* Posts by Adam Azarchs

167 publicly visible posts • joined 28 Jul 2006


Nearly 300 MSI motherboards will run any old code in Secure Boot, no questions asked

Adam Azarchs

TPM is quite useful for storing e.g. full disk encryption keys. Not so much for securing things from you as for securing your things from people who might gain physical access to them.

TPM got a bad start, reputation-wise, because probably the first place most people encountered them was as the place where Blu-ray players stored their keys, but there are quite a few less-controversial use cases for having a place you can store an encryption key with reasonable confidence that no one will be able to extract it without your password.

Chinese researchers' claimed quantum encryption crack looks unlikely

Adam Azarchs

Re: To be fair:

Just look at how many people are still using sha1 (or even md5). Change the recommendations today, and _maybe_ 15 years from now, when attacks actually become practical, no one will still be using vulnerable algorithms. There's a lot of inertia in protocols, for both good and bad reasons.

Also, it's not always possible to have perfect forward secrecy; stuff you're encrypting today might still be useful to an attacker by the time they're able to break it. The earlier you upgrade your crypto, the more stale (and therefore hopefully useless) the information will be by the time someone can easily break it.

US Air Force tests its first fully functional hypersonic missile

Adam Azarchs

Re: Oh boy

It's less about being able to shoot the missile down (which would be nice, but not actually terribly important to our defensive strategy) than it is about whether your target sees the middle coming early enough to have a chance to launch their counter-strike before your missiles disable their ability to do so.

America's nuclear fusion 'breakthrough' is super-hot ... yet far from practical

Adam Azarchs

Laser ignition fusion

Is not, and will probably never be, a practical source of energy. That's not what it's for. It's for simulating hydrogen bombs. If you want something with a sliver of a chance of eventually being viable as a power source, then you want magnetic confident (e.g. tokamak or stellarator). Or gravitational confinement (e.g. solar, but that's too practical to be fun to talk about).

Aside from the engineering challenges, we're also running into a problem in that we're running out of tritium. The plan was supposed to be that we'd have working fusion reactors by now, that could produce enough neutrons to make enough tritium to keep the whole process sustainable. But we don't, yet, and the tritium made during nuclear weapons manufacturing is well past its half life by now. It's been pointed out that the sun's power density is comparable to that of a human (though it makes up for that with size); this is because the fusion reaction (mediated by the strong force) is rate limited by the dearth of neurons - combining a proton with an electron to make a neuron is a much, much slower reaction, mediated by the weak force. If you try making a human scale fusion reactor regular hydrogen, you won't get very far.

California wildfires hit CTRL+Z on 18 years of CO2e removal

Adam Azarchs

Re: Mismanagement

This is not really true. Natural wildfires historically happened during the rainy season, because they were started by lightning. Because the rainy season is generally colder and wetter, the fires would burn though the undergrown but leave the larger mature trees mostly intact. By contrast, the recent fires have mostly been caused by human ignition sources, during the driest, hottest times of year. Worse, many were caused by electrical sources on days with high wind. Those fires spread much faster and burn much hotter than the natural fires, and are thus far not damaging. Some of the most damaging fires in recent years started or spread through regions which had had fires or were clear cut just a few years previously, still you really can go blaming historical for suppression efforts for them. The mismanagement love is popular with a certain crowd that wants to authorize more clear-cutting, though.

Adam Azarchs


> The study didn't account for the growth of new vegetation in fire-swept areas

That's a pretty important caveat. In a steady state, forests fix some carbon, but dead leaves and wood also release carbon (and methane, which is worse) into the atmosphere as they rot. On the other hand, charcoal, once buried under new growth, is actually a really good way to sequester carbon. And recently burned areas are going to see very rapid vegetation growth, which will fix carbon. So yeah, over time scales of a few years, forest fires release lots of carbon, but over multi-decade timescales I suspect that a forest that gets periodic alternating cycles of fires and regrowth is going to sequester more carbon than one which doesn't. Especially if those are relatively cool fires which burn the undergrowth (which grows back very quickly) but leaves the big, mature fire-adapted trees behind.

That said, while many of these ecosystems are adapted for fire, they're adapted for the less intense fires you get when they're caused by lightning that is usually accompanied by rain (last year's Big Basin fire being a freak exception). In recent years, most of the wildfires in California were caused by human ignition sources, on hot, dry, windy days, when the fires spread faster and burn hotter. So instead of mostly just burning undergrowth and leaving the older trees behind, it burns everything. That's harder to recover from.

Take this $15m and make us some ultra-energy-efficient superconductor chips, scientists told

Adam Azarchs

"a fair price"

Obviously tung in check, but that tends to be how early stage basic research goes. You keep the spending low until you know enough to know more specifically what you should be prioritizing. A lot of early stage ideas are never going to go anywhere. And once the researchers have a proof of concept, there's still a much, much larger amount that will need to be spent to get it to commercial scale production.

Internet Society condemns UK's Online Safety Bill for demonising encryption using 'think of the children' tactic

Adam Azarchs
Black Helicopters

As far as the cops are concerned...

When it comes to crime, an ounce of prevention is a lot less fun than pounding down the door of a criminal. So they probably see enabling more crime as a side benefit of these measures, so long as it's also easier to catch the criminals.

(which it won't be, because effective end to end encryption is something you can write the code for on a T-shirt, so anyone who can afford the services of someone who knows what a compiler is and doesn't have much respect for the law will still have it)

For a while the USA classified strong encryption algorithms as munitions for export control purposes. That means our right to encryption is protected by the second amendment, right?

Fans of original gangster editors, look away now: It's Tilde, a text editor that doesn't work like it's 1976

Adam Azarchs

Re: Use Libreoffice

... if the sledgehammer were made of plutonium and likely to contaminate the meat of the walnut.

The rocky road to better Linux software installation: Containers, containers, containers

Adam Azarchs

Re: Cleanly uninstalling is impossible

It's certainly possible to make an uninstaller that will cleanly (as in completely) uninstall an application, but it isn't especially common. Most apps' uninstallers will leave some files or registry keys lying around in the hope that the user will some day reinstall the app and want their customized settings to remain. Either that, or just negligence. The issue, I think, is that nothing _forces_ apps to uninstall clearly, and perhaps more to the point nothing forces apps to have sufficiently hermetic runtime behavior to prevent them creating garbage in all kinds of places that the uninstaller doesn't know to look. That later problem is of course not unique to windows; my Linux home directory is littered with .files from programs I've tried out once and then removed.

We were 'blindsided' by Epic's cheek, claims Apple exec on 4th day of antitrust wrangling

Adam Azarchs

That would be a reasonable argument if there were an option to sell you app by means other than their app store; that is to say, if the iTunes app store operated in a competitive environment. It does not. There are, arguably, good reasons to restrict app installs to the app store, but if that is the case then the app store needs to be regulated against abuse if this position, just like any other natural monopoly.

'There was no one driving that vehicle': Texas cops suspect Autopilot involved after two men killed in Tesla crash

Adam Azarchs

Re: Tesla boss Elon Musk has not explicitly responded to the incident

Note update, that car didn't even have autopilot installed. So, job done there.

Proof that Surface devices are not a niche product obsessed over by Microsoft fans: A patent lawsuit from Caltech

Adam Azarchs

Re: This still bugs me

Generally when you license something like a chip, part of what you're paying for us for the manufacturer to indemnify you against such patent claims. Which is so say that while Microsoft is the one getting sued, it's Broadcom who will actually be paying. If that's not the case then Microsoft should be a lot more careful with their licensing contacts.

"Good faith" doesn't mean you aren't liable to pay royalties. If you know you're infringing, that makes it willful, which makes you liable for a lot more.

EncroChat hack case: RAM, bam... what? Data in transit is data at rest, rules UK Court of Appeal

Adam Azarchs

Re: Filth

My interpretation of the distinction is that it was intended for e.g. listening in on radio transmissions or splicing a probe into a fiber line. That is, if you have to compromise the premises of the defendant then it's in storage, but if your presence is only in places outside of their physical control then it's in transit. Sealing up an envelope and putting a stamp on it doesn't protect a letter from being taken by a search warrant for your house. It's not in transit until you drop in in the mail box.

In Rust we trust: Shoring up Apache, ISRG ditches C, turns to wunderkind lang for new TLS crypto module

Adam Azarchs

Re: Real problem mentioned first

Making something possible to do right is very different from making you go out of your way to do it wrong. When you're taking about a few million lines of code, written by a large number of contributors, some of them who may have passed away before the youngest contributors were even born, then even if all of them are highly skilled the odds of a mistake creeping in are very high. Human beings aren't perfect, and it only takes one mistake to get a serious security vulnerability in something directly exposed to the internet like https.

This of course leaving aside the fact that though 85% of people think their driving is safer than average, over a million people die each year in car accidents. Frankly, if you say only other people make mistakes I'm going to stay as far away from you as I can. I say this as an expert in the Dunning-Kruger effect.

Severe bug in Libgcrypt – used by GPG and others – is a whole heap of trouble, prompts patch scramble

Adam Azarchs

Re: eliminating the entire class of errors.

I've never been in a serious car accident but I still think seat belts and air bags are a good idea. Just because it's possible to write secure code in C if you know what you're doing doesn't mean one shouldn't need a pretty good reason to reject languages which make mistakes like that more difficult, especially in code as sensitive as crypto. There's a big difference between "possible to do it right" and "you have to go out of your way to do it wrong." Even if you don't want to go all aboard the rust train, modern c++ gets you most of the benefits while being somewhat easier to transition to incrementally. If you want to stick to C (and there are reasons why you might, want to for library code like that) then it behooves you to write comprehensive tests and use static and dynamic analysis tools. And you would be doing that even in a safer language like rust.

Adam Azarchs

Distant state

In well designed code you would keep the state that needs to obey some condition close to (e.g. in the same file, ideally) the functions which manipulate that state or depend on those conditions being true, so that a reader can more easily verify that no one is doing something that violates the assumptions (which are ideally documented in comments). If you have stuff modifying that state from all over the place, without going through some common functions which verify that what they're trying to do is ok, the odds of accidentally making a mistake go up substantially.

Colorado cryptocoin execs spark up blunt '$722m ponzi scheme' criminal charges after investments go up in smoke

Adam Azarchs

The fine might be "only" $250k but they'll still have to give back the rest of the money. That's not a fine but rather restitution.

'Cuddly' German chat app slacking on hashing given a good whacking under GDPR: €20k fine

Adam Azarchs

Wouldn't know about MS, but banks...

HSBC at least I'm certain is storing my password in plain text.

How do I know? Each time I log in they choose a random subset of characters from my password which they want me to enter. I'm not clear on what the point of this process is (making password managers harder to use would be my guess, because their IT security staff apparently live in backwards-land) but unless they've stored a hashes for every possible combination of 4-character subsamples of my password (which wouldn't be a whole lot better, mathematically) then they're storing it plain-text.

Former Mozilla dev joins chorus roasting antivirus, says 'It's poison!'

Adam Azarchs

Re: If Microsoft's own AV is the best...

That's easy. Because they'd be sued for antitrust. That's an actual thing that happened when they released Defender. Norton sued them and the settlement was that they agreed not to bundle it.

Busted Windows 8, 10 update blamed for breaking Brits' DHCP

Adam Azarchs

I've seen this in the US

I'm stuck with Comcast here, and I have a Netgear router. The other day my Windows 10 machine was getting an IP address in a wrong subnet, and there was some truly weird stuff in the arp cache. No, of course renewing the DHCP lease didn't fix anything. I suspect with basically no evidence it's something to do with IPv6 support since about that time I also started seeing DHCP allocating me an IPv6 address on the internal network.

Google Chrome will beat Flash to death with a shovel: Why... won't... you... just... die!

Adam Azarchs

Re: Dear Google,

I mean, I don't disagree that it's a bit ridiculous to force-install flash for everyone but the alternative is to have people install their own version that auto-updates with insufficient regularity. If you don't like it you can always disable it from chrome://plugins.

Surveillance, interrogation and threats: Behind the Nest witch-hunt

Adam Azarchs

Re: Memes???

As a former Google employee, I assure you that was not a typo.

Java API judge tells Oracle to suck it up, quit whining about the jury

Adam Azarchs

Copies aren't illegal unless you claim they are the trademarked brand, which makes them counterfeits. That's a violation of trademark, which google hasn't been accused of.

Why does an Android keyboard need to see your camera and log files – and why does it phone home to China?

Adam Azarchs

Re: Almost every app I consider for installation

With android M, permissions are granted at runtime and the app gets an exception if it isn't granted the permission. Older apps still get their permissions up-front at install time, but a savvy user can disable them before first run. The reason the old K permissions manager was disabled was, put simply, because it broke too many things if you actually used it, and it broke them in unpredictable ways that were very difficult to debug.

As stated, of course, pretty much everything has network access permissions. But pretty much every app needs those for one reason or another (at the very least for ads in the case of the flashlight apps, which why are you even installing that if you're on L or M? It's built into the OS!). And one doesn't want to ask users about a permission that every app asks for because that just contributes to people ignoring the permissions warnings.

Unfortunately the new permissions framework on M doesn't help much since most people aren't on devices which have been upgraded to M. That's Android's real problem relative to Apple - most users don't care about permissions and privacy settings, but they do care about apps. And fewer apps get written, and they have fewer features, when only 10% of the phones have the latest OS.

Google Chrome deletes Backspace

Adam Azarchs

Re: Those are some pretty detailed numbers...

No, they don't report every keystroke back. What do you think this is, Windows 10? However, https://src.chromium.org/viewvc/blink?view=revision&revision=202463 added a counter specifically for backspace to collect data to inform this change, as you can see on the discussion on https://bugs.chromium.org/p/chromium/issues/detail?id=413395. Nothing secretive or nefarious to see here, move along.

'No regrets' says chap who felled JavaScript's Jenga tower – as devs ask: Have we forgotten how to code?

Adam Azarchs

Re: Are these dynamic dependencies really a good idea?

Point taken, but that's what version numbers are for. That's why introducing a new leftpad at version 0.4 didn't fix everyone who depended on 0.3. On the flip side, it does mean that it could take a very, very long time for updates to propagate up the dependency chain, and in the mean time you'll have multiple versions of a package in your project, pulled in as dependencies of other dependencies which haven't upgraded yet.

Jump aboard our load balancing Maglev, Google tells devs

Adam Azarchs

Re: 20 millions line for 900 projects?

Some of those projects as small things like vim plugins. I'd hate to imagine what a even a 10k line vimscript would be like.

How the FBI will lose its iPhone fight, thanks to 'West Coast Law'

Adam Azarchs

Re: Indeed

This exists. It's called a TPM, and afaik the iPhone has one. The issue with the iPhone in question, a 5C, is that the OS is on an unencrypted partition so it can be updated without first decrypting the phone. The iPhone 6 does not have this security hole.

Adam Azarchs

Re: Brain Encryption

The first amendment argument (which is their weakest one probably) is not about encryption per se, but about whether the government can force Apple to say something. In this case, that something is "this is an authorized version of iOS" and the way of saying it is by signing it.

Google calls out Comodo's Chromodo Chrome-knockoff as insecure crapware

Adam Azarchs

Re: Firewall

The one built into Windows is perfectly adequate for most needs (though maybe a little tricky to configure for egress filtering). And on both windows and linux there are scores of good open source alternatives.

Reverser laments crypto game protection, says wares dead after 2018

Adam Azarchs

Re: Just works

Many, but not all GOG games are DRM-free. There is a search filter you can apply for it. Generally the older (retro) games are DRM free, but newer ones are less consistent about it.

Brazil gets a WTF WhatsApp moment

Adam Azarchs

Re: Limited?

Users, yes. But not employees or revenue, which are the traditional targets of government punishments.

California cops pull over Google car for driving too SLOWLY

Adam Azarchs

No big deal

That road has 3 lanes in each direction. Go around.

Top VW exec blames car pollution cheatware scandal on 'a couple of software engineers'

Adam Azarchs

Design reviews

If you've ever worked at a company anything like a car company, you know how many reviews and design needs to go through before it's put into production. A lot more than "a few" employees would need to have been in on it, and if no one from such a large set felt the need to run it by a lawyer I'd be shocked. Far more shocked than if I heard the lawyer was told, offered an opinion, and was overruled.

Oi! 'Hands off America's Wi-Fi spectrum' yells, er, the cable lobby

Adam Azarchs

What's the point?

The reason the wifi bands are unlicensed is precisely because they don't have much range. Unless you put a very powerful transmitter in, of course, which you don't want to do on a mobile device. So LTE-U will only get to use that spectrum for people very close (probably not much more than 100m) to the tower. Seems like they'd be better off focusing their efforts elsewhere.

Nobel bro-ffin: 'Girls in the lab fall in love with me ... then start crying'

Adam Azarchs


Proof that he's not just bigoted against women, but also homosexuals.


Adam Azarchs

Re: Don't they know anything?

No, not the main deflector. That's for weapons fire. You're thinking of the navigational deflector, which while sufficiently powerful to deflect pretty much any 21st-century weapon, isn't capable of deflecting things like photon torpedos with kilogram-scale antimatter warheads.

Secure microkernel that uses maths to be 'bug free' goes open source

Adam Azarchs

Technically speaking...

Windows uses a microkernel architecture as well. It's just hard to tell under all the layers of proprietary.

New Star Wars movie plot details leak, violate common sense and laws of physics

Adam Azarchs

As fans on the expanded universe know...

Luke's hand ended up in an imperial storehouse, where it was used to create the evil clone Luuke.

And there were waaaay more than just the 2 failed superweapons. In addition to the two death stars and the prototype, there were the eyes of Palatine, the sun crusher, the Tarkin, and the galaxy gun, just to name a few. Turns out diversification of military assets is something the imperials never caught on to.

NIST denies it weakened its encryption standard to please the NSA

Adam Azarchs

Lying is still not always legal

Just because you can't tell the truth doesn't mean you're allowed to lie. If, for example, you are an executive at a corporation, making statements about company activities which are later shown to be objectively false is actually illegal under SEC regulations, and you can end up in prison for that (though more slowly than you might for telling the truth). The only thing that you can do with impunity is refuse to comment.

Adam Azarchs

Does not follow

I don't understand what the big deal is for people here. Yes, they consulted with the NSA. The NSA also contributed code the the linux kernel. Not everything the NSA does is evil (just most of it). Furthermore, it's simply bad to confuse technical issues with personal attacks - in this case, the technical question of whether a crypto standard is secure has nothing directly to do with the provenance of the math. The crypto standard process was still open and public, and the NSA was one of several contributors.

The analogy to MS/ISO is false. There was clear evidence that the ISO was not taking its job of managing the standards process seriously, instead just rubber-stamping something from MS.

Swiss space plane to launch robotic orbital debris destroyer

Adam Azarchs

The best long-term solution

In the long term, it's been proposed that the best solution would be to have people who launch into orbit post a bond for $X which they get back if and when their satellite deorbits successfully. It's far cheaper to reserve a small amount of extra fuel for a final deorbit maneuver than it is to send up a second rocket to do it for you, but right now there's little incentive to do that. If you make $X be the amount it costs to remove space junk by other means, then that encourages "insurance companies" to develop cheaper methods to deorbit misbehaving satellites.

Of course, that doesn't help for all the junk that's already up there. That is what we call a Hard Problem.

Facebook's Sean Parker fined $2.5m for tasteless eco-trashing wedding

Adam Azarchs

Re: Endor

Looks like because Endor was filmed just up the coast in very similar habitat.

Google shakes up US utility with green power tariff

Adam Azarchs

Re: Waste of Energy

That isn't how thermodynamics works. Modern coal plants get almost as close to the carnot efficiency as our metallurgical limits allow us to get.

"Heat" is energy, it's true, but to be useful it has to be at a temperature sufficiently above the ambient. Once the temperature of the exhaust gases are close enough to ambient, the efficiency with which work can be extracted becomes so low that the returns of adding additional steps to try to capture it become prohibitively expensive. Coal is expensive enough to make that point very late in the game, but pretty much the only thing you can do with the remaining waste heat from a coal plant is heat an apartment building... and who wants to live that close to a coal-fired power plant?

Net neutrality? We've heard of it, says Ofcom

Adam Azarchs

As long as they are advertising 'almost internet'they can do whatever they want.

Here's the $4.99 utility that might just have saved Windows 8

Adam Azarchs

Re: My cost effective solution that costs $0.00

The SxS folder is almost entirely made up of redundant hard links. While these confuse file size counters, they don't actually take up that much space. In reality deleting the SxS folder would only free up a couple of gigs, not 20+.

Adobe's revenge on Steve Jobs: HTML5

Adam Azarchs

Re: Oh no!

"If portable is your aim then Java is best."

Except we're talking about the mobile market, where iOS has nearly half the market and doesn't allow java to run. So that's a very strange definition of portable.

The prohibition against interpreted code on iOS limits things to platforms which can be AOT compiled, such as .NET (see http://www.mono-project.com/Mono:OSX). Ironic, that.

New Tosh drive can wipe out 4TB 'near instantaneously'

Adam Azarchs

Re: Giant degausser

Modern drive heads don't actually read absolute magnetization. Instead, they read relative magnetization from one sector to the next. Those sectors are very, very close together so any macroscopic magnet is going to hit all of the neighboring sectors almost as hard as the target sector, meaning no change in relative magnetization. Once you hit saturation, you can start breaking data, but experiment shows that the fields needed to get to that point are sufficient to physically rip the platter apart. Your best bet by far is the sector-local fields you can generate with the write head of an operating drive, even compared to physical destruction.

This is not to say that magnets are harmless to hard drives - they can cause head crashes in a running drive. But if you're worried about NSA-level data recovery efforts, a giant degausser will do nearly nothing to corrupt the data.

Boffins biff over ‘twisted radio’

Adam Azarchs

Photons are spin-1 particles

Spin-1 particles have 3 spin states, only two of which are observable along the axis (right-handed or left-handed, or horizontal or vertical, depending on how you build your detector). While you can vary the mixture of photons in your signal, you don't get extra multiplexing out of that because within each channel you'll still get the same old interference. Doubling your bandwidth is nice, but I don't see how you can get more than that without violating quantum theory.