a reduced set of features.

    Yes.  Via a server located at the manufacturer's facility!

    Certainly. There is no other way unless ISPs provide IPv6 connectivity.
    So, you have the application layer in the appliance, the network stack
    in the appliance, all of the network infrastructure from your AP to the
    manufacturer's server, then, back through the phone network, up through
    the stack in your phone and, finally, through the app to the display.

    Nothing can go wrong, there, right?  <rolls eyes>

    Well, it has economic advantages.
    If I can manage to hang (if not outright CRASH) the appliance using the
    FEW controls available to me, how many more wonderful and exciting ways
    might it be at risk with all this other fluff involved?

    Do I *really* need to be able to turn the oven on as I leave work so the roast has had extra time to cook while I'm busy driving?

    I really do *need* to handle the heating remotely.
    How might my "blind" actions interact with some activities initiated
    by whomever happens to be IN the house (by the appliance) at the time?

    Not a concern for me.
    How many races remain in hiding in the implementation?  (clearly they
    didn't test for ALL of these if I can tickle several of them so easily)

    I'm thinking of a particular heating system with thermostat. You can
    program the times when the heating turns on automatically and the
    temps only via internet. On the thermostat on the wall there is only a
    manual control that sets the temp for "now", a knob.

    This is a false design economy:  "Let's skip the interface on the actual device in favor of one on some OTHER device."  It invites the two falling out of sync with each other as there is nothing ensuring updates to one
    are also propagated to the other.

    They save hardware and firmware, which was my point.
    I'm dicking with UPSs this morning.  In theory, all of them should be
    configured identically -- with the exception of specific instance data
    (e.g., host name, IP address, SNMP traps, etc.).  I can attempt to verify
    this by dumping the configurations (in text format) and doing a
    line-by-line compare.

        "Gee, how come this UPS has a whole set of settings that the others
        don't?  Same version software..."

    Oh, and it comes with no manual, no docs.

    Of course not!  That would be a THIRD thing that would fall out of sync
    with the others!

    The ideal design is the one where you can remove nothing MORE from it.
    Yet, we see so many products built on Linux kernels (from which a LOT
    can be removed -- including the bugs associated with all that cruft!)

    --
    Cheers, Carlos.
  • From Don Y@21:1/5 to Carlos E.R. on Thu Dec 12 06:56:49 2024
    On 12/12/2024 6:44 AM, Carlos E.R. wrote:
    On 2024-12-12 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.

    Yes.  Via a server located at the manufacturer's facility!

    Certainly. There is no other way unless ISPs provide IPv6 connectivity.

    That assumes you want access from outside the "facility". I.e.,
    you can't use your smart doorbell, stove, refrigerator, etc. IN YOUR
    HOME without inviting the outside world into it!

    So, you have the application layer in the appliance, the network stack in the
    appliance, all of the network infrastructure from your AP to the manufacturer's
    server, then, back through the phone network, up through the stack in your phone and, finally, through the app to the display.

    Nothing can go wrong, there, right?  <rolls eyes>

    Well, it has economic advantages.

    The advantages ignore the externalities that come with them. The vendor (manufacturer) has passed costs (risks, inconveniences) onto his customer.

    If I can manage to hang (if not outright CRASH) the appliance using the
    FEW controls available to me, how many more wonderful and exciting ways
    might it be at risk with all this other fluff involved?

    Do I *really* need to be able to turn the oven on as I leave work so the
    roast has had extra time to cook while I'm busy driving?

    I really do *need* to handle the heating remotely.

    I can do that, here. With a VOICE connection. So, I only rely on
    the phone system to get my voice to the house -- not to a third-party
    who THEN sends it to the house.

    How might my "blind" actions interact with some activities initiated
    by whomever happens to be IN the house (by the appliance) at the time?

    Not a concern for me.

    If you came home to a house where the pipes had frozen (ruptured)
    because the heat had been turned OFF (bug in the remote server,
    the application that you use to interact with it, actions of a hostile
    actor, etc.) it would be.

    Banks, governments, large corporations somehow can't seem to keep
    their servers "locked down"... but, a company selling thermostats
    can?

    I.e., it's only a matter of time before we hear of a hack that
    compromises all purchasers of "Product XYZ" -- simply because
    the manufacturer KEPT itself in the service loop.

    How many races remain in hiding in the implementation?  (clearly they
    didn't test for ALL of these if I can tickle several of them so easily)

    I'm thinking of a particular heating system with thermostat. You can program
    the times when the heating turns on automatically and the temps only via internet. On the thermostat on the wall there is only a manual control that sets the temp for "now", a knob.

    This is a false design economy:  "Let's skip the interface on the actual
    device in favor of one on some OTHER device."  It invites the two falling out of sync with each other as there is nothing ensuring updates to one
    are also propagated to the other.

    They save hardware and firmware, which was my point.

    They MOVED those "savings" to a server that they now have to maintain
    "in perpetuity". You'd probably be annoyed to discover that feature
    you wanted so much has stopped working because they shut down the
    server (sold the company to someone who opted not to continue
    supporting "legacy" products)

    Again, the customer pays the price. Always (no free lunch)

  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 10:08:46 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjennd$24vi6$1@dont-email.me...
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network stack in the appliance, all of the network infrastructure from your AP to the manufacturer's
    server, then, back through the phone network, up through the stack in your phone and, finally, through the app to the display.

    I hate this too.
    I'm resistant to cameras which bounce off the manufacturer's server, which could be anywhere.
    Nothing can go wrong, there, right? <rolls eyes>

    If I can manage to hang (if not outright CRASH) the appliance using the
    FEW controls available to me, how many more wonderful and exciting ways
    might it be at risk with all this other fluff involved?

    Do I *really* need to be able to turn the oven on as I leave work so the roast has had extra time to cook while I'm busy driving?

    How might my "blind" actions interact with some activities initiated
    by whomever happens to be IN the house (by the appliance) at the time?

    How many races remain in hiding in the implementation? (clearly they
    didn't test for ALL of these if I can tickle several of them so easily)

    I'm thinking of a particular heating system with thermostat. You can program the times when the heating turns on automatically
    and the temps only via internet. On the thermostat on the wall there is only a manual control that sets the temp for "now", a
    knob.

    This is a false design economy: "Let's skip the interface on the actual device in favor of one on some OTHER device." It invites the two falling
    out of sync with each other as there is nothing ensuring updates to one
    are also propagated to the other.

    I'm dicking with UPSs this morning. In theory, all of them should be configured identically -- with the exception of specific instance data
    (e.g., host name, IP address, SNMP traps, etc.). I can attempt to verify this by dumping the configurations (in text format) and doing a line-by-line compare.

    "Gee, how come this UPS has a whole set of settings that the others
    don't? Same version software..."

    Oh, and it comes with no manual, no docs.

    Of course not! That would be a THIRD thing that would fall out of sync with the others!

    The ideal design is the one where you can remove nothing MORE from it.
    Yet, we see so many products built on Linux kernels (from which a LOT
    can be removed -- including the bugs associated with all that cruft!)
  • From Jeroen Belleman@21:1/5 to Don Y on Thu Dec 12 16:41:45 2024
    On 12/12/24 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via
    WiFi. The physical interface has a reduced set of features.

    Yes.  Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network stack
    in the appliance, all of the network infrastructure from your AP to the
    manufacturer's server, then, back through the phone network, up through
    the stack in your phone and, finally, through the app to the display.

    Nothing can go wrong, there, right?  <rolls eyes>

    Apart from the obvious security and reliability worries, there
    is the issue that the *manufacturer* gets to decide when *your*
    device is obsolete.

    The software industry invented that trick, but lots of other
    industries are catching on.

    Jeroen Belleman

  • From john larkin@21:1/5 to newspam@nonad.co.uk on Thu Dec 12 07:32:18 2024
    On Thu, 12 Dec 2024 09:59:25 +0000, Martin Brown
    <newspam@nonad.co.uk> wrote:

    On 11/12/2024 19:01, john larkin wrote:
    On Wed, 11 Dec 2024 09:22:51 +0000, Martin Brown
    <newspam@nonad.co.uk> wrote:

    I don't find Win11 different enough to Win7 to really notice anything
    other than a few minor cosmetic niggles that are easily fixed like right click menus that by default don't include the features I use most often.

    File drag and drop is the worst. If the destination file exists, you
    have to enter a secondary dialog that itself makes no sense.

    I hate file drag and drop. I certainly wouldn't want to be able to
    destroy files that already exist in the destination folder. YMMV

    I have to read the file dates and times manually, before I copy.

    I do have a little program that copies folders and only does the later
    date files.

    Another bad thing about 11 is that it likes to pop up ugly things that
    make it hard to see what you are doing.

    I've turned that crap off.

    That would be great. How do you do that?
    And keeps changing folder views. I don't want to see cartoons just
    because I'm copying a jpeg.

    Why does the biggest programming team in history write such garbage
    code?

    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Software Engineering is an oxymoron.

  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 10:34:44 2024
    On 12/12/2024 8:08 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjennd$24vi6$1@dont-email.me...
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network stack in the
    appliance, all of the network infrastructure from your AP to the manufacturer's
    server, then, back through the phone network, up through the stack in your phone and, finally, through the app to the display.

    I hate this too.
    I'm resistant to cameras which bounce off the manufacturer's server, which could be anywhere.

    Also meaning subject to the laws of different countries (based on its
    siting).

    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    E.g., that data, passing through the server, is no longer under
    YOUR control. And, can be monetized without your compensation.

    This is possible with ANY device that passes through an unnecessary
    server. (Your smart thermostat knows when you are home, when
    you are "active", etc.)

  • From Carlos E.R.@21:1/5 to Jeroen Belleman on Thu Dec 12 19:58:36 2024
    On 2024-12-12 16:41, Jeroen Belleman wrote:
    On 12/12/24 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone,
    via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network
    stack in the appliance, all of the network infrastructure from
    your AP to the manufacturer's server, then, back through the phone
    network, up through the stack in your phone and, finally, through
    the app to the display.

    Nothing can go wrong, there, right? <rolls eyes>

    Apart from the obvious security and reliability worries, there is
    the issue that the *manufacturer* gets to decide when *your* device
    is obsolete.

    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.
    The software industry invented that trick, but lots of other
    industries are catching on.

    Jeroen Belleman

    --
    Cheers, Carlos.
  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 14:32:30 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjf6rs$2rvlf$1@dont-email.me...
    On 12/12/2024 8:08 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjennd$24vi6$1@dont-email.me...
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone, via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network stack in the
    appliance, all of the network infrastructure from your AP to the manufacturer's
    server, then, back through the phone network, up through the stack in your phone and, finally, through the app to the display.

    I hate this too.
    I'm resistant to cameras which bounce off the manufacturer's server, which could be anywhere.

    Also meaning subject to the laws of different countries (based on its siting).

    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    Inbound is problematic for various reasons.
    Do you want your cameras accepting inbound connections from anywhere in the world?
    Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
    firmware updates.
    I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
    attempting brute force to a blacklist.
    But most people have no interest in that.
    Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
    pictures to be viewed by anyone other than themselves.
    E.g., that data, passing through the server, is no longer under
    YOUR control. And, can be monetized without your compensation.

    This is possible with ANY device that passes through an unnecessary
    server. (Your smart thermostat knows when you are home, when
    you are "active", etc.)
  • From john larkin@21:1/5 to blockedofcourse@foo.invalid on Thu Dec 12 13:09:36 2024
    On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    Engineers design giant systems - cars, airplanes, bridges, buildings
    - with lots of parts, and nobody understands all the parts. And they
    work first time.

    Software is different, and it never works first time. Most programs
    don't even compile first try.

    I could probably code a "Hello, world!" program that would run first
    try.
    [This is why big pieces of software are shit. For "efficiency"
    (and lack of design vision), everything gets dropped into one
    big executable. This is the norm for Windows, Android, etc.
    By contrast, in UN*X, one would plumb existing applications
    together to meet some new need -- instead of folding the new
    functionality into that one big app!]

    We have a stove/oven that has the ideal universal interface
    (in the mind of some idiot): a big knob as SELECTOR that
    one can PRESS to make the current selection. A "back"
    button as an afterthought.

    But, it's the SOLE interface.

    Works as expected to "select" cooking conditions. But, the
    designer/coder obviously forgot that multiple things can be
    happening concurrently -- all of which require the user
    to interact via that ONE interface!

    So, if the user is in the process of doing one such thing and
    some OTHER thing demands attention...? Where is the interface
    bound at that point in time? Is he still doing that first
    thing? Or, interacting with that (asynchronous) second thing?

    Eventually, the user resorts to turning the appliance OFF
    (dedicated button to do so). Which aborts BOTH tasks. And,
    leaves hi having to restart BOTH!

    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    I insisted that our new cooktops have no electronics. Well, they have
    igniters but you can still light them with a match.

    We have a dual oven that for some reason has one section with a
    classic pneumatic thermostat and the other with electronic controls.
    Guess which is broken.

  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 13:15:40 2024
    On 12/12/2024 12:32 PM, Edward Rawde wrote:
    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    Inbound is problematic for various reasons.
    Do you want your cameras accepting inbound connections from anywhere in the world?

    Vendors have no problem selling "hubs" as a prerequisite to talk to
    their devices. Why can't the hub implement a packet filter?
    Use that as a selling point: the hub can act to protect the
    local network (for a fee!!) while their access point/router likely
    has not been reliably configured for that purpose.

    Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
    firmware updates.

    Simply putting the camera (or any device manufactured by someone who
    may or may not be trustworthy) on your "internal network" puts you
    at risk.

    E.g., I can open an outbound connection to hostile_actor.com and let
    an external agent act as command-and-control, telling me (the camera)
    what to do ON THE INTERNAL NETWORK.

    This traffic can be disguised to look innocuous. E.g., resolving "whatshouldIdo.hostile_actor.com" can deliver data to the camera that
    can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com". Results can be delivered to the external agency by resolving "thepasswordisFOOBAR.hostile_actor.com", etc.

    Or, open an HTTP connection to hostile_actor.com and anyone looking
    through the logs (ha!) would just think a user visited a website
    with an oddly suspicious domain name. (So, buy up yahooo.com,
    goggle.com, etc.)

    I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
    attempting brute force to a blacklist.
    But most people have no interest in that.

    Hence the value of a "hub".

    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    Of course, the machine SEES all attempts to connect to it. And, which
    ports and protocols are being used -- and in which sequence -- from every potential external IP. So, if it sees the right combination of accesses
    in a particular time frame, it will THEN respond to a connection attempt
    for a particular service. Or, "callback" on a preassigned port on
    the "caller's" IP address (as many ISPs frown on operating a server...
    but, no constraints on ACCESSING some external service -- even if doing
    so at the behest of said service!)

    Meanwhile, other attempts AT THE SAME TIME still see a "dangling wire".

    Once a connection is granted, there are no limits on what can be
    transferred (set up a tunnel and all of those transactions are hidden)

    Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
    pictures to be viewed by anyone other than themselves.

    <https://www.shodan.io/search?query=camera>

    Even if you can't (easily) access the video, the fact that someone has INSTALLED a camera (five cameras??) has informational value.

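    The DNS-label covert channel described in the post above (data smuggled in the subdomain of each lookup) leaves a trace in resolver logs. The following is an added example, not code from the thread or from any product mentioned in it: it parses constructed resolver log lines and flags each client that queries many distinct, long or high-entropy subdomains under one registered domain. The log format, the thresholds and the two-label notion of "registered domain" are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log (not from any real system), one
# "<epoch> <client_ip> <queried_name>" per line. The hostile_actor.com
# names are the ones used in the post; the others are made up.
SAMPLE_LOG = """\
1733990400 192.168.1.50 www.example.com
1733990401 192.168.1.77 whatshouldIdo.hostile_actor.com
1733990402 192.168.1.77 whatELSEshouldIdo.hostile_actor.com
1733990403 192.168.1.77 thepasswordisFOOBAR.hostile_actor.com
1733990404 192.168.1.77 a3f9c1e7b2d4.hostile_actor.com
1733990405 192.168.1.50 mail.example.com
1733990406 192.168.1.50 cdn.example.com.
1733990407 192.168.1.50 this line is malformed extra fields
"""


def registered_domain(name):
    """Crude split: the last two labels are the 'registered' domain, everything
    before them is the subdomain payload the query's author controls.
    Returns (None, "") for names with fewer than three labels. A real tool
    would consult the Public Suffix List (co.uk etc.) instead; assumption here."""
    labels = name.lower().rstrip(".").split(".")   # DNS names are case-insensitive
    if len(labels) < 3:
        return None, ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(text):
    """Bits per character of a string; encoded or random-looking payloads
    score high, ordinary host names such as 'www' or 'mail' score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_log(log_text):
    """Yield (epoch, client, name) for well-formed lines; malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2]


def find_suspicious(log_text, min_distinct=3, max_mean_len=12.0,
                    max_mean_entropy=3.5):
    """Group queries by (client, registered domain) and flag groups whose
    distinct subdomain payloads are numerous AND either long or high-entropy.
    Returns {(client, domain): metrics} for the flagged groups only."""
    payloads = defaultdict(set)
    for _, client, name in parse_log(log_text):
        domain, sub = registered_domain(name)
        if domain is None or not sub:
            continue
        payloads[(client, domain)].add(sub)

    findings = {}
    for key, subs in payloads.items():
        if len(subs) < min_distinct:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        mean_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_len >= max_mean_len or mean_ent >= max_mean_entropy:
            findings[key] = {"distinct": len(subs),
                             "mean_len": round(mean_len, 2),
                             "mean_entropy": round(mean_ent, 2)}
    return findings


if __name__ == "__main__":
    for (client, domain), metrics in find_suspicious(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {metrics}")
```

    Legitimate services that also encode data in labels (some CDNs and anti-spam lookups) will trip the same heuristic, so the output is a triage list, not a verdict.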
  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 15:42:24 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
    On 12/12/2024 12:32 PM, Edward Rawde wrote:
    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    Inbound is problematic for various reasons.
    Do you want your cameras accepting inbound connections from anywhere in the world?

    Vendors have no problem selling "hubs" as a prerequisite to talk to
    their devices. Why can't the hub implement a packet filter?

    One reason is that the packet filtering would have to be configured specifically for local requirements.
    This gets us back to the issue of most people not knowing a packet filter if they fell over it.

    Use that as a selling point: the hub can act to protect the
    local network (for a fee!!) while their access point/router likely
    has not been reliably configured for that purpose.

    Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
    firmware updates.

    Simply putting the camera (or any device manufactured by someone who
    may or may not be trustworthy) on your "internal network" puts you
    at risk.

    E.g., I can open an outbound connection to hostile_actor.com and let
    an external agent act as command-and-control, telling me (the camera)
    what to do ON THE INTERNAL NETWORK.

    I don't permit outbound connections to a long list of countries.
    I can always whitelist if it does turn out that I need to connect to a server in one of those countries.
    This traffic can be disguised to look innocuous. E.g., resolving "whatshouldIdo.hostile_actor.com" can deliver data to the camera that
    can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com". Results can be delivered to the external agency by resolving "thepasswordisFOOBAR.hostile_actor.com", etc.

    Or, open an HTTP connection to hostile_actor.com and anyone looking
    through the logs (ha!) would just think a user visited a website
    with an oddly suspicious domain name. (So, buy up yahooo.com,
    goggle.com, etc.)

    I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
    attempting brute force to a blacklist.
    But most people have no interest in that.

    Hence the value of a "hub".

    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
    connection is secure.
    Of course, the machine SEES all attempts to connect to it. And, which
    ports and protocols are being used -- and in which sequence -- from every potential external IP. So, if it sees the right combination of accesses
    in a particular time frame, it will THEN respond to a connection attempt
    for a particular service. Or, "callback" on a preassigned port on
    the "caller's" IP address (as many ISPs frown on operating a server...
    but, no constraints on ACCESSING some external service -- even if doing
    so at the behest of said service!)

    Meanwhile, other attempts AT THE SAME TIME still see a "dangling wire".

    Once a connection is granted, there are no limits on what can be
    transferred (set up a tunnel and all of those transactions are hidden)

    Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
    pictures to be viewed by anyone other than themselves.

    <https://www.shodan.io/search?query=camera>

    Even if you can't (easily) access the video, the fact that someone has INSTALLED a camera (five cameras??) has informational value.

    A nearby store installed cameras not long ago.
    The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.




  • From Joe Gwinn@21:1/5 to robin_listas@es.invalid on Thu Dec 12 16:31:05 2024
    On Thu, 12 Dec 2024 19:58:36 +0100, "Carlos E.R."
    <robin_listas@es.invalid> wrote:

    On 2024-12-12 16:41, Jeroen Belleman wrote:
    On 12/12/24 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone,
    via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network
    stack in the appliance, all of the network infrastructure from
    your AP to the manufacturer's server, then, back through the phone
    network, up through the stack in your phone and, finally, through
    the app to the display.

    Nothing can go wrong, there, right? <rolls eyes>

    Apart from the obvious security and reliability worries, there is
    the issue that the *manufacturer* gets to decide when *your* device
    is obsolete.

    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    White lists have the advantage of immunity to attempts from random
    places. The lack of response if not white listed will defeat most
    port IP address and scanners, even though the firewall most likely can
    be hacked if known.

    Upgrade the firewall from time to time, to sorta keep up with the
    threats.

    Joe Gwinn

  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 14:18:05 2024
    On 12/12/2024 1:42 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
    On 12/12/2024 12:32 PM, Edward Rawde wrote:
    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    Inbound is problematic for various reasons.
    Do you want your cameras accepting inbound connections from anywhere in the world?

    Vendors have no problem selling "hubs" as a prerequisite to talk to
    their devices. Why can't the hub implement a packet filter?

    One reason is that the packet filtering would have to be configured specifically for local requirements.
    This gets us back to the issue of most people not knowing a packet filter if they fell over it.

    Most users have banal needs for a firewall. If running Windows hosts,
    then the filter in the host is even finer-grained than a filter in
    an external firewall (as the host-based filter can be tailored
    to specific applications).

    Use that as a selling point: the hub can act to protect the
    local network (for a fee!!) while their access point/router likely
    has not been reliably configured for that purpose.

    Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
    firmware updates.

    Simply putting the camera (or any device manufactured by someone who
    may or may not be trustworthy) on your "internal network puts you
    at risk.

    E.g., I can open an outbound connection to hostile_actor.com and let
    an external agent act as command-and-control, telling me (the camera)
    what to do ON THE INTERNAL NETWORK.

    I don't permit outbound connections to a long list of countries.

    You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
    a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter defenses" (WELCOMED in!) can act on behalf of some other agency.

    IP filtering doesn't buy you any real protection.

    I (the camera) can masquerade as any host INSIDE your network when I
    want to deliver data to an external agent. Because I can DYNAMICALLY
    set my network stack to masquerade as any IP address on a packet-to-packet basis.

    And, I have a good idea what the range of valid IP addresses for your
    internal network will be -- based on the address and netmask that you
    assigned to *me* when I was installed (or, negotiated my DHCP lease).
    Likewise, I can claim my MAC is anything that I want it to be!

    If you happen to peruse the logs, there is nothing that tells you
    over which "wire" the request came into your switch, AP, etc. So,
    you would have to eliminate devices until you stopped seeing "suspicious" traffic.

    All this assuming you are capable of doing so.

    I can always whitelist if it does turn out that I need to connect to a server in one of those countries.

    See above.

    This traffic can be disguised to look innocuous. E.g., resolving
    "whatshouldIdo.hostile_actor.com" can deliver data to the camera that
    can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com".
    Results can be delivered to the external agency by resolving
    "thepasswordisFOOBAR.hostile_actor.com", etc.

    Or, open an HTTP connection to hostile_actor.com and anyone looking
    through the logs (ha!) would just think a user visited a website
    with an oddly suspicious domain name. (So, buy up yahooo.com,
    goggle.com, etc.)

    I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
    attempting brute force to a blacklist.
    But most people have no interest in that.

    Hence the value of a "hub".

    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
    connection is secure.

    Knowing that a server exists is information. (esp if your AUP
    prohibits them! :> ) Knowing that there is <something> sitting
    at an IP invites probes.

    An address that never reacts to your actions is uninteresting.
    And, unless you can snoop the actual traffic, you can't know that
    the address is actually actively moving data!

    Once a connection is granted, there are no limits on what can be
    transferred (set up a tunnel and all of those transactions are hidden)

    Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
    pictures to be viewed by anyone other than themselves.

    <https://www.shodan.io/search?query=camera>

    Even if you can't (easily) access the video, the fact that someone has
    INSTALLED a camera (five cameras??) has informational value.

    A nearby store installed cameras not long ago.
    The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.

    Many parts of the US deliver "utilities" (phone, cable, power) via
    overhead wiring: "telephone poles". There exist transformers
    on these poles (at regular intervals) to step down the mains to
    the 240V center tapped that feeds our homes.

    Several decades ago, a "transformer" was installed on such a pole
    (why was it SUDDENLY needed, there?) outside from a business that
    sold "growing supplies" to folks who were suspected of being marijuana
    growers.

    The joke was that the transformer had NO wires (primary or secondary)
    attached to it. And, a large, rectangular region that resembled a
    "window" -- on the side facing the business.

    "Gee, wanna bet that's a (really poorly disguised) camera??" :>

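A defender's view of the DNS channel this post describes (commands and results carried in ever-changing subdomains of one domain), as an added example that is not code from the thread: it scans a constructed resolver log for one client making many distinct lookups under one domain and for long high-entropy labels; the log lines, the two-label registered-domain rule and the thresholds are all assumptions for the demo.

```python
"""Detecting DNS used as a covert command/exfiltration channel in resolver logs.

Added example written for this thread, not anyone's production tooling.
The log lines are constructed, and the thresholds are assumptions that a
practitioner would tune to the query mix of their own network.
"""
import math
from collections import Counter, defaultdict

# Constructed resolver log: "<unix_ts> <client_ip> <qname>". One client makes
# ordinary lookups; the other talks to a single domain through ever-changing
# subdomains, the pattern described in the thread.
SAMPLE_LOG = """\
1700000000 192.168.1.50 www.example.com
1700000001 192.168.1.50 cdn.example.com
1700000002 192.168.1.77 whatshouldido.hostile-actor.example
1700000003 192.168.1.77 whatelseshouldido.hostile-actor.example
1700000004 192.168.1.77 thepasswordisfoobar.hostile-actor.example
1700000005 192.168.1.77 3f9a1c7e5b2d8046.hostile-actor.example
1700000006 192.168.1.77 b7e2d94a0c6f1835.hostile-actor.example
1700000007 192.168.1.77 a41c9f0e73b8d625.hostile-actor.example
1700000008 192.168.1.50 mail.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: random hex is 4.0, English words land around 3."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumption for the demo: the
    registered domain is the last two labels; real tooling uses a public-suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def analyze(log_text: str, min_unique: int = 4, min_len: int = 12,
            max_entropy: float = 3.8) -> dict:
    """Flag (client, domain) pairs that look like a covert channel.

    Two signals: many distinct subdomains under one domain from one client
    (each lookup carries a new message), and long high-entropy labels
    (encoded payload rather than a hostname). Returns the flagged pairs."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        sub, domain = split_qname(qname)
        if sub:
            seen[(client, domain)].add(sub)

    findings = {}
    for key, subs in seen.items():
        noisy = sorted(s for s in subs
                       if len(s) >= min_len and shannon_entropy(s) > max_entropy)
        if len(subs) >= min_unique or noisy:
            findings[key] = {"unique_subdomains": len(subs), "high_entropy": noisy}
    return findings
```

Neither signal alone is proof (CDNs and telemetry also churn subdomains), which is why the result is a pair to investigate rather than a block decision.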
  • From Carlos E.R.@21:1/5 to Joe Gwinn on Thu Dec 12 23:15:00 2024
    On 2024-12-12 22:31, Joe Gwinn wrote:
    On Thu, 12 Dec 2024 19:58:36 +0100, "Carlos E.R."
    <robin_listas@es.invalid> wrote:

    On 2024-12-12 16:41, Jeroen Belleman wrote:
    On 12/12/24 14:16, Don Y wrote:
    On 12/12/2024 5:47 AM, Carlos E.R. wrote:
    On 2024-12-12 12:00, Don Y wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!

    There are devices that put the actual interface on the phone,
    via WiFi. The physical interface has a reduced set of features.

    Yes. Via a server located at the manufacturer's facility!

    So, you have the application layer in the appliance, the network
    stack in the appliance, all of the network infrastructure from
    your AP to the manufacturer's server, then, back through the phone
    network, up through the stack in your phone and, finally, through
    the app to the display.

    Nothing can go wrong, there, right? <rolls eyes>

    Apart from the obvious security and reliability worries, there is
    the issue that the *manufacturer* gets to decide when *your* device
    is obsolete.

    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    AFAIK, I have the ISP installed router that has a firewall, and
    everything incoming is closed.

    And this thing is installed on the guest LAN.


    White lists have the advantage of immunity to attempts from random
    places. The lack of response if not white listed will defeat most
    port IP address and scanners, even though the firewall most likely can
    be hacked if known.

    Upgrade the firewall from time to time, to sorta keep up with the
    threats.

    Joe Gwinn


    --
    Cheers, Carlos.

  • From Carlos E.R.@21:1/5 to john larkin on Thu Dec 12 23:19:46 2024
    On 2024-12-12 22:09, john larkin wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!
    I insisted that our new cooktops have no electronics. Well, they have igniters but you can still light them with a match.

    Over here, there is a safety "thing" (I don't know the name). When hot,
    it opens the gas valve, so that if the flame extinguishes, it goes cold,
    and closes the valve. It could be based on the Seebeck effect, so
    arguably electronics.

    I believe it is mandatory.


    We have a dual oven that for some reason has one section with a
    classic pneumatic thermostat and the other with electronic controls.
    Guess which is broken.


    --
    Cheers, Carlos.

  • From Don Y@21:1/5 to Carlos E.R. on Thu Dec 12 15:45:02 2024
    On 12/12/2024 3:19 PM, Carlos E.R. wrote:
    Over here, there is a safety "thing" (I don't know the name). When hot, it opens the gas valve, so that if the flame extinguishes, it goes cold, and closes the valve. It could be based on the Seebeck effect, so arguably electronics.

    I believe it is mandatory.

    Furnaces have similar ELECTRICAL interlocks on the gas valve.
    If "heat" isn't detected in a certain interval, the valve is
    allowed to return to its nominal "closed" position.

    But, as there is no heat initially, this has to be bypassed
    for a certain "timeout" interval when initially starting the
    furnace.

    We had a failure in the gas supply to the city some years ago.
    There was gas -- but of insufficient pressure/flow to keep
    gas appliances operating correctly. (It was unusually cold for
    this region so gas demand exceeded supply capability)

    This manifested as the thermostat calling for heat, the furnace
    starting the purge fan, then opening the gas valve and firing the
    igniter (all of these under software control)... only to have
    the safeties kick in and shut down the gas supply when the desired
    internal combustion chamber temperature was not reached.

    Then, waiting a while before trying again.

    Of course, if you WATCHED the process, you could see what was happening
    and even "hear" the diminished flow of gas.

    Folks lacking such skill swamped the local plumbers/HVAC guys
    with complaints of "no heat" (Really? You didn't think to ask
    your NEIGHBOR if they had heat? And, when they replied in the
    negative, reason that it is unlikely to be a problem with YOUR
    equipment??!)

    [Of course, the plumbers/HVAC guys likely knew what the real problem
    was but didn't turn away those requests for service! :> OTOH, if
    they HAD and one of those folks had a real problem that led to a
    "loss", they would likely have a hard time justifying their
    inaction!]

  • From Don Y@21:1/5 to Joe Gwinn on Thu Dec 12 15:33:16 2024
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    First, not all ISPs will allow inbound connections. E.g., many
    hide their subscribers behind NAT so incoming connections can't
    find specific hosts.

    Second, there is nothing that prevents a device THAT YOU HAVE
    WILLINGLY INSTALLED from having malware in it that compromises
    your internal network. This, because most folks only implement
    perimeter security mechanisms. So, a device is free to "call out"
    and open a connection that allows an external actor to get past
    any such peripheral defenses.

    And, because any of your protections likely deal with the
    internal vs. external networks as separate, homogenous entities,
    there is no way for you to easily determine where (physically)
    traffic is originating or terminating. A device can pretend (from
    the standpoint of packet inspection) to be any device on "your"
    network.

    [There are commercial devices available with exactly this capability,
    used for pen-testing.]

    White lists have the advantage of immunity to attempts from random
    places. The lack of response if not white listed will defeat most
    port IP address and scanners, even though the firewall most likely can
    be hacked if known.

    Many appliances advertise their presence -- through established
    protocols. So, in addition to knowing it is there, they know WHAT
    the device is and what rev level software, etc.

    Building a collection of scripts that target specific vulnerabilities
    in specific devices is then a practical attack plan.

    Upgrade the firewall from time to time, to sorta keep up with the
    threats.

    The only practical way to protect a device (or network) is to impose constraints on both ends.

    E.g., my "knock protocol" burdens folks who try to access my server.
    But, it keeps the server secure -- and well hidden.

    In my distributed system project, I use separate tunnels from each
    device to the switch. So, the credentials for the device connected to
    port #5 are of no value to you if you try to access the network
    via port #8.

    Furthermore, I know WHAT is at the end of each of those wires and
    dynamically control the interactions allowed over those connections.

    E.g., an "exposed/accessible" security camera should never have a need
    to issue a command to open the garage door. And, any attempt to do so (assuming the encryption has been compromised by reverse-engineering
    THE camera that was previously attached to that wire), will cause
    the system to mark that network port ("wire") as tainted. So, even if
    you tried to feed bogus video (because I *think* you are a camera)
    to the system, it would ignore that input.

    Red/Blue team exercises are incredibly educational! Until you actually
    try to break security, you don't realize just how silly most mechanisms actually are!

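The per-wire design in this post (a separate credential per switch port, a per-port list of permitted commands, and a port marked tainted the moment the device behind it asks for something outside its role), as an added example that is not the poster's own code: a per-port HMAC key stands in for the per-device tunnel, and the port numbers, roles and command names are invented.

```python
"""Per-wire credentials plus per-wire command policy, with tainting.

Added example written for this thread; not the poster's own system. The key
per port stands in for the per-device tunnel; the roles, port numbers and
command names are invented for the demo.
"""
import hashlib
import hmac
import secrets

# Constructed policy: what the device behind each switch port may ask for.
PORT_POLICY = {
    5: {"role": "camera", "allowed": {"video.frame", "camera.heartbeat"}},
    8: {"role": "garage", "allowed": {"garage.status", "garage.open"}},
}


class PortGuard:
    def __init__(self, policy, keys=None):
        self.policy = policy
        # One secret per wire. In the real system only the device on that
        # wire holds its key; here the guard keeps them so the demo can mint tags.
        self.keys = keys or {port: secrets.token_bytes(32) for port in policy}
        self.tainted = {}  # port -> first disallowed command seen on it

    def tag(self, port: int, command: str) -> bytes:
        """The MAC a device on `port` attaches to `command` (demo-side helper)."""
        return hmac.new(self.keys[port], command.encode(), hashlib.sha256).digest()

    def handle(self, ingress_port: int, command: str, tag: bytes) -> str:
        """Decide what to do with `command` arriving on `ingress_port`."""
        if ingress_port not in self.policy:
            return "reject: unknown wire"
        if ingress_port in self.tainted:
            # Once tainted, everything from that wire is ignored,
            # valid-looking video included.
            return "ignore: wire tainted"
        # The credential is bound to the wire: a tag minted with port 5's key
        # is worthless when presented on port 8.
        if not hmac.compare_digest(self.tag(ingress_port, command), tag):
            return "reject: credential not valid for this wire"
        if command in self.policy[ingress_port]["allowed"]:
            return "accept"
        # Valid credential but an out-of-role command: whatever is on that
        # wire is no longer trusted to be the camera. Mark the wire.
        self.tainted[ingress_port] = command
        return "reject: wire tainted"
```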
  • From Don Y@21:1/5 to Don Y on Thu Dec 12 15:50:35 2024
    On 12/12/2024 3:33 PM, Don Y wrote:
    Red/Blue team exercises are incredibly educational! Until you actually
    try to break security, you don't realize just how silly most mechanisms actually are!

    Think about how flimsy cockpit doors were on aircraft, pre-9/11.
    Did no one remember the hijackings of the 60's and 70's?

    For an interesting (disturbing!) exercise, have a look around
    your house at how you would "break in" if you had to. I suspect
    you could do so WITHOUT actually damaging any part of the house
    (e.g., no broken windows, bent door frames, etc.)

    [Do you think folks intent on such activities haven't already
    done that calculus??]

  • From Joe Gwinn@21:1/5 to robin_listas@es.invalid on Thu Dec 12 18:01:50 2024
    On Thu, 12 Dec 2024 23:19:46 +0100, "Carlos E.R."
    <robin_listas@es.invalid> wrote:

    On 2024-12-12 22:09, john larkin wrote:
    Yeah, I'm REALLY eager to turn on the factory's WiFi interface
    for the stove/oven... NOT!
    I insisted that our new cooktops have no electronics. Well, they have
    igniters but you can still light them with a match.

    Over here, there is a safety "thing" (I don't know the name). When hot,
    it opens the gas valve, so that if the flame extinguishes, it goes cold,
    and closes the valve. It could be based on the Seebeck effect, so
    arguably electronics.

    I believe it is mandatory.

    We have the same thing, and yes it is mandatory.

    The original ones were purely mechanical, or maybe electro-mechanical
    (uses a thermocouple stack to generate enough current to drive an
    actuator. These are still around, but things like oil burners also
    have photocells, to see if the sprayed oil is in fact burning,
    shutting the oil off if no light for maybe ten seconds.


    We have a dual oven that for some reason has one section with a
    classic pneumatic thermostat and the other with electronic controls.
    Guess which is broken.

    Yeah.

    Joe Gwinn

  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 18:50:50 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    First, not all ISPs will allow inbound connections. E.g., many
    hide their subscribers behind NAT so incoming connections can't
    find specific hosts.

    They tried to put me on lsn/cgnat. I was given a static IPv4 when I complained. Previously the IP had been sufficiently static but not totally static.


    Second, there is nothing that prevents a device THAT YOU HAVE
    WILLINGLY INSTALLED from having malware in it that compromises
    your internal network. This, because most folks only implement
    perimeter security mechanisms. So, a device is free to "call out"
    and open a connection that allows an external actor to get past
    any such peripheral defenses.

    It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free access
    to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
    packet filtered as necessary.


    And, because any of your protections likely deal with the
    internal vs. external networks as separate, homogenous entities,
    there is no way for you to easily determine where (physically)
    traffic is originating or terminating. A device can pretend (from
    the standpoint of packet inspection) to be any device on "your"
    network.

    That still doesn't mean it has access credentials for anything it shouldn't have.


    [There are commercial devices available with exactly this capability,
    used for pen-testing.]

    White lists have the advantage of immunity to attempts from random
    places. The lack of response if not white listed will defeat most
    port IP address and scanners, even though the firewall most likely can
    be hacked if known.

    Many appliances advertise their presence -- through established
    protocols. So, in addition to knowing it is there, they know WHAT
    the device is and what rev level software, etc.

    Building a collection of scripts that target specific vulnerabilities
    in specific devices is then a practical attack plan.

    Upgrade the firewall from time to time, to sorta keep up with the
    threats.

    The only practical way to protect a device (or network) is to impose constraints on both ends.

    E.g., my "knock protocol" burdens folks who try to access my server.
    But, it keeps the server secure -- and well hidden.

    In my distributed system project, I use separate tunnels from each
    device to the switch. So, the credentials for the device connected to
    port #5 are of no value to you if you try to access the network
    via port #8.

    Furthermore, I know WHAT is at the end of each of those wires and
    dynamically control the interactions allowed over those connections.

    E.g., an "exposed/accessible" security camera should never have a need
    to issue a command to open the garage door. And, any attempt to do so (assuming the encryption has been compromised by reverse-engineering
    THE camera that was previously attached to that wire), will cause
    the system to mark that network port ("wire") as tainted. So, even if
    you tried to feed bogus video (because I *think* you are a camera)
    to the system, it would ignore that input.

    Red/Blue team exercises are incredibly educational! Until you actually
    try to break security, you don't realize just how silly most mechanisms actually are!



  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 18:36:15 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfjul$2ufi0$1@dont-email.me...
    On 12/12/2024 1:42 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfg9k$2tnfq$1@dont-email.me...
    On 12/12/2024 12:32 PM, Edward Rawde wrote:
    Is there any reason the camera can't talk to a phone that is also
    hosted by the customer's access point?

    If you want to let the camera access a phone that is NOT "local",
    then let the user subscribe to a DynDNS service -- provided by
    any number of competing firms (even the manufacturer -- via a nice
    clean OPEN interface).

    Inbound is problematic for various reasons.
    Do you want your cameras accepting inbound connections from anywhere in the world?

    Vendors have no problem selling "hubs" as a prerequisite to talk to
    their devices. Why can't the hub implement a packet filter?

    One reason is that the packet filtering would have to be configured specifically for local requirements.
    This gets us back to the issue of most people not knowing a packet filter if they fell over it.

    Most users have banal needs for a firewall. If running Windows hosts,
    then the filter in the host is even finer-grained than a filter in
    an external firewall (as the host-based filter can be tailored
    to specific applications).

    The host based filter is worthless if the user is administrator (like most Windows users are) because malware can configure/disable
    the firewall as it likes.


    Use that as a selling point: the hub can act to protect the
    local network (for a fee!!) while their access point/router likely
    has not been reliably configured for that purpose.

    Ok they don't have access credentials but there's still a risk of an 0-day in a camera system which isn't going to get any more
    firmware updates.

    Simply putting the camera (or any device manufactured by someone who
    may or may not be trustworthy) on your "internal network puts you
    at risk.

    E.g., I can open an outbound connection to hostile_actor.com and let
    an external agent act as command-and-control, telling me (the camera)
    what to do ON THE INTERNAL NETWORK.

    I don't permit outbound connections to a long list of countries.

    You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
    a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter defenses" (WELCOMED in!) can act on behalf of some other agency.

    IP filtering doesn't buy you any real protection.

    It does if you watch the logs for anything unusual.
    A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.
    Just like I watch who goes in and out of my house and who I give keys to. Imagine owning a house where you can't tell who comes and goes or who has keys. That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
    cleanup.


    I (the camera) can masquerade as any host INSIDE your network when I
    want to deliver data to an external agent. Because I can DYNAMICALLY
    set my network stack to masquerade as any IP address on a packet-to-packet basis.

    And, I have a good idea what the range of valid IP addresses for your internal network will be -- based on the address and netmask that you assigned to *me* when I was installed (or, negotiated my DHCP lease). Likewise, I can claim my MAC is anything that I want it to be!

    If you happen to peruse the logs, there is nothing that tells you
    over which "wire" the request came into your switch, AP, etc. So,
    you would have to eliminate devices until you stopped seeing "suspicious" traffic.

    All this assuming you are capable of doing so.

    I can always whitelist if it does turn out that I need to connect to a server in one of those countries.

    See above.

    This traffic can be disguised to look innocuous. E.g., resolving
    "whatshouldIdo.hostile_actor.com" can deliver data to the camera that
    can be augmented by then resolving "whatELSEshouldIdo.hostile_actor.com". Results can be delivered to the external agency by resolving
    "thepasswordisFOOBAR.hostile_actor.com", etc.

    Or, open an HTTP connection to hostile_actor.com and anyone looking
    through the logs (ha!) would just think a user visited a website
    with an oddly suspicious domain name. (So, buy up yahooo.com,
    goggle.com, etc.)

    I would do this myself because I can use a firewall to restrict inbound as necessary and I can quickly add any IP or network
    attempting brute force to a blacklist.
    But most people have no interest in that.

    Hence the value of a "hub".

    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
    connection is secure.

    Knowing that a server exists is information. (esp if your AUP
    prohibits them! :> ) Knowing that there is <something> sitting
    at an IP invites probes.

    Knowing that there's a house there is information.
    Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
    getting in unseen.
    Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.


    An address that never reacts to your actions is uninteresting.
    And, unless you can snoop the actual traffic, you can't know that
    the address is actually actively moving data!

    In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing something potentially
    interesting.


    Once a connection is granted, there are no limits on what can be
    transferred (set up a tunnel and all of those transactions are hidden)

    Most people just want the pictures on their phone wherever they are and they may wrongly assume that it's impossible for the
    pictures to be viewed by anyone other than themselves.

    <https://www.shodan.io/search?query=camera>

    Even if you can't (easily) access the video, the fact that someone has
    INSTALLED a camera (five cameras??) has informational value.

    A nearby store installed cameras not long ago.
    The number of cameras (or what looked like there were cameras inside them) made it easy to conclude that they were fake.

    Many parts of the US deliver "utilities" (phone, cable, power) via
    overhead wiring: "telephone poles". There exist transformers
    on these poles (at regular intervals) to step down the mains to
    the 240V center tapped that feeds our homes.

    Several decades ago, a "transformer" was installed on such a pole
    (why was it SUDDENLY needed, there?) outside from a business that
    sold "growing supplies" to folks who were suspected of being marijuana growers.

    The joke was that the transformer had NO wires (primary or secondary) attached to it. And, a large, rectangular region that resembled a
    "window" -- on the side facing the business.

    "Gee, wanna bet that's a (really poorly disguised) camera??" :>

    It must have been powered by something, even if everything else was wireless.




    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
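The "knock sequence" gate described above, as an added example that is not part of the original posts or Don Y's setup: the per-source state machine that decides when a source has knocked correctly, fed with (time, source, destination port) events as a firewall log or packet tap would deliver them. The sequence (7000, 9000, 8000), the 10 s inter-knock window and the 30 s grant lifetime are assumed values; the host itself never answers, since the firewall keeps dropping everything and only a granted source is let through to the real service port, on top of (not instead of) the fixed address allowlist Edward mentions.

```python
from dataclasses import dataclass, field


@dataclass
class KnockGate:
    """Per-source knock-sequence tracker (hypothetical; ports in `sequence` are distinct)."""
    sequence: tuple
    window: float = 10.0       # max seconds allowed between consecutive knocks
    grant_ttl: float = 30.0    # seconds the service port stays reachable for that source
    _progress: dict = field(default_factory=dict)   # src -> (next_index, time_of_last_knock)
    _granted: dict = field(default_factory=dict)    # src -> expiry timestamp

    def observe(self, ts, src, port):
        """Feed one SYN the firewall saw. Returns True the moment src completes the sequence.
        Nothing is ever sent back, so a prober cannot tell a knock port from any other."""
        idx, last = self._progress.get(src, (0, None))
        if last is not None and ts - last > self.window:
            idx = 0                       # too slow: partial progress is forgotten
        if port == self.sequence[idx]:
            idx += 1                      # the expected knock
        elif port == self.sequence[0]:
            idx = 1                       # out-of-order knock that restarts the sequence
        else:
            idx = 0                       # any other port, e.g. a port sweep, resets
        if idx == len(self.sequence):
            self._granted[src] = ts + self.grant_ttl
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, ts)
        return False

    def is_open(self, ts, src):
        """Would the real service port accept a connection from src at time ts?"""
        expiry = self._granted.get(src)
        if expiry is None:
            return False
        if ts > expiry:
            del self._granted[src]        # grant lapsed; the full sequence is needed again
            return False
        return True


def sweep_never_opens(sequence=(7000, 9000, 8000)):
    """An ascending sweep over the whole range hits every knock port, yet the
    intermediate ports reset the count each time, so the gate never opens."""
    gate = KnockGate(sequence)
    for i, port in enumerate(range(min(sequence) - 1, max(sequence) + 2)):
        gate.observe(i * 0.01, "198.51.100.99", port)   # constructed source address
    return not gate.is_open(60.0, "198.51.100.99")


if __name__ == "__main__":
    g = KnockGate((7000, 9000, 8000))
    for t, p in ((0.0, 7000), (2.0, 9000), (4.0, 8000)):
        print(f"t={t:4.1f} port={p} completed={g.observe(t, '198.51.100.5', p)}")
    print("open at t=10:", g.is_open(10.0, "198.51.100.5"))
    print("open at t=35:", g.is_open(35.0, "198.51.100.5"))
    print("sweep defeated:", sweep_never_opens())
```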
  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 17:53:10 2024
    On 12/12/2024 4:50 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    First, not all ISPs will allow inbound connections. E.g., many
    hide their subscribers behind NAT so incoming connections can't
    find specific hosts.

    They tried to put me on LSN/CGNAT. I was given a static IPv4 when I complained.
    Previously the IP had been sufficiently static but not totally static.

    I prefer hiding behind NAT as it makes it that much harder for
    unwanted incoming connections.

    Second, there is nothing that prevents a device THAT YOU HAVE
    WILLINGLY INSTALLED from having malware in it that compromises
    your internal network. This, because most folks only implement
    perimeter security mechanisms. So, a device is free to "call out"
    and open a connection that allows an external actor to get past
    any such peripheral defenses.

    It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free access
    to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
    packet filtered as necessary.

    You don't REALLY think all of these security breaches happen because
    a piece of malware HAS valid credentials? If that was all it took
    to secure a network, just put 16 character "license plate" passwords
    on all accounts and don't worry about a breach until Hell starts getting
    really cold!

    Once you are inside a perimeter defense, you can poke at machines
    at your leisure and accumulate results, sharing them with your
    external "accomplice" as need be for further refinement and instruction.

    Imagine Joe Super Hacker having a network drop in your spare
    bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
    that he will attempt? Can you lock down the data that he steals before
    it gets out past your firewall?

    [If so, then why do so many "professional organizations" have problems
    doing this?]

    And, because any of your protections likely deal with the
    internal vs. external networks as separate, homogeneous entities,
    there is no way for you to easily determine where (physically)
    traffic is originating or terminating. A device can pretend (from
    the standpoint of packet inspection) to be any device on "your"
    network.

    That still doesn't mean it has access credentials for anything it shouldn't have.

    See above.

  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 17:43:15 2024
    On 12/12/2024 4:36 PM, Edward Rawde wrote:
    Most users have banal needs for a firewall. If running Windows hosts,
    then the filter in the host is even finer-grained than a filter in
    an external firewall (as the host-based filter can be tailored
    to specific applications).

    The host based filter is worthless if the user is administrator (like most Windows users are) because malware can configure/disable
    the firewall as it likes.

    It's not going to suddenly decide that, e.g., PhotoShop needs access to
    the internet!

    I don't permit outbound connections to a long list of countries.

    You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
    a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
    defenses" (WELCOMED in!) can act on behalf of some other agency.

    IP filtering doesn't buy you any real protection.

    It does if you watch the logs for anything unusual.

    Do you have more than one host? Printer? etc. How many thousands of connections are you going to examine every day?

    Windows machines typically run a whole slew of protocols, many of which
    have dubious GENERAL value. Yet, disable one and you may find you've
    shutdown CIFS support. Or, network discovery protocols. Or...

    A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.

    So, you work for your computer! Most folks want their computers to work
    for THEM!

    Just like I watch who goes in and out of my house and who I give keys to. Imagine owning a house where you can't tell who comes and goes or who has keys.

    Knowing who has keys tells you ONLY who has keys. It tells you nothing
    of whether they are using them, have given them to someone else to use, etc.

    Do you really spend your waking hours watching all the lockable doors on
    your property? AND, connections to your computer(s)?

    That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
    cleanup.

    A simpler solution is simply not to have anything "stealable" on a machine
    that can be compromised.

    If you could commandeer THIS machine, remotely, you could look to see
    who I correspond with. And, what I've downloaded, recently.

    And, that's about it!

    If you manage to install malware, then you could use it as a C&C node to manipulate other machines -- machines that I don't own (because the only
    other thing on this network is a printer and the modem).

    And, at the next semi-annual review, I will discover your malware
    and remove it -- along with taking steps to protect against reinfection
    (e.g., install the custom boot loader that I have on the laptop that
    wipes the OS each time I boot)

    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
    connection is secure.

    Knowing that a server exists is information. (esp if your AUP
    prohibits them! :> ) Knowing that there is <something> sitting
    at an IP invites probes.

    Knowing that there's a house there is information.

    Who said there is a house? :> Who says it is (physically) *here*?

    Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
    getting in unseen.

    What difference if you can still get in and inflict whatever damage?
    Imagine trying to get OUT in the event of a fire... when the drawbridge mechanism fails?

    Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.

    An address that never reacts to your actions is uninteresting.
    And, unless you can snoop the actual traffic, you can't know that
    the address is actually actively moving data!

    In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing something potentially
    interesting.

    I have ~70 hosts in my office. Yet, you'd be hard pressed to see more
    than one or two (despite not deliberately trying to "hide") simply
    because they are never ALL powered up (yet each needs a distinct
    IP so I can power up any subset of them).

    The advantage of an "internal agent" (like a pwn plug) is that it
    can run 24/7/365 and patiently collect data from its observations.

    Several decades ago, a "transformer" was installed on such a pole
    (why was it SUDDENLY needed, there?) outside from a business that
    sold "growing supplies" to folks who were suspected of being marijuana
    growers.

    The joke was that the transformer had NO wires (primary or secondary)
    attached to it. And, a large, rectangular region that resembled a
    "window" -- on the side facing the business.

    "Gee, wanna bet that's a (really poorly disguised) camera??" :>

    It must have been powered by something, even if everything else was wireless.

    A large battery. The voltage present on the pole is ~11 kV (14 kV?) or more. Silly to design a surveillance device that has to accept those high voltages for power when you have all that volume to use for an energy store!

    (You can always come back to visit it a month later to replace the battery
    and retrieve the stored video footage!)

  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 20:31:56 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...
    On 12/12/2024 4:50 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    First, not all ISPs will allow inbound connections. E.g., many
    hide their subscribers behind NAT so incoming connections can't
    find specific hosts.

    They tried to put me on LSN/CGNAT. I was given a static IPv4 when I complained.
    Previously the IP had been sufficiently static but not totally static.

    I prefer hiding behind NAT as it makes it that much harder for
    unwanted incoming connections.

    Second, there is nothing that prevents a device THAT YOU HAVE
    WILLINGLY INSTALLED from having malware in it that compromises
    your internal network. This, because most folks only implement
    perimeter security mechanisms. So, a device is free to "call out"
    and open a connection that allows an external actor to get past
    any such peripheral defenses.

    It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free
    access
    to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
    packet filtered as necessary.

    You don't REALLY think all of these security breaches happen because
    a piece of malware HAS valid credentials? If that was all it took
    to secure a network, just put 16 character "license plate" passwords
    on all accounts and don't worry about a breach until Hell starts getting really cold!

    Once you are inside a perimeter defense, you can poke at machines
    at your leisure and accumulate results, sharing them with your
    external "accomplice" as need be for further refinement and instruction.

    Imagine Joe Super Hacker having a network drop in your spare
    bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
    that he will attempt? Can you lock down the data that he steals before
    it gets out past your firewall?

    [If so, then why do so many "professional organizations" have problems
    doing this?]

    One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis
    scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
    Let's take a hospital with myriad networked devices on various networks.
    Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
    Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?


    And, because any of your protections likely deal with the
    internal vs. external networks as separate, homogeneous entities,
    there is no way for you to easily determine where (physically)
    traffic is originating or terminating. A device can pretend (from
    the standpoint of packet inspection) to be any device on "your"
    network.

    That still doesn't mean it has access credentials for anything it shouldn't have.

    See above.


  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 20:21:01 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfvvb$310fn$1@dont-email.me...
    On 12/12/2024 4:36 PM, Edward Rawde wrote:
    Most users have banal needs for a firewall. If running Windows hosts,
    then the filter in the host is even finer-grained than a filter in
    an external firewall (as the host-based filter can be tailored
    to specific applications).

    The host based filter is worthless if the user is administrator (like most Windows users are) because malware can
    configure/disable
    the firewall as it likes.

    It's not going to suddenly decide that, e.g., PhotoShop needs access to
    the internet!

    I don't permit outbound connections to a long list of countries.

    You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
    a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
    defenses" (WELCOMED in!) can act on behalf of some other agency.

    IP filtering doesn't buy you any real protection.

    It does if you watch the logs for anything unusual.

    Do you have more than one host? Printer? etc. How many thousands of connections are you going to examine every day?

    Automatic (python scripts in my case) examination of successful connections (ignoring anything blocked) takes a few seconds per day
    so that I can easily see anything out of the ordinary. Connection between anything on my network and another nearby IP on the same
    (or not far away) ISP would have been obvious.


    Windows machines typically run a whole slew of protocols, many of which
    have dubious GENERAL value. Yet, disable one and you may find you've shutdown CIFS support. Or, network discovery protocols. Or...

    A connection to a neighbor IP address would be obvious to me and I'd likely block it to see if anything legitimate breaks.

    So, you work for your computer! Most folks want their computers to work
    for THEM!

    See above.


    Just like I watch who goes in and out of my house and who I give keys to.
    Imagine owning a house where you can't tell who comes and goes or who has keys.

    Knowing who has keys tells you ONLY who has keys. It tells you nothing
    of whether they are using them, have given them to someone else to use, etc.

    Do you really spend your waking hours watching all the lockable doors on
    your property? AND, connections to your computer(s)?

    See above. Security personnel are generally trained to watch for anything unusual.
    Knowing whether a complete stranger has entered your house is all that's needed.
    It is of course best that they stay locked out.


    That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
    cleanup.

    A simpler solution is simply not to have anything "stealable" on a machine that can be compromised.

    A better solution is not to get anything compromised.


    If you could commandeer THIS machine, remotely, you could look to see
    who I correspond with. And, what I've downloaded, recently.

    And, that's about it!

    If you manage to install malware, then you could use it as a C&C node to manipulate other machines -- machines that I don't own (because the only other thing on this network is a printer and the modem).

    And, at the next semi-annual review, I will discover your malware
    and remove it -- along with taking steps to protect against reinfection (e.g., install the custom boot loader that I have on the laptop that
    wipes the OS each time I boot)

    I wouldn't want to use a laptop which wipes the OS each time I boot.


    I "hide" my file server behind a particular "knock sequence" that is
    only known to folks who should need access to it. Trying to probe
    the IP address gets you no information -- it looks like there isn't
    a machine AT that IP address.

    I don't see any additional value in this provided the file server is restricted to specific IP addresses or networks and the
    connection is secure.

    Knowing that a server exists is information. (esp if your AUP
    prohibits them! :> ) Knowing that there is <something> sitting
    at an IP invites probes.

    Knowing that there's a house there is information.

    Who said there is a house? :> Who says it is (physically) *here*?

    Or in the country I'm from, knowing that there's a castle there is information but if it's surrounded by a moat then good luck
    getting in unseen.

    What difference if you can still get in and inflict whatever damage?
    Imagine trying to get OUT in the event of a fire... when the drawbridge mechanism fails?

    Violation of the access protocol could get you an arrow or cannon ball up your somewhere in the past.

    An address that never reacts to your actions is uninteresting.
    And, unless you can snoop the actual traffic, you can't know that
    the address is actually actively moving data!

    In many cases you can infer. 1.2.3.0/24 and if you know 1.2.3.20 is active then the rest are likely doing something potentially
    interesting.

    I have ~70 hosts in my office. Yet, you'd be hard pressed to see more
    than one or two (despite not deliberately trying to "hide") simply
    because they are never ALL powered up (yet each needs a distinct
    IP so I can power up any subset of them).

    The advantage of an "internal agent" (like a pwn plug) is that it
    can run 24/7/365 and patiently collect data from its observations.

    Several decades ago, a "transformer" was installed on such a pole
    (why was it SUDDENLY needed, there?) outside from a business that
    sold "growing supplies" to folks who were suspected of being marijuana
    growers.

    The joke was that the transformer had NO wires (primary or secondary)
    attached to it. And, a large, rectangular region that resembled a
    "window" -- on the side facing the business.

    "Gee, wanna bet that's a (really poorly disguised) camera??" :>

    It must have been powered by something, even if everything else was wireless.

    A large battery. The voltage present on the pole is ~11 kV (14 kV?) or more. Silly to design a surveillance device that has to accept those high voltages for power when you have all that volume to use for an energy store!

    (You can always come back to visit it a month later to replace the battery and retrieve the stored video footage!)

    A camera system which requires me to go up a ladder to change the large battery and retrieve the footage doesn't sound like fun to
    me.




  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 19:20:40 2024
    On 12/12/2024 6:31 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...
    On 12/12/2024 4:50 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    The device has a limited life expectancy, anyway. About 10 years. The
    boiler needs replacement of rubber gasket every year or two. There is a
    mandatory yearly maintenance visit. With the remote controller,
    maintenance visits are every two years, because the remote server
    monitors the parameters and decides when a visit is needed.

    So, that convenience is decisive for me. Win win.

    A dodge occurs to me: Install a simple firewall between external
    Internet and internal network that hosts such things as cameras and
    furnaces. Set the firewall to accept only one of a small set of white
    listed sources, and otherwise not to reply.

    First, not all ISPs will allow inbound connections. E.g., many
    hide their subscribers behind NAT so incoming connections can't
    find specific hosts.

    They tried to put me on LSN/CGNAT. I was given a static IPv4 when I complained.
    Previously the IP had been sufficiently static but not totally static.

    I prefer hiding behind NAT as it makes it that much harder for
    unwanted incoming connections.

    Second, there is nothing that prevents a device THAT YOU HAVE
    WILLINGLY INSTALLED from having malware in it that compromises
    your internal network. This, because most folks only implement
    perimeter security mechanisms. So, a device is free to "call out"
    and open a connection that allows an external actor to get past
    any such peripheral defenses.

    It's true that this is a situation you want to avoid but a properly designed internal network will not allow the malware free
    access
    to services it doesn't have access credentials for. And devices such as cameras can be on their own internal network separately
    packet filtered as necessary.

    You don't REALLY think all of these security breaches happen because
    a piece of malware HAS valid credentials? If that was all it took
    to secure a network, just put 16 character "license plate" passwords
    on all accounts and don't worry about a breach until Hell starts getting
    really cold!

    Once you are inside a perimeter defense, you can poke at machines
    at your leisure and accumulate results, sharing them with your
    external "accomplice" as need be for further refinement and instruction.

    Imagine Joe Super Hacker having a network drop in your spare
    bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
    that he will attempt? Can you lock down the data that he steals before
    it gets out past your firewall?

    [If so, then why do so many "professional organizations" have problems
    doing this?]

    One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log analysis
    scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
    Let's take a hospital with myriad networked devices on various networks.
    Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
    Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?

    Organizations (like hospitals) typically have SCORES of IT folks.
    In addition to out-sourced "specialists".

    Banks and other groups with obvious financial exposure to such
    losses likely considerably more. Governments? Firms involved
    with that sort of technology?

  • From Edward Rawde@21:1/5 to All on Thu Dec 12 21:46:46 2024
    Organizations (like hospitals) typically have SCORES of IT folks.
    In addition to out-sourced "specialists".

    Banks and other groups with obvious financial exposure to such
    losses likely considerably more. Governments? Firms involved
    with that sort of technology?


    So some of them are obviously doing much better than others.

    I'm getting header line too long while replying to this and your other post at 9:17 so I'm going to leave it there.

  • From Edward Rawde@21:1/5 to Don Y on Thu Dec 12 21:44:24 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg5m0$327bf$2@dont-email.me...
    On 12/12/2024 6:31 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjg0hu$310fn$2@dont-email.me...
    On 12/12/2024 4:50 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfobk$2vgfa$1@dont-email.me...
    On 12/12/2024 2:31 PM, Joe Gwinn wrote:
    Once you are inside a perimeter defense, you can poke at machines
    at your leisure and accumulate results, sharing them with your
    external "accomplice" as need be for further refinement and instruction.
    Imagine Joe Super Hacker having a network drop in your spare
    bedroom. Do you KNOW that he is there? Can you anticipate EVERYTHING
    that he will attempt? Can you lock down the data that he steals before
    it gets out past your firewall?

    [If so, then why do so many "professional organizations" have problems
    doing this?]

    One reason might be because the organization does not employ anyone whose job it is to watch the firewall logs (using log
    analysis
    scripts as needed) in such a way that they can get familiar with what is usual and detect anything unusual.
    Let's take a hospital with myriad networked devices on various networks.
    Is anyone watching what goes in and out of the firewall like the security people are watching cameras and people activity?
    Or has the IT equipment and firewalls etc been installed and left to run without any monitoring?

    Organizations (like hospitals) typically have SCORES of IT folks.
    In addition to out-sourced "specialists".

    Banks and other groups with obvious financial exposure to such
    losses likely considerably more. Governments? Firms involved
    with that sort of technology?

    So some of them are obviously doing much better than others.

    I got an error (441 I think) trying to reply to your other 9:17 PM post so I'm going to leave it there.



  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 19:17:54 2024
    On 12/12/2024 6:21 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjfvvb$310fn$1@dont-email.me...
    On 12/12/2024 4:36 PM, Edward Rawde wrote:
    Most users have banal needs for a firewall. If running Windows hosts,
    then the filter in the host is even finer-grained than a filter in
    an external firewall (as the host-based filter can be tailored
    to specific applications).

    The host based filter is worthless if the user is administrator (like most Windows users are) because malware can
    configure/disable
    the firewall as it likes.

    It's not going to suddenly decide that, e.g., PhotoShop needs access to
    the internet!

    I don't permit outbound connections to a long list of countries.

    You're thinking two-dimensionally. Your *neighbor*'s PC can be acting as
    a C&C node for a foreign actor. Just like the camera INSIDE your "perimeter
    defenses" (WELCOMED in!) can act on behalf of some other agency.

    IP filtering doesn't buy you any real protection.

    It does if you watch the logs for anything unusual.

    Do you have more than one host? Printer? etc. How many thousands of
    connections are you going to examine every day?

    Automatic (python scripts in my case) examination of successful connections (ignoring anything blocked) takes a few seconds per day
    so that I can easily see anything out of the ordinary. Connection between anything on my network and another nearby IP on the same
    (or not far away) ISP would have been obvious.

    Wow! I'm sure none of the banks, government agencies, corporations,
    etc. haven't YET thought of that!

    Why are you wasting your time protecting your own network when
    you could be pulling down big bucks protecting these other
    institutions from the "clowns" that they've been employing, to date?

    Just like I watch who goes in and out of my house and who I give keys to.
    Imagine owning a house where you can't tell who comes and goes or who has keys.

    Knowing who has keys tells you ONLY who has keys. It tells you nothing
    of whether they are using them, have given them to someone else to use, etc.
    Do you really spend your waking hours watching all the lockable doors on
    your property? AND, connections to your computer(s)?

    See above. Security personnel are generally trained to watch for anything unusual.
    Knowing whether a complete stranger has entered your house is all that's needed.
    It is of course best that they stay locked out.

    So, obviously THAT doesn't work -- as there are reports of data breaches
    almost every day (not counting those that are NOT reported).

    That's how it is for most people online and they aren't interested in knowing more, except perhaps briefly after the ransomware
    cleanup.

    A simpler solution is simply not to have anything "stealable" on a machine
    that can be compromised.

    A better solution is not to get anything compromised.

    I REALLY don't understand why you don't head up the IT department at a
    Fortune 100 company. Or, director of cybersecurity in some nation-state!

    Do such breaches NOT happen in your country?

    If you could commandeer THIS machine, remotely, you could look to see
    who I correspond with. And, what I've downloaded, recently.

    And, that's about it!

    If you manage to install malware, then you could use it as a C&C node to
    manipulate other machines -- machines that I don't own (because the only
    other thing on this network is a printer and the modem).

    And, at the next semi-annual review, I will discover your malware
    and remove it -- along with taking steps to protect against reinfection
    (e.g., install the custom boot loader that I have on the laptop that
    wipes the OS each time I boot)

    I wouldn't want to use a laptop which wipes the OS each time I boot.

    With spinning rust, it only adds a few minutes to the boot time.
    Because you only install the applications that you need to expose to the outside world: a browser and MUA. With an SSD, it would be almost instantaneous.

    [I've built such laptops for "disadvantaged" students so I didn't
    have to keep cleaning crap off of their machines each time they
    visited a site they shouldn't have]

    Several decades ago, a "transformer" was installed on such a pole
    (why was it SUDDENLY needed, there?) outside from a business that
    sold "growing supplies" to folks who were suspected of being marijuana
    growers.

    The joke was that the transformer had NO wires (primary or secondary)
    attached to it. And, a large, rectangular region that resembled a
    "window" -- on the side facing the business.

    "Gee, wanna bet that's a (really poorly disguised) camera??" :>

    It must have been powered by something, even if everything else was wireless.

    A large battery. The voltage present on the pole is ~11KV (14KV?) or more.
    Silly to design a surveillance device that has to accept those high voltages
    for power when you have all that volume to use for an energy store!

    (You can always come back to visit it a month later to replace the battery
    and retrieve the stored video footage!)

    A camera system which requires me to go up a ladder to change the large battery and retrieve the footage doesn't sound like fun to
    me.

    You're not a police force trying to catch unsuspecting drug dealers!
    Sitting outside the business in an "unmarked car" for several weeks
    is likely going to be noticed!

  • From Edward Rawde@21:1/5 to All on Thu Dec 12 21:50:25 2024
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

  • From Don Y@21:1/5 to Edward Rawde on Thu Dec 12 23:59:36 2024
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...

  • From Martin Brown@21:1/5 to john larkin on Fri Dec 13 09:55:18 2024
    On 12/12/2024 21:09, john larkin wrote:
    On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    Engineers design giant systems - cars, airplanes, bridges, buildings
    - with lots of parts, and nobody understands all the parts. And they
    work first time.

    There are hundreds of years experience building large physical objects
    and customers can more or less understand engineering diagrams and now
    virtual 3D renderings of their new building made possible by software.

    It didn't stop someone during build phase connecting a high pressure
    steam pipe to a stairway handrail on one plant that I know of. Big
    engineering diagrams can also be confusing when loads of similar
    diameter pipes (and non-pipes) go through a partition.

    Software is still in the medieval cathedral building era but without the
    make walls thicker just in case strategy. It is still a good heuristic
    that if it is still standing after 5 years then it was a good 'un.

    Ely cathedral on the fens and the crooked spire at Chesterfield are
    examples that didn't quite fall down but don't quite look as designed.

    https://www.elycathedral.org

    https://en.wikipedia.org/wiki/Church_of_St_Mary_and_All_Saints,_Chesterfield

    Software is different, and it never works first time. Most programs
    don't even compile first try.

    It is better if they don't compile at all until they are nearly correct.
    The more faults that are found at compile time the better. Static code
    analysis has done a lot to improve software quality in the past decade.

    The big problem is that software developers get lumped with last minute
    changes caused by salesmen promising new features to customers and to
    hide hardware defects that electronics engineers left in and need to be remediated in software because manufacturing has already started.

    Mission creep (or starting out with nothing even resembling a coherent
    self consistent requirements specification) is a big factor in large
    scale software failures. We are stuck with the suits saying ship it and
    be damned we can always update the software later with something that
    actually works. Hardware tends to be immutable even when there is a
    significant fault present software is expected to kludge around it.

    Unfortunately most projects at universities are sufficiently small that
    anyone who is even reasonably good at programming can hack a solution
    out of the solid more quickly and without using the processes needed for
    large scale software development.

    I could probably code a "Hello, world!" program that would run first
    try.

    That is the problem. Anything under about 3 man months you can get away
    with murder (and that means most university teaching projects). Things
    start to get a bit sticky when you are talking 3 man years and above.

    If you so despise software why are you using Spice and why are you not
    still cutting up bits of red and blue sticky tape? Software mostly works
    and you have to learn to live with its quirks or write your own.

    --
    Martin Brown

  • From Don Y@21:1/5 to Martin Brown on Fri Dec 13 06:18:54 2024
    On 12/13/2024 2:55 AM, Martin Brown wrote:
    On 12/12/2024 21:09, john larkin wrote:
    On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    Engineers design giant systems - cars, airplanes, bridges, buildings
    - with lots of parts, and nobody understands all the parts. And they
    work first time.

    In my lifetime (or of sufficiently common "lore"):
    Hindenburg explosion
    Tacoma Narrows Bridge collapse
    Chernobyl reactor
    Hyatt Regency walkway collapse
    Apollo 1 fire
    Apollo 13 O2 tank explosion
    Space Shuttle Challenger
    Space Shuttle Columbia
    Skylab
    Fukushima nuclear plant
    Deepwater Horizon fire/"spill"
    Doors falling out of airplanes
    Titanic
    BIG! Chinese dam failure (no idea of name)
    World Trade Center towers
    Concorde
    De Gaulle airport collapse
    DC-10 engine falling off
    Titan submersible implosion
    All, obviously, software problems??

    There are hundreds of years experience building large physical objects and customers can more or less understand engineering diagrams and now virtual 3D renderings of their new building made possible by software.

    <https://en.wikipedia.org/wiki/List_of_aircraft_structural_failures>
    <https://en.wikipedia.org/wiki/List_of_building_and_structure_collapses>
    <https://en.wikipedia.org/wiki/List_of_bridge_failures>
    <https://en.wikipedia.org/wiki/Dam_failure#List_of_major_dam_failures>
    <https://en.wikipedia.org/wiki/List_of_hydroelectric_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_thermal_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_catastrophic_collapses_of_broadcast_masts_and_towers>

    Bias? Or sheer Ignorance?

    It didn't stop someone during build phase connecting a high pressure steam pipe
    to a stairway handrail on one plant that I know of. Big engineering diagrams can also be confusing when loads of similar diameter pipes (and non-pipes) go through a partition.

    Or, misplumb the bedside O2 supply at the hospital where SWMBO worked.

    And, we won't discuss why notes were never taken at the M&M meetings
    she attended. "Something wrong? On OUR part? No....."

    Software is still in the medieval cathedral building era but without the make walls thicker just in case strategy. It is still a good heuristic that if it is
    still standing after 5 years then it was a good 'un.

    And, unlike EVERYTHING physical, it doesn't wear out! Annoying that folks can't seem to design hardware that performs the same 30 - 50 years later.
    Must just be shitty designs that "fail"?

    Ely cathedral on the fens and the crooked spire at Chesterfield are examples that didn't quite fall down but don't quite look as designed.

    https://www.elycathedral.org

    https://en.wikipedia.org/wiki/Church_of_St_Mary_and_All_Saints,_Chesterfield

    Software is different, and it never works first time. Most programs
    don't even compile first try.

    Says the Programmer. I guess an admission of a lack of skill.

    It is better if they don't compile at all until they are nearly correct. The more faults that are found at compile time the better. Static code analysis has
    done a lot to improve software quality in the past decade.

    Lack of education is a big problem. Too easy to be a "programmer" without having any real skillset -- beyond "Look, Ma, it (almost) works!" Kinda
    like having a soldering iron and claiming to be an EE!

    We quiz job applicants with really simple, disarming questions: How
    do you sort a list? Then, watch to see HOW they reply. If they don't *immediately* ask to better define the problem space but throw up
    the name of a sort algorithm, we're pretty sure they're just
    a programmer. So, we coax as much of that superficial knowledge from
    them: how many sort algorithms can you name? how do they differ?
    write the pseudocode for <pick_one>? Great, now write <another>?
    Which is faster? (trick question) Why?

    If they haven't mentioned any trees, we're SURE they're a programmer.

    How would you use this algorithm to sort a list of integers? Based on
    the third digit? Will the sort be stable? (do you even know what
    that means?) variable length strings? A list with 1,000,000 entries? 1,000,000,000,000? What if you only have 25KB of working store?

    How long will that take? How would you make it twice as fast? TEN
    times faster? Programmers quickly fall by the wayside when you get
    past the superficial knowledge needed to write X in language Y.

    [And, if 'Y' is the language du jour, they're almost certainly a
    programmer!]

    Ask a programmer how much stack his code needs. Or, how big it is
    (based solely on what he's committed to paper). "We need to know how
    much memory to put in the device; installing a disk drive would be
    foolhardy just to give you peace of mind with your estimate. We
    need to order the parts NOW so manufacturing can start building product
    and YOU can install your software as they are headed out the door..."

    The big problem is that software developers get lumped with last minute changes
    caused by salesmen promising new features to customers and to hide hardware defects that electronics engineers left in and need to be remediated in software because manufacturing has already started.

    Or, no one anticipated particular conditions, initially. And, came up
    with a kludge to address them, after the fact.

    A classic symbol of hardware designer's ignorance was the design of
    the speech interface on some early video games. A CVSD was used, driven
    by a single bit output by the processor.

    Of course, don't add any hardware to HELP the processor; let it serialize
    the data stream and clock. And, require it to do so at a constant
    sample rate lest audible artifacts manifest.

    So, the CPU sat in a very tight loop, fetching bytes from ROM, shifting them out of the accumulator into the bit-wide output port and clocking the CVSD. It's an interesting programming problem. Remember, the time between clocks
    has to be constant, despite the number of bytes you may have to fetch and serialize! (gee, you couldn't replace the output LATCH with a SHIFT REGISTER that was clocked in hardware so the CPU just had to keep feeding it BYTES??)

    "Duh, I'm just a hardware designer, ignorant of what my design will impose
    on the software folks! But, look at how CHEAP it is!??"

    [I *never* write code for someone else's hardware.]

    Mission creep (or starting out with nothing even resembling a coherent self consistent requirements specification) is a big factor in large scale software

    The latter. Software "specs" are typically bulleted feature lists.
    A properly written spec nails down all of the major design decisions.
    It TELLS the developer what he has to do, instead of leaving that
    up to him to figure out while writing the code. Because it *defines*
    the model that the developer must implement.

    You should be able to write a comprehensive user/operating manual
    from JUST the spec -- because the implementation is supposed to conform!

    By comparison, hardware design is simple: anything outside the
    "operating limits" can gleefully result in catastrophic failure.
    "Well, of COURSE you can't apply 400 volts to the output connection!"

    "Hmmm... spec says I need to get first and last name from user.
    Do I expect the middle name to be entered as part of the first
    name field? Or, last? And what about the any suffix(es)? How
    large of a STATIC character array should I define for each?"

    <https://en.wikipedia.org/wiki/Hubert_Blaine_Wolfeschlegelsteinhausenbergerdorff_Sr.>

    failures. We are stuck with the suits saying ship it and be damned we can always update the software later with something that actually works. Hardware tends to be immutable even when there is a significant fault present software is expected to kludge around it.

    Or, the hardware is deliberately specified to underperform the
    ORIGINAL needs of the product (let alone additional needs from
    feeping creaturism).

    I designed a device that had a built-in barcode reader (to read
    identifiers off of blood samples). Aside from the photoreflective
    sensor (HEDS-1000), I had one input pin to process the "video" stream.
    No "dedicated barcode reader" that I could query for its results.

    I would set the hardware to watch for a black-to-white transition
    (as the label approaches the reader). Then, note the time of said
    transition and reprogram the hardware to watch for the white-to-black transition that should follow. Accumulate the times of all such
    transitions for 20 characters (~160 edges). Then, convert the
    times to bar/space "widths" and decode the corresponding characters
    along with the resulting message.

    With a 95% first-pass-read-rate at scanning speeds of 1 to 100 inches
    per second.

    On an 8b processor.

    Allowing for ink spread, you could end up with 0.007 inch widths
    that had to be resolved (0.00007 seconds between edges).

    And, of course, there is nothing to prevent the user from actually
    moving the label at 110, 125, 150, etc. inches per second! And,
    nothing to prevent him from using the barcode reader when it
    wasn't expected to be used! (No, you can't burden the workflow
    with "Press button to scan barcode")

    No, you can't crash. No you can't misinterpret commands and data
    coming in/out over the serial ports while this is happening. Or, stop refreshing the display, scanning the keypad, etc. PERFORMANCE can
    degrade but you can't fail. And, definitely can't misread a
    blood sample's identifier and assign the diagnosis to the wrong
    patient! Or, misreport a previously stored result.

    [This became a bit of a game among fellow employees: "let's see if
    we can crash Don's box!" Nope. You could grind everything to a halt
    but, eventually, your arm would tire and everything would pick up
    where it left off.]

    Really? A total device cost of ~$300 (DM+DL) with a selling price
    of $6K -- and you can't give me a secondary processor (MCU) to offload
    these requirements??

    Unfortunately most projects at universities are sufficiently small that anyone
    who is even reasonably good at programming can hack a solution out of the solid
    more quickly and without using the processes needed for large scale software development.

    *COUNT* the number of times you've seen software TREATED as a science in industry. Where is the formal, FIXED specification? What is the TEST
    PLAN? Which components will be used? What are the qualifications of
    the folks charged with these tasks?

    [We had a 30 man team developing a printer. A *technician* was given responsibility for writing the firmware -- because his EXPERIENCE
    consisted of having a TRS-80 at home (clearly making him most
    qualified to use the HP64000!) "And you guys are a $36B Fortune 500
    TECH company???" (clearly some mistake with THAT assessment!)]

    I could probably code a "Hello, world!" program that would run first
    try.

    That is the problem. Anything under about 3 man months you can get away with murder (and that means most university teaching projects). Things start to get
    a bit sticky when you are talking 3 man years and above.

    I look at complexity, typically, in terms of KLoC. 10KLoC is a "school project". E.g., an RTOS. At 50KLoC, you're starting to approach something where MANAGING complexity becomes a DESIGN issue; i.e., HOW you solve
    the problem is as important as the actual solution.

    Programmers code quality quickly falls off as you exceed 10KLoC -- because
    they haven't likely "planned their trip". Rather, they started off on
    day 1 (maybe day 2?) and just wrote code thinking the destination would
    be apparent, sooner or later, and they could always make deviations
    from their original course to home in on that NEWLY RECOGNIZED destination.

    "Have the builder start pouring the cement for the foundation -- we can't afford to be late! I'll meet with the architect and figure out what sort
    of house we'll actually be building!"

    If you so despise software why are you using Spice and why are you not still cutting up bits of red and blue sticky tape?

    Perhaps afraid it "won't work first time"!

    Software mostly works and you have
    to learn to live with its quirks or write your own.

    Too often, people are stuck with "consumer software" which, like most
    consumer items, is shit -- designed to be cheap and replaceable.
    (Why can't I upgrade my 2 year old TV -- instead of having to buy
    ANOTHER one?? What do I do with THIS one??)

    The whole "Agile"/XP mentality is just an acknowledgement that
    the industry is now full of PROGRAMMERS. Think what hardware
    design would be like if all you had were TECHNICIANS doing
    the work? "Let's just keep trying things until something fits..."

    There are 50-100 *distinct* computers in a modern car. Yet, we
    don't hear about headlights suddenly turning off while driving at
    night. Or, windows opening and closing on dogs' heads hanging out
    them. Or, doors locking and unlocking, randomly. Or, the
    infotainment system suddenly deciding to play Myron Floren
    instead of the classical Jazz you'd selected.

    The furnace in our home is 30+ years old. The microcontroller
    inside it having run flawlessly 24/7/365 for all those years.
    Ditto the microwave oven. VCRs commonly had 4 or 5 processors
    and failures were typically hardware in nature. Even our TOASTER
    has an MCU (cheaper than a bimetal strip?).

    On the other hand, I replace inverters in LCD monitors, blown
    power supplies, faulty connectors, etc. all the time! Isn't that
    stuff that should have been PERFECTED, by now? Shoddy designs?
    (Oh, you EXPECT those things to break. I see...)

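    A model of the decode stage described in the barcode story above, added here as an illustration; it is not Don Y's firmware (that ran on an 8-bit processor, this is plain Python on a host) and it models only what happens after the edge timestamps have been captured. The symbol table in PATTERNS is an assumption (a Codabar-style two-width symbology, 7 elements per symbol, start/stop framing with A-D), as are the names classify, decode_edges, MIN_WIDE_RATIO and MAX_SYMBOLS; synthesize_edges generates constructed test input, not sensor data. The points it demonstrates: widths are classified narrow/wide against thresholds taken from the symbol itself, so the result is the same at 1 in/s and 100 in/s; bars and spaces get separate thresholds to absorb ink spread; and anything that does not frame cleanly as start ... stop is rejected rather than guessed at, because a misread must never become a wrong sample identifier.

```python
"""Speed-invariant decode of edge timestamps from a single-bit reflective sensor.

Added illustration. The symbol table is an ASSUMPTION (Codabar-style, 7 elements
per symbol, 4 bars + 3 spaces, narrow/wide); check it against the symbology you
actually ship before relying on it.
"""
from typing import List, Optional

PATTERNS = {  # bar, space, bar, space, bar, space, bar  ('n' narrow, 'w' wide)
    "0": "nnnnnww", "1": "nnnnwwn", "2": "nnnwnnw", "3": "wwnnnnn",
    "4": "nnwnnwn", "5": "wnnnnwn", "6": "nwnnnnw", "7": "nwnnwnn",
    "8": "nwwnnnn", "9": "wnnwnnn", "-": "nnnwwnn", "$": "nnwwnnn",
    "A": "nnwwnwn", "B": "nwnwnnw", "C": "nnnwnww", "D": "nnnwwwn",
}
LOOKUP = {pattern: ch for ch, pattern in PATTERNS.items()}
START_STOP = set("ABCD")          # framing symbols; a message is START body STOP
ELEMENTS = 7                      # elements per symbol
MIN_WIDE_RATIO = 1.5              # below this the symbol has no wide element at all
MAX_SYMBOLS = 40                  # bound the work no matter how long the sensor toggles


def classify(sym: List[float]) -> Optional[str]:
    """Map 7 widths to an 'n'/'w' pattern using thresholds taken from this symbol only.

    Using the symbol's own min/max makes the result independent of scan speed.
    Bars and spaces get separate thresholds because ink spread widens every bar
    and narrows every space.
    """
    def threshold(vals: List[float]) -> Optional[float]:
        lo, hi = min(vals), max(vals)
        if lo <= 0 or hi < MIN_WIDE_RATIO * lo:
            return None           # no narrow/wide contrast: not a symbol
        return (lo + hi) / 2.0

    t_bar, t_space = threshold(sym[0::2]), threshold(sym[1::2])
    if t_bar is None or t_space is None:
        return None
    return "".join(
        "w" if w > (t_bar if i % 2 == 0 else t_space) else "n"
        for i, w in enumerate(sym)
    )


def decode_edges(edges: List[float]) -> Optional[str]:
    """Decode edge timestamps (first edge = leading edge of the first bar).

    Returns the framed message, or None for anything that does not decode cleanly.
    """
    if len(edges) < ELEMENTS + 1:
        return None
    widths = [b - a for a, b in zip(edges, edges[1:])]
    if any(w <= 0 for w in widths):
        return None               # non-monotonic capture (merged or duplicated edges)
    out: List[str] = []
    pos = 0
    while pos + ELEMENTS <= len(widths) and len(out) < MAX_SYMBOLS:
        pattern = classify(widths[pos:pos + ELEMENTS])
        ch = LOOKUP.get(pattern) if pattern else None
        if ch is None:
            return None
        out.append(ch)
        pos += ELEMENTS + 1       # skip the inter-character space
        if ch in START_STOP and len(out) > 1:
            break                 # stop symbol seen; ignore anything after it
    if len(out) < 3 or out[0] not in START_STOP or out[-1] not in START_STOP:
        return None               # truncated, or framing missing
    return "".join(out)


def synthesize_edges(message: str, unit_s: float, wide_ratio: float = 2.5,
                     ink_spread: float = 0.0, accel: float = 1.0,
                     t0: float = 0.0) -> List[float]:
    """Constructed test input: the edge timestamps a scan of `message` would produce.

    unit_s      narrow-element duration at the start of the label (seconds)
    ink_spread  fraction of a unit by which bars grow and spaces shrink
    accel       per-element change in speed (1.01 = label slowing down slightly)
    """
    elements = []                 # (duration in units, is_bar)
    for k, ch in enumerate(message):
        if k:
            elements.append((1.0, False))     # inter-character narrow space
        for i, e in enumerate(PATTERNS[ch]):
            elements.append((wide_ratio if e == "w" else 1.0, i % 2 == 0))
    edges, unit = [t0], unit_s
    for units, is_bar in elements:
        edges.append(edges[-1] + (units + (ink_spread if is_bar else -ink_spread)) * unit)
        unit *= accel
    return edges


if __name__ == "__main__":
    slow = synthesize_edges("A1234B", 7e-3)                               # ~1 in/s
    fast = synthesize_edges("A1234B", 70e-6, ink_spread=0.2, accel=1.01)  # ~100 in/s
    print(decode_edges(slow), decode_edges(fast), decode_edges(slow[:40]))
```

    The 70 microsecond narrow element matches the 0.007 inch at 100 in/s figure in the post; the same decoder accepts the 1 in/s version because nothing in it depends on an absolute width. A capture that is cut off before the stop symbol, or that contains a zero-width element from two edges landing on the same timestamp, comes back as None, which is the behaviour you want when the alternative is attaching a result to the wrong patient.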
  • From john larkin@21:1/5 to blockedofcourse@foo.invalid on Fri Dec 13 09:01:41 2024
    On Fri, 13 Dec 2024 06:18:54 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/13/2024 2:55 AM, Martin Brown wrote:
    On 12/12/2024 21:09, john larkin wrote:
    On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    Engineers design giant systems - cars, airplanes, bridges, buildings
    - with lots of parts, and nobody understands all the parts. And they
    work first time.

    In my lifetime (or of sufficiently common "lore"):
    Hindenburg explosion
    Tacoma Narrows Bridge collapse
    Chernobyl reactor
    Hyatt Regency walkway collapse
    Apollo 1 fire
    Apollo 13 O2 tank explosion
    Space Shuttle Challenger
    Space Shuttle Columbia
    Skylab
    Fukushima nuclear plant
    Deepwater Horizon fire/"spill"
    Doors falling out of airplanes
    Titanic
    BIG! Chinese dam failure (no idea of name)
    World Trade Center towers
    Concorde
    De Gaulle airport collapse
    DC-10 engine falling off
    Titan submersible implosion
    All, obviously, software problems??

    There are hundreds of years experience building large physical objects and
    customers can more or less understand engineering diagrams and now virtual 3D
    renderings of their new building made possible by software.

    <https://en.wikipedia.org/wiki/List_of_aircraft_structural_failures>
    <https://en.wikipedia.org/wiki/List_of_building_and_structure_collapses>
    <https://en.wikipedia.org/wiki/List_of_bridge_failures>
    <https://en.wikipedia.org/wiki/Dam_failure#List_of_major_dam_failures>
    <https://en.wikipedia.org/wiki/List_of_hydroelectric_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_thermal_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_catastrophic_collapses_of_broadcast_masts_and_towers>

    Bias? Or sheer Ignorance?

    What fraction of airplanes or bridges or buildings collapse? Estimate
    that in PPMs.




    It didn't stop someone during build phase connecting a high pressure steam pipe
    to a stairway handrail on one plant that I know of. Big engineering diagrams
    can also be confusing when loads of similar diameter pipes (and non-pipes) go
    through a partition.

    Or, misplumb the bedside O2 supply at the hospital where SWMBO worked.

    And, we won't discuss why notes were never taken at the M&M meetings
    she attended. "Something wrong? On OUR part? No....."

    Software is still in the medieval cathedral building era but without the make
    walls thicker just in case strategy. It is still a good heuristic that if it is
    still standing after 5 years then it was a good 'un.

    And, unlike EVERYTHING physical, it doesn't wear out! Annoying that folks
    can't seem to design hardware that performs the same 30 - 50 years later.
    Must just be shitty designs that "fail"?

    Ely cathedral on the fens and the crooked spire at Chesterfield are examples
    that didn't quite fall down but don't quite look as designed.

    https://www.elycathedral.org

    https://en.wikipedia.org/wiki/Church_of_St_Mary_and_All_Saints,_Chesterfield

    Software is different, and it never works first time. Most programs
    don't even compile first try.

    Says the Programmer. I guess an admission of a lack of skill.

    It is better if they don't compile at all until they are nearly correct. The
    more faults that are found at compile time the better. Static code analysis has
    done a lot to improve software quality in the past decade.

    Lack of education is a big problem. Too easy to be a "programmer" without
    having any real skillset -- beyond "Look, Ma, it (almost) works!" Kinda
    like having a soldering iron and claiming to be an EE!

    We quiz job applicants with really simple, disarming questions: How
    do you sort a list? Then, watch to see HOW they reply. If they don't
    *immediately* ask to better define the problem space but throw up
    the name of a sort algorithm, we're pretty sure they're just
    a programmer. So, we coax as much of that superficial knowledge from
    them: how many sort algorithms can you name? how do they differ?
    write the pseudocode for <pick_one>? Great, now write <another>?
    Which is faster? (trick question) Why?

    If they haven't mentioned any trees, we're SURE they're a programmer.

    How would you use this algorithm to sort a list of integers? Based on
    the third digit? Will the sort be stable? (do you even know what
    that means?) variable length strings? A list with 1,000,000 entries?
    1,000,000,000,000? What if you only have 25KB of working store?

    How long will that take? How would you make it twice as fast? TEN
    times faster? Programmers quickly fall by the wayside when you get
    past the superficial knowledge needed to write X in language Y.

    [And, if 'Y' is the language du jour, they're almost certainly a
    programmer!]

    Ask a programmer how much stack his code needs. Or, how big it is
    (based solely on what he's committed to paper). "We need to know how
    much memory to put in the device; installing a disk drive would be
    foolhardy just to give you peace of mind with your estimate. We
    need to order the parts NOW so manufacturing can start building product
    and YOU can install your software as they are headed out the door..."

    I often ask programmers how long some chunk of code will take to
    execute, or how often I can run some ISR. Not as a trick interview
    question, but because it matters to a product design. They usually
    don't know and typically guess runtimes at least 10x slower than a
    reasonable estimate. I buy them an oscilloscope and make them measure
    it.

    Using an oscilloscope actually radically improves their code.

    What's interesting is that FPGA code is usually much more reliable,
    bug-free, compared to procedural code.

    I think that's because logic design is centered on state machines, and procedural programmers usually don't know what a state machine is.
    Software bugs are often the equivalent of logic races or metastability.

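    For the sorting questions quoted in the post above (sort by the third digit, will it be stable, what does that cost), an added example, not code from the thread: a counting sort on one decimal digit, and the LSD radix sort built by repeating it. The names digit, counting_sort_by_digit, lsd_radix_sort and is_sorted are mine, VALUES is constructed sample input, and "third digit" is taken to mean the hundreds digit (k=2, counting from the ones digit as k=0). The stable=False switch is the same algorithm scanning the input back-to-front: it still sorts by that digit, but reverses ties, and the multi-pass radix sort then silently produces an unsorted result.

```python
"""Stable digit sort and the LSD radix sort built from it.

Added illustration for the sorting questions in the post above; not code from
the thread. digit(n, k) picks the k-th decimal digit from the right (k=0 is the
ones digit), so "the third digit" here means k=2, the hundreds digit.
"""
from typing import Any, Callable, List


def digit(n: int, k: int) -> int:
    return (n // 10 ** k) % 10


def counting_sort_by_digit(items: List[Any], k: int,
                           key: Callable[[Any], int] = int,
                           stable: bool = True) -> List[Any]:
    """Counting sort on one decimal digit: 10 counters, one output buffer, O(n).

    Scanning the input front-to-back while each digit's write offset rises keeps
    equal digits in input order (stable). Scanning back-to-front (stable=False)
    still orders by the digit but reverses the ties, which is enough to break a
    multi-pass radix sort built on top of it.
    """
    counts = [0] * 10
    for x in items:
        counts[digit(key(x), k)] += 1
    starts = [0] * 10                         # exclusive prefix sums: first slot per digit
    for d in range(1, 10):
        starts[d] = starts[d - 1] + counts[d - 1]
    out: List[Any] = [None] * len(items)
    for x in (items if stable else reversed(items)):
        d = digit(key(x), k)
        out[starts[d]] = x
        starts[d] += 1
    return out


def lsd_radix_sort(items: List[int], ndigits: int, stable: bool = True) -> List[int]:
    """Least-significant-digit radix sort: ndigits passes, each a digit sort.

    Correct only if every pass is stable, so the order established by earlier
    (less significant) passes survives ties on the current digit.
    """
    for k in range(ndigits):
        items = counting_sort_by_digit(items, k, stable=stable)
    return items


def is_sorted(seq: List[int]) -> bool:
    return all(a <= b for a, b in zip(seq, seq[1:]))


VALUES = [512, 128, 531, 120, 999, 5]   # constructed sample input

if __name__ == "__main__":
    print(counting_sort_by_digit(VALUES, 2))                 # by hundreds digit, stable
    print(counting_sort_by_digit(VALUES, 2, stable=False))   # same digit, ties reversed
    print(lsd_radix_sort(VALUES, 3), lsd_radix_sort(VALUES, 3, stable=False))
```

    Each pass touches every element twice and uses ten counters plus an output buffer the size of the input, so the cost is linear in n times the number of digits rather than n log n; the working-store question in the post is exactly what that output buffer runs into, and the usual answer is to sort runs that fit and merge them.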
  • From Edward Rawde@21:1/5 to Don Y on Fri Dec 13 13:35:34 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses
    or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad
    reasons why breaches occur.

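    Restricting database connections to known addresses or networks, as suggested in the post above, is a default-deny allowlist; the bulk IPv4 blocklist mentioned later in the thread is the complementary deny list. An added example of both checks run over connection log lines, not the poster's own scripts: the PrefixSet and evaluate names are mine, the db-conn log format is constructed for the example, and the networks are RFC 5737 documentation ranges plus private space standing in for a blocklist feed. The allowlist is consulted first, so a source that is on neither list is denied rather than let through, which is the "open to the entire world" failure the post describes.

```python
"""Allowlist/blocklist check for inbound database connections, run over log lines.

Added illustration; not the poster's scripts. The log format and the networks are
constructed for the example (RFC 5737 documentation ranges), and the allowlist is
consulted first so the default for an unknown source is deny.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple


class PrefixSet:
    """Membership test against many IPv4 networks, cheap enough for ~200k entries.

    Networks are bucketed by prefix length, so a lookup masks the address once
    per distinct length present (at most 32 dict probes) regardless of how many
    networks are loaded. Longest prefix wins, as in a routing table.
    """

    def __init__(self, cidrs: Iterable[str]) -> None:
        self.by_len: Dict[int, Set[int]] = defaultdict(set)
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr.strip(), strict=False)  # accept "a.b.c.d/24"
            if net.version != 4:
                raise ValueError(f"IPv4 only: {cidr}")
            self.by_len[net.prefixlen].add(int(net.network_address))
        self.lengths = sorted(self.by_len, reverse=True)  # longest prefix first

    def match(self, addr: str) -> Optional[ipaddress.IPv4Network]:
        a = int(ipaddress.IPv4Address(addr))
        for plen in self.lengths:
            masked = a & ((0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF)
            if masked in self.by_len[plen]:
                return ipaddress.IPv4Network((masked, plen))
        return None


# Constructed log format: one line per connection attempt seen by the DB host.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) db-conn src=(?P<src>[0-9.]+) port=(?P<port>\d+) user=(?P<user>\S+)$"
)

ALLOWED_DB_NETS = ["192.0.2.0/24", "198.51.100.64/26"]      # app servers and the office
BLOCKLIST = ["203.0.113.0/24", "10.0.0.0/8", "10.1.0.0/16"]  # stand-in for a bulk feed

SAMPLE_LOG = [  # constructed
    "2024-12-13T10:01:02Z db-conn src=192.0.2.44 port=5432 user=app",
    "2024-12-13T10:01:05Z db-conn src=203.0.113.7 port=5432 user=postgres",
    "2024-12-13T10:01:09Z db-conn src=198.51.100.9 port=5432 user=admin",
    "2024-12-13T10:01:11Z db-conn src=198.51.100.70 port=5432 user=app",
    "2024-12-13T10:01:12Z db-conn src=999.1.1.1 port=5432 user=app",
    "garbage that is not a connection record",
]


def evaluate(lines: Iterable[str], allow: PrefixSet, block: PrefixSet) -> List[Tuple[str, str]]:
    """Return (verdict, source) per line. Unknown sources are denied, not just logged."""
    verdicts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            verdicts.append(("unparsed", line))
            continue
        src = m["src"]
        try:
            ipaddress.IPv4Address(src)          # the regex lets 999.1.1.1 through; validate
        except ValueError:
            verdicts.append(("unparsed", line))
            continue
        if allow.match(src):
            verdict = "allow"
        elif block.match(src):
            verdict = "deny-blocklisted"
        else:
            verdict = "deny-not-allowlisted"   # the "open to the world" case
        verdicts.append((verdict, src))
    return verdicts


if __name__ == "__main__":
    allow, block = PrefixSet(ALLOWED_DB_NETS), PrefixSet(BLOCKLIST)
    for verdict, src in evaluate(SAMPLE_LOG, allow, block):
        print(f"{verdict:22} {src}")
```

    Loading the blocklist with strict=False tolerates feed entries written with host bits set; the lookup cost stays bounded by the number of distinct prefix lengths, not the number of entries. Lines that do not parse are reported as such rather than dropped, since a log-shape change that silently discards records is how a filter like this stops working without anyone noticing.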
  • From john larkin@21:1/5 to john larkin on Fri Dec 13 10:36:12 2024
    On Fri, 13 Dec 2024 09:01:41 -0800, john larkin <JL@gct.com> wrote:

    On Fri, 13 Dec 2024 06:18:54 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/13/2024 2:55 AM, Martin Brown wrote:
    On 12/12/2024 21:09, john larkin wrote:
    On Thu, 12 Dec 2024 04:00:23 -0700, Don Y
    <blockedofcourse@foo.invalid> wrote:

    On 12/12/2024 2:59 AM, Martin Brown wrote:
    Probably because it is *so* bug.
    (typo for big but Freudian slip seems OK)

    Once something becomes "complex" (i.e., too large to fit in a
    single brain), it becomes difficult to understand the repercussions
    of specific design decisions -- because you can't remember
    EVERYTHING with which they interact.

    Engineers design giant systems - cars, airplanes, bridges, buildings
    - with lots of parts, and nobody understands all the parts. And they
    work first time.

    In my lifetime (or of sufficiently common "lore"):
    Hindenburg explosion
    Tacoma Narrows Bridge collapse
    Chernobyl reactor
    Hyatt Regency walkway collapse
    Apollo 1 fire
    Apollo 13 O2 tank explosion
    Space Shuttle Challenger
    Space Shuttle Columbia
    Skylab
    Fukushima nuclear plant
    Deepwater Horizon fire/"spill"
    Doors falling out of airplanes
    Titanic
    BIG! Chinese dam failure (no idea of name)
    World Trade Center towers
    Concorde
    De Gaulle airport collapse
    DC-10 engine falling off
    Titan submersible implosion
    All, obviously, software problems??

    There are hundreds of years experience building large physical objects and
    customers can more or less understand engineering diagrams and now virtual 3D
    renderings of their new building made possible by software.

    <https://en.wikipedia.org/wiki/List_of_aircraft_structural_failures>
    <https://en.wikipedia.org/wiki/List_of_building_and_structure_collapses>
    <https://en.wikipedia.org/wiki/List_of_bridge_failures>
    <https://en.wikipedia.org/wiki/Dam_failure#List_of_major_dam_failures>
    <https://en.wikipedia.org/wiki/List_of_hydroelectric_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_thermal_power_station_failures>
    <https://en.wikipedia.org/wiki/List_of_catastrophic_collapses_of_broadcast_masts_and_towers>

    Bias? Or sheer Ignorance?

    What fraction of airplanes or bridges or buildings collapse? Estimate
    that in PPMs.


    And what fraction of nontrivial programs are bug-free? Also in PPMs.

  • From Don Y@21:1/5 to Edward Rawde on Fri Dec 13 13:52:19 2024
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time manually browsing log files.

    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses
    or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad
    reasons why breaches occur.



    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Edward Rawde@21:1/5 to Don Y on Fri Dec 13 17:03:55 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time manually browsing log files.

    You must have worked for many different large organizations to know how they all do things.

    Did you miss the part where I said I have automated tools (python scripts) to deal with log files?

    I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
    Doing that manually would be ridiculous.


    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Don Y@21:1/5 to Edward Rawde on Fri Dec 13 17:08:13 2024
    On 12/13/2024 3:03 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time
    manually browsing log files.

    You must have worked for many different large organizations to know how they all do things.

    Yes. And have colleagues at (or who have consulted with) others.

    Did you miss the part where I said I have automated tools (python scripts) to deal with log files?

    I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
    Doing that manually would be ridiculous.

    And I rely on a knock sequence. Who's spending LESS time on maintaining their service?


    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Edward Rawde@21:1/5 to Don Y on Fri Dec 13 21:24:06 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjii9m$3ltn2$2@dont-email.me...
    On 12/13/2024 3:03 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time manually browsing log files.

    You must have worked for many different large organizations to know how they all do things.

    Yes. And have colleagues at (or who have consulted with) others.

    Did you miss the part where I said I have automated tools (python scripts) to deal with log files?

    I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
    Doing that manually would be ridiculous.

    And I rely on a knock sequence. Who's spending LESS time on maintaining their
    service?

    Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.

    And it's fun to see where the brute force and other attacks come from.

    Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.



    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Don Y@21:1/5 to Edward Rawde on Fri Dec 13 22:18:59 2024
    On 12/13/2024 7:24 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjii9m$3ltn2$2@dont-email.me...
    On 12/13/2024 3:03 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time manually browsing log files.

    You must have worked for many different large organizations to know how they all do things.

    Yes. And have colleagues at (or who have consulted with) others.

    Did you miss the part where I said I have automated tools (python scripts) to deal with log files?

    I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
    Doing that manually would be ridiculous.

    And I rely on a knock sequence. Who's spending LESS time on maintaining their
    service?

    Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.

    And, in 40+ years, online, I've lost nothing. I guess I must be doing something wrong...

    And it's fun to see where the brute force and other attacks come from.

    Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.

    Why would a SERVER be making *unsolicited* outbound connections?



    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Edward Rawde@21:1/5 to Don Y on Sat Dec 14 00:50:22 2024
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjj4gd$3sa72$1@dont-email.me...
    On 12/13/2024 7:24 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjii9m$3ltn2$2@dont-email.me...
    On 12/13/2024 3:03 PM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vji6qd$3jsoc$1@dont-email.me...
    On 12/13/2024 11:35 AM, Edward Rawde wrote:
    "Don Y" <blockedofcourse@foo.invalid> wrote in message news:vjgm11$396oa$1@dont-email.me...
    On 12/12/2024 7:50 PM, Edward Rawde wrote:
    I'm getting 441 header line too long while trying to reply to Don Y in the other thread so I'm going to leave it there.

    Some organizations are obviously doing a lot better than others at cybersecurity.

    <https://www.crn.com/news/security/2024/10-major-cyberattacks-and-data-breaches-in-2024-so-far>

    at least, the ones that we KNOW about...



    They are all large organizations rather than a single location with a single firewall.

    Large organisations don't have a single individual doing firewall configuration and security for the entire organisation.

    No. They have automated tools doing this work. No one spends their time manually browsing log files.

    You must have worked for many different large organizations to know how they all do things.

    Yes. And have colleagues at (or who have consulted with) others.

    Did you miss the part where I said I have automated tools (python scripts) to deal with log files?

    I maintain a blacklist of 200,000 IPv4 addresses and networks in otherwise friendly countries.
    Doing that manually would be ridiculous.

    And I rely on a knock sequence. Who's spending LESS time on maintaining their
    service?

    Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.

    And, in 40+ years, online, I've lost nothing. I guess I must be doing something wrong...

    Same here. So I must be too.


    And it's fun to see where the brute force and other attacks come from.

    Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.

    Why would a SERVER be making *unsolicited* outbound connections?

    Huh? Phishing sites run web servers. No-one said that such servers make outbound connections.

    I don't use knocking because it's inconvenient and it's debatable whether or not it's any better than a firewall which drops
    everything which isn't from specific IP addresses or networks. Whether knocking or IP filtering is used in front of a server, the
    server should still reject anything which doesn't have valid login credentials.

    But I don't wish to waste time debating it any further.




    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
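    Two points in the exchange above lend themselves to one worked script: the earlier mention of Python scripts that work through log files to maintain a blocklist of addresses and networks, and the later comparison of port knocking with a firewall that drops everything not from specific addresses or networks (the same idea as restricting database connections to known addresses). The script below is an added example and is not code from anyone in the thread. The log lines are constructed in OpenSSH auth.log style using RFC 5737 documentation addresses; the failure thresholds, the /24 aggregation rule and the 192.0.2.0/24 "known" network are assumptions chosen for illustration.

```python
"""Added example, not code from the thread: turn failed-login log lines into a
CIDR blocklist the way an automated log tool might, then apply a source-address
policy (blocklist-only vs default-deny) to new connection attempts."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH auth.log style; addresses are from the
# RFC 5737 documentation ranges, not real traffic.
SAMPLE_LOG = """\
Dec 13 21:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 13 21:01:05 host sshd[1201]: Failed password for root from 203.0.113.7 port 51240 ssh2
Dec 13 21:01:09 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51250 ssh2
Dec 13 21:02:11 host sshd[1210]: Failed password for invalid user test from 198.51.100.44 port 40010 ssh2
Dec 13 21:02:14 host sshd[1211]: Failed password for invalid user test from 198.51.100.45 port 40011 ssh2
Dec 13 21:03:00 host sshd[1220]: Accepted publickey for ops from 192.0.2.10 port 22000 ssh2
Dec 13 21:03:30 host sshd[1221]: Failed password for root from 198.51.100.46 port 40020 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_logins_by_source(log_text):
    """Count failed password attempts per source IPv4 address (keyed by string)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def build_blocklist(counts, threshold=3, prefixlen=24, min_hosts=3):
    """Block a single source once it reaches `threshold` failures; block a whole
    /prefixlen when at least `min_hosts` distinct sources inside it fail, even if
    each stays under the threshold (a brute force spread over several hosts).
    Overlapping and adjacent entries are collapsed so the list stays compact.
    The thresholds are assumed values, not anything stated in the thread."""
    blocked = set()
    hosts_per_net = defaultdict(set)
    for ip_str, n in counts.items():
        ip = ipaddress.ip_address(ip_str)
        if n >= threshold:
            blocked.add(ipaddress.ip_network(ip))  # host route, /32
        hosts_per_net[ipaddress.ip_network((ip, prefixlen), strict=False)].add(ip)
    for net, hosts in hosts_per_net.items():
        if len(hosts) >= min_hosts:
            blocked.add(net)
    return list(ipaddress.collapse_addresses(blocked))


def source_policy(src, allowlist, blocklist, default_deny=True):
    """Network-layer admission decision for one connection attempt.
    default_deny=True  -> only sources inside a known network get in (the
                          "drop everything not from specific networks" firewall).
    default_deny=False -> everything gets in unless it is on the blocklist.
    Either way this only decides who may reach the port; the service behind it
    must still authenticate the client."""
    ip = ipaddress.ip_address(src)
    if any(ip in net for net in blocklist):
        return "deny"
    if any(ip in net for net in allowlist):
        return "allow"
    return "deny" if default_deny else "allow"


def nft_set_elements(blocklist):
    """Render the blocklist as the `elements` line of an nftables set declared
    with `flags interval`, so a script can hand the result to the firewall."""
    items = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in blocklist]
    return "elements = { " + ", ".join(items) + " }"


# Constructed "known" network for the allowlist (hypothetical office range).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

if __name__ == "__main__":
    counts = failed_logins_by_source(SAMPLE_LOG)
    blocklist = build_blocklist(counts)
    print(nft_set_elements(blocklist))
    for src in ("192.0.2.10", "198.51.100.99", "203.0.113.8"):
        print(src,
              "default-deny:", source_policy(src, ALLOWED_NETWORKS, blocklist),
              "blocklist-only:", source_policy(src, ALLOWED_NETWORKS, blocklist, default_deny=False))
```

    Run as a script it prints the nftables set elements and, for three constructed sources, the decision under each posture. The difference between the two postures is the unknown source 203.0.113.8: it has not misbehaved, so a blocklist-only firewall admits it, while the default-deny firewall drops it because it is not inside a known network. In both cases the `source_policy` result is only the network-layer gate; the service still has to reject anything without valid credentials.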
  • From Don Y@21:1/5 to Edward Rawde on Sat Dec 14 02:11:30 2024
    On 12/13/2024 10:50 PM, Edward Rawde wrote:
    Spending less time on cybersecurity will mean lower knowledge and increased risk of compromise.

    And, in 40+ years, online, I've lost nothing. I guess I must be doing
    something wrong...

    Same here. So I must be too.

    Yet you spend ongoing time and effort!

    And it's fun to see where the brute force and other attacks come from.

    Knock sequences aren't very useful outbound. The last phishing site I visited (out of curiosity) didn't require one.

    Why would a SERVER be making *unsolicited* outbound connections?

    Huh? Phishing sites run web servers. No-one said that such servers make outbound connections.

    I don't use knocking because it's inconvenient and it's debatable whether or not it's any better than a firewall which drops
    everything which isn't from specific IP addresses or networks. Whether knocking or IP filtering is used in front of a server, the
    server should still reject anything which doesn't have valid login credentials.

    But I don't wish to waste time debating it any further.




    The ones who have breaches more likely have managers who don't want anything touched if it's working.

    So the individual who suggests that changes should be made to restrict database connections to nothing other than known IP addresses or networks, rather than having them open to the entire world, is likely to be ignored. This is, of course, just one of the myriad reasons why breaches occur.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)