* Posts by Michael Wojcik

8533 posts • joined 21 Dec 2007

Pre-orders open for the Mini PET 40/80, the closest thing to Commodore's classic around

Michael Wojcik Silver badge

Re: The PETs inspired me.

Mine too. And the first computer I ever wrote a working program for; and the first I ever modified someone else's code on (which might be more important); and the first I ever worked with someone else on a program (which is definitely more important).

A few years later I was using VIC-20s and TRS-80s (model I and III) and Apple ][s, and not long after the IBM PC, plus various minis and mainframes (for years I had stacks of teletype output stashed away for the sake of nostalgia). But that PET was where I started.

Honestly, if I had somewhere to set it up and use it, I'd be really tempted by this reproduction. I rarely spend money on something purely for the pleasure of it, except books; for this I might make an exception. Then I'd drive the grandkids crazy trying to get them interested in it.

Wine 6.0.1: For that one weird app on that one weird Mac

Michael Wojcik Silver badge

Re: Easier to run a VM

Eh? VMs existed on x86 CPUs before those ISAs included virtualization extensions. Do none of the various hypervisors support those CPUs any more? (I don't pay a lot of attention to this area.)

There are still good use cases for WINE rather than a VM, of course. Running an entire VM for one application that will run well under WINE is an absurd waste of resources on a smaller system.

Global Fastly outage takes down many on the wibbly web – but El Reg remains standing

Michael Wojcik Silver badge

Often that's because what the browser downloaded was an HTML document with no visible content and a horde of scripts which are now busy XHR'ing a dozen different servers for tens of megabytes of pointless crap.

Microsoft (who invented XHR), Google (who popularized it), and designers (who jumped on it like flies on shit) largely ruined the web. RIAs and SPAs are horrible ideas.

Proof-of-space cryptocurrency Chia triggers HDD sales boom in Europe

Michael Wojcik Silver badge

Re: GPUs

Or mining Monero, or Doge, or whatever the flavor of the month is. That's the real key: guess which bandwagon other people will be jumping on tomorrow, and get on first. Then off before the crowd bails out.

So pretty much the same as other investments.

Personally I find the whole thing too tiresome to bother participating in.

Michael Wojcik Silver badge

Re: Just great

Pfft. All criticisms of Chia are wrong, because it was created by Bram Cohen, the best network protocol engineer alive.

Modest, too.

Military infosec SNAFUs: What WhatsApp and bears in the woods can teach us

Michael Wojcik Silver badge

standard security terms

I have to quibble with this bit in a generally fine piece: "Like those Soviet decrypts, on paper WhatsApp looks secure — if you think in standard security terms."

"Standard" security – whether we're talking about security engineering, secure systems analysis, threat modeling, what some people refer to as a "security mindset", etc – would most definitely not stop at WhatsApp's (alleged) communications security.

No competent security professional would imagine for a moment that COMSEC is the full scope of any communications system. And encryption isn't the whole of COMSEC, either. Other posters have already mentioned traffic analysis and the risks of metadata capture by Facebook or other actors. But more importantly, historically COMSEC has more often been bypassed by OPSEC failures or compromising people involved in the system. HUMINT generally beats SIGINT.1

Many years ago Bruce Schneier famously remarked: "If you think cryptography will solve your problem, you don't understand cryptography and you don't understand your problem". To a first approximation that remains true.

WhatsApp is "secure" in a popular or naïve sense, perhaps. Not in any sense that should be called "standard security".

1ObUNIX: Yes, SIGKILL beats SIGINT too.

Michael Wojcik Silver badge

Re: It's not about the message, it's about the metadata

There's an OPSEC concern there, certainly. But those communications are likely to be voluminous and noisy enough that the practical value of traffic analysis is low. And while traffic flows on public networks can be obfuscated (as with Tor), some information will always leak.

That said, WhatsApp seems like a poor choice. They could at least have gone with Signal instead. (I realize WhatsApp has many features Signal doesn't, which is itself a security issue, because of the "Availability" aspect of the CIA triad and because users will seek to circumvent systems which they perceive as failing to meet their needs. But disciplined organizations can overcome those problems.)

There are a number of security analyses of WhatsApp. Here's one summary of some results.

Fastly 'fesses up to breaking the internet with an 'an undiscovered software bug' triggered by a customer

Michael Wojcik Silver badge

Re: If StackOverflow didn't use Fastly

Headline: StackOverflow Down; Software Development Comes to a Halt

(To be fair, SO is handy in the same way Wikipedia is: when you don't really care about the accuracy of the answer because it's just idle curiosity, or when you just can't think of some specific term and you need your memory jogged, or as a starting point to find what you need to look up in more-reliable sources. Unfortunately it will always be popular with the copypasta types.)

Michael Wojcik Silver badge

Re: Credit where it's due

Looks sideways at the employer's GitHub repository.

Ah, GitHub.

Linus: OK, here's an open-source distributed source-control system. It has a data representation few people understand and a user-hostile interface that periodically requires arcane incantations like "git gc --prune=now" to continue functioning under perfectly normal use. But the important thing is that it's decentralized, which is exactly what we want for the Linux kernel.

Everyone else: Great! This would be perfect if only we centralized it.

Cryptography whizz Phil Zimmermann looks back at 30 years of Pretty Good Privacy

Michael Wojcik Silver badge

Re: I think the real reason PGP succeeded...

A key which expired every 6-12 months and had to be replaced

What part of the S/MIME standard do you believe requires this?

Encryption was super slow

An implementation issue. This has nothing to do with S/MIME itself.

I drove a Buick once. It wasn't very good. Therefore all sedans are terrible, and everyone should drive pick-up trucks instead.

Michael Wojcik Silver badge

Re: I think the real reason PGP succeeded...

Actually you're paying for the private key and the certificate that encapsulates the public key which is signed by another key or by the private key. But for brevity I said key.

Still wrong.

If your CA is generating your key pair, You're Doing It Wrong. You should be generating the key pair and sending a CSR to the CA. The CA should never have possession of the private key.

And you don't have to pay for a certificate, either. If you're using a self-signed certificate (which I assume is what you meant by "the certificate ... is signed .. by the private key"), then there certainly shouldn't be any CA involved, and so no charge. Even if you have a CA-issued certificate, there isn't inherently any cost; if you're paying, it's for the privilege of participating in the CA's PKI. There are S/MIME deployments within organizations and consortia that manage their own PKI and thus have no reason to charge.

Indeed, there's no reason why a bunch of people can't cooperate on a PKI, which makes this aspect of S/MIME exactly equivalent to PGP's Web of Trust, in the simple model. And, in fact, PKIX allows other types of PKI graphs, so it's more flexible than the PGP Web of Trust PKI.

PGP is important for many reasons, and the Web of Trust PKI, while it has huge problems with scaling and sparse graphs, works for many purposes under many reasonable threat models. But S/MIME's use of PKIX trivially degrades to be functionally identical to the WoT, while offering a variety of alternatives to handle other use cases. This is a false distinction.

Conversely, there are many things wrong with PKIX, starting with the many (many) things wrong with X.509. But this isn't one of them. You're complaining about a particular use case which isn't even available with the WoT (even as augmented by keyservers, which are problematic in themselves). Apples and oranges.
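The "generate the key pair yourself, send only a CSR" workflow the comment describes, as an added example (not code from the post, the article, or any CA): it assumes the `openssl` command-line tool is on PATH; the directory, file names and the subject `/CN=example.test` are placeholders. The private key is written with a restrictive umask and never leaves the machine; the CSR carries only the public key and subject, self-signed with the private key so the CA can check possession.

```shell
#!/bin/sh
# Added example: key pair generated locally, CSR sent to the CA.
# Assumptions: openssl on PATH; names, paths and subject are placeholders.
set -eu

# make_key_and_csr DIR NAME SUBJECT
# Writes DIR/NAME.key (private key, mode 0600, stays here) and DIR/NAME.csr
# (public key + subject, signed with the private key; this is what the CA
# receives). Prints the CSR path.
make_key_and_csr() {
  dir=$1; name=$2; subject=$3
  mkdir -p "$dir"
  # Subshell so the restrictive umask applies only to the key file.
  ( umask 077
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
      -out "$dir/$name.key" 2>/dev/null )
  openssl req -new -key "$dir/$name.key" -subj "$subject" -out "$dir/$name.csr"
  printf '%s\n' "$dir/$name.csr"
}

# csr_ok CSR: the CSR's self-signature verifies and it contains no private key.
csr_ok() {
  openssl req -in "$1" -noout -verify >/dev/null 2>&1 || return 1
  ! grep -q 'PRIVATE KEY' "$1"
}

# key_matches_csr KEY CSR: the public key in the CSR is the one derived from KEY.
key_matches_csr() {
  a=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  b=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Stand-alone demo: sh this_file.sh demo
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d)
  csr=$(make_key_and_csr "$tmp" demo "/CN=example.test/O=Example Org")
  csr_ok "$csr" && key_matches_csr "$tmp/demo.key" "$csr" && echo "CSR OK: $csr"
fi
```

The two check functions are the ones worth keeping around: `csr_ok` catches the mistake of pasting a combined key-plus-CSR file into a CA's upload form, and `key_matches_csr` confirms the certificate you get back will actually pair with the key you hold.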

Michael Wojcik Silver badge

Re: I remember my PGP T-shirt well!

While RC4 is deprecated these days (too many higher-order correlations, plus the inevitable risks of using a stream cipher incorrectly and the lack of an AEAD mode), one of the great things about it was it was so short and simple. It could easily be printed on a t-shirt or even a napkin. Hell, it's pretty trivial to memorize.

In fact, that's one of the things I really like about RC4. It's great for demonstrating the inobvious nature of cryptanalysis. The algorithm is very easy to understand, and when you do it seems "natural": it's easy to see the purpose of every aspect, there are no magic constants or other features that are difficult to explain. That makes its flaws surprising. (How can there be higher-order correlations? Where's the structure? What does it arise from?) It's a great educational tool.
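The whole cipher, as an added example (mine, not the commenter's, the article's, or PGP's code): RC4's key schedule and output loop fit in a dozen lines, and the same block then measures one of the "surprising" flaws the comment alludes to, the Mantin-Shamir bias in the second keystream byte. The test vector `RC4("Key", "Plaintext")` is the published one; the keys for the bias count are random 16-byte values from a seeded PRNG, constructed here so the run is repeatable.

```python
# Added example: RC4 in full plus an empirical check of a known keystream bias.
# Educational only; RC4 is deprecated and must not be used to protect data.
import random


def rc4_keystream(key: bytes):
    """Generator yielding RC4 keystream bytes for the given key.

    The entire cipher is the key-scheduling loop (KSA) followed by the
    output loop (PRGA). The only state is a permutation of 0..255 and two
    indices; there are no magic constants, which is why it fits on a T-shirt.
    """
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    # KSA: start from the identity permutation and shuffle it with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # PRGA: keep permuting S and emit one byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def second_byte_zero_bias(num_keys: int = 20000, seed: int = 1) -> float:
    """Observed/expected frequency of the second keystream byte being 0.

    For an ideal stream cipher this ratio is about 1.0. Mantin and Shamir
    showed RC4's second output byte is 0 with probability about 2/256
    rather than 1/256, so the ratio comes out near 2.0. Keys are random
    16-byte values from a seeded PRNG (constructed sample input).
    """
    rng = random.Random(seed)
    zeros = 0
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        ks = rc4_keystream(key)
        next(ks)            # discard byte 1
        if next(ks) == 0:   # examine byte 2
            zeros += 1
    return zeros / (num_keys / 256)


if __name__ == "__main__":
    ct = rc4(b"Key", b"Plaintext")
    print("RC4(Key, Plaintext) =", ct.hex())   # published test vector: bbf316e8d940af0ad3
    print("round trip:", rc4(b"Key", ct))
    print("second-byte zero bias ~", round(second_byte_zero_bias(), 2), "(ideal cipher: 1.0)")
```

Nothing in the code hints at why byte 2 should favour zero; you have to trace the first two PRGA steps for the case S[2] == 0 after the KSA to see it, which is exactly the "where's the structure?" lesson the comment has in mind.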

Michael Wojcik Silver badge

Re: I remember my PGP T-shirt well!

Just ten years old and she's already on "watch list" for her school district because she knows too much. What kind of useless milquetoasts are her generation going to become, anyway?

Conversely, idiot school administrators banning these things (and punishing students for offenses such as biting a Pop-Tart into a gun shape) will thereby make them more attractive to many students who might otherwise dismiss them. There's nothing like forbidding knowledge to encourage people to acquire it.

Of course, it's still a problem, particularly for students whose families don't have the sociopolitical power to deal with any adverse consequences. But I have a couple of granddaughters, and a couple of sort-of-in-practice-if-not-biologically-or-legally grandsons, in that general age range, and I think they're going to do Just Fine. With plenty of encouragement and support from the adults closest to them, of course.

In this round of 'Real life or Black Mirror episode', drones that hunt down humans by listening to their screams

Michael Wojcik Silver badge

Re: Wrong sound I think

Agreed, though autonomously recognizing cries for help could be useful for a rescue-assistance drone. I suspect this is mostly a proof-of-concept, and what rescue teams would really like are drones using a model trained on various types of evidence to map an area and indicate the spots to prioritize for further investigation.

It is with a heavy heart that we must tell you America's richest continue to pay not quite as much tax as you do

Michael Wojcik Silver badge

they will only act ethically in their dealings

In cases like this, they are acting ethically. They're 1) following the law, and 2) observing a fiduciary duty to do so in the way that best benefits their clients. That's precisely how their ethical responsibilities are defined by their professional organizations.

If I decide to give $X to, say, Planned Parenthood, and my accountant decides not to claim that deduction on my taxes1 because he opposes Planned Parenthood, that's not ethical. If I give $X to a 501(c)(3) that advocates slavery and white power, my accountant would still be ethically obliged to claim that deduction – the morality of supporting that organization is irrelevant.

Professional ethics are not morals, and they're not about what is fair or just. They're about following the rules that a society has decided ought to apply when exercising a professional function. Morality must be a consideration in trying to develop a code of professional ethics, and there are situations where morality calls for violating ethics. But following both the law and professional requirements such as fiduciary duty is ethical; you can't (tenably) penalize it as unethical.

The problem isn't accountants. It's the law.

1Purely hypothetical. I do my own tax return, and since the Trump-era change to the personal deduction my wife and I haven't had enough in itemized deductions to beat the personal deduction, so our charitable contributions are taxed.

Michael Wojcik Silver badge

Fixes to complicated problems are rarely "simple and obvious", except to people who are rather simple themselves.

Setting a wealth tax at any fixed number, whether it's $10M or anything else, is simply stupid. You need to index for inflation at the very least. The large cost-of-living differences across the US are also a critical consideration.

Taxing capital gains at the ordinary income rate would be hugely punishing to the middle class, whose retirement savings are largely tied up in 401(k) accounts and real property. You'd devastate those members of the middle class who have tried to do the right thing and save for their later years.

Are "stonk transactions" supposed to be "stock transactions"? Those are mostly interstate so sales tax wouldn't apply anyway. I really don't know what you're hoping to accomplish with this one.

Corporate income tax is a sop to people who don't understand taxation. Corporations have all sorts of avenues for burying income, and the larger they are, the better they are at it. Corporate income tax punishes small businesses disproportionately; they're regressive. There are better ways to remedy the corporate-wealth problem, such as amending the tax law to remove the buyback loophole.

FICA (the "social security tax") should be made progressive, or at the very least flat. Agreed on that one. The cap on it is purely regressive.

I'm progressive. I believe real income tax rates are too low, and the Federal income tax is overall regressive. But most of the fixes (FICA aside) are neither simple nor obvious.

And, to be honest, I'd rather expend political capital on problems I think are more pressing. In the US economic realm, that would include access to health care and basic needs, sufficient retirement income for those in the lower and lower-middle brackets, student-loan debt and the cost of education, and so on. Outside economic security it would be things like police violence, incarceration, the surveillance state, and excessive police powers being handed to various agencies under the DHS.

'Universal Processor' startup Tachyum unveils full-system Prodigy emulator ahead of sampling later this year

Michael Wojcik Silver badge

Re: Getting too old for this

Ridiculous if you're not using graphene.

Michael Wojcik Silver badge

Re: Transmeta

Almost all? Is there still an x86 core that executes x86 opcodes directly? (Honest question.)

Michael Wojcik Silver badge

I don't expect we'll see any for the "greener era" or "human brain-scale AI"1 ones. What a load of rubbish that statement was, even for marketing-speak.

I don't have much hope for the performance claims, but at least they mean something.

1Though thanks to their poor understanding of the hyphen, there's no textual reason not to interpret this as "brain-scale artificial intelligence implemented using humans", which might just be achievable.

Australian cops, FBI created backdoored chat app, told crims it was secure – then snooped on 9,000 users' plots

Michael Wojcik Silver badge

Re: snoop-proof comms

Exactly. This is good for privacy, broadly speaking, because it's highly targeted; it's transparent to users (in the sense that the devices were distributed only within criminal networks, so you wouldn't acquire one unless you were a criminal); it didn't affect legal equivalents used by non-criminals (such as Signal); and it was a practical example of a major law-enforcement success which did not require backdoors in generally-available secure-communications systems, undermining the all-too-frequent calls for such backdoors.

Michael Wojcik Silver badge

Re: Pay to Crim

I assume you mean "signed warrant". And, yes, law enforcement engages in prima facie fraud with criminals all the time: undercover operatives, lying in interrogation, sting operations, etc. Obviously this will vary by jurisdiction but in the US, certainly, the law makes considerable latitude for this, due to a compelling state interest.

Michael Wojcik Silver badge

Re: 'What kinds of mobile phones would these be then?'

It's not hard, if you're so inclined and have access to the appropriate resources.

But then it hasn't been hard to use encryption at least since PGP arrived on the scene (and arguably before that, depending on how high you set the "hard" bar); yet many, many people who ought to be using encryption (at least under their own value systems) haven't been. Most people are cheap1 and don't want to take on even the cognitive load of figuring out how difficult it would be to encrypt their communications, not to mention the inconvenience and opportunity costs of doing so.

1This is a gloss and not really a useful observation. A better one would be a behavioral-economics analysis which concludes that most human actors make an economic decision to employ only a small set of the security controls necessary to realize their (generally underdeveloped) threat models, influenced to a great extent by intangible costs such as cognitive load and miscalculation of relative threats.

Lotus Notes refuses to die, again, as HCL debuts Domino 12

Michael Wojcik Silver badge

Re: Domino

One thing I liked about Notes as an email client: when you were reading a message and scrolled with PgDn (or PgUp), it put a little tick mark in the margin to show the former bottom (or top) of the page. When scrolling to the final partial page, this made it really easy to find your reading position again.

I don't think I've ever seen another GUI application do that. It seems so obvious.

Apple settles with student after authorized repair workers leaked her naked pics to her Facebook page

Michael Wojcik Silver badge

Re: Details

The question isn't whether an independent shop would do better; it's whether Apple's claim that there's a compelling likelihood it would be worse holds water. A failure of Apple's privacy protections decreases that likelihood.

Michael Wojcik Silver badge

Re: In before . . .

I think you should avoid pronouns with ambiguous antecedents, is what I think.

US House Rep on cyber committees tweets Gmail password, PIN in Capitol riot lawsuit outrage

Michael Wojcik Silver badge

Re: Who is Susan Rosenberg?

Eh? Swalwell isn't a process server. Why would he be personally serving papers to Brooks?

Remember Anonymous? It/they might be back, and it/they are angry with Elon Musk

Michael Wojcik Silver badge

Unless you're the "1 driver", you're not driving.

I'd be happy to take a train if there were any train service anywhere I needed to go. I've used passenger train service many times, when it was available. In the US, for most trips it simply isn't.

Michael Wojcik Silver badge

I often drive >> 400 miles in a day, and I can't sit around for an hour at each refueling stop. Even if chargers were available along my routes, and they aren't.

Michael Wojcik Silver badge

Re: I thought ...

The QAnon nitwits I've run across couldn't find 4Chan with a search engine and a YouTube video explaining it.

I suspect many of the downvotes to the OP are because there's no evidence to support the claim that Anonymous participants have become QAnon adherents. In particular, Anonymous was appealing to people who overestimated their own political and material power; QAnon appeals primarily to those who feel relatively powerless.

Michael Wojcik Silver badge

Not quite, a Ponzi scheme is funding payouts to existing investors from new investors

Exactly. "Ponzi scheme" is a term of art with a specific meaning, and Bitcoin (however terrible an idea it might be) does not meet that definition.

Flying dildo poses a slap in the face for serious political debate

Michael Wojcik Silver badge

Re: Misuse of Drone

Yes, this wasn't a particularly effective form of protest, and when the cost/benefit ratio is considered it's a terrible use of resources. Pretty dumb.

Gonzales is a controversial candidate (AFAIK; I don't live in Albuquerque, which is just fine with me1). Recently a spectator threw a punch at him at another campaign event, and one of his opponents brought an ethics charge against him – not just the usual posturing, that is, but filed a complaint with regulators that apparently has enough validity to be widely reported, at least. But there are much more effective, not to say legal, ways of organizing opposition to a candidate you dislike.

Sheriffs in New Mexico are generally controversial anyway. The sheriff office in the states I've lived in attracts ire because of its involvement in jails and prisons, in serving legal papers, and in property evictions and repossessions. And sheriffs in New Mexico in particular just can't seem to stay away from political battles they have no reason to engage with.

So a sheriff looking to use the office as a stepping-stone to others needs to have a thick skin and a sense of humor, at the very least. Tact and diplomacy would also be helpful.

1As cities go it's OK, I suppose, but I'm not a fan of living in cities larger than a few thousand people. Just not an urban type.

Report commissioned by Google says Google isn't to blame for the death of print news

Michael Wojcik Silver badge

Re: I'm probably being thick...

Maybe the 32.8 figure is the peak, which occurred somewhere between 2003 and 2019? So at some point when the total was higher?

Or, of course, it could just be some sort of error.

Snakes on a Plane meets The Simpsons as airline creates ‘whacker’ to scare reptiles away from parked A380s

Michael Wojcik Silver badge

Re: Engineers

"Sure, my title is 'Principle Engineer', but mostly I just maintain existential qualifiers. It's not a bad job if it exists."

Michael Wojcik Silver badge

Re: Each whacker is, however, labelled with the name of the A380 to which it is dedicated

It's probably as much to keep them uniformly distributed among the planes as anything else. Otherwise a tech would likely grab one from the first plane they passed by, and then leave it at another plane, and soon the whackers would be unevenly distributed and either you'd have five at your plane or none at all.

Labeling them is an incentive to keep one (or N) at each plane.

Simple human nature.

Michael Wojcik Silver badge

Re: Call that a snake?

The Stately Manor (which is soon to be someone else's Stately Manor, as Secret Headquarters have been fully relocated to the Mountain Fastness) is situated in an area known informally as the "Bat Capital of Michigan". Large brown bats and small brown bats are very common and will establish colonies in any building they can get into.

The city containing the SM is the county seat, and has a lovely courthouse in the Second Empire / Italianate style in the town square. During the summers discreet signs are posted in its restrooms urging patrons to check for bats clinging to the underside of the toilet seats, lest they1 suffer an unpleasant surprise.

Bats are, I suppose, less distressing than pythons in this particular context. But the rabies rate is around 3% in the brown-bat population, and rabies treatment2 isn't much fun, though I understand it's better than it used to be.

1The patrons, though I suppose the sentiment could be applied to the bats as well.

2Which you'll probably want to get, should you have any reason to suspect you were bitten. Good luck catching the bat that bit you to have it tested.

Now that Trump is useless to Zuckerberg, ex-president is exiled from Facebook for two years, possibly indefinitely

Michael Wojcik Silver badge

Re: Surprised he doesn't have a new teevee show

Well, sure. Someone else was paying for it.

(We were all paying for it. Even those of us who avoided it like the plague it was.)

Michael Wojcik Silver badge

Re: Good

I suspect that would fail the "cruel and unusual" test. On both counts.

Michael Wojcik Silver badge

Re: On the other hand ...

Yes, what we need is a Constitutional amendment for fair redistricting. That wouldn't solve all the problems with US Federal elections by a long shot, but it would be a big help.

(Marginally-relevant historical anecdote: Elbridge Gerry himself was opposed to gerrymandering, even though as governor of Massachusetts he signed the bill creating the district which inspired the term. Pressure from the party and all that.)

Biden expands Chinese tech and military blocklist to 59 companies

Michael Wojcik Silver badge

Re: But of course

True but tu quoque. US abuses don't excuse Chinese abuses, and aren't a reason for the former to refrain from complaining about the latter.

Antivirus that mines Ethereum sounds a bit wrong, right? Norton has started selling it

Michael Wojcik Silver badge

Re: I didn't need any more reasons to avoid Norton

On the other hand, there's plenty of money to be made hacking buggy Ethereum "smart contracts" (which, of course, are neither smart nor contracts). There's an obscene amount of money tied up in the Ether network, and studies have found that bugs in the contracts are very common.

There have been a few high-profile hacks of Ether, most notably the DAO hack which netted someone $55M.

Wyoming powers ahead with Bill Gates-backed sodium-cooled nuclear generation plant

Michael Wojcik Silver badge

Re: Go for it

Er ... Natrium here is the heat storage mechanism, not the fissile fuel, yeah? So Pascal was saying "I don't care whether you call your reactor by the element you're using to generate heat or the one you're using to store it". He wasn't confusing the two. Unless I've missed something, which is always possible.

FYI: Today's computer chips are so advanced, they are more 'mercurial' than precise – and here's the proof

Michael Wojcik Silver badge

ObIT

That's mercurial as in unpredictable, not Mercurial as in delay lines.

Michael Wojcik Silver badge

Re: Complexity: Another nail in the coffin...

it's not about how much stress any particular CPU encounters, but rather about companies that happen to use a lot of CPUs

Well, it's also about how much of the time a given CPU (or rather each of its cores) is being used, since that's what gives you a result that might be incorrect. If a company "uses" a million cores but a given core is idle 90% of the time, they'll be much less likely to encounter a fault, obviously.

So while "stressing" is probably not really an accurate term – it's not like they're using the CPUs outside their documented envelope (AFAIK) – "using more or less constantly" is a relevant qualification.

Supreme Court narrows Computer Fraud and Abuse Act: Misusing access not quite the same as breaking in

Michael Wojcik Silver badge

Re: Real Issue

Yes. Certainly in the jurisdictions I've lived in, there are other laws against misuse of police databases. The problem with the original Van Buren prosecution, as is generally the case, is the politicization of the prosecutorial office in the US, which has become a stepping-stone to higher political offices, severely compromising its economics. Among other issues, of course.

Various former prosecutors have written about this at length – Ken White on PopeHat, for example, or Jesse Eisinger's The Chickenshit Club.

Remember those wacky cyberpunk costumes in Hackers? They're on display in London this week

Michael Wojcik Silver badge

Re: Soundtrack

I wouldn't bet on it, at least in my case. I don't think I'll ever be able to sit through the whole thing.

There are certainly many bad movies I enjoy, but Hackers isn't one of them.

Unfixable Apple M1 chip bug enables cross-process chatter, breaking OS security model

Michael Wojcik Silver badge

Re: Hum, so now crackers can go full multi-process

All of which is pointed out by Martin on his site.

Michael Wojcik Silver badge

Re: Easy to protect against

Still not difficult for the communicating apps to correct for this with modern codes.

More importantly, it's irrelevant. There's no need to do this. Martin goes into this at length.

Michael Wojcik Silver badge

Re: So...

As Martin explains, at length, on his site.

Michael Wojcik Silver badge

Re: Te bug is real but can it be exploited

On an iMac or MacBook, unprivileged processes already have plenty of side channels.

This is an interesting architectural mistake. It's hard to see how it introduces a plausible new threat.

Martin makes all of these points on his site.

Michael Wojcik Silver badge

Re: Well, no.

There's no sign that a "comprehensive" fix for microarchitectural side channels will ever come. For one thing, researchers keep finding new ones.

Generating and discarding information has physical consequences. It's very difficult to mask all signals from those consequences.

(By the way, I quite like OP's "pale into significance".)

Biting the hand that feeds IT © 1998–2021