TLS doesn’t mask the IP of the server. The updater probably isn’t using DNS over HTTPS. If I can determine that a user’s updater just hit the update check server, I can start impersonating the update server.
That takes it out of the one day away territory, but it does allow an attacker to only have a malicious HTTP capture up and detectable during the actual attack window.
Then, of course, if you’re also being their DNS server you can send them to the wrong update check server in the first place. I wonder if the updater validates the certificate.
> Bradbury’s stories are about people, deeply real and deeply feeling people. ... and less interested in exactly how the ray guns worked.
Maybe this is why I never really got Bradbury. When I read scifi, I can't help but consider the logic of the world that's being described, and Bradbury's worlds aren't really logical (e.g. who would live on such a strict timetable? wouldn't all the singing and rhyming be annoying? how is the house still being powered?). But it makes a lot more sense if the point is to convey feelings. Kind of like an impressionist painting I suppose.
FWIW it’s not that I don’t find the worlds logical, just that Bradbury doesn’t explain them. E.g., have you read Seveneves (Neal Stephenson)? At one point he spends about 30 pages describing in loving detail the tech behind a high-atmosphere human glider suit. Really cool stuff. I still don’t remember a damn thing about the person who wore it.
Were it Bradbury, or LeGuin, we’d have had two sentences about the tech behind the suit and pages about the people involved. We’d have learned more about the character and, maybe, our common humanity.
I really enjoy the original Earthsea books. I guess my expectations of sci-fi are different than magic/fantasy; technology feels like it should be explainable in a way that magic doesn't. I'd probably enjoy Bradbury more if I approached his stories as fairy tales rather than sci-fi.
I think that’s a fair take. A lot of his stuff is straight fantasy, some is very nearly realism; a lot of time he seems to enjoy ignoring the lines while he colors. Try “Something Wicked This Way Comes,” perhaps; almost zero science to it :)
I have the inverse perspective. I am uninterested in the mechanics because to me, all science fiction stories are actually stories about the present. The more mechanical a story is, the more I feel it is obscuring that truth. The author can never erase the fact that they are living in the present and that their work is ultimately about the present. They can only obscure it under layers of verisimilitude that, definitionally, is only an appearance.
I remember reading a golden age science fiction story where an engineer is angry because he dropped his slide rule as he was getting into his backyard moon rocket. We’ve not always been good at predicting the future, that’s for sure.
> I can't help but consider the logic of the world that's being described
Focusing your attention on the mechanical logic of a story's world is one lens by which to analyze it, but that is a choice and you can choose to analyze it from other lenses as well. Being able to apply multiple perspectives to anything is a useful skill to practice instead of tacitly accepting the view that comes most easily to us.
I wrote my own email archiving software. The hardest part was dealing with all the weird edge cases in my 20+ year collection of .eml files. For being so simple conceptually, email is surprisingly complicated.
Indeed. A big chunk of my email parser deals with missing or incorrect content headers. Most of the rest attempts to sensibly interpret the infinite combinations of parts found in multipart (and single-part!) emails.
Email is one of those cursed standards where the committee wasn't building a protocol from scratch, but rather trying to build a universal standard by gluing together all of the independently developed existing systems in some way that might allow them to interoperate. Verifying that a string a user has typed is a valid email address is close to impossible short of just throwing up your hands and allowing anything with a @ somewhere in it.
Email is one of the very few success cases of the xkcd Standards meme: https://xkcd.com/927/ - and it's due to practicality and ingenuity on the part of people who made very creative parsers and placed real-world understanding behind every word of the early RFCs.
Without a unified email standard, the world would look incredibly different today, especially as it bootstrapped open communication between different countries and institutions in developing every protocol since.
It doesn't even have to be malicious. I used a certain syntax highlighting theme for years, when out of nowhere the author pushed an update that rearranged all the colors. It was extremely disorienting. I forked the extension and reverted the change, so I know that one at least won't change out from under me anymore.
This is the thing I hate the most about "automatic updates" in general. I've disabled them and gone back to updating manually because the constant unexpected and unwanted UI changes finally broke a part of my soul. Unfortunately that is something that can't be done on the web, where major UI changes can be rolled out right in the middle of a session on you.
I finally got fed up with TM and switched to borg via Vorta. So much more reliable. A couple of times I've gotten error messages when I went off network while it was trying to do a backup, but each time the repo was fine.
I once encountered an intersection with a big "NO ENTRY" sign on the other side. I turned but google maps wouldn't give me another route, so I did a u-turn and came back to it from the side. Which meant I was close enough to read the small text underneath that said "vehicles under 10 tons excepted". I don't think I've ever been so angry at a road sign.
I came across one in Italy that was meant to prevent you from using a street during school days from X to Y am, and Z to W pm, except on weekends, bank holidays and school holidays.
The idea is well-intentioned, but implementing it by making drivers try to parse arbitrarily complex conditionals while driving is unwise.
There's a sign near my house for a school zone with a reduced speed limit, that used to have conditions similar to the GP's example (though not quite as bad) But they recently attached a yellow light to the top of the sign and changed the condition to "when flashing." That's a much more effective solution.
By my work there is a nice clean sign at the main intersection that reads "NO RIGHT ON RED" with a separate smaller crusty looking sign below it that reads "4 to 5 PM" using a much smaller font. Of course the stark difference in signs means everyone just reads the shiny top sign and waits for the green at all times. I keep wanting to modify the sign to highlight the time.
> Why did NYC release it in the first place? Did they not QA it?
Considering Louis Rossmann's videos on his adventures with NYC bureaucracy (e.g. [0]), the QAers might not have known the laws any better than the chat bot.
> Ask me for some random information you shouldn't need? Get bogus answers.
I've never understood software that's free but you have to fill out a form of personal information to download it. Even if I was willing to share, what possible use is my full mailing address to some random software company? It's data collection for the sake of data collection.
There's an oxygen waster whose salary is conditional on bringing this data in. Whether that covers his paycheck, let alone brings profit is irrelevant to him. He is also the one responsible for reporting the profit numbers on that, so obviously the numbers will be cooked to indicate his work greatly benefits the business.
It's more common than you might think. I know of at least one popular email client that stores your credentials on their servers to enable features like multi-account sync and scheduled sending.
I bought a hardware password manager a while back and the bulk load tool sent all your creds to a cloud service. I have not used it since, and sent the manufacturer a nasty note.
>I would expect such a feature to use end-to-end encryption for the data
How would "end-to-end encryption" when such features by definition require the server to have access to the credentials to perform the required operations? If by "end to end" you actually mean it's encrypted all the way to the server, that's just "encryption in transit".
Use our new open source (modification and redistribution not permitted) app to exchange end-to-end encrypted (from your client to our server) messages with your friends! Having all your data on our service protects your data sovereignty (we do not provide for export or interop) by guaranteeing that you always have access to your full history! Usage also protects your privacy (we analyze your data for marketing purposes) by preventing unscrupulous third parties from analyzing your data for marketing purposes.
If we had competent regulators this sort of blatant willful negligence would constitute false advertising.
> MS made it that much worse by wrapping these in dark patterns that may change without notice
> It's truly dangerous if it can and does act against your wishes, interests, and reasonable expectations.
Do you really not consider the first to be an example of the second?
> Shift+Del and rm -rf don't have any guardrails around them.
Shift+Del asks for confirmation. I would expect OneDrive to do at least that much before deleting files off the local machine, even if they're recoverable.
> Do you really not consider the first to be an example of the second?
I think too many people got the impression that I'm defending OD and can't get out of that trench. My point is that a generic tool being able to do dangerous things isn't a high enough bar to say don't use it (often). A tool being able to do dangerous things in the manner I described above is a completely different devil. The "how" you end up doing a dangerous thing is what should be punished.
I want to be able to do whatever I want with my computer and my data and not have someone define what's "too dangerous" for me to use. But what happened here wasn't what the users wanted, or could reasonably expect to happen. That's the key.
> Shift+Del asks for confirmation
I'm sure OD also asked for some confirmation. By that time it's too late, you're confirming what you think will happen, not what will actually happen. When you confirm shift+del you know what you are confirming. When you confirm OD's dialog you're confirming under misleading assumptions.
