Posts by Displacement Activity

Re: Someone Else's Computer certification

@Breakfast - good question. It's next to impossible to find useful information, and these comments are better than anything else I've found online. I had a simpler problem recently. I've been renting (one) server for years, for personal stuff. I now have an app that I need to roll out to a few hundred customers, who have very predictable, and low, CPU and traffic requirements, and who don't need particularly high availability. How do I handle this? Do I stick with renting servers, and put everyone on their own VM? Or do I roll out a cheap VPS for everybody? The only fairly obvious thing was that any solution with the word "cloud" in it wasn't appropriate and would work out way too expensive. I'm trying the VPS route, which seems to be working.

If you find out anything useful, you should post it somewhere. There's obviously a lot of interest.

Re: What they've achieved

Red Hat then nuked CentOS as a viable option by making it not "the same as" RHEL, and my entirely unscientific observation is that Serious People departed for Ubuntu.

That's exactly what I did, 2+ years ago, when the storm clouds gathered (and what about the 'A bit of advance warning wouldn't have gome amiss' thread? Seriously?)

However, unlike the AC commentard, I can't agree that this is a good thing. Ubuntu's Ok, but it's not nearly as polished as RHEL. RH actually does something useful with all their money and employees, and I still use a free dev system for some tricky stuff. If I could develop on RH, and produce an RH-compatible image that I could deploy without paying RH more than my customers pay me, I'd change back in a flash.

Re: GPL violation... well, no

By tacking extra restrictions onto the license Red Hat are violating the GPL

They're not doing that. If I legitimately owned, say, a shiny pebble, and gave it to you, and we entered into a contract which prevented you from giving anyone else that shiny pebble, your options would be pretty limited if you did want to give it away.

There no magic inscription that you can etch on to it that over-rides that contract. Unless, of course, it is magic.

Re: Digital signatures really hard to apply in this context

I was going to upvote this, till I got to "Baker's dozen corpo's scrabbling for their cellphones". What?? Is that a non-contextual hallucination? Are robots now commenting on Reg stories?

Re: Lucky you.

There are many reasons why people run Linux and the ability to run the OS on what others might regard as obsolete resource starved systems is one that I have seen mentioned many times on El Reg and other sites.

I run my apps on minimum possible/cheapest hardware on a VPS: 1 pretend CPU, 2 GB RAM, 8+ GB SSD (I can't get much to work on less than 2 GB RAM). This costs the end-user about $110/year. And, just for kicks, it also runs on RasPi. These servers have to run for 2+ years with only security updates. I suspect that this sort of system is going to way outnumber Linux desktop systems over the next few years.

Bizarrely, the image I start with (a 'minimised' Ubuntu server) has snap pre-installed, which has to be removed. If I get an SSL certificate with the Certbot snap, for example, it costs me 500 MB of SSD. And, equally bizarrely, snap is considered to be more important than rsync, cron, ufw, etc, which aren't pre-installed.

Re: Regional and country of Origin

So machine written texts would surly have the programmers syntax or style in their output?

Not really. Written (scientific and technical) English is much more uniform that spoken English. You never see "Howay man" or "Howdy y'all" in a paper.

Anyway, the language output isn't produced by an individual programmer anyway. The same is true when writing papers. I had a Chinese boss once, and his papers went through half a dozen people (with 3 or 4 native languages) before being published, to the point where there was no Chinglish in the output.

Re: Gross misunderstanding of the tool

There seems to be a collective and very gross misunderstanding of how these tools function.

Repeat after me. ChatGPT IS NOT AI. ChatGPT IS NOT AI.

Wellll... that's not really the point, is it? The programmers have allowed it to present information as fact, when it has no basis in reality. They have allowed it to give completely different answers to the same questions, when presenting those answers to questioners who have some sort of history with it. They have allowed it to form a 'relationship' with questioners, and to adjust its responses as its knowledge of the questioner grows. They have allowed it to lie, and to double down on those lies. They have allowed it to show signs of a human personality.

In short, the programmers want to make it appear to be human, and 'intelligent'. They want you to believe that it is "AI", whatever that actually is. And the vast majority of people who use it will believe exactly that.

How is it any better than, for example, the Kremlin press office? It's not; it has exactly the same characteristics. It serves no purpose, and is dangerous, and should be turned off. Before it starts any wars.

Re: Love the language

So actually it is not PR speak, it demonstrates greater expertise with the English language than yourself

Incorrect use of a reflexive pronoun. Unless, possibly, you're Irish... :)

Re: "The company is known to use a one-way salted hash for master passwords"

A salt is helpful even if it is known to the attacker as it makes infeasible to use rainbow tables.

Short reply - so what? Let's say I steal your encrypted password database, where each password has its own salt. I now have those salts. I extract the salt, compute the hash of the top 1000 dictionary passwords using that salt, and compare the result against the value in the stolen database. Now repeat for every value in the database.

If the database has 10K passwords, and you're computing 1000 hashes for each, that's 10M computations, which is trivial on your desktop PC. If the passwords hadn't been salted, I would only have had to compute 1000 hashes, instead of 10M. Yes, that's much more trivial, but the difference makes it meaningless to crow about having "a one-way salted hash".

IOW, a rainbow table is irrelevant. It's not needed, even if it was possible. And it's not actually mandatory to downvote just because your knowledge is limited to Wikipedia entries.

Re: Decommissioning?

Which, in turn, would require near-doubling the amount of energy production in order to both charge the storage and also meet regular demand. This is just one of many reasons why grid-scale battery storage is a stupid, stupid idea.

Errr.... have I missed something here? Any charge of the batteries can be carried out slowly, and off-peak. No increase in generating capacity is required.

The worst-case scenario is that you drive the entire peak-usage grid from the batteries, while simultaneously charging the batteries from your generating capacity, which would need an increase of 5-10% of generating capacity to account for inefficiencies. But that would be very, very, dumb.

Re: Assuming they were properly hashed

Well, colo[u]r me stupid, but my (limited) understanding is:

1 - either the server expects the hashed data, in which case the hashed data is, for all intents and purposes, the password/authentication token/etc, so the hashing process was completely pointless and adds no security

2 - or the server expects the plaintext data, but the app writer thinks that he/she is being clever by hashing the secret instead of storing it plain in the app, and unhashing before transmission. Which is pretty pointless, because the key must also be in the app, so you're adding minimal additional security by hashing.

Note that salting is irrelevant, for 2 similar reasons, which I won't bother to repeat.

Basically, if you need a secret to access a resource on the server, and you store that secret in your app somewhere, then you have to hope that (a) the attacker can't reverse-engineer your app, and (b) that the attacker can't break into the keychain and decode your TLS data to the server. And we all know at least one laptop manufacturer has done exactly that, and it would be pretty dumb to assume that your phone manufacturer hasn't done the same thing.

I think. In any event, I refuse to have a mobile banking app on my phone, despite regular requests from my bank.

Re: Observations

If a quantum computer is needed to break encrypted communications in a reasonable amount of time, the selection of what gets run through the machine will have to be limited. Having "quantum computing proof encryption" isn't a necessity.

We already have crypto which is resilient to attack by any computer, quantum or not. It's called, confusingly, Quantum Crypto. Currently, it's expensive, clunky, and relatively slow, but is deployed in the real world (even on [Chinese] satellites). It uses quantum mechanics, and not a mathematical algorithm which can be 'cracked'. What we're discussing here is conventional crypto, which is implemented with algorithms that researchers hope aren't amenable to cracking on future Quantum Computers (and, presumably, old Pentiums).

Re: Not impressed

> These people are whining because their [potential] customers want to use MS products.

That's what drove the growth in PC's !

Indeed. But, you misunderstood me. My point was that there's no point complaining if you haven't got what the market wants. Instead of complaining, and running off to the regulators, and creating industry organisations with fancy names, you should just get on with it and fix the problems that caused the market to go elsewhere.

Re: Unique emails

Agree. I've been using plussed addresses for 20-odd years now. It's a sendmail feature, but I think it's common: start with a prefix of some sort, add a '+' and some text (normally the vendor's name), and set up sendmail for the prefix only. If the vendor turns out to be an ***hole you block the combo. For some years, though, I was plagued by second-rate coders assuming that '+' wasn't a valid character in a mail address and rejecting the address as invalid.

Doesn't stop anyone harvesting your name and address, though. But, of course, I'm sure we always lie about those unless we need a real delivery.

Re: RISC OS

Long, long ago, a friend lent me his RiscOS machine so that I could port some SunOS C code. It took me a while to get the hang of extension-free .c and .h files. Before I got to that point, I typed in

delete *.c

Re: Good to see

in the REAL world, security does NOT mean a performance reduction. If there IS one, and it is NOTICEABLE, you need to re-think your architecture.

Wow. Pretty obvious how you got BOMBASTIC in your name.

Re: Calling OfCom and Openreach...

@gerdesj: it's hugely distributed. It doesn't require any power to the premises. It may be the only technology that survives a zombie acopolypse, at least within an exchange area. Have you never actually seen a disaster movie? Or been in a blackout? Duh.

Here is a list of open source components shipped with MS products: https://3rdpartysource.microsoft.com/

That's impressive. But it would be more impressive if large parts weren't 'Redistributed OSS', bits for Android, and so on.

Re: O365 but not as you know it

So...

it's "provided for all the cloud working capabilities", but "only within an enclosed environment".

Surely that's an oxymoron?

Re: Gamers also have to contend with bots and scalpers looking to make a profit

I'm on XPlane! Sort of, anyway - it's unusable on i7/Intel UHD. I can't get 2080 cards. There are some UK retailers with expensive 2060s, and there are a couple of good 2060 results on the speadsheet, so maybe I'll go for that.

Re: Substituted Article 5 (page 11)?

Interesting. Are 5.1 and 5.4 inconsistent? Unfortunately, I got the scanned version on Friday. I can't find a link to the pdf version anywhere in the article or the comments. The scanned version is absolutely clear, though - the commission hasn't got a leg to stand on.

Also pretty astonishing that there are 140+ comments and only 2 or 3 people appear to have read it. The rest is just noise.

Re: So?

You forgot number 0. Give everything away to Bill Gates.

Re: But Office365 is free!

Really? Details appreciated. I'm on 2010 because the cheap 5-licence 'Home and Student 2010" appears to allow far more than 5 installs. Still, not keen on the cloudy bits.

Re: HP Microserver Gen8/Gen9 and their failiing NAND chips used for iLO system monitoring.

Hadn't heard of the flash problem, but I reckon GenX in general is pretty much done. Gen8 excellent, I had to give away my Gen9 after it bricked, Gen10 ok but too much cost cutting. Pity.