Posts by Chronos

1257 publicly visible posts • joined 21 Oct 2007

UK Home Sec Amber Rudd unveils extremism blocking tool

Chronos
Stop

Re: Different Configuration

Genuinely terrifying to see such incompetence and alarming speeches. It'd be great to have these people filtered out of society!

No. If anything, it needs to be preserved for posterity. When they look back on the early 21st Century and find that "patronising" became a euphemism for smarter people telling the clueless they're wrong, we need as much evidence as we can muster. Covering up history never did anyone any good.

What did we say about Tesla's self-driving tech? SpaceX Roadster skips Mars, steers to asteroids

Chronos

Re: Maybe coming back

It probably would have been better to launch a few old Trabants. Those things are notoriously difficult¹ to get rid of and Elon would finally be doing something useful. It would also give the aliens a good laugh...

¹ The body is made from cotton and resin, the same phenolic resin that used to be used for PCBs that gave off that distinctive old electronics smell. It never rots, it's toxic and it doesn't biodegrade, hence it hangs around for longer than Keith Richards. This is what happens when you get too "clever" and mix tech with transport.

Wileyfox goes TITSUP*: Smartmobe maker calls in the administrators

Chronos

Re: Russian money

Nothing to do with their cashflow being frozen or them not selling the number of phones they expected to in the face of increased competition.

Not forgetting their shit customer service and priority on posting to social media rather than doing what they should be doing.

This does not come as a surprise.

Beware the looming Google Chrome HTTPS certificate apocalypse!

Chronos

Re: Well done Google....

@katrinab many thanks for that heads-up. Seems I have my good ideas just after everyone else :)

Edit: gawd, I'm getting old. I must have come across the docs in the wee small hours one day because it seems I already have CAA records set up on my main domain. The master DNS is right in front of me, so nobody else did it. Is that a sign of imminent Alzheimer's or is it just one more example of JIT learning not sticking?

Chronos

Re: Well done Google....

How exactly does promoting TLS connections for web traffic benefit Google, especially now letsencrypt is a thing? They're not a CA.

What we really need is a DNS extension which tells the browser which CA root it can expect hosts in its domain to use. A simple TXT record with the fingerprint of the root CA certificate would do, or even the OpenSSL style hash, e.g.:

$ORIGIN @

_tlsca IN TXT "4042bcee,6187b673"

Chronos
Coat

Indeed.

Symantec wasn't very happy, of course, and used a whole range of angry words in a blog post about it: words like irresponsible, exaggerated, and misleading.

And that was just a plug for one of its own products...

Mine's the one with the decrapifier USB stick in the pocket.

Driverless cars will lead to data-sharing – of the electrical kind

Chronos
Holmes

First they came for the meter readings...

AEV Bill A new amendment to the UK's Automated and Electric Vehicles Bill aims to make it mandatory for electric car charging point operators to transmit power consumption data to Britain's National Grid.

Hate to say I told you so but, as the harbinger of bad news, I'm doing my job correctly. Now they have a data slurping tentacle in there. Next up, mandatory odometer readings, GPS tracks and timestamps for road pricing. From there it's a free-for-all on in car entertainment listening habits, Bluetooth connectivity, occupancy (so that you can be charged a higher rate at peak times for not sharing your car with that one smelly co-worker who never washes), places visited and shopping habits extrapolated from that. The charging point operators will become µGoogles, selling your metadata to the highest bidder. Oh, and let's not forget insurance companies examining your telemetry data with a squad of becardiganned¹ adenoidal navel-gazers critiquing your driving style.

Icon. It was utterly bloody inevitable.

¹Yes, it is a word. I just made it up, the same as marketing are wont to do.

Microsoft whips out tool so you can measure Windows 10's data-slurping creepiness

Chronos
Holmes

Re: No brainer

Many of us have taken this road - or never had to because we were already on the Free-way. What we're moaning about is the "slowly boiling frog" element where they exploit the clueless to generate a critical mass of people who "aren't bothered" by the intrusiveness. We can see what they're doing to people who know no better and are concerned about it. Once it becomes established, like any virus it then infects other areas, just as it originally cross-contaminated Microsoft from Google.

If you recall, many of us were just as vociferous when Google started it. This isn't a case of looking after numero uno. As professionals, we have to deal with the fallout from this bollocks. It is a widely accepted tenet that prevention is better than cure.

Chronos
FAIL

Here's an idea, MS...

Stop bloody doing it! It's an operating system. It should abstract the hardware, provide APIs and a UI and then stay the hell out of the way. Many of us just want to use our computers. We don't need to have a "relationship" with you or anyone else in order to do so.

Europe slaps €997m antitrust fine on Qualcomm

Chronos
Flame

Great.

Guess who pays that. Don't you just love backdoor taxation? It's a double-win for them, too, because spreading the OpEx of punitive fines knows no borders...

Electric cars to create new peak hour when they all need a charge

Chronos
FAIL

his study didn't include any potential “return to grid” from vehicles' batteries.

Won't happen. Anyone who has the slightest knowledge of efficiency will turn that "feature" off. If it can't be switched off, assuming EVs ever become viable at all given all the other massive elephants in that particular room, then someone somewhere is planning on doing brown-out load-balancing with your money while saving short-to-medium term infrastructure cash.

Which is basically the definition of a politician these days.

It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs

Chronos
Facepalm

Clickbait title indeed.

If it's a choice between various ad flingers or Mozilla it's a bloody no-brainer. Some of those vulns don't affect the clueful anyway. It's 2018 and... wow, you still have WebRTC enabled¹?

¹ about:config, media.peerconnection.enabled, false

President Trump turns out the lights on solar panel imports into US

Chronos
Coat

Re: Maybe I don't understand how this works

BTW the sovereign US also imposed Tariffs on Washing Machines with the same PV act

Arsenoise probably thinks that will stop money laundering through foreign investment...

I'll get me coat.

'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Chronos

Re: The right time - for a change

When Linus is swearing and waving his arms around you pretty much know everything is normal. When he goes all professional with only the occasional sweary, that is a danger sign. It means someone is in deep shit - Intel, in this case, although let's not forget almost everyone else using speculative execution is potentially vulnerable to this. Even MIPS has a couple of P series cores that may be affected.

Meltdown/Spectre week three: World still knee-deep in something nasty

Chronos
Thumb Up

Re: Intel "shouldn't be selling CPUs?"

Maybe it's a good opportunity to slow down and take stock of where the world is headed rather than continue the knees bent, running about advancing behaviour blindly, up up the ziggurat lickity split...

I could only give this one upvote when it deserves three: One for the philosophy, and one each for the Python and Dwarf references.

The fact that this came about in the blind pursuit of speed über alles makes the performance hit all the more ironic. Had this been any other sector but the whale-song-fuelled tech industry where "we do because we can," where all ideas are delivered in a Californian accent complete with uptalk and riddled with buzzwords we'd be seeing a massive land-shark mobilisation by now. Hell, even governments would be salivating at the punitive fines they could levy for the amount of customer-fuckery this has generated.

We do need to take a step back, not only to examine the efficacy of harder, better, faster, stronger but also what the current plethora of technical advances such as automation and convenience is doing to humanity's ability to survive. We're already only a few megawatts away from looting and anarchy. Do we push on and make that looting, anarchy and extinction?

5 reasons why America's Ctrl-Z on net neutrality rules is a GOOD thing

Chronos

Replying this far down...

...to preserve the illusion. Thank you, El Reg. Now I have a hardlink to an article I can present whenever anyone asks me "What is a troll?" No, it's not being nasty or insulting, that's just being a complete see you next Tuesday.

Put simply, a troll is simply a post or article cunningly crafted to get someone, anyone biting and thrashing at the keyboard maniacally. This article and the sarcasm dripping therefrom is a perfect example which, given that this is three or more pages of thrashing, splashing and foaming in, worked magnificently. The keep net¹ must be overflowing.

¹ "Trolling" is actually an angling term. Nothing to do with mythical creatures, billy goats or bridges whatsoever.

¹½ I remain extremely disappointed that nobody has called out <CTRL><Z> as being the background current process key-press rather than the Windozified "undo" with which everyone now associates it.

Chronos

What goes through someone's head when they do that?

Greed and the good ol' tradition of winner takes all.

Intel to slap hardware lock on Management Engine code to thwart downgrade attacks

Chronos

Re: So...

@whitepines, yes, it would be better if they'd join the debate rather than just clicking the little button, wouldn't it? I agree that the down-vote was unwarranted.

Chronos

Re: So...

It's pertinent information if anyone is looking to specifically avoid this mess, as is the fact that Core number numeral devices, more often than not, do come with ME, albeit easily disabled on at least some of the ICH9 variants. I wasn't trying to contradict you or "be clever," just inform.

Chronos

Re: Macs don't have it, AFAIK

No OEM has the ability to remove the ME, period.

True. One can force the thing into a halted state, however, by removing everything but essential bringup (BUP in all the docs so far) code from the embedded firmware. For some machines, this means breaking out the SPI flasher. For others, mainly consumer motherboards, the EFI setup utility's own flasher usually suffices once you have run me_cleaner on the flash file.

However, since the flash is accessible from the client OS (they're mostly just dangling from an SPI bus these days), it's conceivable that Chipzilla will conspire with MS or EFI vendors to put the code back again, quite possibly with a routine to halt the boot process completely and drop you into a flash rescue mode if it is anything less than fully operational. As you rightly say, the ME machine is still there with its tentacles in your entire memory space and remains a security risk.

If I may be permitted the vulgarity, it's a right pain in the arse and is making x86 look even less appealing than it was before they started this nonsense.

Chronos

Re: So...

Let me be as clear as possible. EVERY AMD CPU has the PSP. It cannot be removed, it cannot be disabled, and it has full access to the x86 cores and all of the system components. It's stored on rewriteable firmware storage and anyone with access to the AMD signing key can run their code at the highest possible privilege level on the entire system.

Correct, with the tiny qualifier of CPUs and APUs >= family 16h. Trinity and Richland APUs on socket FM1 and Phenom II and Athlon II CPUs on Socket AM3 are probably the last to be PSP-free. A general rule-of-thumb is if it's a 2013 or newer core, it has PSP/Secure Processor.

Chronos
Facepalm

Re: Macs don't have it, AFAIK

only

That word does not mean what you think it means. TFA points you in the direction of several OEMs who will butcher/castrate ME or flip the HAP bit for you. Was this anti-troll rant a troll of its own, perchance?

Chronos

Re: Blast from the past: remember 'Trusted Computing'?

The sad part is that 98% (number from anus) of users won't care. As long as Netflix works, fux not given.

No one saw it coming: Rubin's Essential phone considered anything but

Chronos

Also, the US is not the world. Some of us aren't subject to the DMCA so aren't afraid to tinker despite all the warnings of the apocalypse, Armageddon, the heat death of the Universe and inter-dimensional rifts caused by people trying to fix or de-traitorify their own sodding property.

VW's US environment boss gets seven years for Dieselgate scam

Chronos

Poor bugger.

Seems that we have this week's designated goat, sacrificed upon the altar of Being Seen To Be Doing Something. One can't help wondering just how "seriously" this would be taken were VW a B2B or, better still, a government supply organisation.

Capita appoints back bencher baroness as non exec director

Chronos
Facepalm

Once more unto the trough...

"Sinecure" is not a decongestant - in any context.

Car rental firms told: Tell your customers about in-car data slurps

Chronos
FAIL

Sure the manufacturer might be able to get to it but how likely is that going to happen?

Big Data loves you. This data has value to be (I hate this word) "monetised" and Cerberus will be wearing little bootees¹ and a doggie coat before anyone with an MBA and a performance review forthcoming misses this opportunity.

Please note that said MBA isn't inherently evil, just working in an environment that mandates such tactics to survive.

¹ Like these.

Chronos
Flame

Small fry

Just wait until EVs enable full log slurps while on charge. Track, speed, control usage ("throttle" position, braking, steering input) listening habits, calls made, occupancy, times and dates, the lot. Autonomous vehicles will be even worse, especially if this idea of dial-a-shed becomes reality. The scope for private information leakage is enormous.

With that, facial recognition and smart meters it'll only take getting out of bed and turning on the bog light before some beige numpty in a cardigan with a notebook (computer) can see what you're doing.

Mozilla and Yahoo! trade sueballs over Firefox-Google search deal

Chronos

Re: Yahoo

Who didn't install Firefox and immediately add StartPage, DDG and DeepSearch then remove everything else?

I also have github as a provider but that's just me. I'm odd.

Voyager 1 fires thrusters last used in 1980 – and they worked!

Chronos
Thumb Up

Re: It's good to see your tax money being spent

I seem to have struck a nerve. If NASA wish to replace the ageing RTG design with a commentard with steam coming out of its ears as a power source, do give me a shout. Just think of me as that neutron that pushes the reaction to criticality...

Chronos

Re: It's good to see your tax money being spent

Knowledge is always relevant. Imagine if Voyager had hit the heliopause and just blipped out of existence because its location variable was trying to access memory in the UniverSim that was dedicated to another process. Would that have been wasted money?

It didn't happen but it could have; that would have told us all manner of interesting things.

The sun rose, you woke up, and Qualcomm sued Apple three times

Chronos
Boffin

WebOS?

I thought LG owned WebOS now? Perhaps, given that it's a patent dispute, we're not supposed to understand it?

Linux laptop-flinger says bye-bye to buggy Intel Management Engine

Chronos

Re: Cool marketing idea

The Tecra I mentioned up-thread is a Core 2 Duo. It has Intel ME, so I'd say the 2006 quote is the more accurate. If in doubt, assume it's there and check with intelmetool (a sub-project of coreboot) with iomem=relaxed passed to the kernel at boot if running >Linux 4.4.

At this point, Intel's little backdoor snoop is quite well understood. What is more worrying is the number of people who have never heard of PSP or Secure Processor and think they're so much safer using AMD chippery.

On x86 the assumption has to be, if it's fairly recent, that there's some form of hidden embuggerance that has the potential to bite you on the bum. Even if it doesn't fulfil the requirements for Active Management, you still don't know what that little Minix (apologies to Professor Tanenbaum - it runs a derivative of Minix, it wasn't his idea) parasite is doing which, given that it has direct access to memory (and you'll recall most devices are mapped into memory space these days), could be just about anything. In fact, even after running me_cleaner on the firmware dump I can't be 100% sure the thing really is in a stopped state after bringup but it's far better than trusting Intel's encrypted code buried in the flash chip.

Chronos

"What happens if you don't install it [the driver] ?" looks like willingness to learn to me, which puts x 7 several orders of intelligence above the average manager. We're not born experts, it takes pain, exposure to lusers and unwilling loss of follicles. Enough with the down-votes already.

x 7, imagine a Raspberry Pi made small enough to fit into a motherboard chipset with electronic tentacles that reach deep into the parent machine. The operating system for this parasitic computer is embedded into the BIOS, so it initialises first before the BIOS/EFI hands off to the real operating system. The only way to confound it (as pointed out downthread, it's not really permanently castrated, just befuddled) is to take away its bits of BIOS to the point it enters a halted state and minds its own sodding business. All the driver does is allow you to interact with it from the main operating system. Without the driver, it's still there with its tentacles in your RAM and buses but your OS isn't aware of what the conduit that links the parasitic computer to the main computer is for.

Chronos

Re: Matryoshka dolls

Certain implementations can be disabled by removing just enough of the code to stop it from running. You have to be very careful as some of these machines shut down after 30 minutes if the ME is in a particular state of not being able to boot.

See ME Cleaner for details. It's not for the faint of heart but I was going to stop using this Lenovo if I couldn't rid myself of at least the ME code running at ring -3 so I had very little to lose. With a dump of both SPI chips, I could always restore it to factory state anyway.

Chronos
Flame

Matryoshka dolls

A computer within a computer with access to everything and no idea what it is up to. Yes, that's a brilliant idea, especially if we can't see the code or use it for our own purposes.

Two machines here with IME, a Lenovo G710 and a Tecra M10. The former required a full strip-down and a CH341A dongley thing with an SOIC8 clip to remove this malware. The latter (well done, Toshiba) allows disabling the thing before it even starts, confirmed by intelmetool. On the Lenovo, removing all but BUP has left a dangling USB device that can no longer enumerate. I suspect this is the JTAG port oft reported but it's a pain in the arse as it spams syslog.

That said, I can live with a dead USB device hanging off of bus 3. It's infinitely preferable to hardware which does $DEITY knows what behind my back.

Yes, @x 7 it requires a driver for the control interface, yet the underlying processor and code still run regardless of driver status. If it's exposed to $SKIDDIE or $THREELETTERAGENCY you're SOL and JWF¹. Please note that AMD on anything newer than Piledriver also has something similar called PSP/Secure Processor which is pretty much the same idea - closed source crap running at ring -3.

¹ Shit out of luck and jolly well fucked.

BT lab domain grab – 17 years after cheeky chap swiped 'em

Chronos
Devil

Runaround

I hope, should the BTs decide to pursue this offer, that the vendor will keep them on hold, transfer them to another extension which will also keep them on hold, repeated ad nauseam until they give up. That would be poetic justice.

Team Trump goes in to bat for Google and Facebook

Chronos
Facepalm

Re: What did you expect?

East Asia? I thought it was Eurasia this month, and always had been?

/me fully expects this to whoosh far overhead...

It's artificial! It's intelligent! It's in my home! And it's gone bonkers!

Chronos

Relieved of command by Captain Bogbot.

I can't help thinking, putting myself into the situation you so eloquently describe, that it would all be worth it if there were a Matrix-style EMP generator. The satisfaction when you turn the big red switch and robo-leg-shagger slumps into a heap, the alarm silences forever, all the doors become manual again and the idiot lantern finally shuts the feck up would be blissful.

All joking aside, we're setting ourselves up for a fall here. I'm not talking about Elon's vision of AI-enhanced killbots stalking the last remnants of humanity through the ruins of cities, rather that we're already only 10kWh away from total vulnerability. Adding more artificial dependence on technology is just asking for extinction because the whole bloody mess is really quite fragile and apt to go TITSUP (total inability to support usual pandering) at a moment's notice. At what point do we admit we are damaging our ability to adapt, survive or even make our own decisions amidst all this convenience?

Internet of So Much Stuff: Don't wanna be a security id-IoT

Chronos

IoM

The very first priority should be shifting the focus from the needs of marketers to the requirements of the meatsack trying to use these devices. The vast majority of this traffic doesn't need to ever leave the local segment.

In the case of those that do need to use the maelstrom of the Internet, there are certain design rules that should be followed. I wanted a vehicle tracker. I researched the various options from hideously expensive to cheap and shonky. All, without fail, required the use of some third party server, more often than not Google's maps crept in, leaked data like a sieve and kept quite a lot of numbers you probably didn't want them to keep.

I ended up designing my own. STM32+SIM800+Neo6, simple firmware that opens a GPRS connection and uploads a JSON string to my MQTT server over TLS every three minutes if the vehicle has moved more than twenty metres then turns the GSM radio completely off. Simple, effective, private and secure. I can then use HomeAssistant to grab an OSM tile and display the location on a nice map.

At no point does unencrypted data move out of my control. Nor is there any facility for communicating with the device over any public network - it talks, the server listens, then it says goodbye once a successful status message is received. It cannot be redirected, suborned, repurposed to carry out DDoS attacks or tricked into leaking data.

Other IoT stuff here includes a weather station, solar charge controllers, various light and socket controllers and the garage door opener. All are custom built, all have ONE job and none of them will even acknowledge the existence of anything but the intended control channels.

The Unix philosophy works well in this arena and I commend it to my colleagues.
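
Added example, not part of the original post and not the poster's own configuration: one way to back the "it talks, the server listens" design with broker-side enforcement, assuming the MQTT server is Mosquitto. The file paths, the account names `tracker` and `homeassistant`, and the topic `vehicles/van1/position` are hypothetical.

```conf
# ---- /etc/mosquitto/conf.d/tracker.conf (path assumed) ----
# TLS-only listener; this file defines no plaintext listener.
listener 8883
cafile /etc/mosquitto/ca/ca.crt
certfile /etc/mosquitto/certs/server.crt
keyfile /etc/mosquitto/certs/server.key

# Every client must authenticate; unknown clients get nothing.
allow_anonymous false
password_file /etc/mosquitto/passwd

# With an ACL file set, any topic not listed for a user is denied.
acl_file /etc/mosquitto/acl

# ---- /etc/mosquitto/acl (path assumed) ----
# The tracker account may publish its position and nothing else.
# It has no read grant, so nothing is ever delivered to a client
# that connects with its credentials.
user tracker
topic write vehicles/van1/position

# The map front end may read the position but cannot publish to it.
user homeassistant
topic read vehicles/van1/position
```

With this in place, credentials lifted from a tracker can only be used to write to that one topic; they cannot be used to read other devices' data or to push messages to the other custom-built devices.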

Android at 10: How Google won the smartphone wars

Chronos

Re: XDA

Beautifully put, conscience. Even Apple's early GUI was heavily influenced by GEM. What Apple now do best is marketing and packaging products to look shinier than they otherwise would then convincing you that your life will be empty without these things. Jony Ive's design skills are not to be belittled, yet to claim the results are anything more than admittedly inspired interpretation of existing technology with much prior art is risible.

Chronos

Re: XDA

The Treo 180 and 270 were the first integrated touch/phone devices. The former was monochrome, the latter colour. I had both. Both had keyboards. Graffiti™ was introduced with the PalmPilot (and the USRobotics branded device, back when modems were a thing) and subsequently carried across to the likes of the Tungstens, which were excellent in their day. It still wasn't the slab format, though. Palm's Treo 650 was the closest they ever came and, yes, it had a keyboard.

As for the Newton, least said soonest mended. The fact remains that the XDA was the first of what we now recognise as the de-facto standard format for a smartphone.

Chronos
Flame

XDA

Everyone forgets this device. It was the first slab+colour touch screen with rounded edges that preceded the iShiny by years. If anyone has a claim to the format, it's O2. Palms either had keyboards or Graffiti™ input areas, Nok's Symbian was still a clunky menu-driven affair and Apple were still churning out clicky iPods.

Although it ran CE, the XDA was still an impressive beast for its time. With a decent OS, it could have spawned a revolution with itself as a major player. Instead, it rested on its laurels, kept the mediocre Redmondware and allowed Apple to pinch the format, as is their wont, apply polo-necked street cred to it and market it aggressively. Like Psion, whose 5MX has yet to be bettered in certain niche tasks, a very solid foundation was left unbuilt upon.

BT hikes prices for third time in 18 months

Chronos

@Andy 97: Suckered in by the usual bait and switch. Don't feel as if it's your fault, many of us have been there. I'm fully expecting MinusNet to bump theirs by the same amount now, and STILL no IPv6 to show for it. Bastards.

Humble civil servant: Name public electric car chargers after me

Chronos

Re: He really wants this?

I'm not convinced "sorry, love, I'm running a bit late. I need to find a Vacant Bellend Charge Point™" is going to improve the lot of already unpopular electric vehicles, either, especially when they grow another two connections (I2C, I'm assuming, although this is the Government so they'll probably have to spend a quarter of a billion to make a new standard that doesn't work) to slurp your mileage for road pricing...

Please note that Vacant is part of the name, not the charging facility's actual state. So, to specify one that you can actually use would mean "I need a vacant Vacant Bellend Charge Point™"

Credit insurance tightens for geek shack Maplin Electronics

Chronos

Re: You can't have it both ways

Remember Cirkit? Buy the catalogue in Smiths and order away to your heart's content.

I'm afraid I won't lament the passing of Maplin. They've been extracting the urine on prices for years and their products really aren't much cop, either. Take that "temperature controlled" soldering station with a triac chopper circuit and no tip feedback. It's temperature controlled only in that you can vary how fast the tip loses heat to a joint. Worse, it wipes out anything below 30MHz any time it is switched on. Awful bloody thing, and that's just one example.

Release the KRACKen patches: The good, the bad, and the ugly on this WPA2 Wi-Fi drama

Chronos
Thumb Up

Re: Lineage OS

Ta muchly for that post. I shall sync and kick off a build. That will be pretty much all devices patched against this flaw.

Chronos

Re: LEDE

Credas wrote: Great idea, but who's going to do the hard work in the absence of a future source of income from patent licensing?

I didn't say it was a perfect solution; those only exist in the minds of idealists. There are some advances, however, that we could do without. Let us first define progress: Taking the best of what you have. And ruining it.

It's somewhat confusing that we have one law which prohibits monopolies and another that encourages them in very specific niches. It's almost as if it was designed by two different committees. Oh, wait...

Chronos

Re: LEDE

I've been saying since forever that patents and standards should be mutually exclusive. Moot point here, though, because WPA/RSN is handled by the host so the binary blobs full of trade secrets used to abstract the hardware (Atheros, Broadcom et al) aren't an issue in this context.

Chronos

Re: MAC Filtering

Never rely on MAC filtering for anything. MAC spoofing is utterly trivial. That's not to say don't enable MAC filtering and know what's on your network, just don't treat it as a layer in the security onion.

IPSEC is your friend if you really want to be secure over 802.11. There's the obvious trade-off in CPU cycles and throughput overheads, natch, but you need to define your priorities and compromise accordingly.