Friday Squid Blogging: Injured Giant Squid and Paddleboarder

Here’s a video—I don’t know where it’s from—of an injured juvenile male giant squid grabbing on to a paddleboard.

As usual, you can also use this squid post to talk about the security stories in the news that I haven’t covered.

Read my blog posting guidelines here.

Posted on December 23, 2022 at 5:05 PM • 131 Comments

Comments

Nick Levinson December 23, 2022 10:19 PM

Hack using parallel email accounts:

Say there’s Hercules99@example.com. Someone cracks in and copies addresses, but sends nothing from inside that account. The cracker, as impersonator, creates Hercules99@example.net and emails everyone, asking if they shop at Macy’s. Those who answer, at least in the affirmative, get another email, this time from Hercules99@example.org, asking them to buy a gift card because Herc’s parents’ anniversary is coming up and Herc’s credit card was declined. If you recognized the scam and wanted to warn Herc but didn’t remember his original (right) address, you might email the warning by replying to one of these parallel addresses because you recognized the username/userinfo, but he’d be guaranteed to never see it.

In this case, I emailed a warning to an address that I hadn’t yet realized was probably fake (parallel), and it wasn’t answered, and I tried voicemail, but that was full. But I also sent postal mail that was similar to the email I had sent, figuring being a few days late was better than no notice at all. Herc got the letter and, fortunately, one of Herc’s close people had already been fast with a heads-up. Damage was limited and the cracker may’ve been taken down in a few hours.

The entry point may’ve been a security software subscription renewal notice. Herc, who once had a career with computers, didn’t suggest that the notice was fake, so perhaps the security company’s servers got infected with malware that infects outbound emails or that gets triggered by clicks on outbound emails’ links. I hope Herc told all relevant companies.

I’ve masked some details in this post and omitted others, all for the sake of privacy, but kept the essence.
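A defender-side check for the pattern Nick describes, added here as an example and not part of the post: it flags inbound mail whose sender reuses a known contact's username at a different domain, and it points any warning at the address-book entry rather than at the reply address. The address book and the sample headers are constructed for the example; the TLD comparison is a deliberately crude stand-in for a Public Suffix List lookup.

```python
"""Flag inbound mail whose sender reuses a known contact's username at a
different domain (the "parallel account" pattern from the comment above).
Address book and sample headers are constructed for this example."""

from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Constructed address book: the genuine address from the post, mapped to a
# display name. Assumption: one contact is enough to show the check.
KNOWN_CONTACTS = {
    "hercules99@example.com": "Herc",
}


def split_address(addr: str) -> tuple[str, str]:
    """Return (local_part, domain), lower-cased. The comparison is
    case-insensitive because the username is what a reader recognises,
    not its capitalisation."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return local, domain


def registrable_label(domain: str) -> str:
    """Crude heuristic: the label left of the TLD (example.net -> example).
    A real deployment would consult the Public Suffix List instead."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


@dataclass
class Verdict:
    sender: str
    flagged: bool
    reason: str
    genuine_address: Optional[str] = None  # where a warning should really go


def check_sender(sender: str, known: dict = KNOWN_CONTACTS) -> Verdict:
    """Flag a sender that matches a known contact's username but not its domain."""
    local, domain = split_address(sender)
    full = f"{local}@{domain}"
    if full in known:
        return Verdict(full, False, "known contact", full)

    for contact in known:
        k_local, k_domain = split_address(contact)
        if k_local != local:
            continue
        if registrable_label(k_domain) == registrable_label(domain):
            reason = (f"same username as {contact} with a different TLD "
                      f"({k_domain} vs {domain})")
        else:
            reason = f"same username as {contact} at an unrelated domain ({domain})"
        # Report the address-book entry so the warning bypasses the look-alike.
        return Verdict(full, True, reason, contact)

    return Verdict(full, False, "no known contact with this username", None)


def scan_headers(messages: list[dict], known: dict = KNOWN_CONTACTS) -> list[Verdict]:
    """Run the check over {"from": ..., "subject": ...} dicts and keep only flags."""
    return [v for m in messages if (v := check_sender(m["from"], known)).flagged]


# Constructed sample headers mirroring the sequence in the post: the genuine
# account stays silent, the .net and .org look-alikes do the asking.
SAMPLE_MESSAGES = [
    {"from": "Hercules99@example.com", "subject": "Happy holidays"},
    {"from": "Hercules99@example.net", "subject": "Do you shop at Macy's?"},
    {"from": "hercules99@example.org", "subject": "Need a gift card, card declined"},
    {"from": "alice@example.org", "subject": "Unrelated"},
]

if __name__ == "__main__":
    for v in scan_headers(SAMPLE_MESSAGES):
        print(f"FLAG {v.sender}: {v.reason}; warn {v.genuine_address} directly, not by reply")
```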

Clive Robinson December 24, 2022 4:48 AM

@ modem phonemes, ALL,

Re : Not what you think.

“MIT researchers have made solar panels thinner than human hair that provide 18 times as much power per kilogram as today’s glass and silicon-based solar panels. These solar cells are in fact one-hundredth the weight of conventional photovoltaics.”

Read it carefully and pull out the numbers…

They say that the new cells are 1/100th of the weight of conventional cells. Also that they produce 18 times the energy mass for mass.

So the actual performance is 18/100 or 18% of conventional cells that in turn are at best only about 25% and usually less than 20% efficient under full illumination. So 0.18×0.2 gives 3.6% energy conversion at best or maybe 40 W per square metre…

I could go on, but it will only go further down hill.

Basically the article is a “puff piece” for MIT’s Grid-Edge project to make start-ups in “lite-weight” solar cells to attract ESG money. Call it the “Solar Roads 2.0” initiative for want of a more accurate description…

You might remember “solar roads” were the next big “Green Investment” only they have all catastrophically failed in totally predictable ways, that were predicted by engineers who did make them public…

Not least of which are obvious such as roads are flat and flat solar panels are very inefficient due to not just poor illumination but “shading effect”. Oh and dust, tire waste, grit, etc did not “run-off” with the rain, thus made even the most efficient cell near useless, and that was before vehicles ground up the optical surface… The result: millions upon millions of dollars poured into Start-ups that built very very expensive prototypes using very energy intensive processes, and barely a flashlight battery of energy produced over a year. Thus payback times were never ever going to happen. But nice upper middle class salaries were paid to the managers etc…

These “new” grossly inefficient cells from MIT are touted for business/industrial roofs, most of which are effectively flat or shade easily…

Thus the energy payback period will probably be longer than the lifetime of these new cells…

Whilst I won’t call it a scam, it’s research that currently has no practical use, nor is it likely to. Likewise any patents gained don’t have value because they will have expired long before anything producible as a product comes even close to fruition. What this research might eventually lead to one day is technology that is practical, but that appears way off currently. But in the meantime the research needs funding hence the puff piece to attract “blue-sky money” from “Angel Investors” who think they can either pump-n-dump a startup or attract ESG credit for pension fund investment (ESG is the new “greening” scam and kind of works like China’s “Social Scoring”).

If you want to invest money in “green-research” think about other areas. For instance we’ve just had the winter solstice with barely 1/4 of the day capable of producing solar power. Two things to consider for the other 3/4 of the day:

1, Battery technology.
2, Alternative energy sources that have already stored solar energy.

Clive Robinson December 24, 2022 10:56 AM

@ SpaceLifeForm, ALL,

Re: Twitter implosion

“I told you Elmo was pulling wires”

It’s not just wires Hell-on Rusk is pulling apparently.

There is a rumour about why a certain person left so suddenly just recently and it’s sure not just the “code is an untanglable mess”.

Nope there are “suggestions” that something altogether darker is in there and was seen… The story is that it’s going to blow up very very soon…

As my father taught me about what we now call “Situational Awareness” when I was quite young,

“The place to be when there is danger, is somewhere else.”

It appears that it or something similar is known by the person leaving, who is keen to get out past the blast radius thus potential shrapnel zone before it all comes down, as “duck and cover” is apparently just not going to be good enough.

The problem… Is whilst there are, what are rumors, hard facts are not available… Chinese Whispers perhaps?

lurker December 24, 2022 1:19 PM

@modem phonemes, Clive Robinson

Yes, these researchers have taken positive steps on the path of improving power/weight ratio and flexibility of solar pv devices. But, as often happens with ivory tower research, they seem unaware of the real world environment where these things are used.

“These cells as they are could last one or two years without packaging,” Bulović says. “With packaging, we could extend that to five to 10 years. And that’s plenty.”

While the solar road was a goofy idea from square one, solar pv panels still have to deal with dust, bird droppings, and a sometimes significantly corrosive atmosphere.
The best protective product we have so far is a thousand years old, glass, and with glass current pv installers offer 15 to 25 year warranty. Setting aside whether the installer will still exist 25 years from now, there is an assumption that the product will still be working then.

So if these guys want to make a contribution to the power/weight ratio of practical, useful, real-world devices they could be looking at the glass, like Corning did with phone screens.

Winter December 24, 2022 1:25 PM

@Clive

Nope there are “suggestions” that something altogether darker is in there and was seen…

I once was part of a project that had a build guru. There was only one person who could build the end product.[1] If that person would become unavailable, there would be no product anymore.

If I would now join a project that depended on a single person or third party, I would look for the exit.

From the reporting around Twitter, I would suspect the whole “product” Twitter could hinge on a single point of failure and the team keeping that part running is gone.

[1] I know, avoid like the plague. There were reasons.

MarkH December 24, 2022 2:23 PM

@Winter:

I worked at a place with a Software Configuration Control office. The only executables allowed to leave the plant were those built by that office.

We were required to provide them with sources, a list of tools, and a build procedure.

I suppose that as is often the case, they learned the need for this the hard way.

Who? December 24, 2022 2:46 PM

Can someone, please, check why my comment about PC Engines has been moderated? I have tried sending a note about the PC Engines/3mdeb canary two times in the last month (both starting the comment from scratch) and it has been held for moderation in both cases.

Thanks!

SpaceLifeForm December 24, 2022 2:55 PM

@ Clive

Re: Blast Radius

I suspect that he realized that Twitter is a cesspool of Spy vs Spy. Insiders facilitating influence ops, and exfiltrating.

I think he spotted a bus on the horizon, and there was no hope that he could fix anything, so leave the bus stop before the bus crashes into the bus stop.

Who? December 24, 2022 2:57 PM

@ Update, Clive Robinson

Yep, I have read the update on last August’s attack on LastPass recently.

I ask myself on a daily basis why people store such sensitive information on the “cloud” (a.k.a. other people’s computers) instead of storing it on an encrypted USB drive.

Some people even criticized me recently for using an encrypted SSD drive from DataLocker to store private information instead of moving it to Microsoft’s OneDrive where it is “safe enough” according to them.

Clive Robinson December 24, 2022 3:38 PM

@ Winter,

Re : Twit implosion

“From the reporting around Twitter, I would suspect the whole “product” Twitter could hinge on a single point of failure and the team keeping that part running is gone.”

Yes it’s the most likely to happen.

A friend tells a story of a person he still kinda works with, who is quiet, shy, unassuming but actually absolutely pivotal to a very large operation.

The person has a name sufficiently common that another person who was loud, brash, a real pain and no use to man nor beast shared it. Late December 2016 dismissal slips were sent out to some people. One of which was supposed to go to the loud brash pile of waste to go. But unfortunately HR did what HR is good at all too often, i.e. making a mistake…

The quiet chap got the termination slip. He wrote a handwritten note for his boss and colleagues saying goodbye, put it in the internal mail, packed his stuff in a box and left his security pass at the front desk as he went out into the night.

Over the Xmas / new year period nobody in his team or his boss knew he was gone, he was ahead on his work and had holiday time, so they thought he had just tidied his desk before taking a long Xmas break. Until, that is, the internal mail finally delivered his boss the handwritten goodbye note on the second day back after new year…

His boss was surprised as were the team and as the note did not say they wondered why he had “just left”, especially as there was an important upgrade due in the following weeks. So they got his home number from HR and found it was a disconnected number. So they went round to his home, where the supervisor said he’d paid up and moved out. Packed up his stuff in a VW minibus and gone but not left a forwarding address…

The team at this point got alarmed, as they did not think people just disappear without trace for no reason. So they chased up HR who said he had not resigned or told them he was leaving. So senior management got told that the upgrade project had been put on hold as he had disappeared without trace. So they reported him missing to the police, who basically did nothing.

Meanwhile another boss was complaining to a different senior manager because he thought the loud Pain in the backside had been sacked but had turned up for work and was really pissed to be told he did not have a job. A call to HR and finally they realised a mistake had been made, and duly sacked the loud guy…

As for the quiet guy, by this time he was badly needed but nobody knew where he was. When one of the team remembered he’d talked about his sister up in some remote place. They managed to get her phone number and called her. She was apparently not happy they had sacked her brother, who had told her about it when he left his stuff in the VW in her garage and “gone walking” along some historic trail to think about what he was going to do. This was the first the team or his boss had heard he’d been dismissed… Apparently HR, even though they by that point knew they had made a mistake, did not bother mentioning it to them…

Eventually the boss got in touch with the quiet guy at a walkers’ hostel and persuaded him it was a mistake and asked him to come back.

But, HR well they had to be involved… and decided that the quiet guy had taken an unapproved leave of absence and issued a written warning and no annual bonus or pay increase…

It did not go down well with his boss and even senior management were not impressed with HR, and apparently it got sorted rather firmly. They arranged paid-for hotel accommodation for him to stay in.

But for all the drama going on the quiet guy came back, said Hi, unpacked his box of bits, sat down at his desk and quietly got on with things as though nothing had happened, the project got delivered only a couple of weeks late. A few months later he told his boss that he had bought a small farm up next to his sister and he was leaving as he thought it was time to make a change in life… It obviously came as quite a bit of a surprise.

He worked out his notice, had a quiet leaving do with the team, packed his stuff in the same box and just as before quietly left. Two weeks later they hired him back as their first remote worker, as for HR they very definitely got left out of the loop… Oh and he got married to a neighbouring farmer’s daughter the following year and still carried on remote working. According to my friend she’s not just a real good looker but outgoing, fun, and everyone likes her (and they can not work out what she sees in him). With the pair of them travelling down for “office meets” with the team every few weeks in that same old VW minibus.

As my friend observed “it’s funny how things work out, he’s certainly landed on his feet”. All that was pre C19.

The last I heard from my friend was a few weeks back, apparently the quiet guy was now “a proud father for the second time” and still working remotely. As for my friend and the team, C19 introduced them to “remote working” and for a surprising number parenthood as well… Apparently the team meetups can get a bit “loud” but there is no way they are “going virtual”.

Clive Robinson December 24, 2022 4:19 PM

@ Who?, JonKnowsNothing, MarkH, SpaceLifeForm, Winter,

We’ve all had posts “held for moderation” that have turned out to be “Kiss of Death”.

All I can suggest is doing a binary split or putting just one paragraph in a post with several short posts labelled as “Part 1” etc. Oh and leave at least five minutes between each as there appears to be a rate limiter in the blog software.

When one part fails split it to find which sentence is causing it to be moderated.

As I’ve found often it’s an inoffensive word that has somehow triggered “the naughty list”.

JonKnowsNothing December 24, 2022 5:00 PM

@ Who?, @Clive, MarkH, SpaceLifeForm, Winter

re: The Baddy Letter List

While hunting for the funky word, consider: alternate spelling, body parts & language differences too.

Then hunt up replacement alt word in a thesaurus.

===

Not the best but a start

ht tps://en.wiktionary. or g/wiki/Wiktionary:All_Thesaurus_pages

(url fractured)

JonKnowsNothing December 24, 2022 5:31 PM

@Clive, Winter, MarkH, All

re: single point of failure: The build team

I worked in a build team that was responsible for a highly complex code base with hundreds of engineers dumping their untested-stuff into the repository.

Thankfully, I was not on the QA team who got the brunt of the fallout and who mostly got bypassed in order to make the delivery targets. The view was: We will test it when it fails in the field.

The old timeline jokes of Engineering taking 90% of time, leaving no time for recovery was no joke in practical terms. During management meets “we” would plead with CEOs not to tell Engineering they could have the timeline for the entire project, as Engineering always gobbled up the entire critical path and then some.

  • Time lines are a joke anyway and there are no timelines now. It’s shove whatever you have into the build and hope it doesn’t have a critical failure.

We had a team responsible and cross trained to produce a build. Within the team each person had a specialty. No one wanted to touch the MAK file. A forsaken mess of commands and cross dependencies and repeated passes to get the proper OBJs for the LINKER. It was left with the senior member of the team. The only worry that person had was to recover the MAK file when some clever-clogs decided to update the darn thing without including all the dependencies.

It took a team of us to build a release from Top To Bottom: executable, bug list, release notes, documentation, all stamped and numbered per requirements.

Subsequent to that position, I considered 2 other slots in other companies.

One was a high flyer startup with international engineers and 1 Dude running the entire build process. All automated scripts. The Dude was on duty 7 days a week. Builds had to complete by 3AM for distribution and no days off.

The other was a well established corporation, holding a significant spot in the USA backbone infrastructure, where the Take All The Money View, (along with Warren Buffett), had decimated a large build department down to 1 person. Same drill.

I don’t fault either of the Build Engineers. They managed to get it done. They had no life, no down time, no recovery periods and no support.

It was a bad reflection on the Companies for sure. It showed how little regard the Companies had for their own products, product cycle, employees and customers.

MarkH December 24, 2022 6:47 PM

@Clive:

As far as I have observed, auto-mod of my comments is based solely on length. I don’t know why … I’ve recently seen comments at least five times as long as my apparent quota!

When I shorten my comments, they seem to go through quite dependably. I do so by copying and pasting the end to the next part of a multi-part comment, so the auto-mod shows no signs of being triggered by particular words (or other character sequences).

As I demonstrated not long ago, if a word appears to be an innocent trigger, an alternative allographic spelling should get it through.

Clive Robinson December 24, 2022 7:30 PM

@ JonKnowsNothing, MarkH, Winter, ALL,

Re : The lie that is test as we go.

“… engineers dumping their untested-stuff into the repository.”

You “can not say that” because developers “test as they go”…

Or that’s what they claim.

I’ve worked in just about all the major parts of the product chain, from setting engineering rules, pre-specification, … …, End of Life close down.

You always get the,

“‘we’ would plead with CEOs not to tell Engineering they could have the timeline for the entire project”

The argument used to be

“They get 7/10ths otherwise we can not test and revise”…

Engineering would say,

“We test as we go, so no we get it all”

Of course they don’t test, so they don’t know what to revise. The time line ends and you have a pile of deer droppings not a system. No time to put it together and the finger pointing game starts…

As “test/QA” you say, “We requested 3/10ths time line to test and revise, it was not given”. Because, “Engineering said they would test as they go”, the evidence shows they failed to do this.

So Engineering say “We tested but they did not revise” test/QA, again lob it back… So Engineering then blame “specification changes”, and when that does not work they try “feature upgrades” and so on.

This is where you start getting “Nightly build and test” where the game changes to “lob it over the fence” engineering keep pushing changes even after the cut off time. The build or test fails so it gets lobbed back across the fence. Engineering scream it’s a plot to stop them working or some such.

The simple fact is way too many senior managers think “Lines of Code” or similar is a “Quality Measure” rather than what it actually is, a nonsense metric (made because nobody has yet come up with a proper measurand).

The fact is the whole process is adversarial with one group blaming another until you get a circular firing squad…

It does not need to be, but many senior managers in consumer / commercial software production like it that way… Why, because they think it’s more productive…

It’s not, and it never was, but rather than call it for the crock of 541t it is, they play along thus wasting more of the time line in meetings and the like.

This in part accounts for the,

“Small teams work, large teams choke”

Observation. Or if you want the truth of it, N people or groups can have 0.5(N^2 – N) arguments. Or every time you increment N by one to N+1 you get N more arguments each taking T time from the timeline… So whilst four people can have six arguments going, adding in another person takes it from six to ten arguments, add another person and you are up to fifteen arguments and so on.

Whilst that is simple maths, the real management task is to manage the number of people in a group or its size, against the number of groups. Yes there is a mathematical answer but it’s usually wrong. Because the trick is to get a large group of people to align out of self interest, thus minimizing the T for person to person argument, whilst also structuring the groups such that the overlap where they can argue is as small as possible, thus reducing T for each group to group argument which becomes zero when there is no overlap. The other part of the trick is to organise things such that arguments can happen in parallel rather than sequentially as that can help reduce the time taken from the time line for each parallel time.

Nick Levinson December 24, 2022 7:38 PM

@Update, @Clive Robinson, @Who?, @SpaceLifeForm, & @lurker:

subset passwords and LastPass:

The LastPass concept is not awful, although that brand’s implementation may now be untrustworthy. It’s an encrypted file of passwords. I don’t use such products, as I prefer another way of protecting my authentication credentials. But the concept of a single credential locker is better than some methods now in use, such as the use of a person’s own name as a password, presumably on everything that person uses (a small percentage of people do that but a small percentage of billions of passwords is a lot and MySQL alone has billions, as a recent dump (since deleted) showed).

A single point of entry into all of one’s passwords is a vulnerability; but a single password into everything one website offers is also a vulnerability, albeit to a lesser degree. I have an account on a well-known website that offers several services that a user need not use simultaneously. One password opens all of that up. I wish it didn’t. I would like a subset password, a password that opens up only a subset of what that website offers, and a master password for that site that would let me control subset passwords. Then, if a subset password is compromised, damage (if any) would be limited. Like, if I have a password for one newspaper, it’s not a password to all newspapers.

I’ve suggested it. I haven’t seen it.

One guess about why, apart from being work to set up: A website wants users to use their site to the max and thereby build loyalty. But at least one website requires that I enter my password, the same password, multiple times, depending on what I want to do. I assume the things I want to do are on separately managed subdomains or directories that each have their own authentication table, but since I had to set up a password only once then presumably all the tables get their entries from one authoritative master table, which my account creation or password change process writes into. So perhaps that linkage could be broken on my online request and I could specify a separate password for each table.

Nick Levinson December 24, 2022 7:44 PM

@Who?, @Clive Robinson, & @MarkH:

Hold for moderation:

I don’t remember that specific message. When a post of mine doesn’t appear, I get the usual acknowledgment including an invitation to check the page to see my post, but, in my experience, if my post doesn’t appear in half an hour after refreshment, it likely won’t ever appear and no explanation will ensue.

When some nonsense about Bruce got posted and some of us replied, a while later the nonsense disappeared as did, I think, all the replies (a 2-topic post of mine became a 1-topic post). That’s a reasonable application of moderation; and it is someone else’s blog, on which we are guests who shouldn’t ignore our host’s wishes.

But it appears that a word often related to people’s private affairs, although also related to medicine, appeared as a string within a couple of innocuous words, and then posts or parts disappeared. In cases like that, rewording seems acceptable.

Clive Robinson December 24, 2022 7:56 PM

@ MarkH, SpaceLifeForm,

Re : Length of post.

“I don’t know why … I’ve recently seen comments at least five times as long as my apparent quota!”

After some testing @SpaceLifeForm and myself had a rough mental model of the system being a series of sequential tests.

What we did not really test for was if the length counter counts bytes of input or characters of input.

If it counts bytes and the chars you send are multiple byte or become multiple byte for some reason then that would account for the difference.

I’ve reason to believe that there is character changing along the line.

That is the semi-colon, minus, right brace that makes the wink smiley gets changed from three chars that are each a byte into a single multibyte glyph that is four or more bytes in length. Likewise three full stops becomes a single multibyte glyph.

It may be possible you are sending multibyte glyphs or what you are sending gets converted into multibyte glyphs for some reason.

I’m not sure of a way of testing this reliably using just the tools you get on mobile phones, so as they used to say,

“I’ll now open it to the floor to make comment”.

Nick Levinson December 24, 2022 8:42 PM

@Clive Robinson, @SpaceLifeForm, & @MarkH:

Post approval/mod system:

It may change over time.

It may vary for who’s posting. At one point, I thought all of my posts were being rejected; that stopped.

It has an automatic stage and then a manual stage that can reverse an automatic stage’s approval. The time to the manual stage can vary a lot, but human beings have their limits. (I’ve told some people that I was born at canal number 7, got bored, and went to Earth. Someone said, that explains a lot.)

I have experienced character substitution, maybe once, although I don’t think it was for alphanumerics.

I think emojis, which I don’t use, are 4-byte characters in Unicode, so maybe 3-character ASCII strings get converted.

lurker December 24, 2022 10:36 PM

@Clive Robinson, @All

re naughty words,
the naughtiness can vary with $LOCALE. I used an east Atlantic word today which was rejected and the acceptable anodyne replacement didn’t really carry the actions the original had on its subject.

Are we now all required to speak en_boston?

SpaceLifeForm December 25, 2022 2:38 AM

Texas freeze

Looks like everything will be back online soon.

Over 16,000 megawatts of generating capacity was offline, but that was covered by increased output from other plants, which kept the grid stable.

On Saturday, demand was less than forecast. It was likely due to sunny skies and that the temperature rose higher than originally forecast.

‘https://www.houstonchronicle.com/business/energy/article/hc122422ERCOTxmaseve-17676065.php

kwilk December 25, 2022 4:07 AM

Interesting backgrounder on that so-called ‘fusion breakthrough’ a couple of weeks ago…

Mecklin: The news coverage and how it was put out, though—it was all about, you know, electricity generation from fusion.
Rosner: It’s basically—it’s BS, right?

Guess what? It’s actually about making better bombs.

htt ps://thebulletin.org/2022/12/the-energy-departments-fusion-breakthrough-its-not-really-about-generating-electricity/

Winter December 25, 2022 5:49 AM

@kwilk

Guess what? It’s actually about making better bombs.

Halt the presses: Research done at Lawrence Livermore National Laboratory used for nuclear weapons development!
[/Irony]

Sorry, could not resist it. But anyone who is surprised about the fact that research in LLNL is for DoD has looked the other way for a long time.

Clive Robinson December 25, 2022 6:36 AM

@ kwilk

Re : Fusion Energy Breakthrough

“Guess what? It’s actually about making better bombs.”

You are only partly right…

s/bombs/weapons

Will fix it 😉

This sort of research goes back a ways, look up Lawrence Livermore National Laboratory “Shiva” multi laser system in the mid to late 1970s, I remember the excitement of reading about it at the time,

https://www.llnl.gov/archives/1970s/shiva-laser-system

Or not so much later the Z-Pinch effect machines,

https://www.llnl.gov/news/llnl-scientists-confirm-thermonuclear-fusion-sheared-flow-z-pinch

They are about understanding not just the fundamental physics of fusion and its base mechanics[1] but also getting the incredibly high pulse energy outputs in a usable form.

So consider the next generation of weapons such as rail guns, lasers, and many more that work at near the speed of light need immense amounts of electrical or EM energy. Traditional high energy release systems like “water capacitors” are too big, fragile etc for putting even in ships.

Get the high energy burst[2] from fusion then convert it into EM radiation moving at the speed of light and you save yourself a lot of engineering issues. One such idea was the X-ray laser.

But I’m an old dinosaur and have lived through this with really eager interest since I could read… So I kind of thought this was “common knowledge”.

Some one once noted that,

“high energy physics is about the creation and beauty of Angels, the problem is those who can afford to make them want them for the most sinful of reasons.”

And that kind of covers “The human dilemma” in a sentence,

“You want beauty then you have to have sin”.

[1] Hidden away at the end of the article you link to is the mention of “gravity”, it’s an “attractor” force which means “Spherical” is easy for it and why we have singularities like black holes all over the universe. However fusion which gives us all of the elements above hydrogen, happens via the opposite in an explosive “compressive” force we call suns and supernovas. If you look up “Hydro Codes” from the Manhattan project era and making lens explosives for the compression nuke you will find out just how difficult it is to “push back into the bottle” using compressive forces. It’s actually a really important trick because amongst many other things it’s how noise cancellation works.

[2] The original idea with laser generated fusion was: just think of those tiny tiny little pellets/prills of tritium as like bags of explosives in a naval gun that drive the shell up the barrel.

Clive Robinson December 25, 2022 7:40 AM

@ SpaceLifeForm, Winter, ALL,

Re : So Texas is not ready.

You do not say why,

“Over 16,000 MegaWatts of generating capacity was offline”

At the expected highest peak demand time of the year…

I for one would like to know.

Because when you consider,

“On Saturday, demand was less than forecast.”

Then you could assume that the infrastructure system should have failed again, in a planned way. I presume “for profit”…

And that “plan for profit” only failed,

“… due to sunny skies and that the temperature rose higher than originally forecast.”

Because of a bit of unseasonal sunshine…

So you might have lost the bet this weekend, but how about over the next few weeks when more “significantly adverse” weather is to be expected?

Ever notice that “yellow rose” and “total froze” are kind of interchangeable in rhymes, poems and songs?

So,

“The total froze of Texas,
Is the only froze for me”

Works oh so well…

Clive Robinson December 25, 2022 8:42 AM

@ lurker, Nick Levinson, ALL,

Re : Words and their meanings.

“I used an east Atlantic word today which was rejected and the acceptable anodyne replacement didn’t really carry the actions the original had on its subject.”

The mind boggles 😉

But yes some words are inoffensive in some places and not in others.

The most likely ones are found within the domain of “isms”. The various “isms” come and go as society changes in some way. They cause a jargon to arise around existing words, and it can do a 180 in less than a handful of generations. For instance the expression “Bachelor gay”[1] back in the very early 1900’s referred to what we might have later called a “lounge lizard” or even “gigolo” for what we now call “cougars” hence “Big girls toys”. It also referred to what was then called a “confirmed bachelor” which also has had a swing in meaning, but now has reverted to its original meaning again…

As was observed in Lewis Carroll’s, “Through the looking glass”,

“When I use a word,’ Humpty Dumpty said in rather a scornful tone, ‘it means just what I choose it to mean — neither more nor less.’

’The question is,’ said Alice, ‘whether you can make words mean so many different things.’

’The question is,’ said Humpty Dumpty, ‘which is to be master — that’s all.”

In this case the “master” is the blog software…

[1] It is also the name of a music hall style lament, rather than a bawdy,

https://m.youtube.com/watch?v=GIoGE2ntZrg

JonKnowsNothing December 25, 2022 11:25 AM

@Clive, @SpaceLifeForm, @Nick Levinson, Lurker, All

re: weird rejects

On my superstitious list of items that can get a no-post are hidden character codes. A reference was made to emojis but I think hidden EOL EOF markers or repeats can trigger the chopper.

It depends on how you write the source and get it to the posting box. Some folks may write in an editor (pick 1M versions) and each editor has its own meta-formats. If you C&P from an editor you might trip over one of the meta-formats that go clunk in the posting mechanics.

I also toss-salt by making sure there are no extra lines at the end of the document.

Computers are Capricious

Nick Levinson December 25, 2022 2:49 PM

Insurance may help improve security.

Cybersecurity is sold for a premium that the insurer and the prospective insured may negotiate and one factor is whether the prospective insured is acting prudently to lower risk, probably with an explicit list of steps that the insurer considers prudent. Failure to comply may result in getting no payout while paying a premium, and management usually wants to know how that happened. That usually means that management will pay the staff for the time it takes to make backups, for example.

I just heard a piece on Bloomberg radio, so maybe it’s in their media generally.

Clive Robinson December 25, 2022 8:56 PM

@ Nick Levinson, ALL,

Re : Why Insurance fails.

“Insurance may help improve security.”

But it won’t, when it comes to risks with agency.

Simplistically we insure against known risks that fall into one of two types,

1, Random – accidents / Acts Of God.
2, Deterministic – crimes / Acts of Humans.

The thing about “Random” events is they tend towards an average behaviour over time. So whilst you can not say where lightning will strike, you can say it’s going to happen ~X times per period Y over area Z with sufficient predictability to run an actuarial business.

The thing about “Deterministic” events such as crimes is that they are only deterministic to the attacker not the defender and they have no reason to average over time, or other measure.

The thing about Cyber-attacks is the “army of one” notion. The attacker does not personally attack systems, they actually give the systems a list of actions to attack themselves with. Thus they can tell a million computers to start pinging network ranges as a massive Distributed Denial of Service (DDoS) attack and bring down large parts of the Internet.

You have no idea of when or how an individual might decide to do this and realistically you can not defend against it. All you can do is pay others to try and mitigate the problem.

So just as with conventional crimes like burglary you end up paying at least twice,

1, Premium : To the insurer
2, Security: To what is a faux market.

Your house does not need the locks, bars, alarms, guards, etc the insurance company says you do to get lower premiums. Because burglary comes in three forms,

1, Opportunistic : Random event
2, Chosen : “lowest fruit” event
3, Planned : Targeted event.

The first two are the result of a “target rich environment”, you twist enough door knobs and you will find an open door eventually. Or you will see an open door/window.

It does not matter what locks etc you have as long as the attacker can get past or around them. Most people,

“Can not afford the security equipment to adequately defend their property.”

So the trick is like the old joke about tying shoe laces when a bear chases. You don’t have to be able to out run the bear, you only have to be slightly better than the other guy… So logic says “never go walking alone in the woods”, and “ensure they are fatter&slower than you are” so he’s “the low hanging fruit”.

Which is basically the trick the Insurance company is telling you to do with your neighbours.

The last type of attacker, again you can not afford the security equipment to adequately defend against such people. All you can do is “detect, delay, detain”. That is you do not give an attacker time to reach their target before your responders capture or scare them off.

Obviously with information system attacks, there is no local active attacker to be “caught in the act” so the “detain” option is gone. Thus the attacker can just keep trying from afar until one of their sets of instructions sent to your systems works…

lurker December 25, 2022 9:36 PM

@Nick Levinson, @Clive Robinson

re who gets burgled by whom, and why

I’ve just heard a docu-drama podcast “The people v J Edgar Hoover” in two parts, currently only listen on demand, should be downloadable in a few days. Second part has delicious detail of the burglary of an FBI regional office …

https://www.bbc.co.uk/programmes/w3ct4lxg

Nick Levinson December 26, 2022 2:10 AM

@Clive Robinson & @lurker:

Probability statistics support insuring against almost all of the events you described, profitably for both insurer and insured. Both sides are largely financially secure, even now, and are financially sophisticated and would notice if insurance was generally failure-prone. Insurers get more in premiums and investments with premium income than they pay out and pay for servicing insurance. Insureds find that paying premiums and being paid payouts that are less than total losses is still cheaper than going light (uninsured).

FBI offices (@lurker) probably get burgled only rarely. A political burglary a little over half a century ago was recently reported in a book on the era and that case took unusual planning (viz., the prospective burglars decided they’d never meet again afterwards so they wouldn’t be surreptitiously photographed with two or more in a picture and I think they were never caught).

Ordinary burglaries and other crimes in their ordinary variety tend to occur at frequencies low enough to let victims recover, if only because the return to the criminal drops to less than the investment needed to repeat the crime. If the criminals don’t coordinate schedules, they still tend to have some idea of whether it would be profitable. Those who don’t because they’re careless or out of touch are also the ones who don’t know what they’re doing and therefore are the ones more likely to get caught. Even without any coordination, reasonably reliable statistics and indicators are available on local frequencies. When the crime rate is too high, people move away, policing is increased, or insurance is expensive or unavailable; but relatively few neighborhoods lack insurance or people.

How much security to pay for is answered by a formula used in business risk management: Consider one risk and one time frame. Determine the percentage likelihood it will occur and the financial cost you would suffer if it occurs. Multiply the two numbers together. Don’t spend more than that. E.g., for 1 percent and $1,000, don’t spend more than $10. Mars could crash into Earth tomorrow but you probably shouldn’t spend anything against that, even if all you would suffer would be from breathing enough dust to kill the vegetation dinosaurs would eat and a mask would help you survive, if the mask would cost even a penny. Today, use your money for something else.

Turning all the doorknobs, much like trying every possible PIN at an ATM for a given account, is the kind of brute force attack someone notices and calls the police about or locks the ATM against. A safe cracker could try every possible combination but most safe crackers probably don’t want to risk hanging around long enough. The situations where trying everything makes sense for a crime are fewer.

Even in IT, there often is something to detain. Honeypots detain and activity there can be a signal to lock something else. It’s a cat-and-mouse game, to be sure, but it’s worth the effort. I doubt policing, national security, or major infrastructure (like nuclear power plants) would use computers at all for critical functions if security was pointless.

If insurer #1 insures owner #1 and insurer #2 insures owner #2, the problem of not having to outrun the bear as long as one owner outruns the other owner applies as you describe. But if one insurer insures enough owners who have some kind of proximity, the insurer comes to have an interest in community protection, even in protecting the uninsured and those insured by competitors. Thus, decades ago, in New York City, the Fire Patrol, paid for by insurers, would arrive at a fire scene after the firefighters had been there and the patrol would try to reduce water damage regardless of who insured the burned property and nearby property against water damage. And, according to Mark Twain’s autobiographical memoir, Life on the Mississippi, Mississippi steamship captains in a union had a system within the union for telling each other about river hazards, a system nonmembers could not access; then they were on strike; replacement captains had no such system; you can guess what happened to ships; and, according to Twain, insurers told the ship owners to settle, which they did.

What you (Clive) say about deterministic events as uninsurable applies mainly to events that would be caused by the insured, a narrower class of events than you describe. That’s why you can’t buy insurance against your own suicide, regardless of who the beneficiary would be. I suspect also that life insurance will not pay a beneficiary who murdered the insured (assuming the murder was proven but regardless of motive).

Your (Clive’s) view seems rather fatalistic. You have a point that a security system cannot guarantee security; but your argument seems to extend into that therefore security is useless. I’m not sure you mean that. If you do, you’ve said or hinted that some of your past work was to enhance security and I guess either you’ve changed your mind about its efficacy, toward pessimism, or you couldn’t convince your clients/employers of lack of efficacy of your own work when you agreed to do it. Security is often about outrunning one’s competition and, when that won’t work, and even strengthening a community’s defenses isn’t good enough, we can focus on getting criminals and would-be criminals into legitimate work that pays as well, a seriously difficult challenge that needs to be met even earlier. Willie Sutton, a bank robber who robbed banks because, famously, that’s where the money is, described one robbery from which, I estimate, he made $4,000 a week for 5 weeks’ work about 90 years ago (that would be over $70,000 a week today), so we can see the size of the challenge to be met.

Exceptions, by which insurance is unavailable, apply to situations unknown to insurers, such as those framed by new laws creating new liabilities for which experience has not built up enough and to situations that are too costly for a prospective insured to afford the premium. Decades ago, during wide reporting of a U.S. malpractice insurance crisis, a hospital paid a premium equal to more than the total payout possible under the insurance being bought (I assume the hospital was required to have the insurance and so it had to buy it). It may still be possible to buy insurance as a promotional gimmick, like the female actor for whom someone bought insurance for her legs (I assume it had enough clauses so the insurer would never have to pay more than a token amount and that kind of insurance is likely easier to buy in certain foreign countries with lax regulation over nondomestic sales).

Winter December 26, 2022 2:24 AM

@Nick Levinson.

How much security to pay for is answered by a formula used in business risk management:

As a private household, you should not insure against losses you can bear easily financially. The cost of the insurance will always be higher than the expected loss. (the insurance company would go bankrupt otherwise)

There is a racket in Europe where shops offer “extended warranty” on appliances. These are insurances that are way too expensive at little extra coverage as the law already requires ~2y warranty against production faults.

Nick Levinson December 26, 2022 2:59 AM

@Winter:

Your point is covered by the concept of deductibles, and I’m sure businesses and government agencies agree to them, too.

I don’t buy extended warranties on anything. Scott Mueller, who used to write extensively and well on computer hardware and Windows, was against them, too. I once found a deal for one on a printer at $600: likely the manufacturer’s cost for an entire printer at a rate of one replacement printer for every customer, so I assumed the printer must be so failure-prone I refused to consider even the printer without an extended warranty for an organizational purchase.

Winter December 26, 2022 4:42 AM

@Nick

so I assumed the printer must be so failure-prone

More likely, this was an attempt to extract more money from the buyer by adding useless items. Most often, the insurance is not offered by the manufacturer, but by the shop.

I see the same in car rentals. You can double the rent with insurance for things that do not happen.

SpaceLifeForm December 26, 2022 4:48 AM

@ Clive, Winter, ALL

Texas freeze

Yep, the 16,000 MegaWatts offline is a mystery.

I have not been able to get any solid information as to which was intentional load shedding and how much was due to frozen equipment. Especially in Texas where there are wholesale producers and retail resellers, and the resellers speculate on the energy demand. It may be that their WX is not good, and they thought the real cold air would arrive on Saturday, but it arrived sooner than they expected. They probably got whipsawed on the speculation.

In Milwaukee, Wisconsin, they asked people to conserve, with the excuse that there was a natgas pipeline problem. Even though the pipelines are definitely underground there. I could not find any evidence of any pipeline problems there. None. I searched for hours. Crickets. It was just BS to make profit.

This is from 2022-12-23

And I see now, they had an update at one of the coldest points of the day (2022-12-24 06:30), saying, all is ok now. I think people started calling out their BS overnight, and that (We Energy) knew they created a sticky wicket for themselves.

There was no pipeline problem. There was a profit problem.

‘https://urbanmilwaukee.com/pressrelease/we-energies-asks-customers-to-immediately-lower-their-thermostats/

Same thing happened in Texas. Conserve. Turn down your thermostat, so we make money.

Clive Robinson December 26, 2022 5:44 AM

@ JonKnowsNothing, ALL,

Re : What men make…

“Computers are Capricious”

Oh if only they were, then we could just treat them like livestock / slaves / serfs… (yup beat them until they did what they were told to do, such is mankind’s way).

The reality is within a very small margin they do exactly what they are told, and that’s the real problem.

As humans we mainly don’t have a clue as to how things work, we just “use or abuse” and assume anyone / thing in between “thinks like us” (which only proves we don’t think 😉 So must understand what we want, and is thus “just being deliberately stupid to upset us…”

I’ve spent much of my adult life trying to make “things” apparently “understand” what people want… As I get older I realise I would have been more successful if I’d purchased a $5 pipe wrench and re-programmed the users…

On the principle of the old legal joke of,

“If you can’t enjoin them, beat them.”

Winter December 26, 2022 6:12 AM

@Clive

The reality is within a very small margin they do exactly what they are told, and that’s the real problem.

Machines are the genies of the fairy tales. You get three wishes. The third wish is invariably needed to undo the first two.

Clive Robinson December 26, 2022 7:20 AM

@ Winter, JonKnowsNothing, ALL,

Hope you are not groaning too hard after yesterday’s excesses

Yup, as they say,

“the third wish to undo it all”…

Speaking of which, this is technology / security related to the failings of humans and shiny metals,

https://m.youtube.com/watch?v=Jv1jqonqtuc

(skip the first two mins)

Also as it’s that time of year for reflection before making those annual “new year plans”, this will tell you why you should not bother at all,

https://m.youtube.com/watch?v=zV01-5fRUtg

Another Twitter Breach December 26, 2022 3:25 PM

A threat actor is claiming they have obtained data of 400,000,000 Twitter users and is offering it for sale.

The seller claims the database is private, he provided a sample of 1,000 accounts as proof of claims which included the private information of prominent users such as Donald Trump JR, Brian Krebs, and many more.

hxxps://securityaffairs.co/wordpress/139993/data-breach/twitter-400-million-users-leak.html

Clive Robinson December 26, 2022 3:48 PM

@ Nick Levinson, -, SpaceLifeForm, Winter,

“Both posts above…”

It’s actually three posts if you look.

It’s what some one indicates is a “Trumpian 400 pound Troll”, “bashing away at it” in “mommy’s back bedroom” or similar.

Someone else has found meta-data that indicates a time / date pattern that gives a probable location in a Russian Troll Farm.

Me I think “attribution is hard” thus it could also be a spineless wannabe that has a personal grudge / fixation, we’ve had a few of those in the past, you might have noticed one at “Thanksgiving” just past. Likewise it could be some psycho-Karen who gets their unsolicited URL advertising removed.

Sometimes this blog is like a box of Bertie Bassett sweets, “We get allsorts”.

https://metro.co.uk/2009/02/13/sweet-new-bride-for-bertie-at-80-456525/

Clive Robinson December 26, 2022 4:10 PM

@ name.withheld…, ALL,

Re : Voters are the problem.

“How can you have citizens if they are allowed to vote you out of office.”

There are two basic ways,

1, Disenfranchising voters
2, Rigging votes.

We know the GOP/Republicans do the first like a rabid dog going for your leg.

But they shot themselves in the foot over the second…

Having made all that noise and spent all that money and caused others to prove it was a “nothing burger” of the least palatable type. They now can not actually “rig voting” because people are going to be extra vigilant.

But lets be honest, neither major party in the US is what you would even remotely think, could give you a democracy. But the sad reality is both parties fail to live even remotely close to even that lowest of the low mark. Because they are both so far beneath contempt the average person can not think that low without utter revulsion.

Nick Levinson December 26, 2022 5:12 PM

@Clive Robinson & @Moderator (perhaps also @-, @SpaceLifeForm, & @Winter):

I see only two (from today at 2:05p & 2:11p) unless we include the one posted at 1:57p today. That one doesn’t look like copyright infringement but just off-topic (on sex, in a sense), as are many posts that stay on many squid pages. I assume Bruce is willing for some of the off-topic to stay, so I didn’t raise the 1:57p post as an issue, just the two that could create a legal problem under U.S. law, where Bruce has nexus.

Clive Robinson December 26, 2022 7:01 PM

@ Nick Levinson,

“That one doesn’t look like copyright infringement…”

But it’s very probably from the same originator, as others will no doubt indicate as well.

It follows a pattern of behaviour.

lurker December 26, 2022 7:42 PM

@modem phonemes, Clive Robinson

Yes, these researchers have taken positive steps on the path of improving power/weight ratio and flexibility of solar pv devices. But, as often happens with ivory tower research, they seem unaware of the real world environment where these things are used.

“These cells as they are could last one or two years without packaging,” Bulović says. “With packaging, we could extend that to five to 10 years. And that’s plenty.”

While the solar road was a goofy idea from square one, solar pv panels still have to deal with dust, bird droppings, and a sometimes significantly corrosive atmosphere. The best protective product we have so far is a thousand years old, glass, and with glass current pv installers offer 15 to 25 year warranties. Setting aside whether the installer will still exist 25 years from now, there is an assumption that the product will still be working then.

So if these guys want to make a contribution to power/weight ratio of practical useful real world devices they could be looking at the glass, like Corning did with phone screens.

JonKnowsNothing December 26, 2022 8:09 PM

@Clive, @SpaceLifeForm, All

re: CH-ov-nado Arrival

There are few reports about the status of C19 in China, trickling in from various MSM reports.

Things that are reported on the known end are:

  • 1 city in China of 10Mill have 500,000 per day infections, rate of infection rising. ETA of 100% infection of 10Mill less than 20 days.
  • USA also at 500,000 cases per day. California having a bad C19-day, with ERs severely overbooked. LA County highest levels since June-Aug 2022.
  • Molnupiravir aka Lagevrio no longer works.
  • China rejiggering of reports and data definitions. Same as was done in West @2022. UK and others will no longer publish COVID modeling information as R-rates are “no longer needed”.
  • USA struggling under BQ1 and BQ1.1.
  • AU 2/3 of 15,500 excess deaths Jan-Aug 2022 are COVID. 8,200 COVID dead.
  • Other previously rare or declining illnesses on the rise: Scarlet Fever, Syphilis, Strep A, Polio, Measles, more.
  • USA life expectancy fell again, now @ 76.4yrs.
  • Off the Radar: more laws to allow reuse of grave sites because we are running out of space. Various countries already have reuse laws. Some are working to enact them. Hamlet ran into one of those in progress (Hamlet, Act 5, scene 1).
  • Today’s trickle-in from China is: No More Delays or Quarantines for International Travel

It would not be improbable that the CH-vo-nado will be arriving faster than previously expected. It is likely already in most countries via 2 routes: VIP Travel and Business Travel to-from China.

The new no restrictions to-from China with Japan and Taiwan also ending travel restrictions, this will increase the likelihood of Ch-vo-nado surge coming sooner, rather than later.

The USA is having a double roller from Halloween and Thanksgiving. We will be having the third roller from Christmas Holidays and a final kicker from the upcoming 2023 New Years gatherings. These were expected to decline in Spring 2023.

We can now add in the Lunar New Year in many Asian cultures and the influx of people visiting to and from Asia.

I would not be surprised if the first serious indicators of CH-ov-nado shows up Jan 2023. Once we know the variant profile, we will know a lot more about Best Mitigations.

It’s like Groundhog Day… 4 years later. 3 more years to go.

Nick Levinson December 26, 2022 9:06 PM

@Clive Robinson:

I probably agree. I don’t want to discuss other clues here. The mod can see if email addresses are the same and are likely legit. In case they are, I suggested a warning email, which either won’t work at all or can work for all of them, for the same effort (one email) by the mod.

On the other hand, maybe I’m contributing to the problem: If it’s one poster and the poster wants to disrupt us, I’m helping disrupt by occupying page space. I’ll leave it to the mod to decide what to do next.

I’ll raise another issue: One post looks like advertising to appeal to anyone to purchase a product of a data breach. It’s legit to talk about it and to give educational detail, even if that means pointing to a source that a bad actor could use, but one should add content that could be useful to good actors. In this case, it would have helped to tell us what was different about this breach, such as in technology or social engineering, such as a method a security planner who’s a good actor should consider elsewhere. Bruce wants to know what he might have missed and that’s what these squid pages are for.

Thanks for the thoughts.

SpaceLifeForm December 27, 2022 1:44 AM

Bankruptcy via IT mismanagement

Apparently the crew scheduling system is down and expected recovery is another week.

‘https://www.reddit.com/r/SouthwestAirlines/comments/zw32yt/psa_from_a_swa_employee_since_the_company_wont/

‘https://www.reddit.com/r/SouthwestAirlines/comments/zw6upo/hey_guys_swa_pilot_with_a_little_information/

Clive Robinson December 27, 2022 2:35 AM

@ SpaceLifeForm,

Re : Southwest to be carpeted.

What the cause of SWA’s up to 50% or more cancellation of flights over the past three days is, is not “publicly known”; the CEO is muttering about weather.

However a man in Washington obviously thinks otherwise,

https://www.reuters.com/world/us/us-examine-southwest-airlines-cancellations-calls-unacceptable-2022-12-27/

Oh and for those in New York suffering one of the worst blizzards for some time, apparently there is “assistance” approved,

https://www.reuters.com/world/us/biden-approves-us-emergency-relief-new-york-after-blizzard-2022-12-27/

What that will actually mean to people on the ground I don’t know.

Clive Robinson December 27, 2022 6:52 AM

@ Bruce, ALL,

From MIT Technology Review about how images from a cleaning robot that was in development went through a series of steps to contract “annotators” and how that “supply chain” failed[1] and intimate pictures ended up on various parts of Social Media,

https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/

I think a couple of things need to be stated,

1, This is due to human failings
2, It’s only going to get worse with time and devices.

So my view of,

“No IoT in the house anywhere any time”

Others might want to think about.

[1] Oh note, that the development company is not sorry it happened, only that they got caught and had to go to the trouble of sacking a service supplier…

&ers December 27, 2022 9:31 AM

@ALL regulars in States,

I read you have a hell of a winter storm there?
Direct info is always the best.
How bad is it at your site? Thanks.

SpaceLifeForm December 27, 2022 3:04 PM

@ &ers

It is bad. Last check, 57 dead in Buffalo, NY area. Roads still not cleared. I expect death count to exceed 100 after they find more people that froze to death in their car because they got stuck and there was no place to walk to in the blizzard.

They knew it was going to be bad, but they tried to drive anyway.

SpaceLifeForm December 27, 2022 4:20 PM

When you see a graph that is small, and you can not read any text, but you can recognize its dna from the squiggles, you know you have been watching the $TSLA movie too long.

Clive Robinson December 27, 2022 5:59 PM

@ lurker,

Re : Start the Planes.

“In this day and age why can airlines call weather “unforeseen”?”

They can, but all too often they won’t.

Back many years ago airlines could not only cancel your flight they could bump you off a flight with no reason given and in both cases they could keep your money as well. Oh and not allow you to transfer to alternatives, they were also not responsible for your welfare either, so you could end up on the street with not even your luggage.

Things started to change and the EU especially clamped down hard on airlines. For instance in the EU the airline is responsible for your welfare when you’ve checked in, whereas in the US not so much. Thus in the EU one way to find out how bad a delay is, is to go and ask for meal vouchers. If they hand them out go grab food quick and make yourself comfortable you are going to be there a while[1].

When I traveled I always assumed things would go wrong if they could. I was traveling with my boss for a “one day” meeting trip. And at 0630AM he was surprised to see that besides my brief case I also had a back-pack as “carry-on” with 2 litres of water, 2500kcal of food, two changes of plaid flannel shirts / underclothes, trainers and tracksuit trousers and full wash kit and a light weight military poncho and a good book and pack of cards. He kind of understood on the way back when our flight got repeatedly delayed from late afternoon to 3am the following morning… He was not very good at cards and I won fifty or so “jelly-babies” off of him, maybe that was why he was grumpy in the office later that day or it could be because he looked kind of rumpled, stained/strained and bristly 😉

I know people who claim they have made a hundred or more flights each year for a decade or so and never had a delay or cancellation. I think my average for flight problems was oh one in three or thereabouts, helicopters were worse… And I’ve had to sleep in some real rough places as a result.

My only advice that worked in my favour is where you can,

“Fly the flag carrier of the destination for the leg of the journey you are on”

That’s because they usually get both flight and landing privileges over other airlines. So AA to America from London, and BA back to London.

[1] Or longer, on one occasion back in the late 1980’s I had been injured and had to travel light via commercial flight, and had only my bergan and field stuff of sleeping bag, mat, and a few other niceties such as a poncho/tarp, bungies and kit to set up a bivi… The airline were not overly amused when I did exactly that in the departure lounge and grabbed some sleep. I guess the grubby uniform and “hardware” I was carrying dissuaded them from being too assertive (back then you’d be surprised what you could carry onto a plane as hand luggage).

&ers December 27, 2022 6:05 PM

@Clive @SpaceLifeForm @ALL

hxxps://www.walesonline.co.uk/news/world-news/gallery/winter-storm-elliott-incredible-images-25842333

Clive Robinson December 27, 2022 7:38 PM

@ SpaceLifeForm, lurker, &ers,

Re : They knew it was going to be bad.

“… but they tried to drive anyway.”

Probably entirely unprepared…

Let’s be honest, this is not the first time this decade NY has had appalling winter weather. Heck part of its topology actively encourages it.

You can look up French Canadian and Alaskan government sites that explain what you should carry, what you should do with it and a few other things that easily turn life/death situations into just uncomfortable wait situations.

They easily fit on five sheets of A4 so should be printed off, read, before the weather takes a downward turn, and put in the car glove box as well.

Provided you wrap up appropriately you can survive in -40 temperatures for as long as you have both food and water… I’ve survived and whilst not exactly thrived certainly functioned in lower temperatures than that for more than a week.

We used to have a saying,

“Any fool can be uncomfortable, but it takes a wise man to be comfortable in all environments”.

I was never quite wise enough 😉

I’ll be blunt though, and say anyone who does not have Thinsulate or equivalent gloves, hat, scarf on them when the weatherman says 55F / 13C or below is not being sensible. Likewise sensible footwear and long coat. If pushed you can sleep in temps just above freezing in that provided you are out of the wind and wet.

Add a wool blanket[1] in your car and you are good to much lower temperatures provided you have food and water (you need about a USG/person/day below freezing). You would be surprised at just how much heat an 8-hour candle gives off, you just have to remember to crack a window due to carbon monoxide / dioxide. You can carry 4-10 8-hour candles in the glove box of many cars. Carry a tin mug and you can easily heat the water to warm or above drinking temperatures. Just holding a warm mug of water can lift most people’s morale and mental state, drop an extra strong mint or lemon drop in it… Likewise a pocket AM/FM radio, you can keep under your arm and use ear-buds.

If you are diabetic, remember your BG meter needs to be kept warm to work so stick it under the other arm. I should not have to remind diabetics that diabetes and cold do not play well together and the risk of peripheral frostbite is higher, so careful monitoring is essential.

Similar with other auto-immune diseases. Keep meds on track.

[1] Wool is better than the majority of synthetics and most other non synthetics. The reason is the wool holds air differently, thus it will still keep you warm even when quite wet, unlike most other materials.

Nick Levinson December 27, 2022 10:04 PM

A computer security company was studying viri (viruses) a few decades ago when people sent in samples on floppy disks. The people mailing the floppies thoughtfully put prudent warnings on the envelopes, so no one would misuse the floppies. The warning was often something like “Live Virus Inside”. The local post office servicing the company saw lots of these many times and freaked out. The company asked submitters to please stop writing that on outer envelopes. I guess the company figured out another way to handle the floppies and the viri safely. I’m not sure where I read this; maybe in Virus Bulletin in the mid-1980s to early 1990s.

@Clive Robinson:

About what you could carry in hand-luggage years ago: Guns in the U.S. long ago could be mailed (now restricted). According to a Black Panther Field Marshall, Congress passed a law requiring that a package containing a gun be labeled as such (no longer). Also, the post office did not, back then, require uniforms for some inside jobs. So, he persuaded someone to let him in to where he could sort packages and he stole whatever had the label. (He wrote about his experience, in a book published posthumously: Don Cox, Just Another Nigger: My Life in the Black Panther Party (2019) (my review on Amazon).)

Nick Levinson December 27, 2022 11:03 PM

A computer security company was studying viri (viruses) a few decades ago when people sent in samples on floppy disks. The people mailing the floppies thoughtfully put prudent warnings on the envelopes, so no one would misuse the floppies. The warning was often something like “Live Virus Inside”. The local post office servicing the company saw lots of these many times and freaked out. The company asked submitters to please stop writing that on outer envelopes. I guess the company figured out another way to handle the floppies and the viri safely. I’m not sure where I read this; maybe in Virus Bulletin in the mid-1980s to early 1990s.

@Clive Robinson:

About what you could carry in hand-luggage years ago: Guns in the U.S. long ago could be mailed (now restricted). According to a Black Panther Field Marshall, Congress passed a law requiring that a package containing a gun be labeled as such (no longer). Also, the post office did not, back then, require uniforms for some inside jobs. So, he persuaded someone to let him in to where he could sort packages and he stole whatever had the label. (He wrote about his experience, in a book published posthumously: Don Cox, Just Another N?????: My Life in the Black Panther Party (2019) (my review on Amazon).)

I originally posted with the N-word as properly supplied by the book author, but apparently this blog filters for that word. The word also appears in the original URL, so I’ve substituted characters. Interestingly, the URL still worked in a browser; maybe the host’s server anticipated this. The link: https:// http://www.heydaybooks.com/catalog/just-another-n?????-my-life-in-the-black-panther-party/ (delete a space and replace the question marks, which here do not signify query strings).

Nick Levinson December 27, 2022 11:19 PM

In my last post above (11:03p), the URL openly stated at the bottom was auto-edited by the blog’s software to add a protocol string, and it’s the wrong protocol (I don’t think a human would have done that). It may work anyway, but, if it doesn’t, delete the space and the HTTP protocol, so that the HTTPS protocol goes with the rest of the URL, and edit the question marks as stated above.

Nick Levinson December 28, 2022 2:23 AM

No, Microsoft does not appear to have killed Ubuntu, and I doubt, if it still would want to kill Linux, that would be the way to go.

For readers who aren’t following the link: The article appears to be an April Fool’s joke from over 6 years ago, maybe last modified a year and a half ago (according to the article page’s source code), and Ubuntu’s website is still up and offering Linux, apparently for free, and showing an apparent partnership with Microsoft.

Winter December 28, 2022 8:26 AM

Here is a marvelously insightful Ars Technica article:
Is it time for GDPR 2.0?
EU rules preserve some privacy but can be better.
(link below)

The article is a two-part piece. Part I is the main article that will make your hair stand on end. Part II is the comment section that digs a deep hole and buries the original in deep layers of shame.

Part I enumerates all the reasons the GDPR was written as “flaws”. In the comment section, readers enumerate all the reasons why these “flaws” are virtues and features indeed.

Here is the link:
‘https://arstechnica.com/tech-policy/2022/12/is-it-time-for-gdpr-2-0/?comments=1

sadly, JavaScript is needed to see the comments

JonKnowsNothing December 28, 2022 10:09 AM

@Clive, @ SpaceLifeForm, lurker, &ers, All

re: Cold and Colder

While I don’t have to deal with the huge amount of snow, I often have to stand in line in the cold, rain or heat. It’s interesting how you have to adjust to doing things differently, when you never had to deal with uncomfortable weather or conditions before.

What’s also interesting is learning from other line-standers what they are doing.

There are those who obviously are staying warm but there is another segment that has no coat, or warm attire at all. It’s cold for sure, but they either do not have anything or cannot afford something or they don’t seem to be bothered by the temperature. I do not see them shivering or stamping their feet or even running their arms up inside their sleeves.

iirc(badly) eons ago women wore mini-skirts in New York City, USA in winter time. They also wore “hose” but walked around with otherwise bare legs and no one seemed to be over bothered by the cold temperature. There were also reports of people who eschewed heat or hot items in preference to cold ones. A bit like the New Years Polar Bear Plunge but every day. There are reports that some monks in high altitude cold environments can generate enough body heat to dry “ice cold wet sheets”.

I do not have that facility. I get cold standing in line, in the wet and cold weather. Glove, Hat, Layers, and Leg Wrap help. I wear a light wind breaker under a heavier outer coat.

I also check out what other people do who live in cold climates. Currently I’m hunting up a Tibetan style Chupa/Chuba over coat to wear. It’s essentially a bathrobe-dressing gown but with the outside more suited to being outdoors in public.

Douglas Adams’s observation on the use of a towel is not too far off. A thick fluffy large spa towel is an excellent thermal barrier.

modem phonemes December 28, 2022 5:28 PM

SWA

https://www.wsj.com/articles/southwest-airlines-melting-down-flights-cancelled-11672257523

“Airline executives and labor leaders point to inadequate technology systems, in particular SkySolver, as one reason why a brutal winter storm turned into a debacle. SkySolver was overwhelmed by the scale of the task of sorting out which pilots and flight attendants could work which flights, Southwest executives said. Crew schedulers instead had to comb through records by hand.”

Failure to use hashed lookups? This was the cause of exponential slowdown/failure in the code of two different leading vendors in another industry.

&ers December 28, 2022 5:58 PM

@Clive @SpaceLifeForm @ALL

Here we go again…

hxxps://news.sky.com/story/covid-patients-no-longer-have-to-quarantine-in-hong-kong-as-restrictions-are-lifted-12775498

&ers December 28, 2022 6:15 PM

@JonKnowsNothing

In cold weather moisture is your first enemy. Either take measures so it can escape or try to contain it. I know fishermen here put pantyliners (Libresse for example) inside their footwear to keep their feet dry and therefore warm.

Hope you are well there.

Clive Robinson December 28, 2022 7:39 PM

@ &ers, JonKnowsNothing, ALL,

Re : Humidity and heat loss

“In cold weather moisture is your first enemy.”

We’ve probably all heard of “wind chill factor” and been given a simple formula to “guesstimate”.

The thing is there is no internationally agreed formula even now.

But practical experiments controlling air temperature, speed, humidity and pressure do not give rise to anything like a simple model, and those that exist can be misleading.

For instance water removes heat energy around 25 times more than dry air. So actually high humidity at approx 4C / 39F sucks heat from you faster than those simple equations might suggest.

It’s also known that energy transfer is more efficient the closer the temperatures are (which is one reason we don’t die in hot deserts where the temp is above 40C).

Quite some years ago now, I worked in the petro-chem industry and ended up working in a Canadian winter where the old joke about temperature applies[1]. The one thing they used to impress on us was

“Don’t sweat, it will kill you faster”

I ended up “physically working” outside wearing work trousers, thermal underwear, a tee shirt and old British army wool[2] shirt, gloves, really thick wool socks and wool face/head protection. However I was chowing down about four days’ food per day and losing weight…

Importantly,

“I had a whole load of other layers on when the work was not physical”.

And that’s the important point, you need enough clothes on to feel like you are at comfortable room temperature, not less and most certainly not more, all the time.

[1] The joke is,

Q: How cold does it get here?
A: Minus thirty five.
Q: Is that degrees C or F?
A: First one, then the other.

[2] Wool being an animal fiber has a construction that even when wet holds air trapped so can keep you warm. Something most synthetics and vegetable fibers can not do.

JonKnowsNothing December 28, 2022 8:51 PM

@Clive, @SpaceLifeForm, All

re: CHOVNADO arriving on Gate 9 3/4

Trickle down info from MSM reports that a few governments have decided to test Chinese inbound travelers on arrival. Italy and USA were mentioned. Italy has already detected positive cases, prolly RAT tests.

Official sources (ymmv) claim “They do not know what variants are in China…”.

Of course, it’s far too late for quarantines and the LOVID economies are about to get slammed by CHOVNADO plus whatever is rolling through their own countries (USA is BQ1 BQ1.1) including RSV and Influenza.

The Q1 2023 will be very interesting trying to sort out how the variants will flow and backwash globally. China says they are right on schedule for their modeling: most of Q1 2023 will be COVID dominant.

Nick Levinson December 28, 2022 11:47 PM

@Winter:

On GDPR 2.0:

I read the article. In most websites, comments are not worth reading; and I don’t have time to read 193 comments (so far), chronologically but not topically ordered, to see if this set is an exception. Here’s mine:

  1. The EU cannot have worldwide jurisdiction over everyone. No one has it. The EU can say it does, but that’s like the 5-year-old who, alone, drove the family car onto a highway; he didn’t have the legal authority no matter what he thought and the same is true of the EU. Microsoft’s General Counsel said the EU had that authority but later I couldn’t find his statement; he likely changed his mind. If such jurisdiction existed, sovereignty would not. The U.S. could outlaw Marxism worldwide and Iran could outlaw Christianity in the U.S. and China could require that the entire world pledge allegiance to Xi Jinping and use Chinese Covid-19 vaccines and protocols. The GDPR is not the first claim to worldwide jurisdiction but none of them is valid. A nation has jurisdiction over its own nationals anywhere in the world and over anyone in its nation regardless of nationality, and that’s a lot, but not over everyone worldwide. And, by the way, if we were to have such power, we’d have the responsibility that would come with that power, and we don’t even have a plan for that responsibility, therefore we don’t have a plan for that power. That would need a world government. We have norms of international law, a/k/a general international law, but we don’t have a person in charge of the world, not even the U.N. Secretary General. The EU is engaged in wishful thinking for the GDPR.
  2. Suppose I make a giant sign saying Russia is at war in Ukraine. If I put the sign in Moscow, it would be illegal. But say I put the sign way up on a Delaware beach, facing Russia, and Russians see it (it’s so gigantic that Earth’s curvature is not in the line of sight). It may be illegal for Russians to look at it or tell each other about it; Russia could pass a law like that, and build a giant wall just inside its border. Or Russia could make it illegal for a Russian visiting Delaware to put up such a sign. But I don’t have nexus in Russia. Therefore, I can’t violate Russian law with my sign in Delaware. The principle also applies to the EU and U.S. websites. Merely downloading a U.S. website by viewing it in a browser is not enough to put the website under EU jurisdiction.
  3. Some features of the GDPR would be unconstitutional in the U.S. I’m in the U.S.; speaking of people in the U.S., I have only a limited right to limit what information you collect, hold, and disseminate about me. Germany probably can legally ban certain views that Nazis hold; the U.S. can’t. I don’t think the U.S. can legally require me to disgorge what I know or think about you, and it wouldn’t matter whether what I think about you is accurate.

As statements of law, these statements are approximate but close enough for discussion.

SpaceLifeForm December 29, 2022 12:30 AM

Apparently Twitter did not pay their Sacramento DC bill.

And now people are reporting that they can not login.

Clive Robinson December 29, 2022 12:50 AM

@ lurker, ALL,

Re : Is TikTok a threat?

“Just looking at the list of evils of TT, don’t FB and friends already do this?”

Yes and in the case of FB way way more so. Then there are the really really scary organisations like Palantir…

TikTok have pointed out repeatedly that the data they have is held in the US and Singapore and not China. I’ve yet to see anyone believable contradict this in any way with actual facts.

Oh remember as well that Alphabet via Google and YouTube holds more data on US citizens in places like China than people think or realistically realise.

The thing is it’s really a case of “The old Empire gumming back” politically. US politicians are scared by China for many reasons, not least the US no longer rules the waves or much else in and around Chinese waters. That is, the western side of the Pacific and the South China seas are falling under China’s influence and control. Worse, China has energy and trade relationships with Russia that are beyond US control. And with the nonsense from the previous POTUS the joke of it is the US politicians have brought this down on themselves and the rest of the world…

I’m not saying any of this is a good thing, just that it’s the direction the world is currently moving in.

The real problem is, when you do things for political face-saving reasons you’ve already painted yourself into a corner and have lost a significant degree of freedom of movement.

As for TikTok, is it a danger? Yes, all large data collecting organisations are. Is TikTok particularly bad? Not that we can see when compared to many large US data collecting organisations.

I’m no big fan of the UK’s GCHQ but they do tend to do their homework without fear or favour, which is why their take on TikTok might be of relevance,

https://www.theguardian.com/technology/2022/oct/11/tiktok-young-people-gchq-chief-jeremy-fleming

Remember though that in ICTsec as in SigInt at NatSec levels things can change rather rapidly such is the way of technology.

Clive Robinson December 29, 2022 1:26 AM

@ Winter,

Re : Time for GDPR II,

I’ve read through it and I think the author really needs to think about what they are saying after first ditching their ingrained prejudices.

Basically everything the author proposes will open up loopholes that render any GDPR legislation useless.

Nick Dedeke may be a professor at Northeastern University in Boston, but his arguments are right out of a Silicon Valley Mega Corp lobbying office.

For those that do not know, the EU governance bodies are plagued by US lobbyists, and they are worse than the Russian spies. So ask the question: if they do not want to abide by previous agreements (that they broke and waved two fingers at) and want to force their view of the world on the EU, why should the EU not push back?

In fact I’d like to see the GDPR be tightened even further to stop the US corporate nonsense of “Our Systems our rules” such that they can not allow EU citizens on their systems, as some already do.

They want to do business with people in the EU then they must fully abide by EU rules. If they don’t then they can go do business elsewhere…

lurker December 29, 2022 1:40 AM

@Nick Levinson

A nation has jurisdiction over its own nationals anywhere in the world and over anyone in its nation regardless of nationality …

I wish to be obtuse and claim a contradiction here. It is the belief in both halves of that statement that causes diplomatic tension when citizens of nation A are arrested in nation B for alleged violation of nation B’s law. Nation A aggravates the situation by claiming they are innocent under A’s law.

The GDPR for all its good intentions, does not solve one significant conundrum: on the internet, where is business transacted? A company nominally domiciled in nation A and transacting significant business there, wishes to do business with the citizens of nation B. Regardless of where the servers, or warehouses for physical goods are located, the company registers an internet domain company.co.b, and hires B speaking staff for a local office. Yet the citizen of B who diligently examines his Terms of Service with the company finds that in spite of the company promising to abide by nation B’s Consumer and Finance law, any irregularities or disputes could be dealt with under the law of Nation A. By agreeing to do business with the company the inhabitant of B has signed away some of his rights of citizenship.

why say happy new year but not merry christmas? December 29, 2022 3:49 AM

Regarding Canonical+Microsoft “Partnership”

https://pulse.microsoft.com/en/transform-en/na/fa2-canonical-a-partnership-that-delivers-the-best-and-most-secure-open-source-for-customers/

““With Microsoft we can work together without competing,” says Rouffineau in summary. “Which means we can continue to scale while maintaining the community that started Ubuntu, as well as the open source ethos that comes with it.””

HAHAHHAAHAHAHHAHHAAHAHAAHAHHAA

Canonical is the sweet sweet juice M$ will consume.

Winter December 29, 2022 5:27 AM

@why [be a troll?]

Canonical is the sweet sweet juice M$ will consume.

For a counter argument, see:
Last phase of the desktop wars?
‘http://esr.ibiblio.org/?p=8764

So, you’re a Microsoft corporate strategist. What’s the profit-maximizing path forward given all these factors?

It’s this: Microsoft Windows becomes a Proton-like emulation layer over a Linux kernel, with the layer getting thinner over time as more of the support lands in the mainline kernel sources. The economic motive is that Microsoft sheds an ever-larger fraction of its development costs as less and less has to be done in-house.

For comments on these ideas, see (titles in url):
‘https://www.zdnet.com/article/linux-based-windows-makes-perfect-sense/

‘https://fossbytes.com/why-does-eric-raymond-think-windows-will-lose-desktop-war-to-linux/

‘https://techrights.org/2020/09/25/re-last-phase-of-the-desktop-wars/
(this one is wrong in every prediction about WSL)

The general idea is that the rise of the Linux container in cloud computing and the stagnation and decline of the PC market drove a migration of developers to Apple Mac systems. Loss of developers running Windows would eventually endanger Windows software development (cf., Developers, Developers, Developers). Hence the move of bolting on Linux to Windows.

All major Linux distributions are currently supported in WSL.

That move seems to have been successful. WSL is now the dominant desktop Linux in use, and the latest version, WSL2, is already running full Linux in a VM, not an emulation.

Two years on, the predictions of ESR seem to be still on track. Contrary to the above comment of what looks most like a troll.

Winter December 29, 2022 5:36 AM

@lurker

By agreeing to do business with the company the inhabitant of B has signed away some of his rights of citizenship.

Consumer protection laws and all human rights tend to be unalienable in the EU. Which makes these Terms of Service generally unenforceable.

In general, the USA does exactly the same when it suits them. If you sell certain products to an American anywhere in the world, eg, crypto-“securities”, the US will feel justified to try you in their courts for breaking US laws.

Winter December 29, 2022 5:55 AM

@Nick Levinson.

The EU cannot have worldwide jurisdiction over everyone.

The GDPR is enforced against anyone doing business with citizens of the EU or who are within their borders, and only concerns those who do business in the EU.

If you do business or interact with persons who are on EU soil, you are under their jurisdiction. If you fire a missile from abroad that falls on EU soil, you have broken EU law. The same for internet transactions that break EU law.

But say I put the sign way up on a Delaware beach, facing Russia, and Russians see it (it’s so gigantic that Earth’s curvature is not in the line of sight).

If you transport that sign to Russia, physically or digitally, you will have broken Russian law and will be tried for it if you visit Russia. The same holds for making available certain digital information or video materials to, eg, Americans or Europeans, across borders.

Some features of the GDPR would be unconstitutional in the U.S.

If that bothers you, do not interact with people from or in the EU.

But the GDPR does not concern itself with anything not related to the privacy of people from or inside the EU. I cannot see how the US constitution can get involved when PII of EU citizens on EU soil is involved. Please enlighten me.

Nick Levinson December 29, 2022 9:29 AM

@lurker & @Winter:

@lurker:

Yes, that contradiction does exist and occurs a lot. That doesn’t change the law.

Yes, agreeing to terms that include which law applies to a dispute is a problem. That’s one reason why I don’t have a Yandex email account. Some of those provisions may be lawful; some may not be.

I have websites. I tried to monetize them with Google’s AdSense program. When Google amended its terms so that my agreement to AdSense would put me under GDPR, and therefore under all EU law, that would have given me nexus in the EU. I don’t know EU law apart from the GDPR and I don’t have the financial resources to defend myself in a European court, so I disconnected from AdSense so I wouldn’t have that nexus anymore.

@Winter:

Nations sometimes do enforce laws that they’re not allowed to enforce and then sometimes they get caught up to. The U.S. Supreme Court knocked out tort claims that were largely overseas (and, except for one Florida lottery winner, had never been collected on).

Being under EU jurisdiction for doing business with an EU national depends on how you do that business. A website, in that sense, is not like boarding a ship with a suitcase of merchandise (and it’s not like landing a missile onto EU soil). Big websites may have a server in the EU and therefore have nexus there even if an EU national doesn’t use that server, but if the only connection between a US-nexus-only website and an EU national who’s a customer is that the customer used trans-Atlantic cables to download the site and send a payment, that’s not enough for nexus. If it were, no US website visible in Russia could refer to the conflict in Ukraine as a war. That’s why, for example, CNN closed its bureau/s in Russia but didn’t close completely worldwide or stop saying it’s a war.

I already said, in my post, that putting that sign up in Moscow would be illegal, and I said it just before the statement you quoted. Making digital information available is not the same thing when availability can be simply seeing across a border. Stalin didn’t like seeing the US and UK national flags on diplomatic outposts from his office window; his government persuaded one to move (I think with a new building) but not the other; but not even Stalin could simply send soldiers to take both flags down. If making digital information available were the same as physical presence, then the laws that are the most prohibitive would be the laws of the world, and some contradictions wouldn’t be resolvable, so all borders would have to be solidly sealed like as never happened yet, not for long.

A proposal was for a GDPR-like law to be promulgated in the U.S. If it were identical to the GDPR, some provisions would be unconstitutional. One remedy for that is not to pass such a law in the U.S. The GDPR doesn’t violate the U.S. Constitution as long as it’s an EU law enforced in the EU against holders of EU nexus, but enforcement of it in the U.S. may violate the U.S. Constitution and that would limit enforcement. Something akin to that happened with libel tourism in the U.S. from a foreign complainant until U.S. law was amended to shut that down.

I assembled a list of hundreds of firms that supply advertising that can be run on websites. Some of those firms’ websites have what appear to be GDPR-compliant notices on their home pages. Some don’t. Those that don’t tend to appear (based generally on my searches within their websites) to have no nexus in the EU. Not everyone in the rest of the world can be required to comply with the GDPR, no matter what the EU says. I haven’t heard of a flood of lawsuits against non-EU entities for noncompliance; there’d have to be millions of suits. Google has faced enforcement there; but Google has nexus there. I don’t have nexus there.

Winter December 29, 2022 10:19 AM

@Nick

Being under EU jurisdiction for doing business with an EU national depends on how you do that business.

Simply no. Try using that argument when selling a crypto-security to an American. That has been tried and failed.

If you do business with someone in the EU, that transaction falls under EU law.

Clive Robinson December 29, 2022 11:05 AM

@ Nick, lurker, Winter, ALL,

Re : EU legislation applicability.

” I don’t know EU law apart from the GDPR and I don’t have the financial resources to defend myself in a European court, so I disconnected from AdSense so I wouldn’t have that nexus anymore.”

No, you don’t know EU law, that is apparent.

Because disconnecting from AdSense in no way removes you from EU legislation. You have to disconnect from all EU countries / territories to do that.

Importantly if an EU citizen connects to any of your systems and you collect any information from them or their connection, then you’ve signed yourself back into the full EU legislation.

Put simply you are “Placing on the Market” a “good or service” and you fall under the “Any person legal or natural” stipulation.

It’s why you find a lot of US sites, especially news sites that rip as much PII from people as they can, have changed their front ends. That is, if you come in from any EU IP address you get a simple plain HTML page that says “access not allowed from your region for legal reasons” or equivalent.

So if you are not doing that and still collecting EU citizen data…

How much money did you say you did not have?

Winter December 29, 2022 12:09 PM

@Nick

I haven’t heard of a flood of lawsuits against non-EU entities for noncompliance; there’d have to be millions of suits.

Enforcement starts from the big fish down.

lurker December 29, 2022 12:46 PM

@Clive Robinson, @Nick Levinson, @Winter

Because disconnecting from AdSense in no way removes you from EU legislation. You have to disconnect from all EU countries / territories to do that. [emphasis added]

And therein lies a problem. Lawyers, legislators, and the rest of us have a body of law which has evolved through mediæval city states through the age of empires to modern internationalism. It deals moderately well with physical acts occurring on particular territories. We have developed a law of the sea, which deals moderately well with physical acts on the high seas.
[more follows]

lurker December 29, 2022 12:47 PM

Pt.2
But the internet is very modern in judicial terms, only thirty years. Lawmakers and judges are only slowly coming to terms with its implications. The GDPR is a useful first step. It’s not a complete answer, and will be amended, updated and replaced. The alternative offered by Silicon Valley is the Wild West.

lurker December 29, 2022 12:49 PM

Pt.3
Citizen A in nation A performs a physical act (clicking a mouse) which adversely affects the financial/medical/political status of citizen B who is actually residing in nation C. Do we implicate the company who facilitated the act, and whose servers are located in nation D?

lurker December 29, 2022 12:50 PM

Pt.4
It will take time to develop a law of the internet as substantial as the Law of the Sea. In the absence of any enthusiasm from the US, the GDPR is at least a well meaning start.

&ers December 29, 2022 1:14 PM

@ALL

Luckily some Russian rockets have bypassed their “best before” date.

hxxps://censor.net/ua/photo_news/3390102/u_budynku_na_ivanofrankivschyni_kudy_vluchyla_raketa_perebuvaly_jinka_z_dytynoyu_foto

Winter December 29, 2022 1:19 PM

@Nick, lurker

But the internet is very modern in judicial terms, only thirty years. Lawmakers and judges are only slowly coming to terms with its implications. The GDPR is a useful first step.

I think lawyers and judges, and the SD sector understand it perfectly well. They are just looking for ways to get out.

For all non-Europeans, it is very simple. Take any text or argument about the GDPR, find personal identifying information or personal data and replace it with Disney movie. Then try to make sense of it.

Like:

If someone visits my website, my terms of service allow me to resell any personal data I collect from him.

Changes into:

If Walt Disney visits my website, my terms of service allow me to resell any Disney movie I collect from him.

See how that works out when you claim a different jurisdiction [1]

[1] Example: the arrest of Kim Dotcom
https://en.wikipedia.org/wiki/Kim_Dotcom

SpaceLifeForm December 29, 2022 2:33 PM

@ Winter

WSL 2 is only available in Windows 11 or Windows 10, Version 1903, Build 18362 or later.

So, that is a non-starter to me, just to use a GNU/Linux environment when I can just install it on my machine that can directly boot it.

There is no reason to trust the Windows telemetry.

&ers December 29, 2022 3:22 PM

@Clive @SpaceLifeForm @ALL

What was in the beginning of Google

hxxps://commons.wikimedia.org/wiki/Category:Google%27s_first_production_server_rack_(1998)

Almost sad that nobody tripped there…
Maybe it would avoid the evil it has become…

JonKnowsNothing December 29, 2022 3:48 PM

@lurker, @Clive, Winter, All

re:

Pt.3 GDPR

Citizen A in nation A performs a physical act (clicking a mouse) which adversely affects the financial/medical/political status of citizen B who is actually residing in nation C. Do we implicate the company who facilitated the act, and whose servers are located in nation D?

This concept is currently under consideration in the US Courts with a particular emphasis on USA Laws of Espionage. It’s a very high stakes court case and the ruling will alter a lot of activities.

It is framed in the name of National Security, which is the easiest format to use, to get anything draconian accepted by the US Courts.

The case involves several well known names in Tech Whistle Blowing and Publishing, some of the folks are incarcerated inside the USA or UK, or living in other countries. However, there is a slip stream that rolls right down to the door step of pretty much anyone that has read the news in the last decade or so. That includes pretty much anyone who has read this blog too.

The US Court Case in Summary:

  • A document is listed as Secret.
  • A document is taken by Someone
  • That Someone shares the Secret with an Other. Which might be an NGO Organization, Corporation, Journalists and News Papers or News Organizations; for Profit or Non Profit.
  • The Other publishes the contents or describes the contents of the Secret. Printing in books, news papers, on line, etc.
  • JoePublic reads, watches, listens to reports of the Secret as published by the Other. That may include any method of transfer of information to JoePublic.

The reasoning runs very much like @lurker describes for the GDPR.

A) If Someone takes a Secret this is a crime.

B) If Someone shares the Secret with an Other this is a crime.

C) If an Other shares the Secret with JoePublic this is a crime.

There has been some historical leeway in who the Other is, and news media previously had some “protection” against prosecution for publishing the Secret. The heart of this case is to strip away this “protection”.

  • In the court case, it does not matter who the Other is. The exchanges alone are enough to bring charges under the USA Laws on Espionage against both the Other and JoePublic.

You may note that the reasoning here does not have any limitations in jurisdiction or time frame. The USA is still capable of rendition and kidnapping, having recently resorted to using kidnappers for hire. So the scope of jurisdiction is global. The time frame for use is unlimited. The application is against anyone the USA selects as a target. Your legal rights or non-rights depend on the locations where you are taken after rendition.

So, someone in Germany can acquire a document marked Secret. That document is published in the UK and printed globally: Denmark, AU, NZ, France, Spain etc. The articles are read by JoePublic world wide; analyzed in open forums, books, tech reports, discussions, and conferences globally.

All are guilty of US Laws on Espionage.

It’s a Lèse-majesté application.

===

Lèse-majesté is an offence against the dignity of a ruling head of state or the state itself.

… certain malicious acts that would have once been classified as the crime of lèse-majesté could still be prosecuted as treason.

htt ps://en.wikipedia.o rg/wiki/Lèse-majesté

(url fractured)

Clive Robinson December 29, 2022 3:54 PM

@ SpaceLifeForm, Winter, ALL,

Re : Where Next.

“WSL 2 is only available in Windows 11 or Windows 10, Version 1903, Build 18362 or later.”

How long before the other MS Windows, that precede them are gone?

If Microsoft in effect becomes Linux underneath, then we have lost diversity thus the vigor you get from different species.

Does anyone remember the original “tear-drop” DoS attack in 1997, just over a quarter of a century ago, that was down to a bug in the BSD network stack, which MS had taken as is?

Yup Windows 3.1 / 95 / NT, Mac, Linux, BSD and some but not all other *nix got hit.

Back then the banks were still having their love-in with VAX VMS so missed the fun…

There are several advantages to having code written by two or three isolated groups to implement the same protocol or standard. Something we appear to have forgotten for some reason…

Clive Robinson December 29, 2022 4:20 PM

@ JonKnowsNothing, lurker, Winter, ALL,

Re : No king required.

“Lèse-majesté is an offence against the dignity of a ruling head of state or the state itself.”

More interestingly no monarch or head of state is required in the US.

As far as the 1% of the 1% and other “self entitled” are concerned it also applies to their interests and they likewise do not hesitate with “might is right” and hiring mercenaries amongst others to “disappear” not just individuals but whole villages.

But the neo-cons and Corporates have now got in on the act and as far as they are concerned “The Market” –they manipulate the hidden hand of– is above such pettifogging of Monarchs, heads of state, national security and suchlike. They demand the right to be supreme thus any slight no matter how small is grievous cause of Lèse-majesté…

Also close behind them and rapidly pushing to the fore are those who do not call it Lèse-majesté, but heresy, and whilst not yet screaming for burning at the stake…

The scary thing is just how easily the common man falls in with these nonsenses…

Clive Robinson December 29, 2022 4:50 PM

@ Mr. Peed Off, ALL,

Re : Surveillance is ALL.

“Security related opinion article”

It’s a little more than “opinion”, follow some of the links in there for factual events of what is state terrorism and tyranny driven by a few who really should not be allowed to do what they do.

I have my “opinion” on what should happen to the people behind it and let’s just say they would not be in favour.

But the US is in trouble, much of its economic activity is actually little more than faux-churn.

The marketing industry is said to be as large as religion is, but has no tangible assets.

Much of the current marketing bubble, and that is exactly what it is, is based around the myth of “Know the mark”. The result is a surveillance market that actually fails to work for selling goods, but works extraordinarily well for state terrorism and oppressive tyranny by a few whose morals, ethics, beliefs and behaviours are highly questionable at best.

But don’t tell them this because like any rabid dog you approach the behaviour will be unreasoned working through violent to as has been seen repeated attempted homicides.

lurker December 29, 2022 5:30 PM

@JonKnowsNothing,

National Security yes, the big guy is holding the high ground. But when the Secret is the marital/pregnancy/disease/bank balance/voter registration status of a simple citizen who will invoke National Security? Nobody will care enough to have a law for this situation because they are only serfs who shouldn’t have secrets.

lurker December 29, 2022 5:50 PM

@SLF, All

As of 2022, WSL 2 includes a (rather recent LTS) Linux kernel 5.15.74.2.[1]

Will it run earlier kernels? Who cares when it’s a Rube Goldberg subsystem of Windows(TM). I hear the arguments, is it a HV or a VM? It doesn’t matter if Windows has to boot first. If anybody rilly, rilly needs some Windows app, then run Windows in a VM on a pure Linux box. There, fixed that for you.

&ers December 29, 2022 6:04 PM

@Clive

Brits are well known for their wonderful dark and absurd humor. However have you ever seen Soviet Kin-dza-dza? It is described as “Mad Max meets Monty Python”.

If not, find a time. You will not regret it.

hxxps://en.wikipedia.org/wiki/Kin-dza-dza!

hxxps://lwlies.com/articles/kin-dza-dza-1986/

JonKnowsNothing December 29, 2022 6:23 PM

@ lurker, @Clive, Winter, ALL,

re: National Security yes, the big guy is holding the high ground. But when the Secret is the marital/pregnancy/disease/bank balance/voter registration status of a simple citizen who will invoke National Security?

The case is actually not about National Security, it’s about who has access to information that might be deemed part of National Security.

As insightfully stated above: Where in the chain does National Security stop?

Is a carrier, internet provider, web hosting system, blog provider, social media company, person2person exchange, video conferencing etc. responsible for the dispersal of Embargoed Information?

The first wedge is easy: NatSec

If it is determined that the publisher, provider, hosting system, persons-at-large using these systems are all Complicit in a Crime, that crime can be anything at all. If you consider the volumes of legal tomes in a legal library in every country, they all fall right in line with anyone being a target for anything.

NatSec strips any semblance of personal autonomy.

So, the GDPR question is focused on the Harm To Persons. The USA approach is the Harm to Nation State. It’s the same thing. Once we can define a harm, we have judicial cause.

  • A tort is a civil wrong that causes a claimant to suffer loss or harm, resulting in legal liability for the person who commits the act.
  • Criminal Law prescribes conduct perceived as threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people inclusive of one’s self.

The GDPR may be focusing on Civil Wrongs while the USA is moving straight toward making the same things Criminal ones.

Nick Levinson December 30, 2022 12:48 AM

@Winter, @Clive Robinson, @lurker, & @JonKnowsNothing:

@Winter:

You wrote, “If you do business with someone in the EU, that transaction falls under EU law.” The person in the EU is under EU law. I’m not in the EU, so, unless I have some other nexus, I’m not under EU law. The transaction itself is under EU jurisdiction insofar as the EU person is under it but not insofar as the non-EU person is not under it. An international transaction dispute is legally complicated.

You wrote, “Try using that argument when selling a crypto-security to an American.”: I am an American and do not have nexus in the EU, so if I sold most kinds of things to an American and did so in the U.S., the EU would not have jurisdiction. I don’t know if there’s a particular item that if sold outside of the EU between non-EU persons would come under EU jurisdiction; probably that would include products sold under a government license conditioning transfers with the first transfer being in or with that nation. And maybe there’s an EU-based crypto-security owned by the EU that would come under EU jurisdiction even if sold in the U.S. between Americans. But, in general, how the sale occurs matters along with where and between whom. So, let’s say buyer and seller are with only U.S. nexus and conduct the sale in the U.S. but via a website hosted in the EU, even if it has a .com or .us top-level domain. That hosting could put the sale under EU jurisdiction. But if that website has no nexus outside of the U.S., the EU could have no jurisdiction.

Imagine a world in which every nation has worldwide jurisdiction over every person and every act. You, for example, could be required to pay 10% tax on your income to every nation every year for the rest of your life. The U.N. has 193 members; therefore, you’d owe 1,930% of your income in taxes every year for the rest of your life. Failure to pay could entitle 193 nations to imprison you, since nations don’t have to have bankruptcy laws. Also, sovereignty would effectively cease to exist. There is no nationhood without sovereignty. But sovereignty is granted or protected by the norms of international law. Therefore, no nation or group of nations can possibly have worldwide jurisdiction over all persons everywhere. They can say they have it, but just saying it isn’t enough to get that jurisdiction.

Your Disney example is likely in real life to become a case of battling terms. Retailers in the U.S. have that problem all the time with institutional purchase orders. One retailer had 2,500 words on the back of their sales form, one side of the battle; among other things, it purported to void the customer’s terms. Perhaps a customer’s terms purported to void the retailer’s terms. Battles of terms usually get ignored as long as one side pays and the other side hands over the product; sometimes, the terms get litigated, often to determine the intent of the parties.

If the GDPR were applicable worldwide, any nation wanting an equivalent law needn’t bother promulgating one, and that includes the U.S. Evidently, proponents in the U.S. wanting that law think the GDPR doesn’t apply in the U.S. (except in limited exceptions).

@Clive Robinson:

With Google AdSense, how to disconnect from the GDPR was clearly stated in Google’s AdSense terms. I complied. As I recall, one disconnection per code fragment per Web page was sufficient. I did not have to find a separate disconnection procedure for each of the then 27-28 nations for each code fragment. Google had the nexus and using Google AdSense meant I’d have the nexus Google had; disconnecting as Google instructed ended my non-U.S. nexus.

An EU national sending me their PII and my keeping it is not enough to give me nexus in the EU. Without that nexus, I would not be under the GDPR. You wrote, “under the ‘Any person legal or natural’ stipulation”: Whose stipulation? If the EU’s, the EU does not have worldwide jurisdiction over all persons, only those persons who have EU nexus.

Many websites that seem to be U.S.-only actually have foreign nexus, despite the top-level domain. For example, a website’s owner may have an office or a server in the EU. Even if someone without EU nexus uses the website without using that office or that server (somehow), that usage may be enough for EU jurisdiction over that person. That would be like my flying on a French flag aircraft; even if I get on, fly, and get off entirely within the U.S., I’d have EU nexus during that time.

@lurker:

Internet law does not build from emptiness just because the Internet is relatively new. It draws on existing bodies of law, subject to amendment and other legal processes. Some people used to claim that the Internet, being new, has no law; courts said otherwise.

I was rushing yesterday morning, so now I’ll clarify how both sides of a conflict may be consistent with the same law. E.g.: The U.S. sends a spy, a U.S. national, into Russia to get a Russian military secret against the U.S.; this violates Russian law but is lawful under U.S. law. Russia sends a spy, a Russian national, into the U.S. to get a U.S. military secret against Russia; this violates U.S. law but is lawful under Russian law. By the norms of international law, which are generally above treaties and are binding, and are also called general international law, each nation has the right of national self-defense, which, when justified and within appropriate scale, allows breaching another nation’s sovereignty including by war. The U.S. and Russia have nuclear-warheaded ICBMs aimed at each other; therefore, each nation, because it is so lethally aimed at, has the right of self-defense against the aiming nation. That’s roughly the legal basis for each aimed-at nation to send a spy into the aiming nation. It’s also the legal basis for the spy to be covert, including lying to get a visa. However, the right of self-defense also works the other way. A nation that learns it is hosting an enemy spy can legally defend itself by arresting and executing the spy. The spying nation can protest, but the law remains. I doubt that spying alone, on today’s scale and even when successful, is considered by most national governments to justify sinking an entire enemy nation to beneath sea level and drowning everyone there with a massive nuclear attack. A U.S.S.R. power complex had an explosion and a fire that could be seen from space; no war ensued over it; the U.S. had a lot to do with the damage and is still proud of it; but it happened because the U.S.S.R. stole the software and then installed it. Stealing is stealing even if, as there, antitheft security was intentionally tepid. The stolen software had been previously modified so (mis)use would have an effect the U.S.S.R. wouldn’t like. I’ll be a bit flippant here: the U.S.S.R. should have checked the EULA; if they didn’t see a EULA, they should have asked every copyright owner if copying is okay.

@JonKnowsNothing:

Where you wrote “Criminal Law prescribes conduct perceived as threatening, harmful, or otherwise endangering to the property, health, safety, and moral welfare of people inclusive of one’s self.”, maybe you meant “proscribes”, not “prescribes”.

JonKnowsNothing December 30, 2022 1:48 AM

@Nick Levinson , All

re: prescribe v proscribe

Criminal law is the body of law that relates to crime. It prescribes conduct perceived as threatening, harmful…

The sentence on Criminal Law was clipped from the wikiP page on the topic which used the word “prescribe”.

IANAL

Interesting catch on interpretation:

  • Prescribe = to recommend or authorize, establish, or lay down as a rule to follow

Using “prescribe” to mean “establish or lay down rules of bad conduct”.

  • Proscribe = to forbid, ban, or condemn, to prohibit as unlawful, to outlaw

Using “proscribe” it would mean “a list of rules that are unlawful”.

If a country uses Napoleonic Code (as in Louisiana, USA), it’s a long list of specific unlawful actions; all proscribed.

If a country uses Common Law (most of the USA), rulings are based on previous outcomes (precedent); all prescribed.

The specific vs generalized.

Clive Robinson December 30, 2022 2:22 AM

@ Nick Levinson,

“The person in the EU is under EU law. I’m not in the EU, so, unless I have some other nexus, I’m not under EU law.”

The EU regards a transaction for goods or services from two basic points.

1, The seller has choice to sell into the EU market or not.

2, The purchaser defines where the transaction takes place.

Therefore as a supplier of goods or services into the EU market you voluntarily agree to be bound by EU legislation for the transaction.

That is you are “Placing on the Single Market” under the single market legislation and regulation.

As for your,

“I did not have to find a separate disconnection procedure for each of the then 27-28 nations for each code fragment.”

Actually you do “for every transaction”, as the nations have not given up their Sovereignty, you sell into a European nation you abide by their legislation for each and every transaction you enter into. But as the Sovereign Nations have agreed to be part of what was called “the common market” in general what you do for a single transaction to one of them is done under the same terms for each of the Sovereign Nations in the EU.

If you forget that you can get into a world of hurt. People assume incorrectly that the CE mark is sufficient to “place on the market”. As the designers of communications devices with an “Over The Air”(OTA) interface such as a mobile phone are aware you have to ensure that you do not sell it into the wrong nations. So you are required to mark,

1, The product
2, The product documentation
3, The product/shipping cartons

With the correct national information. The French have confiscated and prosecuted those who have failed to do so.

It’s that simple, you arguing that you have some remote base of operation is of absolutely no relevance whatsoever to each and every transaction you make on the EU market.

Nobody is forcing you to make the transaction you have choice to do so or not. If however you agree to make the transaction by placing it on the market you are agreeing to be bound by EU law.

Don’t try and argue otherwise, it does not work, the transaction for your good or service is in EU jurisdiction no matter where you are based.

Your national law applies to you only as the seller/supplier of your good or service out of your sovereign nation, that is its limit of jurisdiction. So if your nation allows you to enter into a transaction for the good or service into the EU you may do so, if it does not then it is you who is liable to your nation.

It’s not complicated to understand, people trying to complicate it are usually only doing so because they wish to break the law that applies.

As for,

“An EU national sending me their PII and my keeping it is not enough to give me nexus in the EU.”

You are wrong, they do not send it, it is you that are taking it. That is it is your software, running on the users computer inside the EU that is transporting the information out of the EU. The transaction falls under EU legislation.

Your notion of a “nexus” is bogus. The EU legislation you agree to applies to the transactions not your corporate structure.

Winter December 30, 2022 2:23 AM

@Nick

The person in the EU is under EU law. I’m not in the EU, so, unless I have some other nexus, I’m not under EU law.

Julian Assange is not an American and was not in the US. Neither is Kim Dotcom. Both are/will be extradited to the US and tried under US criminal law for allowing “sharing” of information.

Quite a number of non-Americans are under US warrants for selling crypto-“securities” to Americans from far outside the US.

But “stealing” data from Europeans is OK?

Nick Levinson December 30, 2022 5:25 AM

@Clive Robinson & @Winter:

@Clive Robinson:

Nexus is not corporate or entity structure. It is the connection. For example, citizenship or presence is nexus. For a corporation, it can also be locality of employment, realty ownership, or place of incorporation. Nexus is a key to jurisdiction.

If my website has a form, when a user downloads my Web page, fills it in, and uploads it with a Submit button, the user is acting. If my form is a request, that request is in my server (my hosting service’s server is in the same nation as I am and so is for these purposes essentially indistinguishable) and is downloaded by the user into the user’s computer. I don’t operate the user’s computer. I am not pressing the user’s Enter key or sending the entries out from the user’s computer. I am accepting the input. This is similar to what happens if I sell through a magazine ad with a coupon; if someone finds the magazine, finds the ad, clips the coupon, fills in the coupon and attaches the payment, and mails it, I’m responsible for placing the ad and for what I do when I receive the coupon and the payment but I am not responsible for following the law where the customer is (if I misstate package contents on a customs declaration the importing nation may seize the package but that’s in the addressee’s nation and not in my nation unless a treaty applies). An issue came up when Germany outlawed pro-Nazi literature but American publishers supplied it anyway to German customers through the mail; Germany asked the U.S. FBI to put a stop to it but the FBI said it’s not illegal for American publishers to sell and distribute it. It is legally possible for the same transaction to be lawful in one nation and unlawful in another. The German could be liable for importing the lit even while the American is permitted to export it. The American in exporting the literature does not necessarily agree to the German law and probably doesn’t. The libel tourism cases illustrate my point; someone in the U.S. wrote a book saying some Saudis had financially supported the 9/11 attack; about 20 copies of the book were sold in the U.K. through Amazon; a Saudi sued the author in a U.K. court and won a settlement because defending on a sale of 20 copies wasn’t worth much expense; the Saudi then came to a U.S. court to go after much larger sales here on the basis of the settlement under the U.K.’s law on libel which is broader than the U.S. libel law; this was informally called libel tourism; U.S. statute law amendment (I think State laws) made those claims illegal in the U.S. without changing U.K. law. I can provide a Web page by hosting it in the U.S. without thereby agreeing to EU law. The CIA has a home page; if someone in Russia or PRChina accesses it against the law of their nation, that does not put the CIA itself in violation of that nation’s law for providing that home page.

@Winter:

In many cases, such as Julian’s (I know little about Dotcom’s case and nothing about the crypto-currency cases), a person whom one nation wants to arrest has to be in that nation or in a nation with which the nation wanting to arrest has an extradition agreement. The U.S. has issued arrest warrants for some Russians for cybercrimes; those Russians are safe while in Russia because Russia does not usually extradite to the U.S., but some of them travel abroad from Russia and go to a nation with which the U.S. has an extradition agreement and that is where they are arrested and turned over to a U.S. representative, who transports them into the U.S.

My hosting service’s owner said that he cannot vacation outside the U.S. Collecting and keeping PII from EU nationals if in violation of EU law may give a non-EU person liability in the EU if they are later in the EU. I don’t think you’re going to see millions of Americans without EU nexus being extradited to or sued by the EU, even after the EU has won cases against big U.S.-based players who have EU nexus. Even if the EU wants those millions, the claims grounded in the GDPR will likely include claims that would violate U.S. Constitutional law, which will result in inability to sustain suit on those grounds in U.S. courts or to achieve extradition if resisted in U.S. courts.

Winter December 30, 2022 6:05 AM

@Nick

My hosting service’s owner said that he cannot vacation outside the U.S. Collecting and keeping PII from EU nationals if in violation of EU law may give a non-EU person liability in the EU if they are later in the EU.

That holds for many nationals in the rest of the world who cannot visit the USA because they violated USA law while outside the US.

When your owner steals data from Europeans for a profit, I do not see the difference with a non-American reselling Disney movies online.

Winter December 30, 2022 6:48 AM

@Nick

Even if the EU wants those millions, the claims grounded in the GDPR will likely include claims that would violate U.S. Constitutional law, which will result in inability to sustain suit on those grounds in U.S. courts or to achieve extradition if resisted in U.S. courts.

First of all, the GDPR does not violate the US constitution. It simply states that PII and personal data are the exclusive property of a person. That is not different from claiming that the image of Mickey Mouse is the exclusive property of Disney Corp. Nothing objectionable in constitutional terms.

I know the USA was founded on ignoring the property rights of “other people” in the most basic sense. But nowadays, the USA can be subject to laws that protect the property rights of non-Americans.

The EU does protect the safety and property of its citizens, online too. So if Americans sell property that is not theirs but that of Europeans, the EU can start legal proceedings against those involved in the theft.

The fact that you do not find that “just” or “fair” is irrelevant. It was and is irrelevant for those who were kidnapped, tortured, and kept imprisoned in, eg, Guantanamo bay, it is irrelevant for your case. Criminal Law often works against the wishes of those caught up in it.

From the non-American standpoint it is simple: Americans take our data without our consent, we label that “theft” and start corrective action.

Clive Robinson December 30, 2022 7:33 AM

@ Nick Levinson, JonKnowsNothing, lurker, Winter, ALL,

“Nexus is not corporate or entity structure. It is the connection. For example, citizenship or presence is nexus. For a corporation, it can also be locality of employment, realty ownership, or place of incorporation. Nexus is a key to jurisdiction.”

I had hoped to limit this discussion but it appears to just get longer. The US legal definition of “nexus”[1] is primarily defined in traceable financial terms through organisational structures. Where a structure is a meaningful set of connections between nodes or entities.

I’d already pointed out prior to your use of nexus, the EU legal connection which brought you under EU legislation was made when you voluntarily entered into a “transaction” involving any “good or service” by a “person legal or natural” within the EU.

However you claimed you did not have such a connection and that only left organisational structure / relationships…

So I pointed out they also applied.

So a nexus exists when a transaction is carried out. Such a transaction is a User in the EU clicking on a link to your web server, and your webserver downloading any type of script or programming code into the user’s browser.

It’s why I pointed out that some US entities with “smarter lawyers” have been advised to only download a simple HTML page to the user with a clear message that for legal reasons the user was not being allowed to use the site[2].

That is it is beholden on you to arrange your systems and servers such that a transaction you enter into does not obtain any information other than that presented to you by the Internet infrastructure and then closes the connection.

Do anything else and legally you’ve quite voluntarily placed your servers and staff under EU legislation.

I’m really not sure what you are not comprehending about this.

For instance you say,

“If my website has a form, when a user downloads my Web page…”

No that is incorrect, it should be,

“If my website has a form, when my server downloads my Web page…”

It’s not the “user” that carries out the action, it’s the “server” and that is fully under your control. Thus your server downloading the form into the user’s browser inside the EU has voluntarily entered into the transaction, and EU legislation applies.

As for you saying,

“I don’t operate the user’s computer.”

You are joking aren’t you?

An HTML page is a series of instructions you use to tell the user’s browser what to display; CSS and JavaScript take this even further, HTML 5 and WebAsm go way, way further.

The fact that you can instruct a popup to appear over the content you’ve downloaded that the user can not remove, is clear and positive proof that you, not the user, control that aspect of the user’s computer.

“I am not pressing the user’s Enter key or sending the entries out from the user’s computer.”

Err how do you think those hints and suggestions you see on web search engines etc work?

They are uploading what the user types character by character long before they hit enter.

As I’ve pointed out before the user’s use of words and their typing cadence is a very useful biometric… That Alphabet amongst others clearly use.

I could go on pointing out the other assumptions and mistakes you are making but from the way this is going you have not grasped the fundamental concepts involved.

[1] Nexus from, https://www.lawinsider.com/dictionary/us-nexus

US Nexus means where there is any US involvement or connection, including (without limitation): (i) any US dollar denominated transaction; (ii) any payment in any currency that is cleared through the US financial system, including foreign branches of US banks, and US branches, agency or representative offices or US accounts of non-US financial institutions; and (iii) any US Person, including US financial institutions, foreign branches of US banks, and US branches, agency or representative offices or US accounts of non-US financial institutions.

[2] Although some US web servers drop the initialisation, that is actually technically illegal under EU disability legislation.

lurker December 30, 2022 1:14 PM

@Nick Levinson

An international transaction dispute is legally complicated.

@Dick the Butcher

See Henry VI Pt2 4.2.40 (thanks modbot)

They say the law was once carved into two blocks of stone carried by one man. [Exodus 31.18]

@Clive pointed out, just downloading a single html page involves not only the writer of the html code. Also implicated are (inter alia)

  • the writer of the http server code
  • the owner/operator of the server machine
  • the registrant of the domain name

wherever they may be located. And that’s before we add a single tracking pixel, or stylesheets and javascripts from content distribution networks.

@Nick

Internet law does not build from emptiness just because the Internet is relatively new. It draws on existing bodies of law, subject to amendment and other legal processes.

A transaction on the internet is not the simple transaction of Mosaic law, even if some courts wish it so. The GDPR’s attempt to proscribe limits on such transactions seems to have touched some nerves in the US.

Ted December 30, 2022 6:29 PM

@vas pup

Re: “See no evil: People find good in villains”

I hope you don’t mind that I’m moving this over to a Squid thread.

It’s interesting that the U of Michigan study focused on the assessment of fictional characters. Maybe that was an appropriate approach for a study that had a majority of children participants.

It does seem like a complex question: “How do children make sense of antisocial acts committed by evil-doers?”

That topic is actually not that far off from a book I just started: “Home, Land, Security: Deradicalization and the Journey Back from Extremism.” I picked it off the Pulitzer Prize list from 2022. It was a Finalist.

The author’s approach is similarly inquisitive and searching. I only just started it, but I think the book will be equally as thought-provoking as the study you posted.

JG4 December 31, 2022 9:53 AM

Wishing everyone a Healthy Prosperous New Year in 2023 or 2567, regardless of what year you believe it is.

No surprise here. This is a lot like Microsoft’s failings of the 1990’s, in which it was assumed that everyone with physical access could be trusted. Turns out that’s often not the case.

Luxury cars are gone in 90 seconds with thief kit
https://www.thetimes.co.uk/article/luxury-cars-are-gone-in-90-seconds-with-thief-kit-z300g0njf
Ben Clatworthy, Transport Correspondent
Saturday December 31 2022, 12.01am GMT, The Times

Security experts know of scores of cars with flaws that let criminals access a vehicle’s controller area network bus, which enables electronics systems to communicate with each other.

On some cars, components on the outside can be removed, revealing wires that allow access to the network that controls that car, including locks, the immobiliser and the engine. Cars can then be stolen within 90 seconds.

Ken Munro, of Pen Test Partners, a security firm, said manufacturers were shocked at the ease with which cars were being stolen. “I think they underestimated the ability of technologists to weaponise these attacks,” he said.

Clive Robinson December 31, 2022 10:49 AM

@ JG4, ALL,

May those celebrating “New Year” tonight enjoy themselves[1].

Re : Gone in a minute or two.

With regards the article quote

“Security experts know of scores of cars with flaws that let criminals access a vehicle’s controller area network bus, which enables electronics systems to communicate with each other.”

You might find this fairly inexpensive device of interest,

https://m.youtube.com/watch?v=lQUC6d6_r38

It takes very little to make it do much of the things required to,

“Slip in and drive off”

The reason that it’s luxury cars that get hit currently is two fold,

1, Luxury carries a premium price, so high ROI for the thief.
2, Luxury cars are for the lazy, thus get all these insecure features fitted for their convenience as well as that of the thief.

The second one is changing in that these insecure features are rather quickly working their way down into lower and lower end vehicles, as electronics becomes less expensive than mechanical systems.

This sort of thing has been going on for over a third of a century. Yet… Nobody in the auto industry appears even remotely concerned with actually fixing the insecurity issues.

There are two basic reasons for this,

1, Stolen cars lead to new car sales.
2, Those who steal cars are often not criminals but “repo-men” and the like, who also are lazy and like an easy life.

[1] I actually, for the fun of it, celebrate three new years each year,

1.1, Winter Solstice or “Yule”.
1.2, Gregorian Calendar “Dec31”.
1.3, Lunar New Year.

Oh, and two Xmases: Gregorian Dec25 and older Orthodox Jan7, the day after Epiphany Eve / 12th night.

Just to keep the fun going that little bit longer till we get to Burns Night Jan25 and Australia Day Jan26… If you think there should be others I could celebrate as an excuse to fight the “winter gloom” let me know 😉

Bryan December 31, 2022 11:42 AM

@Clive: Look into Makahiki; it is far superior to other end of year festivities in that it takes an entire month.

Nick Levinson December 31, 2022 11:46 AM

@Clive Robinson, @Winter, & @lurker:

You’re, like many people, even like many attorneys, missing the norms of international law. They’re rarely discussed and may get little treatment in bar exams, but the norms are not psychobabble or merely advisory. They’re law above all law except natural law. If, say, a U.S. Constitutional provision contradicts the norms, the contradictory Constitutional provision is not law. Law is what by a legal method can be enforced. What regardless of circumstances cannot legally be enforced is not law. Purported inferior laws that contradict the norms are not law. They are not in a written primary document like the U.S. Constitution or a Magna Carta; instead, the primary sources include writings of speakers of law (viz., professors) and of national chief judges; this makes researching them harder, before considering the languages in which the primary sources are written. The inconvenience of researching them reduces the likelihood of discussing them but does not make them not law. Some discussions of the norms reference them under other terminology, such as by including them in national security law, but the norms definitely apply anyway; the International Court of Justice can enforce the norms as general international law (see (with different wording) Article 38 of its statute). War is sometimes another legal method of enforcing the norms.

URLs in this post are as accessed yesterday or today.

Each of you is responded to separately below.

@Clive Robinson:

Defining nexus: It is not about organizational structure. The source you cite for that view says for US nexus “any US involvement or connection” and only then goes on to say what that includes. Other sources speak similarly: “A point of causal intersection , [sic] link, relation, connection.” “[A] connection or link between things, persons, or events esp. that is or is part of a chain of causation”. “A point of causal intersection, link, relation, connection.” “Generally, a nexus refers to a connection.” When determining whether you have nexus to a nation for determining whether that nation has jurisdiction of the person that is you, if your only connection is that you have a photo of a German landscape on your living room wall, you do not have nexus with Germany, but if you live in Germany you do have that nexus. I gave other examples of having nexus above. When Google limited search engine results about Tiananmen Square, they did so in P.R. China but not in the U.S. (I just tested the latter); that was because Google had nexus in China and thus had to obey Chinese law but Google.com hosted in the U.S. was not under Chinese jurisdiction, so China instead blocked access from China through its firewall. U.S. sovereignty limited Chinese authority overseas.

On the need for recognizing differences in laws among 27-28 nations, that is why I ended my nexus with all of them by following Google’s procedure that applied to all of them for the nexus I had acquired through Google AdSense. (Google’s Ads did not require accepting or having the nexus, regardless of where my ads might run (when I ran ads).) Someone in the EU can now email me their PII and I don’t have to apply the GDPR because I don’t have that EU nexus. None of the EU nations have jurisdiction over me.

You mention sovereignty. Precisely. Every nation has sovereignty. That is why a nation cannot just impose its jurisdiction within another nation without lawful ground, such as nexus or lawful war. The member nations of the EU each have sovereignty but so do the U.S., P.R. China, India, Russia, Iran, Cuba, and Peru.

HTML and CSS are interpreted and executed at the user’s computer according to the user’s computer’s ability to interpret and execute what it encounters. That’s why which browser or user agent and which version a user is using matters. JavaScript, on which I know little and have little of on my sites, apparently is executed in a user’s browser. Security issues would abound otherwise and would make the Internet largely intolerable. (Google Autocomplete is, I think, based on JavaScript, at least for Maps and likely for other services.) The Firefox 108.0.1 (64-bit) browser on Linux, at Settings > Search, lets me turn off Google Autocomplete, as Suggestions, and lets me block popups, at Settings > Privacy & Security > Permissions > Block pop-up windows, so those are normally user-controlled. (There may be an exception for thin clients set for server-side execution, probably within an intranet, which could be international, such as within a single multinational company, but we’re discussing general cases.) (HTML 5 has been succeeded by HTML Living Standard although old versions of HTML are still in use. I’m not familiar with WebAsm, WebAssembly, or Wasm.)

@Winter:

The hosting service owner is at risk, probably not for PII in the sense we’re discussing but because he offers hosting to foreign dissidents whose national governments want them to shut up. The issue of an American being subject to law enforcement if he leaves the U.S. for allowing foreign dissidence is the same as with the GDPR, regardless of whether criminal or civil law is at stake and regardless of which non-U.S. nations are adverse on point. Both with dissidence and the GDPR, worldwide jurisdiction by one nation or subset of nations over all humans cannot exist.

PII and Disney are different, because PII is underlying information about a person and that kind of information cannot be under U.S. copyright. If I write a note on how to get to a building which is by walking up this street three blocks, that’s probably not copyrightable information; but if I write a poem to express the directions with drama, that form of expression may be copyrightable. So it is with Disney’s product. The U.S. Constitution explicitly provides authority for copyright.

Also on Disney, international law has many enforceable principles. Some apply to every nation simply because the nation exists; these are in general international law (a/k/a norms of international law). Other principles apply to some or all nations because those nations agreed to them; these are in treaties and lesser agreements. Copyright, as is extradition, is largely in a body of treaty law as well as in national domestic law. So, downloading a movie under copyright (downloading being copying from their server to a user’s computer), if done wholly in the U.S., generally violates U.S. law unless Disney okayed it; absence of Disney’s permission cannot be overridden by a user’s terms of service because U.S. copyright law is superior to most users’ terms of service. If the copying crosses an international boundary and if both nations have copyright law and are parties to a treaty protecting copyright, Disney is likely protected by that. But Cuba about a decade ago helped itself to a copy of the Sopranos TV show and planned to broadcast it without paying royalties; that doubly violated U.S. law but probably not Cuban law or any agreement to which the U.S. and Cuba (and maybe others) were parties. So, there’s a gap such that a Sopranos copyright claim fails in Cuba. After JFK was assassinated, a U.S. reporter (on WINS-AM radio) said Fidel Castro was behind it. According to the reporter, Fidel personally phoned him and threatened at least arrest if he’s ever in Cuba, even by being on a hijacked airplane. I assume the reporter violated Cuban law and Cuba is legally allowed to have such a law, but the reporter is (while alive, it’s been decades) safe in the U.S. and in some other nations but not in Cuba. But Cuba was not free to make anti-Castro expressions unlawful worldwide and require U.S. compliance or the reporter’s or broadcaster’s compliance with such a Cuban law. The EU is bigger than Cuba; but even the EU can’t have a law with worldwide applicability.

No nation or subset of nations (e.g., the EU) can have worldwide jurisdiction over all human beings anywhere. Some nations want it; they might assert it, and do for some purposes (e.g., Spain’s extraordinary jurisdiction); but it’s illegal to go that far. Not all law is always enforced even if it should be (e.g., no one invaded Spain over it); but not always enforcing a law does not make it not a law.

The GDPR is not in violation of the U.S. Constitution but that is because the GDPR is not under the Constitution. But a copy of the GDPR enacted in the U.S. would be, in part, because of the First Amendment. E.g., I have rights of free speech and free press and, being rights and not duties, those include the right not to speak and not to print; so I generally don’t have to tell you what I know about you or erase it (there are exceptions but those are exceptions, not the general case). The U.S. could enter into a treaty providing protection similar to that of the GDPR, but hasn’t.

You write, “I know the USA was founded on ignoring the property rights of ‘other people’ in the most basic sense. But nowadays, the USA can be subject to laws that protect the property rights of non-Americans.” Yes and yes. (The ignoring was also practiced by many nations, such as the (Holy) Roman Empire.) But that subjection cannot be unilateral or the U.S. would not have sovereignty. For the U.S. to have a right to be forgotten would require a U.S. law; the EU cannot impose it on the U.S., even if the EU were to say it can; and a U.S. right to be forgotten would likely violate the First Amendment rights of whoever is supposed to do the forgetting. What constitutes property also differs by nation. If information about someone is that person’s exclusive property if that person is in the EU, the U.S. need not have that definition of property for someone in the U.S., whether that information or property is online or not.

@lurker:

Many of those you list, “the writer of the http server code”, “the owner/operator of the server machine”, “the registrant of the domain name”, and the like are not under the jurisdiction of a nation or subset of nations with which they do not have the requisite nexus for that jurisdiction, even if said nations desire otherwise. The norms of international law, by granting sovereignty, generally deny that cross-border jurisdiction unless there’s the nexus.

You wrote, “A transaction on the internet is not the simple transaction of Mosaic law, even if some courts wish it so. The GDPR’s attempt to proscribe limits on such transactions seems to have touched some nerves in the US.” Courts enforcing law as they do is implementing the law and generally is guidance on what the law is. Your latter point is addressed above.
