I used to use linked'in@mycustomdomain.com. It (slightly) broke the interface for reasons I won't understand, but I eventually got lazy and changed it to a normal email. The extra page refreshes were driving me crazy. Seems I should have kept it.
You could make a case for everyone being bumbling and third-rate today. Post an edge case and have a lack of information to counter. I think by not addressing concerns head on gov't agencies are inviting this type of behavior. I don't agree that stating that you have white labs as a defense for possibly tainted equipment is a full answer. I assume there is more coming since having a white lab test of equipment would be unreasonable for every piece of equipment due to workload. Not testing every piece of equipment to be used isn't a solution either since if Huawei is "evil" then they will just taint the box going to the correct provider.
If the Canadian government doesn't want people talking negatively about them then there needs to be more transparency. Not to the level of risking a breach, but something along the lines of a list of safeguards they are implementing. I wouldn't ever consider one safeguard a solution. If somebody feels the need to call out where the information is, I would legitimately like to read it.
I am a fan of NIST. They seem to be pushing forward with a less than average amount of bureaucracy. By definition everything should be public and they don't have any responsibility for enforcement of the rules, which might be a slow pitch to your question.
Drawing from my roots, the Canada Wheat Board was always surrounded by heated arguments and controversial decisions. There was the UN wheat scandal, but that is more a matter of whether you believe they are evil and not their level of incompetency.
They received a significant amount of name calling due to their decisions and policies, but I can't recall any significant missteps in their application of the policies they set out to act upon.
>Maybe I'm just being paranoid but I'm a security engineer. I'm supposed to be.
No, you really shouldn't. Every bad thing can happen unless you protect against it, but being paranoid isn't helpful for this industry.
This was going to happen eventually. If they didn't want this to happen then the funding would be there to have this system built up with triple redundancy (or possibly 7 times, maybe they have triple). We all do the best with the funding we have. The good thing about this is that they assessed the problem and they had remediations for it. They announced it publicly (using several methods) and they have an alternative line.
Given the typical vehicle up here in the North, if the bus has even a few people on it, it probably is an environmental win. Generally if a person is needed up here then a person will go down and get that person and return with them. Cars are less common than trucks and a "small" truck is a 1/4 ton. Additionally, the Greyhound is a popular shipping choice for industry because of the time to ship. Most of the packages/mail gets sorted in Vancouver and then returns back up to Prince George. Putting it on the Greyhound and having it get to where it needs to go next day was amazing. Shipping times were often better from Alberta and BC with the major players since the package didn't have to double back. Hotshot services are typically field based, but it isn't rare for somebody to hotshot packages between cities since it can take days through other methods now.
Outside the filehash thing there isn't anything wrong with his responses. The project chose to get third party products from sources outside their control. There is nothing "technically" wrong with it. The thread is littered with poor security practices, but I see TightW's response as more painful. The admin is already clearly aware of the concern and is stating why it is set up that way. I would much rather see somebody state the practices are wrong rather than just calling this guy out since it is really counter-productive.
Your reactions to this post deeply concern me. I do believe this is a serious problem; you should at least entertain investigating whoever you have an agreement with in regards to bundling their stuff into your installer.
Your defensive attitude is what alarms me the most. Almost as if you might care more about your bundle agreement profits than your users' security/safety.
Hole in one. I wouldn’t trust those admins to make me a cup of tea, and I agree that their attitude reeks of deception for selfish reasons. Nobody should ever trust their software again, full stop.
I don't support crapware but I'm not going to tell someone how they should make their living. That post looks like rabble rousing to me. I have yet to see any factual information except a whole lot of "it seems" "it appears" "I believe". I'd rather reserve judgement till the facts emerge.
If I see someone being immoral I'm going to tell them "how to make their living", not because I hope they are going to be so inspired as to change for the better, because you and I both know that's not going to work.
I do so because I hope other people will listen and stop doing business with them leading to a decrease in profit and THEN changed behaviour from the culprit.
There is lots of factual information. They are factually doing a lot of malware like behaviour in their installer and bundling software from questionable sources they have no control over. At best they are putting their customers at risk.
The only facts that can possibly emerge is that it's actually worse and customers are getting their identities stolen or some such.
Rabble rousing is literally the only way anything gets fixed.
Okay, but malware "like" is not actually malware. If it turns out that it is, then of course why would anyone support a malware distributor.
>They are factually doing a lot of malware like behaviour in their installer and bundling software from questionable sources they have no control over.
Their explanation was that AV vendors flag their competitors, so now in the 'arms race', competitors have resorted to downloading individual bits from random URLs and then merging them together. While this would be a technique that malware would use to possibly defeat security software, hey, it's also how torrents work. Tools can be used for good or bad.
The admin's replies are clever smokescreens: they stay neatly on the periphery of the matter and avoid giving actual answers to the questions being posed.
Whoever wrote these replies would probably do well in politics.
Dude you are all over these comments defending indefensible behavior. What they are doing is wrong. Full Stop. You seriously sound like the admins in the forums.
I'm wagering he has some kind of connection or relationship with the software or developers. There's just no way someone would espouse the views KSK holds without some kind of external factor / ulterior motive.
Oh my god. You're talking to competent computer users on Hacker News, not people who use crapware download sites and need to be warned away from them by "HowToGeek".
Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.
The fact that the people who run most download sites are scum isn't a problem with the software. It's a problem with those sites.
>HN readers are capable of not using FileZilla, because its admin is actively trying to mislead its users into running malware.
Then your prior comment makes no sense to me.
>Of course there is trustworthy freeware. You can get it using Apt, Yum, Ninite, Chocolatey, Homebrew, or just by going to the actual site of a trustworthy software product.
If you don't use the crapware downloader, then the vendor doesn't get any money. I noted that pretty much all freeware is bundled like so, including your "trustworthy" software, on various other download sites.
Then the only way the vendor can stay in business is if enough people download the crapware version.
>Are you associated with FileZilla?
Huh? Why are you asking, and why would it matter?
>Why are you here bringing out the "everyone is doing it" defense?
What doesn't make sense? FileZilla is a bad actor who is trying to infect people's computers with malware. Download sites are bad actors who are trying to infect people's computers with malware.
People should have all the information they need to avoid malware, so they can make good decisions, such as installing WinSCP from Ninite instead of installing FileZilla by any method.
You keep denying that trustworthy free software exists, and yet when anyone points out that it does, you change the topic to something fraud-ridden like download sites. People who cheat on tests believe everyone is cheating on tests.
I do not care one bit for your business model. Please go out of business ASAP.
It would have been a bad idea to use WinSCP in 2014 also. Yet you'll notice they backed off and have had years to repair their reputation, instead of getting caught a second time and trying to cover it up like FileZilla is doing.
I understand how your kind of free software makes money perfectly well. It's not trustworthy in the slightest.
You don't need to make money to make a program that copies files. And if you bundle your free software with a scam, you're not making money as a software developer anyway, you're making money as a scammer.
You've crossed into incivility in this thread. That's not allowed on HN, regardless of how wrong someone else (or everyone else) may be. If you could please (re-)read https://news.ycombinator.com/newsguidelines.html and not do it again, we'd appreciate that.
The likeliest explanation for that is always the simplest one: we didn't see it. Obviously, though, breaking the rules isn't justified by other people breaking the rules. It always feels like the other person started it, so one could use that to justify anything.
Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines. We ban accounts that make a habit of this, so please (re-)read the rules and use the site as intended from now on: https://news.ycombinator.com/newsguidelines.html
I don't expect you to look at 100% of the comments, but it's a bit like citing someone for jaywalking but letting the murderer escape. Sure, cite the jaywalker, but after you've found the murderer.
>Re your comments, personal swipes like "you seem very confused", "you are unable to understand", "rather than wild accusations and hysteria, I'd recommend calm collected analytical thinking" are certainly uncivil and violate the site guidelines.
There are several flaws in your interpretation, but I don't wish to convince you otherwise.
This guy is trolling, seriously, just stop responding to them.
ksk - many HN readers build using free software for places like Google, Amazon etc, that are trusted all the way up to places like the CIA. Seriously, please troll somewhere else. Basically no one working in almost any open source project wants to be working with an author that bundles in crapware, ESPECIALLY if the author doesn't actually even control the crapware. If you don't get why this is a bad idea you'll have to trust folks who use open source software regularly that this is a bad thing.
These articles drive me crazy when they don't mention the testing process. Yes, he is using a "server class" machine, but did he disable the features on a hardware level that would skew the test? Answer: probably. I'll assume he did some sort of clear to make sure that the data wasn't cached on the hard drive, or assume that all the reads were in memory. I can't even tell if he ran the test over several iterations.
It isn't that I am doubting the results, but without some trail on how to get the results I can't make this useful information. For example if I were architecting a system and was using this as information I have no idea if I run this in a VM that I need enough memory to get these results.
>To start with let us see the impact of work done to improve the performance of hash indexes. Below is the performance data of the pgbench read-only workload to compare the performance difference of Hash indexes between 9.6 and HEAD on IBM POWER-8 having 24 cores, 192 hardware threads, 492GB RAM.
>The workload is such that all the data fits in shared buffers (scale factor is 300 (~4.5GB) and shared_buffers is 8GB).
And the chart itself says it is a median of 3 five-minute runs.
Why would I assume that concurrent runs == separate runs, or that other caching mechanisms aren't in place, or really anything? Computers do really odd things trying to optimize, and you are making assumptions that your system is the same over a period of 30 minutes when you don't even know whether those 30 minutes are concurrent. There is all sorts of stuff that gets in the way of performance tests and I would like to know how it is mitigated. Again, I am sure there is proper process, but why wouldn't one want to know what that is?
You haven't seen my collection of cat pics torrent ;)
Also from a more serious stance the danger is the malware vector or the destruction of the ability to have integrity and not the data in the torrent itself.
Do they have a feed into security yet? At the time I reported the release of all the emails and I couldn't get past first line support. They kept telling me that spam wasn't their problem.
I am pretty excited about this as I have few cross-platform languages that I can use (due to conditions at work). I am wondering how many distros will adopt it into their repos.