At Friday’s hearing of the Colorado Senate Business, Labor, and Technology committee, lawmakers voted unanimously to move Colorado state bill SB26-090—titled Exempt Critical Infrastructure from Right to Repair—out of committee and into the state senate and house for a vote.
The bill modifies Colorado’s Consumer Right to Repair Digital Electronic Equipment act, which was passed in 2024 and went into effect in January 2026. While the protections secured by that act are wide, the new SB26-090 bill aims to “exempt information technology equipment that is intended for use in critical infrastructure from Colorado’s consumer right to repair laws.”
“I can point out at least five problems with the bill as drafted,” Gay Gordon-Byrne, the executive director at the Repair Association, said during the hearing. “The definition of critical infrastructure is completely inadequate. The definition that has been proposed in this bill is not even a definition.”
Repair advocates also say that limiting this kind of repairability is the exact opposite of keeping devices secure. If something goes wrong with a critical piece of technology, the people using it need to fix it and not have to wait for manufacturer approval.
“There’s a general principle in cybersecurity that obscurity is not security,” iFixit CEO Kyle Wiens said in the hearing. “The money that’s behind the scenes, that’s what’s driving the bill.”
DarthSlack
So critical infrastructure is, well, critical, right? Like you need it to keep working because if it stops you're in a world of hurt? So isn't that the stuff you really, really, really want to be able to repair when it breaks and not sitting on your ass waiting for some clownshoes to show up and charge you a small fortune to turn a screw or apply a patch?
IanRS
Bigger problems
In my work as a security architect I occasionally get asked by an assurer or auditor why I think running AWS infrastructure in just two availability zones without a second region is enough. The latest was just earlier this week. It shows that they do not understand risk/impact balance outside their own little box. I have to point out that if something can take out two geographically separated data centres simultaneously then the impact is not restricted just to their website, and they probably have bigger problems to worry about. Some of them accept this. Some still think another region would help.
Anonymous Coward
Re: Bigger problems
I worked for a small public sector body. An auditor once asked what would happen if both our main and DR sites went dark. I said if that happened, something very big & bad was happening and no-one was going to care about our organisation.
Auditor ticked their box as we had clearly considered the possibility and we had a plan. (Do nothing is still a plan!)
Would you rather have a smoke alarm that goes off 33% of the time you make toast, or one which never goes off when there's a fire ?
Re: 1/3 wrong of 60 is progress (?)
The problem is not with the "smoke alarm" it's with the fire engine.
MOH
Re: 1/3 wrong of 60 is progress (?)
When I'm making toast, I'm making toast.
I'm aware of what I'm doing and ensuring that the toast making doesn't escalate to a house fire.
If it does, that is fully on me.
I don't need a wonky security camera setting off a fire alarm four times a day because my dark brown slippers have vaguely the same shade as burnt toast and it blindly assumes a fire is in progress.
Yet Another Anonymous coward
Re: 1/3 wrong of 60 is progress (?)
But it could be useful if you're very confused and might be about to put marmalade on your slippers
The Federal Communications Commission yesterday announced it will no longer approve consumer-grade routers made outside of the US, citing a President Trump directive on reducing the use of foreign technology for national security reasons. The action will prevent foreign-made routers from being imported into or sold in the US.
Routers already approved for sale in the US can continue to be sold, and consumers can keep using any router they’ve previously obtained, the FCC said. But the FCC will not approve new device models made at least partly outside the US unless the Department of Defense or Department of Homeland Security determines that the router does not pose national security risks.
The prohibition applies to both US and foreign companies that produce routers outside the US. Foreign production includes “any major stage of the process through which the device is made, including manufacturing, assembly, design, and development.”
“This action means that new models of foreign-produced routers will no longer be eligible for marketing or sale in the US,” FCC Chairman Brendan Carr wrote on X.
A federal judge in Virginia ruled Tuesday that the City of Norfolk’s use of nearly 200 automated license plate readers (ALPRs) from Flock is constitutional and can continue, dismissing the entire case just days before a bench trial was set to begin.
The case, Schmidt v. City of Norfolk, was originally filed in October 2024 by two Virginians who claimed that their rights were violated when the Flock network of cameras captured their cars hundreds of times, calling the entire setup a “dragnet surveillance program.”
However, in a 51-page ruling, US District Court Judge Mark S. Davis disagreed, finding that the “…plaintiffs are unable to demonstrate that Defendants’ ALPR system is capable of tracking the whole of a person’s movements.”
I intended to NOT drop what I was doing and just let the video play in the background. But after 1 minute, I dropped what I was doing to give the video my full attention. https://www.youtube.com/watch?v=vU1-uiUlHTo
See also "We’re All So F’d | NVIDIA x Palantir, Global Surveillance, 'Pre-Crime' Arrests, & AI." https://www.youtube.com/watch?v=5lYsO4k7OIY
Don't mess with the IT department guys. Although their office might look as messy as mine, they are a force not to be screwed with.
It all started one day with this guy, the original Etherkiller, developed with a few misc parts to warn new users that the IT department is not to be messed with. You too can make one at home, connect the transmit pins of the RJ-45 to HOT on 110VAC and the receive pins to Common. Modify to suit taste by varying pinout.
This led to some general discussion that this particular device really is in a class of devices, now called the "killers", which need to be made.
I’ve started only buying smart devices if there’s already an active community project to provide firmware and such should the company disappear or give up. If you want the convenience of “smart” devices, you have to compromise somewhere.
You can also buy devices that use open protocols like zwave, zigbee, or thread/matter. zwave is by far the best of the 3 because the certification requires that the devices properly implement the standard so any controller can manage any device, however that also makes it the most expensive and least flexible of the 3. For me stuff I care about long-term support for is zwave (thermostat, living room lights including wall controller), stuff that I'm less worried about having to possibly replace some day like motion detection or smart outlets can be zigbee, or Matter. Thread/Matter is starting to get to the point where the standard and interoperability testing is robust enough that I might consider it for my mission critical stuff in the near future.
As far as music, I've got 20 year old speakers hooked up to a 10 year old receiver that gets fed by the TV or anything plugged into it, thanks to HDMI ARC I don't have to worry about what TV I use or what device is plugged into it, downside of course is that the TV has to be turned on and tuned to the music source (not a big deal for my personal situation, others may not like the compromise).
And now, with that redesign having been functional and stable for a couple of years and a few billion page views (really!), we want to invite you all behind the curtain to peek at how we keep a major site like Ars online and functional. This article will be the first in a four-part series on how Ars Technica works—we’ll examine both the basic technology choices that power Ars and the software with which we hook everything together.
Reported in Nature this week, the study notes that audiovisual glitches break the illusion of a face-to-face meeting, damaging interpersonal judgments.
The authors argued that distorted faces, misaligned audio and visual cues, and choppy movements resulting from technical failures can create an "uncanniness, a strange, creepy or eerie feeling."
Some might think the resources of the tech industry could eliminate such problems and their resulting impacts in the real world. But priorities seem to lie elsewhere.
The study's authors noted that older technologies like phone calls have fewer glitches now, but keep getting displaced by those that require more bandwidth. New conferencing methods such as 3D group functionality and VR will have even higher bandwidth demands.
Nephophobia, or cloud phobia, is an excessive or irrational fear of clouds that can evoke intense emotional responses and substantially impact an individual's overall well-being.
It’s always DNS
Amazon said the root cause of the outage was a software bug, a race condition, in the software running the DynamoDB DNS management system. The system monitors the stability of load balancers by, among other things, periodically creating new DNS configurations for endpoints within the AWS network. A race condition is an error that makes a process dependent on the timing or sequence of events that are variable and outside the developers’ control. The result can be unexpected behavior and potentially harmful failures.
In this case, the race condition resided in the DNS Enactor, a DynamoDB component that constantly updates domain lookup tables in individual AWS endpoints to optimize load balancing as conditions change. As the enactor operated, it “experienced unusually high delays needing to retry its update on several of the DNS endpoints.” While the enactor was playing catch-up, a second DynamoDB component, the DNS Planner, continued to generate new plans. Then, a separate DNS Enactor began to implement them.
The timing of these two enactors triggered the race condition, which ended up taking out the entire DynamoDB service.
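The ordering the article describes, as an added illustration that is not Amazon's code: a planner emits numbered plans, one enactor is delayed on retries while a second enactor applies newer plans, and the delayed enactor's stale plan then lands last. The record layout, version numbers and addresses are constructed; the guarded variant shows the usual defensive fix, refusing any plan older than the one already applied.

```python
"""Constructed simulation of a planner/enactor race (not AWS code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DnsPlan:
    version: int        # monotonically increasing plan generation (constructed)
    records: tuple      # constructed endpoint addresses carried by the plan


@dataclass
class Endpoint:
    applied_version: int = -1       # -1: nothing applied yet
    records: tuple = ()
    rejected: list = field(default_factory=list)   # versions a guard refused


def apply_unguarded(ep: Endpoint, plan: DnsPlan) -> bool:
    """Last writer wins: an old plan that arrives late overwrites newer state."""
    ep.applied_version = plan.version
    ep.records = plan.records
    return True


def apply_guarded(ep: Endpoint, plan: DnsPlan) -> bool:
    """Only move forward: a plan no newer than the applied one is discarded."""
    if plan.version <= ep.applied_version:
        ep.rejected.append(plan.version)
        return False
    ep.applied_version = plan.version
    ep.records = plan.records
    return True


def run_race(apply) -> Endpoint:
    """Replay the delayed-enactor interleaving against one endpoint record."""
    plans = [DnsPlan(v, (f"10.0.0.{v}",)) for v in range(3)]   # planner output
    ep = Endpoint()
    delayed = plans[0]          # enactor A picks up plan 0 but stalls on retries
    apply(ep, plans[1])         # meanwhile enactor B applies the newer plans
    apply(ep, plans[2])
    apply(ep, delayed)          # enactor A's retry finally succeeds, out of order
    return ep


if __name__ == "__main__":
    for name, fn in (("unguarded", apply_unguarded), ("guarded", apply_guarded)):
        ep = run_race(fn)
        print(f"{name}: version={ep.applied_version} records={ep.records} "
              f"rejected={ep.rejected}")
```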
Aranya is an access governance and secure data exchange platform for organizations to control their critical data and services. Access governance is a mechanism to define, enforce, and maintain the set of rules and procedures to secure your system’s behaviors. Aranya gives you the ability to apply access controls over stored and shared resources all in one place.
Aranya enables you to safeguard sensitive information, maintain compliance, mitigate the risk of unauthorized data exposure, and grant appropriate access. Aranya’s decentralized platform allows you to define and enforce these sets of policies to secure and access your resources.
The platform provides a software toolkit for policy-driven access controls and secure data exchange. The software is deployed on endpoints, integrating into applications which require granular access controls over their data and services. Endpoints can entrust Aranya with their data protection and access controls so that other applications running on the endpoint need only focus on using the data for their intended functionality. Aranya has configurable end-to-end encryption built into its core as a fundamental design principle.
A key discriminating attribute of Aranya is the decentralized, zero trust architecture. Through the integration of the software, access governance is implemented without the need for a connection back to centralized IT infrastructure. With Aranya’s decentralized architecture, if two endpoints are connected to each other, but not back to the cloud or centralized infrastructure, governance over data and applications will be synchronized between peers and further operations will continue uninterrupted.
GeekyOldFart
Three languages
And I'm not talking about programming languages, where most of us are fluent in half a dozen or so.
1: Regulatorian: This is the language of politicians and lawyers. It sets the mandates on banks, hospitals, schools etc. It contains nuances and terms of art that sometimes make a word mean something totally different to what you would infer if you heard it in general conversation.
2: Beancounterese: Spoken by accountants, salesmen and middle manglement. It sounds very similar to Regulatorian but is sufficiently different in some of its meanings that it's as big a gulf as between Old Scots and English.
3: Geekian: The language of hard science, mathematics, real-world realities and the only one to use when specifying what a programmer needs to code. Because they will code what you tell them to, and it will work the way this language describes it.
The same word can mean different things in these three languages.
We have to be fluent in all three to accurately interpret requirements and predict what the emerging software will look like, to take error logs and demonstrate to (sometimes hostile) manglement what corrective action is needed and where it needs to be applied.
Michael H.F. Wilkinson
Re: Three languages
It gets worse, as there are quite a few Geekian dialects. I have learnt to speak a couple over the years, and know the word "morphology" can have radically different meanings, depending on whether you are talking to a medical doctor, an astronomer, or an image processing specialist. Great fun when you are in a project with different geeks each speaking their own dialect.
Shirley Knot
Re: Three languages
Well said!
When writing specs for dev projects and talking to those speaking Regulatorian or Beancounterese it involves finding out what they actually mean, without saying "What the fuck do you actually mean?!" The skill is in performing iterative attempts without making them blow their stacks! The most frustrated person I had to deal with was a lovely chap that'd been doing his thing for decades, in manufacturing/engineering. He knew exactly what he was doing, but couldn't articulate it - quite understandable, not part of his world. Once he understood that I was just a white collar noob and he was the expert he calmed right down and enjoyed going into as much detail as needed. Explosive decompression averted and job done!
Ersatz-11 emulates an entire DEC PDP-11 system in software while running on low-cost PC hardware. It outperforms all of the hardware PDP-11 replacements on the market, outstripping them by a particularly wide margin in disk-intensive applications.
What operating systems were written for the PDP-11?
My son, Max, once worked for social media companies. Now he makes his living speaking to students about how phones hook them. He compares smartphones to casino slot machines.
"All the things we love about social media, those are the reward in the slot machine ... we get that 'hit' once in a while ... That's there to keep us scrolling for hours."
Haidt agrees, calling smartphones a "gambling machine."
They say some apps are worse than others.
"Instagram, Facebook, Snapchat, TikTok. Those really shatter attention spans. In terms of exposure to things that are really dangerous, Snap is the worst," says Haidt. "In terms of destroying your ability to pay attention, TikTok is the worst. In terms of destroying a teenage girl's sense of confidence, self-esteem, body image, Instagram is the worst."
He says social media affects boys and girls differently.
"Check in on the kids at age 14, girls are doing worse. They're more depressed and anxious, more messed up."
But a few years later, he says, "Girls are more likely to have gone to college, gotten a job and moved out of their parents' home. Boys are more likely to still be in their parents' basement playing video games. They never grew up. Real life is incredibly boring compared to a video game or porn."
Teachers say phone addiction makes it harder to teach.
If you're writing an open source system utility, for example, your chance of widespread adoption depends on its reputation as trustworthy, and that will reflect on you.
Who watches the watchers?
Talon is a case in point. A Windows de-bloater made by an outfit called Raven and distributed through GitHub as open source, it nonetheless got a rep as potential malware. Open source by itself guarantees nothing, and the conversation around whether or not Talon's bona fides checked out simply grew and grew. Enter YouTube cyber security educator and ethical hacker John Hammond. His day job includes answering the question "Is it Malware?" He has the chops, he has the tools, he has the caffeine. Speedrun is go.
How might Raven have avoided being considered suspicious? There's a concept called defensive coding, where you consider each decision not just as how it contributes to functionality, but how it would cope if given an unexpected input. With Talon, the defensive process is whether a choice of technique will trigger malware scanners, and if it might, but is indispensable, how to make it clear in the code what's going on. You know, that pesky documentation stuff. The design overview. The comments in the code. If your product will need all those open source eyeballs to become trusted, then feed those eyeballs with what they need. There aren't many Hammonds, but there are lots of curious wannabes, and even the occasional journalist eager to tell a story.
Creating security is a huge task, and everyone who launches software for the masses has the opportunity to help or hinder, regardless of the actual intent of the product. Open source is a magnificent path to greater security across the board, because it keeps humans in the loop. Engineering for those humans is a force amplifier for good. Just ask the future historians speedrunning the history of cyber security centuries from now. ®
I'm an ISP network engineer, and across all teams working on the same platform we have agreed on Read-Only Friday.
Yep, never start/continue/work on a project on a Friday. Or Monday...
We have a strict "no live deployments on a Friday".
And if a Friday happens to be a public holiday, the rule then applies to the preceding Thursday instead.
The last day of the working week is virtual or logical Friday, even if it's not calendar Friday.
All Friday rules still apply!
"So... this is all you do all day, is it?"
"Most days. Other days Carl or Peter does it."
"Carl or Peter?"
"Yeah, we work shifts - because the market never sleeps."
"So let me get this straight. You don't have any servers, you don't have any real work - AND THERE ARE THREE OF YOU - so you just make problems to keep yourself in a job?"
"Yep, that's pretty much it."
A minute of silence passes, then finally the geek cracks. There's no server hardware. Nothing. Over the last five years the entire company operation has moved into online services - theoretically leaving our geek with no job.
"So what do you... do all day?" the PFY asks.
"SOME days, I'll take a complete snapshot of our cloud infrastructure," he says.
"Once a month you mean?" the PFY surmises. "So what do you do with the rest of your time?"
"I, um, manufacture outages," he admits.
"Manufacture outages?"
"Yeah, I'll light up the RED lamp on a server and, uh, take a cloud service offline."
"Why?"
"Because then they'll call me and get me to fix it. I'll bring them in here, fire up a linux laptop with the Matrix screensaver, edit a JPEG with a Hex editor, pretend to find a virus signature or an internal consistency error, then 'fix' it and bring the service back online again."
It seems so simple now that he says it.