Posts by bazza

Re: If it's Boeing

It's certainly a slogan that's come back to bight them where it hurts...

But to really make a risk assessment one has to look at what's actually going on. And, after the door blow out, it seems that a large slice of compulsory Quality Control effort has been injected by the FAA themselves (no more self-signing...).

777x

The 777X in particular has been through the ringer, and still is going through it; there's a reasonably good chance that that will turn out to be a safe and reliable aircraft. That would be a remarkable turn-around. Back in the bad old days you'd see ugly court cases where the company was being sued by ex-employees who'd raised concerns only to be fired for their trouble. It's gone from a program widely rumoured to be riddled with questionable design decisions to one that' had a thorough going over by a lot of non-Boeing eyes, and a lot of changes.

There is one thing that troubles me; it's a bit like a software project; you walk into a project, and you can pretty quickly tell what sort of job the team has been doing. Sometimes, it's obviously been done well, with quality at the heart of the project's feeling; everyone's been doing a good job, and you know the software is going to meet its design goals.

Sometimes, you can tell straight away that the project is an absolute stinker, with a lot of question marks over many, many parts. You know that this one's going to succeed only with an awful lot of review, extra test and a ton of debug. Quality is going to have to be hammered into it, and there's a risk that not all bad bits will be found.

Guess which one 777X looks like to me! I was especially alarmed by the thrust link failure, because they found it by luck (that aircraft could easily have crashed on the next take off and they found it only because of some unrelated servicing coincided with a sharp-eyed worker doing the servicing). They weren't looking out for it. They'd gone past the stage where they thought there were no more surprises, everything was back on course (but it wasn't).

FAA, US Gov, and Politics

Certainly, the future of Boeing rests very much in the hands of the FAA. They're deeply involved in the prevailing QA/QC work, and that's likely making a huge difference. This is not necessarily a good thing overall for Boeing.

The 777x is only worth anything at all if it's allowed to fly. The FAA can say "yes, it can fly overhead the USA". But, they can't say that for anywhere else on earth. In Europe, it's the EASA that say "it can fly over Europe", CAA in the UK, CAAC in China, etc. Those regulators give permission largely on the basis of trust; "if the FAA say it's good enough, then that's good enough for me" is how it supposed to go.

The trouble is that the FAA's reputation took a massive knock with the MAX crashes. It was the rest of the world that grounded the MAX, not the FAA. The reason why was because the FAA's assurances on the MAX simply did not have any credibility. That's not because the people in the FAA were making it up out of malice or incompetence, it's because the FAA had been denuded through reduced budgets by under all administrations for decades to the point where the coverage the agency's staff could provide had become ineffectual. This was a ghastly example of ignorant people saying "Why do we need to do this? Nothing ever goes wrong".

The issue for overseas regulators is that - to trust the FAA - they have to know what sort of condition the Agency is in, whether its foundations, funding, mission, freedom to act is secure. And that all starts to become very political judgements. And when one considers that an overseas regulator deciding that the FAA isn't to be trusted, and therefore that new Boeings aren't to be trusted, the consequences of that become big geopolitical problems within about 30 minutes. And if they ever had to reach that conclusion at the moment, that means the Orange Fake Jesus gets annoyed leading to who knows what.

It doesn't even have to get to the point where the FAA is judged to be unfit. If the US politicians / administration are judged to be acting irrationally over the funding and independence of the FAA, it becomes pretty hard for overseas regulators to continue to have faith in it. And the problem right now is that there's already rumblings of political interference in the FAA. It really wasn't helped by the likes of Elon Musk clearly using his former position as a way of (as he would see it) reigning in the FAA so that he can do whatever he likes with SpaceX.

If Boeing were building the 777X under the auspices of the EASA, there'd be no problem; that Agency has a good reputation and it's mostly independent of meddling politicians. And yes, it's perfectly possible for US manufacturing to come under an overseas regulator. It'd still need FAA permission to take off and overfly US territory to leave the USA, but otherwise it'd be good to go to wherever the overseas' regulator's word is accepted. It's a lot more expensive for Boeing to be regulated that way (they'd be paying for EASA staff to travel to the USA a lot).

There's also the hybrid approach; this happened with 747-400; the CAA in the UK was involved in the FAA's effort somehow, and managed to spot a structural problem that everyone in the USA had missed (related to the extension of the hump backwards I think).

TLDR

Anyway, that's a very long winded way of saying that if you don't think US politics is delivering an economic / regulatory environment in which manufacturing tends towards "quality" instead of "profit", then don't fly on one of their aeroplanes. Many have already made their decision on that front.

Personally I think the 777x will turn out to be safe, but at the end of the day it will have 10-across seating in a cabin designed for 9 across. Boeing say they've tinkered with the wall thickness to try and liberate a few more interior inches, but it remains to be seen if this has made any noticeable difference or introduced some other passenger discomfort. In contrast, all of Airbus's planes (and especially the A380) give a high-quality ride even for economy class; guess what I choose to fly on.

Re: How many of those orders will get dropped?

The article is about deliveries, not orders. By definition, they cannot be dropped because they've actually happened!

If anything, despite all that's going on in the world. the recipients are likely grateful for them as they'd be replacing older less fuel efficient aircraft.

Re: Idiots never reboot

Er, I don’t think you know much about electronics or power control in modern computers.

For a start, it’s perfectly normal for a computer or CPU to turn bits of itself off and on just in normal operations without the user ever being aware. And if one is to consider wear and tear on parts, you deal with dopant migration across silicon semiconductor junctions by turning them off as much as possible.

What tends to fail is capacitors and fans. Spinning fans less lengthens their life.

Liquid electrolyte capacitors are a bit odd; they prefer being kept powered up, preferably somewhere close to their operating voltage. Though good modern ones are far better than the old ones and don’t dry out anything like as quickly. It used to be a common design mistake to fit, say, 63V caps then operate at 12V.

I don’t think anyone is using thermionic valves in modern computers.

HDDs are about the only thing I know of that - if old with many operating hours on the clock - can be a bit grumpy about spinning up from cold. I have on occasion revived such drives with a light tap from a hammer to get the bearings unstuck. But if your drive is in that condition it is EOL anyway.

Re: The inversion of capitalism

It is pretty crazy.

It may balance out in the end; there's be a lot of bankrupt companies and second hand hardware fire sales. And, new prices will become cheap again. We kinda saw that when everyone stopped using GPUs for Bitcoin mining...

Some other countries don’t play nicely with dual nationality. Being British but travelling on the other passport is sometimes the only option for visiting one’s other country.

Having to have a “your British” stamp in that passport or having a British passport to travel back is risking losing your other nationality. Ask someone from Malaysia, Japan, Brunei, etc.

Re: To be expected

Not so sure, if they’d stuck to using just Kelvin most of their readers would not understand.

But with that in mind it would probably have been better to stick to Celsius or Fahrenheit

Re: I look forward to the security bounty announcement

They probably would, but I'd guess it's a money thing. Microsoft, Google, et al I think offer substantial rewards. If one is going to enter into that kind of thing, you'd have to attract the participants with something valuable. My guess is that the Notepad++ project doesn't have pockets as deep.

There is the altruistic approach, which in this case (coz Notepad++ has been a generous friend to many of us for years) may succeed. Could take little more than a message on a webpage guiding Whitehats on how to make contact.

Re: author claims makes the "update process robust and effectively unexploitable."

Oh, it's highly exploitable. It's only as strong as the credentials used to access the source end of the update mechanism. One lazy password, one carelessly delayed machine patch, one zero-day on that machine or any of the others involved in building and delivering that binary, one source code repo illicit access and the now oh-so-reassuringly-strong-and-much-more-trusted update mechanism is delivering tainted code as before, likely with less vigilance on the part of the recipients due to the misplaced confidence.

The same applies to end-2-end encryption systems being unbreakable. The intended mathematical design may well be hard to break by a Man-in-the-middle. But what counts is the as-delivered implementation, which is dependent on a pretty wide set of persons (consider all the dependencies) and their log-in credentials being trusted and secure. We've seen this kind of vulnerability nearly succeed against sshd globally a couple of years ago, when that compression library repo got compromised by a long-running social engineering effort against the original developer. Had that attacker been just a little bit more careful, they'd have succeeded.

Re: The problem here

Doesn’t help if the machine is going to be expected to process millions of such checks per second. Isochronic code is intended to be as fast as the machine can achieve and no slower. A timer means a compromise.

Also, there’s consequences in cache usage which another process can probably sense; the process that goes to sleep having completed its function would have to find something negatory to do, with the problem that the compiler may strip that out..:

Re: Only one answer

Can one have one’s G-Cake and eat it?

> To reiterate, this is *not* a bug in the compiler. If anything, it's a bug in the language which explicitly permits your code to be transformed in ways you don't expect.

I've got no problems with compilers spotting and stripping out pointless code that has no side effects or consequences to the final state of the program. It's when they generate code that produces a program with a different final state to that specified by the C source code. That's when the compiler is no longer a C compiler.

I have come across this in some compilers. The one in IAR Workbench for AVR's was at one point producing broken code if one turned on optimisation.

I've no idea if -O3 in gcc falls into this category. I can see why a "myth" could build up that it does (especially as it starts moving code order around), but the gcc folk are generally pretty careful.

> The C spec has nothing to say about timing of the generated assembly language

Indeed so. Though it's interesting; C started off back in the 1970s intending to be just a thin veneer atop assembly code, and therefore gross optimisations (like chopping out side-effectless code) are somewhat contrary to this philosphy (because, an assembler wouldn't carry out such optimisations). In this regard, C is no longer a "Systems" language, at least not with today's compilers implementing it; one cannot guarantee in source code alone what the system behaviour will be. System behaviour depends more than ever on how the code has been built. That's a perversion of what was intended. The side effect is that stuff like security (which is pretty important) can get broken, and is vulnerable to being silently broken despite zero code / build script changes.

It's all very well saying "but the standard says this is OK", the problem is that there were some things so intrinsic in expectations that no one thought to put them into the standard. Simply hiding behind the standard is akin to "just following orders" responsibility denial, especially given that the compiler authors are pretty mixed up in the standards creation process itself.

Perhaps the standard should be updated, so that where such things matter the source code can insist on specific system outcomes.

-O3 being dangerous strikes me as somewhat absurd. If the compiler is building code that does not implement the as-written source's functionality, then it's not acting as a C compiler. Instead, it's acting as a nearly-but-not-quite C compiler that goes wrong in exciting and arcane ways.

Worse still, it's misbehaviours like this that make life a lot harder for developers. If one cannot trust the compiler to build correct code no matter what the build options are, then the build system's configuration and binary testing becomes a whole other thing to worry about, on top of whether or not the source code is correct.

Meusel and colleages are to be deeply congratulated for being alive to the problem and having a means of noticing the change (even if it was luck, or curiousity!). To set up a build / test system that could reliably spot when critical execution time variations have been changed by the compiler (when nothing but the compiler version has changed) - that's a ton of effort to make it work reliably.

Another interesting problem is, it's not just the compiler. All a compiler does is produce op-codes. These days, the op-codes get interpreted by the instruction decoder pipeline and broken down into instructions the core will actually run, and its the timing of these that actually matter. Really, the only way forward with instruction decoders is to make them do more and more complex analyses, much like compiler optimisations. If they start getting good enough to chop out nugatory sections of code...

Operating systems like INTEGRITY are quite interesting. The versions of that which I have used execute on a single core only, and dole out execution time to processes on a fixed-allocation basis. That's probably the only way to be totally sure of not having timing side channels.

There are other concerns that the FTC could be interested in. Such a purchase is some sort of formal tie-up between the two companies which could grow, and there's also the matter of whether or not they're forming a cartel. Of course, a cartel can form without a share purchase, but this way there's a formal governmental "it's all OK".

Possibly the companies will move closer together, and wanted to get this off to a good, officially approved start.

Re: "Digital Sovereignty" -- More Misdirection

That's nothing more than saying that if you get wet, you're wet, and dismissing as useless all the various clothing options that exist to prevent one getting wet.

Re: So Airbus Builds Out It's Own "Cloud" Provider In Europe......

Who knows.

AWS isn't great for straight forward commercial control; copying it may not float anyone's boat. So far as I can tell if one goes all-in with AWS you end up with a bunch of lambdas that work only on AWS, with all your data on AWS. One may have a good commercial relationship with AWS, but if Amazon itself gets into trouble, one runs out of options pretty quickly. If one has a bad commercial relationship with Amazon, things could be considerably worse. Outright copying that feels like it would be missing an opportunity.

One thing the EU has been quite good at is standardisation. Coming up with a standard for "cloud" (whatever that is) and then mandating it creates a more vibrant ecosystem. This is what happened in mobile telephony; the US let companies (Qualcomm) create their own standard, Europe created GSM as an open and complete standard. The result was that the whole world ended up on GSM and a rich choice of phones, whilst the US didn't. Europe / the UK went further, making it trivial to swap providers whilst keeping one's phone number. Now everyone in telecoms understands the commercial benefits of a "standard", so we have 4G and 5G these days. The same could be made to happen in Cloud; there'd be US providers, but if you want actual resiliency you'd pick the Euro-standard suppliers and then be able to pick and choose which provider one actually used.

What such standardisation has done in mobile telephony is made sure that the access providers are profitable, but not too profitable and prices are kept keen. Cloud as currently formulated by AWS and others is somewhat proprietary and has all the possibilities of price gouging (I'm not saying they are, but there's no technological / legal guarantee that any attempt at such a practice would be trivially thwarted by customers simply moving elsewhere over night. It's a lot of work to re-Cloud applications, etc). It would be far better if Cloud followed the telephony business model. It would also make hybrid models (some self hosting, some cloud) more achievable, which is the model most companies would like to follow.

Re: air gap

Google (of all companies) announced a while back they were starting a project to get dev teams working "off-internet". I've no idea how that's going, but as they're probably one of the "usual suspects" it may be that they've got a trick or two up their sleeves to meet such a requirement.

Re: "Digital Sovereignty" -- More Misdirection

Whoa!

There's the vast gulf between a data breach / loss brought about by the hosting company actively cooperating with an aggressive or suddenly hostile foreign government, and one brought about as a result of a security lapse. I'll give you a clue; the former involves a massive betrayal of trust, a contractual breach, and possibly broken laws in a legal jurisdiction and may require a war to reverse, whilst the latter is simply a common or garden hazard of doing business on the Internet against which it is possible to take precautions.

Air gaps and private cabling are well known solutions which are already in use by organisations with specific needs. And, contrary to your assertions, they too are not immune to problems.

Re: "It's new and shiny - it must be better!"

The GNU coreutils seem to have benefitted from a re-write in Rust (fewer bugs including some that were discovered along the way, quicker).

Rust's sneaky party trick is that you don't have to really decide. If you've got a big pile of C (e.g. a kernel) and you want to add a new module, you can write that module in Rust and have a proper calling interface with the existing C. You can do the re-write at leisure.

Though one of the aspects that worries me is that one might end up with a bunch of Rust modules calling each other as if they were C (probably much use of the Unsafe keyword), whereas if the whole code base was pure Rust you'd not have that.

Interfaces are something that most software / software ecosystems does very badly. The worst is command line interfaces; fine if used by a human in an intended way on a terminal, but absolutely terrible as a means to get data moved from one program calling into another. We need fewer ways of interfacing. Anyway, my point is that just because a code base has been converted from one language to another, that's not necessarily the end of it. Getting rid of the old way of interfacing modules and adopting the new language's way is an essential part of the task.

I know someone (younger than myself) who deliberately launched themselves off into COBOL. They're very busy and successful.

Re: Death March

Rust came in to being specifically to support a re-write of Firefox from C++ to Rust! And, they've done a fair bit of that now.

Indeed, the value is in tested, known-to-work code. However, a code re-write in a language that is at a higher level than the original does make sense, and has been done comparatively often. The higher level in theory means that there's less testing / debug to do, and that can be essential for a piece of software to expand so as to help the overall testing burden of such an expansion to remain manageable.

This is precisely why compilers were written in the first place; if not, we'd all still be using assembler.

Re: Not the holy grail

Myriad studies have found that a large proportion of bad bugs in software are related to memory mis-use. Using an alternative to C/C++ that is memory safe just makes sense, because of the ease with which such bugs are eliminated. Even code as venerable as the GNU coreutils was found to not be bug free (after all this time) when someone started a reimplementation in Rust.

I'm firmly in the camp that Rust Makes Sense, if you can have the inclination to use it.

However, I do have some reservation about what MS are doing. There's a lot more to Rust than simply "it's memory safe". Unlike C/C++, it has a built in Actor Model and CSP mechanism (or at least there's a crate for such a thing); the latter is what make Golang so appealing. If you take C/C++ and just translate it, what they'll end up with is a Rust translation of their existing C/C++. However, that'd probably miss out on the opportunity to re-think what the code is actually trying to do, and potentially miss out on using language features that Rust has and C/C++ do not. Granted, their "AI" approach may be smart enough to do that re-thinking, but that feels like a bit of a stretch.

I'd also be interested if they'd turn on Rust's "Fearless Concurrency".

Re: Javascript on the server

Yep. The (deliberate?) inability to control what code runs on that server means that you may not own that server, even when said code is as sandboxed as a JavaScript interpreter achieves.

In this case, it’s another example of folk considering style to be more important than function.