SMBC: Love Modeling

I'm a regular reader of Saturday Morning Breakfast Cereal, a very strange comic that has a lot of geek-appeal.

Today's comic is particularly amusing. I won't embed the image here, because of copyright, but please click through and read it.

The interesting part is that this has been demonstrated. Back in the 60's, researchers at MIT created ELIZA, a program that can (among other things) simulate a psychotherapy session. It mostly works by parroting back whatever the human user says, with occasional non-specific questions and statements. It is nothing close to AI, but it is nevertheless convincing to quite a lot of people, including many who understand software enough to know better.

The UN's two-faced policies

This morning, I heard about this incredible news:

43 countries pledge to combat antisemitism at UNHRC session
i24NEWS. October 04, 2021, 04:41 PM

Statement led by Austria, Czech Republic and Slovakia in coordination with World Jewish Congress

At least 43 countries signed a statement pledging to combat antisemitism that was issued at the 48th session of the United Nations Human Rights Council (UNHRC) in Geneva on Monday.

The statement was led by Austria, the Czech Republic and Slovakia with the coordination of the World Jewish Congress.

Austrian Foreign Minister Alexander Schallenberg warned of the dangers of antisemitism in a video statement, saying that "we will remain steadfast in our pledge, never again."

Which was a very welcome surprise. Then I saw the following article, posted only a few hours later:

UN Cuts Off UN Watch Director for Highlighting UNRWA Antisemitism
Aaron Bandler. October 4, 2021

The United Nations Human Rights Council (UNHRC) cut off UN Watch Executive Director Hillel Neuer as he was highlighting antisemitic social media posts from various United Nations Relief and Works Agency for Palestine Refugees in the Near East (UNRWA).

Speaking virtually at the October 2 UNHRC session, Neuer cited UN Watch’s recent report about two UNRWA teachers in the Gaza Strip, one who posted an Adolf Hitler video to Facebook “with quotes to ‘enrich and enlighten your minds’” and another who posted “conspiracy theories” about Jews controlling the world, starting the COVID-19 pandemic aiming “to destroy Islam.” At that point, UNHRC President Nazhat Shameem Khan cut off Neuer’s video feed, accusing Neuer of making “insulting and inflammatory remarks.”

So, apparently, the Human Rights Council opposes Jew hatred, but not when it's coming from other UN agencies. Why am I not the least bit surprised?

Netflix acquires Roald Dahl's estate

Netflix Acquires Prominent Anti-Semite’s Estate, Announces Epic Content Dump
Andrew Stiles • September 22, 2021 6:30 pm

Netflix, a media conglomerate with ties to former president Barack Obama, announced on Wednesday its acquisition of British author Roald Dahl's estate and promised to produce "a unique universe across animated and live action films and TV, publishing, games, immersive experiences, live theatre, consumer products and more."

In addition to authoring such classics as Matilda and Charlie and the Chocolate Factory, Dahl was a virulent anti-Semite who would have already been ruthlessly canceled by woke scolds if his bigotry had been directed at any other vulnerable minority.

I completely understand the desire to censor all of Dahl's work from history because of his anti-semitism.

On the other hand, with Netflix buying Dahl's estate, I no longer feel uncomfortable buying his famous children's books because the money will no longer be going to his family (which seems to have taken a conspicuously long time to publicly disagree with Roald's statements).

Of course, I don't approve of Netflix's politics very much either, but that's another discussion.

Naked Security: How a gaming mouse can get you Windows superpowers!

How a gaming mouse can get you Windows superpowers!
By Paul Ducklin, 24 Aug 2021

What if you’re a gamer who wants to be a sysadmin? On someone else’s computer?

Well, apparently, until last week at least, gamer-centric mice and keyboards from popular vendor Razer could help you to do just that.
...

• You plug in a Razer gaming mouse for the first time.
• Windows detects that this device type has special software and drivers that will make it work Even Better than a regular mouse.
• Windows finds Razer’s official addons in the Windows Update cloud.
• Windows downloads and launches the offical addons so you don’t have to.
• The Razer app helpfully ends with a clickable directory name, showing you what ended up where in the installation process.

...
The problem in this case is the point at which Razer’s app helpfully displays the name of the software installation directory at the end, even though it doesn’t need to.

That’s an active link in Razer’s app, so you can right-click on it and view the directory in File Explorer.

Then, once you’re in Explorer, you can do a Shift-and-right-click and use the handy option Open PowerShell window here, giving you a command-line alternative to the existing Explorer window.

But that PowerShell prompt was spawned from the Explorer process, which was spawned from Razer’s installer, which was spawned by the automatic device installer process in Windows itself…

..which was running under the all-powerful NT AUTHORITY\SYSTEM account, usually referred to as NTSYSTEM or just System for short.

So the PowerShell window is now running as System too, which means you have almost complete control over the files, memory, processes, devices, services, kernel drivers and configuration of the computer.

Wow. A chain of good intentions all leading to an exploitable system vulnerability. I realize that Razer has (or will soon) fix this bug in their driver installation tool, but it seems to me that Microsoft should do something to prevent this from being possible in the future. Maybe do something so an installer trying to open a URL (or an Explorer process) does so at the user's normal privilege level instead of at the driver installer's level (which, of course, needs to be at a higher level in order to perform the installation).

Homestar Runner rises again!

If you have no idea what this subject line is talking about, then you missed out on what used to be one of the coolest parts of the Internet.

Homestar Runner is/was a web site full of silly animations and games, written almost entirely in Flash. Unfortunately, with the demise of Adobe Flash, most of the site ended up a giant mess of broken links. And for those of us who got rid of Flash before Adobe shut it down, the site stopped working a long time ago.

Fortunately, it appears that some enterprising engineers develpped Ruffle, a Flash Player emulator that can be embedded in web sites, and the Homestar Runner people have been busy converting their site over to it.

As its disclaimer says, "Not every cartoon and game works perfectly just yet so be patient and expect some jankiness here and there while we keep a-workin!", but it is pretty good. And I can once again enjoy all of the StrongBad Emails, not just the ones that have been converted to YouTube videos.

And since this post wouldn't be complete without them, here are a few of my all-time favorite StrongBad e-mail videos:

• #57: Japanese Cartoon
• #58: Dragon. Featuring everybody's favorite character, Trogdor, the Burninator
• #118: Virus
• #152: ISP
• #179: Pizza Joint

Google shutting down Bookmarks

I just saw this message this morning. So Google shuts down yet another really useful web service, forcing the rest of us to scramble in search of an alternative.

Once again, the point is hammered home: If you aren't paying for the service, then you are not the customer, you are the product. And cloud-based software means it can be taken away from you at any time and you will have absolutely no recourse when it happens.

And now I need to either switch back to using locally-stored bookmark files, create a web page somewhere to provide remote access, or switch to a different cloud service and risk them in turn going away.

And now my question to you: Is there a good alternative? Ideally, it should offer:

• Stored on an Internet-hosted server so I can access bookmarks when I'm away from home
• Cross-platform. Should work with multiple browsers (especially Firefox, but ideally others as well) and on multiple platforms (Windows, macOS and Linux)
• Have a convenient browser add-on so the bookmarks can be presented as a menu somewhere (ideally on its bookmarks toolbar)

I know Apple supports shared bookmarks via iCloud, but it only supports their Safari browser on Apple devices. Firefox offers a sync service, but it only supports Firefox.

If you know of any other good alternatives, please let me know.

The Heisenberg Life Insurance Principle

H/T Saturday Morning Breakfast Cereal

This comic actually makes a lot of sense.

The best Disney parade ever

Back in 2000, Disney had their Millennium Celebration. Among many incredible attractions was the Tapestry Of Nations parade at Epcot, which many people (myself included) consider the best parade Disney ever produced.

I had the privilege of seeing this parade live in December 2000. It remains a wonderful memory. So I was thrilled when this past week I decided to check to see if anybody had uploaded video of it to YouTube and I was successful, finding a recording of the complete performance from September 2000, only a few months before I saw it.

Great thanks to Jeremy Trist for sharing this video with us.

So, without any further ado, here is the performance. Enjoy.

More Dell sleazy behavior

As you may already be aware, Dell is a company I never want to do business with, thanks to very sleazy and capricious behavior.

Well, it appears that I'm not the only one who feels this way. This past December (yes, six months ago - sorry for the delay), Linus Tech Tips reported even worse behavior.

As a part of their Gaming PC Secret Shopper 2 series, the found that the Dell phone sales person was heavily pushing them to buy unwanted antivirus software and extended warranties. And even though they refused these items at every step, Dell included them in the order and billed them for it.

If you thought my rant was just one person with a bad experience, you may want to think again. Watch the video for Linus's rant, which is even cooler than mine:

And this wasn't the first time Dell tried to scam the LTT secret shopper. In October, 2019, their first secret shopper also showed Dell to be pretty bad.

Just The News: Drunk 19-year-old breaks into Airbnb that was 'loaded with cops'

Drunk 19-year-old breaks into Airbnb that was 'loaded with cops'
By Nicholas Sherman, Updated: June 1, 2021 - 3:50pm

A drunken 19-year-old accidentally broke into an Airbnb in Milwaukee, Wisconsin, only to find the house filled with police officers.
...
The officers heard noises during the night, assuming it was each other. In the morning, they found the person asleep in one of their beds after noticing one of the doors to the house was open.

"He woke up in handcuffs," Pesola said on the video, which went viral over the weekend.

The intruder was taken into custody by the Milwaukee police but wasn't cited or charged, with officers saying he drunkenly stumbled into the wrong house by accident, according to KMOV4.

All I can say is "d'Oh!".

Speaking of old IBM keyboards

Like New
May 31, 2021, Michal Necasek

About twenty years ago, I bought a used IBM Model M keyboard with a PS/2 connector. I believe it cost me around $5-$10 plus shipping at the time. A good investment, given that this sort of keyboard is probably worth $100 or more these days.
...
Given this keyboard’s track record, I would guess that in another 30 years, it will still be working fine, while most keyboards made today will have disintegrated into a pile of plastic dust.

I couldn't agree more. I have two, which I picked up at a flea market many years ago. One with a PS2 cable and one with an older "AT" keyboard cable. I don't use them that often because they don't have USB interfaces and don't have the "windows" key that modern operating systems really require, but they work great and will probably outlast every other piece of electronics in my office.

Clickbait security hole?

“Unpatchable” vuln in Apple’s new Mac chip – what you need to know
By Paul Ducklin, 27 May 2021

Apple’s brand new Mac has a security hole, right inside the processor itself!

The official name for the bug is CVE-2021-30747, but the developer who discovered it prefers to call it M1RACLES, all in caps.

Like every BWAIN (our own impressive name for bugs with impressive names, short for Bug With An Impressive Name), it has a personalised domain, a logo and a website where you can learn all about it.

The finder of the bug, Hector Martin, writes on the website that:

The vulnerability is baked into Apple Silicon chips, and cannot be fixed without a new silicon revision.

... the bug name M1RACLES expands, rather tortuously, as:

M1ssing Register Access Controls Leak EL0 State

It turns out that Apple’s M1 chip includes a CPU system register known, ineffably, as s3_5_c15_c10_1.

According to Hector Martin, this register can be read from by userland programs running at EL0, though he doesn’t know what the register is actually used for, if anything.

However, userland programs aren’t supposed to be able to write into it, given that it’s a system register and supposedly off-limits to EL0 programs.

But Martin discovered that userland code can write to just two individual bits inside this register – bits that are apparently otherwise unused and therefore might be considered unimportant or even irrelevant...

... and those bits can then be read out from any other userland program.

And that’s it!

That, in a nutshell, is the entirety of the “baked-in” security vulnerability CVE-2021-30747, also known as M1RACLES.
...
There’s nothing that you can do, but fortunately there’s nothing you need to do, so you can relax.

Clearly, if it is possible to access a register you're not supposed to have access to, it's a bug that must be fixed and I suppose it technically counts as a security vulnerability but does this really require creating an entire Internet domain and web site to advertise it?

Sounds like click-bait to me.

Sophos: Apple patches dangerous security holes, one in active use – update now!

Apple patches dangerous security holes, one in active use – update now!
By Paul Ducklin, 25 May 2021

... security patches that arrived in the update to iOS 14.6, because Apple fixed 38 significant bugs, covered by 43 different CVE bug numbers.

For what it’s worth, the update to macOS Big Sur 11.4 shared many of those bugs with iOS, as well as adding a raft of its own, with 58 significant bugs patched, covered by 73 different CVE bug numbers.

Perhaps even more importantly, one of the Big Sur bugs that was patched, now dubbed CVE-2021-30713, is a security flaw that is already known to criminals and has already and quietly been exploited in the wild.

Time to update your phone again...

Product announcement: Carbon Copy Cloner version 6

CCC 6 is here! Faster backups, better accountability, Dark Mode, and so much more
by Mike | May 19, 2021

We've had so many new features in the oven for a while, and now we're finally ready to share it with the world! CCC 6 offers unprecedented accountability for your backups and insight into what's changing on your Mac, plus a brand new file copier that's faster, smarter, and designed to adapt to Apple's fast pace of OS and filesystem innovation.

Take a look at what's new in CCC 6:

• Faster backups with our next-generation file copier
• Quick Update: Update your backups up to 20x faster
• Redesigned interface with Dark Mode, real time task performance info and estimated time remaining
• Snapshot navigator: Easy way to explore older versions of files
• CCC Dashboard: The new menubar app, now with snapshot disk usage
• Run backups "When files are modified on the source"
• Task Preview: See what will happen before you back up
• Backup Audit: Review what was copied and why
• Compare: Visual comparison of the source and destination
• Advanced file verification options
• Pause a backup, and several other features our users have asked for

The core CCC backup features you know and love are now better than ever!

I never buy any software that is version x.0, but after there have been a few updates to fix the inevitable new-release bugs, I plan on upgrading. At $20 (to upgrade from version 5), it's really a no-brainer.

The most important feature for me is the faster file copier and the use of Apple's FSEvents API to eliminate the need to read every file on the computer in order to determine what's changed since the last backup.

Disclaimer: I do not work for Mike Bombich. I'm just a happy user of Carbon Copy Cloner and I wanted to share the news of a new release with those who may also be interested.

Fierce Telecom: Learn the No. 1 reason some Americans don't use the internet

Learn the No. 1 reason some Americans don't use the internet
By Roger Entner May 19, 2021 10:02am

The U.S. Government, through the NTIA, has been surveying internet usage since 2001. Since 2009, it has also been surveying reasons for not using the internet. Of all the studies that are currently under consideration to be used to justify the broadband stimulus plan, the government’s own NTIA Internet Use Survey, which was done before the conception of the plan, is the most unbiased and insightful. As universal internet access is a foregone conclusion in the current debate, the reasons why people are not using the internet have been reduced to just two factors — lack of availability and cost — when there is a lot more to the story.
...
What is the number one reason why Americans are not connected to the internet?

I know it is hard to believe that 13% of Americans are just not interested or do not need to use the internet, especially to those of us who live and die by the internet and are ultra-connected. No matter how much we spend on a national broadband plan to provide access to broadband internet or how much we subsidize internet access, when people don’t see the need or are just not interested, adoption numbers are not going to go up substantially.

Almost half of the 13% of Americans who are not interested in the internet are age 65 or older. A third is between 45 and 65 years of age, a surprising 1/6th is between 25 and 44 and an unsurprisingly low 2% is age 15 to 24. Another remarkable finding from the NTIA survey is that there is no significant ethnic or gender difference among people who are not interested in using the internet. There is also no statistically significant difference between people in urban and rural areas who don’t see a point in using the internet.

13% of Americans are not using the Internet because they see no need for it or just don't want to.

RCR Wireless: FCC continues its robocall fight with fines, warnings and a new response team

FCC continues its robocall fight with fines, warnings and a new response team
By Kelly Hill on March 19, 2021

The Federal Communications Commission this week levied its largest-ever fine against a robocalling operation: $225 million, against two companies which the agency says transmitted around 1 billion robocalls shilling short-term health insurance.

The FCC said that many of the calls made in the first half of 2019 by John C. Spiller and Jakob A. Mears (who used business names including Rising Eagle and JSquared Telecom) were illegally spoofed, and that the companies lied to consumers, falsely claiming to offer health insurance plans from companies such as Blue Cross Blue Shield and Cigna. In at least one case, the agency added, the spoofing led to an unassociated company being overwhelmed with call-backs from angry customers.

“Mr. Spiller admitted to the USTelecom Industry Traceback Group that he made millions of spoofed calls per day and knowingly called consumers on the Do Not Call list as he believed that it was more profitable to target these consumers. Rising Eagle made the calls on behalf of clients, the largest of which, Health Advisors of America, was sued by the Missouri Attorney General for telemarketing violations in February 2019,” the FCC added.

“The individuals involved didn’t just lie about who they were when they made their calls—they said they were calling on behalf of well-known health insurance companies on more than a billion calls. That’s fraud on an enormous scale,” said Acting Chairwoman Jessica Rosenworcel.

These people don't just need a fine. They need their entire corporation to be shut down with all the assets confiscated and all the responsible individuals sentenced to years in prison.

Thank you, Internet Archive

When I upgraded my Mac last October, Apple's Migration Assistant utility migrated most of my applications to the new computer. As I wrote in December, the various applications all migrated with differing degrees of success.dfsdfgsdfg

One application where I spoke too soon was Snapz Pro X. Despite MacWorld's lackluster review of version 2.5.1, it is still a very good screen capture utility that I consider superior in many ways to the one built-in to macOS.

When I wrote my review in December, I didn't really test Snapz Pro X. I launched it, saw that the menu appeared, then I quit it and assumed that it worked. I was wrong.

Tip: Remote login to recover from missing display

This morning, I found that my Mac’s screen wouldn’t wake up. The computer runs 24x7, with the screen blanking after a few hours of idle time. Nearly all of the time, I just tap a key on the keyboard to wake the screen when I want to use it.

This morning, that didn’t work. The screen remained asleep. I tried obvious things like hot-plugging the display and hot-plugging the keyboard, but no luck.

RIP, Rush Limbaugh

Rush Limbaugh, Radio Legend, Dies at 70.
The National Pulse, February 17, 2021

One of the world’s most studious and influential broadcast personalities that has ever lived – Rush Limbaugh – has passed away aged 70.

Love him or hate him, all can agree that Rush almost single-handedly defined modern conservative talk radio. My lunch-time radio listening will forever be less interesting without his voice giving me his opinions and analysis of current events.

Bleeping Computer: Researcher hacks over 35 tech firms in novel supply chain attack

Researcher hacks over 35 tech firms in novel supply chain attack
By Ax Sharma. February 9, 2021, 01:04 PM

A researcher managed to breach over 35 major companies' internal systems, including Microsoft, Apple, PayPal, Shopify, Netflix, Yelp, Tesla, and Uber, in a novel software supply chain attack.

The attack comprised uploading malware to open source repositories including PyPI, npm, and RubyGems, which then got distributed downstream automatically into the company's internal applications.

Unlike traditional typosquatting attacks that rely on social engineering tactics or the victim misspelling a package name, this particular supply chain attack is more sophisticated as it needed no action by the victim, who automatically received the malicious packages.

This is because the attack leveraged a unique design flaw of the open-source ecosystems called dependency confusion.

For his ethical research efforts, the researcher has earned well over $130,000 in bug bounties.

A remarkably simple attack revealing serious problems in corporations' open source package distribution systems.

Like most companies using open source software, they develop applications containing both public packages (which come from well-known and trusted Internet repositories) and private packages (developed in-house). In order to maximize reuse of private packages, they are deployed using an internal repository system, which automatically installs and an application's dependent packages, regardless of where they come from.

The problem happens because the internal repository system doesn't seem to distinguish between private and public packages. So if your application is using a private package, and later one a public repository adds a new package with the same name, the system may end up replacing your internal package with the one from the public server. And because automatic updates are common (in order to quickly incorporate bug fixes and security patches), these replacement packages may automatically get installed into publicly accessible applications.

Well that's not right.

Fortunately, this test was from a security researcher, who promptly reported the bugs, but this could just as easily been malware.

I don't think this should be hard to fix. Internal package management systems need to distinguish between public and private packages. When a given package name exists as both a public and a private package, the system *must* always give priority to the private package. It must also alert administrators and owners of affected applications to alert them to the conflics, so appropriate action may be taken. This action may be one or more of:

• Block the public package
• Rename the private package and update all applications using it so they use the renamed package
• Allow application developers to explicitly state in their package manifests if they want to use the public or the private version

Upgrading A Mac System, part 4: Peripheral Hardware

Photo credit: Derorgmas
Wikimedia Commons, CC BY-SA 4.0

The Upgrading A Mac System series:

• Part 1: Hardware Purchase
• Part 2: Migration
• Part 3: Apps
• Part 4: Peripheral Hardware

In part 3 of this article series, I described my application migration story. In this part, I'm (finally) finishing up the tale by talking about my various pieces of hardware that either worked or needed to be replaced. All of the work I'm describing here was actually done in October and November, but I'm just getting around to writing about it now.

Ideally, I would like to just swap the computer and leave everything else unchanged. But life is not ideal. Over the years, Apple has changed the port configuration of the Mac mini, so not everything can just plug in. At least not without some adapters. And some devices that were perfectly great 9 years ago are old and slow by today's standards. So it's time to change up several peripherals.