Posts by Luke McCarthy

301 publicly visible posts • joined 21 Feb 2008


Firefox to burn FTP out of its browser, starting slowly in version 77 due in April

Luke McCarthy

Re: "FTP is an insecure protocol and there are no reasons to prefer it over HTTPS"

>You can't just slap some TLS on the existing ftp protocol to implement it


Meltdown The Sequel strikes Intel chips – and full mitigation against data-meddling LVI flaw will slash performance

Luke McCarthy

Re: One day, not too far in the future,

Does Windows have an equivalent of "noatime" mount flag?

AMD, boffins clash over chip data-leak claims: New side-channel holes in decades of cores, CPU maker disagrees

Luke McCarthy

Re: Impact?

Any optimisation, either caching or prediction based on past behaviour (which is just a form of caching), is a potentially exploitable side-channel as it introduces an observable variable timing effect based on potentially privileged data. This is true for hardware or software. The only way to not leak information is for all operations to complete in a deterministic time that does not vary based on the data. This does leave a lot of clever speed up tricks on the table.

Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks

Luke McCarthy

Driver Signing

Can Microsoft not revoke the signature for the driver, or would that invalidate all Gigabyte drivers?

Loadable kernel modules were always a security exploit waiting to happen. Why bother with enforcing process memory protection if you can load arbitrary code into ring 0 that can modify arbitrary memory. Sure you have to jump through a few hoops to get there, but in the end you are no more secure than MS-DOS.

Hardware vendors can't be trusted to write secure drivers, and can't be relied upon to update them when exploits are discovered.

Built to last: Time to dispose of the disposable, unrepairable brick

Luke McCarthy

Re: As for me and my house...

I have gone from NUC/laptop, to mini-ITX, and back to full size ATX. The reduced size was too big of a trade-off against the reduced flexibility of adding more than one PCI-e card. Mini PCs are cute and look nice, but you can't beat a good old desktop tower.

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Luke McCarthy

Yes, true in this case. I was speaking more generally. Invoking the shell is the only reliable way to parse command lines exactly how the shell would parse them, since there is not a standard library function to do this. This mda_command appears to be plucked from smtpd.conf:

> deliver to mda program [ as user]

> Mail is piped to the specified program, which is run with the privileges of the specified user or the user the message is destined to. This parameter may use conversion specifiers that are expanded before use (see Format Specifiers).

I guess someone decided they would like to put arbitrary shell syntax here, to allow for variable expansion and such, and correct interpretation of quoted strings.

Luke McCarthy

Unfortunately, Unix does not provide a way to call another program, or send a message to another program, in a type-checked way. (If it did, command-line syntax parsing could be automatically generated instead of hand-written). In other words, the OS level API is too low-level, burdening every program with the task of correctly serialising and parsing data which crosses a process barrier, a hairy and difficult task even for the experienced developer.
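The two comments above turn on what happens when data crosses a process boundary as shell text. The following is an added example, not code from OpenSMTPD or from the comments: the template, the `{sender}` placeholder and the sample value are constructed. It runs the same admin-written command twice, once with the value expanded into the text the shell parses and once with the value handed over as a positional parameter.

```python
import subprocess

# Hypothetical admin-written delivery command. "{sender}" stands in for a
# conversion specifier that is expanded before use (placeholder name assumed).
MDA_TEMPLATE = "echo delivering for {sender}"

def run_expanded(sender: str) -> str:
    """Expand the value into the command text, then let sh parse the result."""
    cmd = MDA_TEMPLATE.format(sender=sender)
    proc = subprocess.run(["/bin/sh", "-c", cmd],
                          capture_output=True, text=True)
    return proc.stdout

def run_as_parameter(sender: str) -> str:
    """Let sh parse only the admin's text; the value arrives as "$1"."""
    cmd = MDA_TEMPLATE.format(sender='"$1"')
    # Arguments after the command string become $0, $1, ... inside sh.
    proc = subprocess.run(["/bin/sh", "-c", cmd, "mda", sender],
                          capture_output=True, text=True)
    return proc.stdout

# Constructed sample value: the semicolon ends the first command when the
# shell is allowed to parse it as syntax.
HOSTILE = "a@example.org; echo INJECTED"

if __name__ == "__main__":
    print(run_expanded(HOSTILE), end="")      # two commands ran
    print(run_as_parameter(HOSTILE), end="")  # one command, value kept as data
```

The second form keeps shell syntax available to whoever writes the configuration while the per-message value never reaches the parser.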

Google halts paid-for Chrome extension updates amid fraud surge: Web Store in lockdown 'due to the scale of abuse'

Luke McCarthy

Re: So Google provide Android....

App stores are the perfect distribution method for malware. You don't have to lure users to your dodgy website and convince them to download and run your program. Instead the user can find your app through a centralised, legitimate platform and all they have to do is click Install. You can even steal the reputation of a legitimate application by copying their name and icon and Google probably won't notice or give a damn. Malware checking? "Curation"? Mostly automated systems that are easily gamed, or underpaid/overworked subcontracted employees in Bangalore that need to approve 100s of apps a day (speculation). By the time your ruse is discovered, thousands or millions of people have already installed and run your malware obliviously.

Brit brainiacs say they've cracked non-volatile RAM that uses 100 times less power

Luke McCarthy

Re: RAM clear on power off ?

The problem could be avoided by encrypting RAM (which AMD EPYC CPUs can do already).

Luke McCarthy

Re: "Within the next decade we'll either have it or we won't"

It's always a good idea to cover all possible outcomes when making predictions about the future ;-)

Luke McCarthy

Re: Times makes things larger not smaller

times_less(x, n) = x * 1/n

Image-rec startup for cops, Feds can probably identify you from 3 billion pics it's scraped from Facebook, YouTube etc

Luke McCarthy

Re: Legality

I think the problem is most people don't think of it as being public - they are sharing photos with their friends and family, and don't expect them to be automatically scraped and added to a database for ulterior purposes. The fact that this is technically possible, most people are unaware of. Social media is a very new thing and people have yet to really adjust to the technology or understand its deep implications. Suddenly millions (billions?) of people are as public as politicians and celebrities, but they don't really have the tools, power or ability to manage this level of mass exposure.

WebAssembly: Key to a high-performance web, or ideal for malware? Reg speaks to co-designer Andreas Rossberg

Luke McCarthy

Re: You can import stuff from your host environment

In the case of Wasm, the host environment is JavaScript. So you can import any API JavaScript can access, but nothing more. So Wasm is no better or worse than JavaScript, other than the ability to perhaps run code faster.

LG announces bold new plan for financial salvation: Trying to actually make phones people want to buy

Luke McCarthy

Re: Read it here ...

The majority just want to be cool and fit in, issues that the technical minority care about are irrelevant. For an example, 3.5mm headphone jacks; this is obviously better for various reasons which I won't bother to repeat. To the majority, the trend-setters Apple now say it's cool to have funny white sticks coming out of your ears, so the loss of this jack is a non-issue. What kind of nerd would want to plug in headphones?

Xbox Series X: Gee thanks, Microsoft! Just what we wanted for Xmas 2020 – a Gateway tower PC

Luke McCarthy

I used to have a PC case like that

Silverstone FT03-Mini

WebAssembly gets nod from W3C and, most likely, an embrace from cryptojackers online

Luke McCarthy

Like Java, but without garbage collection or object orientation. So, JVM for C code.

We took a shot every time Qualcomm said 5G, AI or mobile gaming in its Snapdragon 865, 765 system-on-chip launch...

Luke McCarthy

Re: " 'desktop-level' performance"

It's still a moving target. Smartphones already have desktop-level performance, for 15 year old desktop PCs. But desktop-level performance is now represented by the Ryzen 3950X.

No wonder Bezos wants to move industry into orbit: In space, no one can hear you* scream

Luke McCarthy

Re: "it'll work with little energy because you're going down, gravity-wise"

At least in space you have uninterrupted (and unfiltered by atmosphere) solar power, assuming you keep out of the shadow of a planet or other large object.

Bad news: 'Unblockable' web trackers emerge. Good news: Firefox with uBlock Origin can stop it. Chrome, not so much

Luke McCarthy

The Web Platform is the problem

This is inevitable if you allow arbitrary code to execute automatically which can open new connections to another server, either by async requests, web sockets or modifying the page DOM to refer to another resource (which will be auto-loaded by the browser). You could do all the tracking aggregation first-party, with scripts fetched from the primary domain and data exfiltrated to the primary domain, and then send to third parties from the server. There would be no way to stop it without disabling JavaScript, which breaks most websites. Even with JavaScript disabled, you could fingerprint the client with various techniques, like using IP addresses, HTTP headers, and first-party cookies and other side-channels, and send the data out to trackers from the server.

'Literally a paperweight': Bose users fume at firmware update that 'doesn't fix issues'

Luke McCarthy

Re: How did we get here exactly?

If we stuck to CRT tellies none of this would have happened. LCDs created the need for a soundbar because they were too thin to have a decent speaker in them, then some bright spark thought it was a good idea to use Bluetooth instead of a wire to connect it. That requires a CPU and complex software to implement the Bluetooth network stack which created the need for firmware updates. One problem leads to a solution which leads to another problem...

Heads up from Internet of S*!# land: Best Buy's Insignia 'smart' home gear will become very dumb this Wednesday

Luke McCarthy

IoT will never reach its potential

IoT will never reach its potential while it relies on proprietary embedded software, proprietary protocols and proprietary 'apps'. These need to be standardised so the devices and users are not in any way dependent on any particular vendor to release software updates, keep cloud services operational and develop the end-user software to manage and operate the IoT devices.

40 million emoji-addicted keyboard app users left with $18m bill – after malware sneaks into Play Store yet again

Luke McCarthy

Re: so glad google are keeping us safe.

Centralised app stores just make it easier for malware to be distributed and trusted unthinkingly by users. I would argue it would be more secure to distribute apps on random websites, on average, since the malware authors would have to put in more effort to get punters to their dodgy website. It's clear Google does very little, if any, checking of apps, and the system is gamed very easily. App stores are really about extracting maximum revenue and user data from a platform.

Tinfoil-hat search engine DuckDuckGo gifts more options, dark theme and other toys for the 0.43%

Luke McCarthy

Yes, using the CSS selector "@media (prefers-color-scheme: dark)"

Luke McCarthy

Re: Go

Same reason DOS/Windows dominated PC operating systems - because it's installed by default. If you have to lift your little finger to change, forget it. It's too much effort for the average person.

Chemists bitten by Python scripts: How different OSes produced different results during test number-crunching

Luke McCarthy

Re: Not sure the comparison is valid

It would make sense for glob.glob() and os.listdir() to return sorted lists, to avoid this kind of platform-specific random input. They already filter out '.' and '..' anyway, sorting is hardly going to make any performance difference in practice.

GDP-arrrrrrgggghhh! A no-deal Brexit: So what are you going to do with all that lovely data?

Luke McCarthy

Re: But didn't parliament vote against a no-deal Brexit?

You can make a law against the tide coming in, but that doesn't mean it won't.

Allowlist, not whitelist. Blocklist, not blacklist. Goodbye, wtf. Microsoft scans Chromium code, lops off offensive words

Luke McCarthy

Re: We need to solve this once and for all

All menus should be removed and replaced by toolbars with icons but no labels or tooltips. On the plus side, all applications will be fully internationalised by default, assuming no culture-specific icons or icon colours are used, reducing the burden of translation. We can remove font rendering from the operating system to save space and reduce complexity.

Stuff like sophisticated government spyware is scary and all – but don't forget, a single .wmv file can pwn you via VLC

Luke McCarthy

Lots of old C and C++ code, especially in video codecs, that is difficult to write and re-write. Who is going to re-write hundreds of legacy codecs in Rust? And who is going to pay them to do it? (Nobody)

We checked and yup, it's no longer 2001. And yet you can pwn a Windows box via Notepad.exe

Luke McCarthy

JavaScript code can't call Win32 API functions, not without using a browser exploit first anyway. It's probably possible with VBScript in older versions of IE though...

Linux Journal runs shutdown -h now for a second time: Mag editor fires parting shot at proprietary software

Luke McCarthy

Why are unpaid people bothering to maintain critical infrastructure? If you diligently work to keep the megacorp's bucks rolling, nobody will thank you for it. Let it crash & burn, and they'll come begging you to fix it (with money).

Luke McCarthy

Re: Linux Mag

Surely it was Mandrake back then?

Rome wasn't built in a day, wasn't teased in a day, either: AMD's 7nm second-gen 64-core Epyc server chips finally land

Luke McCarthy

509 keys

That's a funny number... is that actually referring to the X.509 standard for public keys?

Cloudflare gave everyone a 30-minute break from a chunk of the internet yesterday: Here's how they did it

Luke McCarthy

Back to comp-sci school

That's what you get for using a regular expression engine that uses nondeterministic finite automata (with backtracking). For applications at this kind of scale, only a DFA will do.
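The difference the comment points at can be counted directly. This is an added example, not code from the article or the comment: the pattern `^(a|aa)*b$` is constructed for illustration and is not the expression involved in the outage. One function explores it the way a backtracking matcher does, the other walks a DFA for the same language, and both report how many steps they took.

```python
def backtrack_match(text: str):
    """Match ^(a|aa)*b$ by trying alternatives in order; returns (matched, steps)."""
    steps = 0

    def attempt(pos: int) -> bool:
        nonlocal steps
        steps += 1
        # Alternative 1: consume "a" and go round the loop again.
        if text.startswith("a", pos) and attempt(pos + 1):
            return True
        # Alternative 2: consume "aa" and go round the loop again.
        if text.startswith("aa", pos) and attempt(pos + 2):
            return True
        # Leave the loop: a single "b" must be all that remains.
        return text.startswith("b", pos) and pos + 1 == len(text)

    return attempt(0), steps

# DFA for the same language: 0 = reading a's, 1 = final b seen, 2 = dead.
DFA = {(0, "a"): 0, (0, "b"): 1}

def dfa_match(text: str):
    """One table lookup per input character; returns (matched, steps)."""
    state, steps = 0, 0
    for ch in text:
        steps += 1
        state = DFA.get((state, ch), 2)
    return state == 1, steps

if __name__ == "__main__":
    for n in (10, 15, 20):
        subject = "a" * n  # constructed non-matching input: no trailing "b"
        print(n, backtrack_match(subject)[1], dfa_match(subject)[1])
```

On the non-matching input the backtracking step count grows like the Fibonacci sequence with input length, while the DFA count equals the input length.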

Google's Fuchsia OS Flutters into view: We're just trying out some new concepts, claims exec

Luke McCarthy

Modern GPUs are very complex beasts which require huge drivers which cannot be effectively audited. Running all that code in kernel mode is asking for trouble (security & stability). Windows since Vista switched back to mainly user-mode GPU drivers (with a small portion inside the kernel). I've had the NVIDIA driver crash before, the screen goes blank for a second and then a pop-up notification appears telling you the driver crashed.

Can't quite cram a working AI onto a $1 2KB microcontroller? Just get a PC to do it

Luke McCarthy

It doesn't specify which STM32 they used in the paper, and the RAM available varies by quite a lot depending on the model. The highest-end models have 1MB, and go as low as 16KB. The image format could have been 8-bit or even 1-bit since it's only character recognition, and the data could have been streamed so the whole image wouldn't have to fit in memory to work. Also some STM32 have a DRAM controller which would allow them to access several megabytes of memory.

Mozilla returns crypto-signed website packaging spec to sender – yes, it's Google

Luke McCarthy

Re: Can we get Web caching back, please?

Your local browser can cache content that you have looked at, but an ISP for example would be unable to cache content that multiple customers are accessing.

Luke McCarthy

Re: Not sure the comparison is valid

This could be achieved by other means, for example cryptographic signing of content which would still allow caching and ensure the content cannot be re-written by third-parties.

Mozilla tries to do Java as it should have been – with a WASI spec for all devices, computers, operating systems

Luke McCarthy

Re: (+1) Spectre likes this

WebAssembly binaries can be re-compiled easily to take into account new Spectre mitigations as they are discovered. This isn't really possible in general with native binaries.

Packet's 'big boy' servers given a shot in the Arm with 32-core, 3.3GHz Ampere CPUs

Luke McCarthy

Re: Please can we have a real speed metric

The industry standard in this regard is CoreMark. They don't appear to have any scores of any Ampere chips as of yet. https://www.eembc.org/coremark/scores.php

BT: We're killing the dabs brand. Oh and can customers re-register to buy on our site?

Luke McCarthy

I thought BT Shop was just a rebranding of Dabs, I didn't know BT actually run it (and Dabs).

AWS could 'consider' ARM CPUs, RISC-as-a-service

Luke McCarthy

Re: for some applications

The parallel part of the Parallela is a different ISA though (Epiphany).

Eight hour cleansing to get all the 'faggots' and 'bitches' OUT of Github

Luke McCarthy

I can't say I've ever used vulgar language in code comments since I was 16, but then again I don't really write many comments.

Why can’t I walk past Maplin without buying stuff I don’t need?

Luke McCarthy

Re: Matrix Broad?

I guess he's referring to perfboard

Luke McCarthy

Re: Farnell

or Digikey

Microsoft to get in XP users' faces with one last warning

Luke McCarthy

Re: huh ?

Maybe you can triangulate its location using ping latency.