Posts by Displacement Activity

Re: One point in favour

No, he's criticising PHP for being weakly typed, poorly typed, or even untyped. Which is a perfectly reasonable criticism if you think that programmers should understand their data, rather than hoping that the compiler will somehow magically fix everything for them.

Re: I don't understand

Backdoor suitability - I think you've got this the wrong way round. Debian would be a bad choice, because of the two-year release cycle. The same is true of Ubuntu, since most (apparently 95%) of users are on LTS releases. Arch is a rolling-release distro, so downloads include the most recent version of everything. This makes it more susceptible to hacks such as the XZ Utils backdoor.

Why anyone would want to target Arch users beats me, though.

Re: I hate CAPTCHA's

I've just swapped out my site Google CAPTCHAs for a Cloudflare one. No stupid incomprehensible puzzles and no cookies. You just tick a box (which has normally been pre-ticked in the background anyway).

Re: Sure, Linux could make a truly usable desktop system....

Constantly forking distros...

I had to evaluate a significant number of minor distros recently to come up with a low-footprint live system. The conclusion I came to was that many of them were the output of a small number of highly opinionated individuals (or one person, actually), and that "highly opinionated" generally means, well, wrong. And that many distros were effectively dead, and had been for years. All those lists of distros you find are very misleading.

At the end of the day, there are only two realistic options, with minor variations on those two, because (a) they pay their developers, and (b) they release frequent security updates. For all intents and purposes, the OS actually is standardised. Whether you can live with that standardisation is another matter, though.

Re: Probably true, but meanwhile

The threat to cryptography from future large-scale, fault-tolerant quantum computers is now well understood.

I love it. And here was me thinking that the actual threat to CNI was some dork leaving their net-connected RPi in my local electricity substation. Or Cisco. Or everyone putting their bank logins on their mobile phones. Or whatever.

Re: More questions than answers...

A certificate does not prove that you own anything.

When you request a certificate for a domain Let's Encrypt verifies that you control that domain. Specifically, it uses ACME to contact the domain and confirm that you have placed a secret on the endpoint. The intention is to establish "proof" of "ownership". If it didn't establish that, then I could just just get a certificate for my local bank and take all their money.

Re: have to say

I've done a server which required users to log in (because all the pages were user-specific, so the server needed to know who the user was) without cookies.

Since HTTP is stateless, the client has to send something in the request to identify themselves. No cookies in this case, so the server generated an encrypted session token that was just passed backwards and forwards between the client and the server. I guess this is what you mean by "JavaScript".

Both mechanisms are equally secure, because the site is HTTPS-only. The token has the advantage of ensuring zero persistence; it's gone if the browser tab is closed. If you actually want persistence, so that the user can connect on the next day without a sign in, you'd have to store the token on client storage. IOW, it's magically become a persistent cookie.

Re: Human Nature

Thanks for the heads up. I completely missed that article!

The link is literally there in this article, after 31 Other Words.

What happens if they revoke the license to your new enlarged masculine exuberance?

Does it go back to regular size or do you lose all access?

Nope. It disappears after a few people have had a look. Which is, strangely, exactly what their website has done.

Re: I have this Debian server at home...

Ubuntu 24.04 server

Birth: 2011-07-19

Well... that's the problem with 'birth', isn't it? You're running a distro which was released 13 months ago but the root directory was created 14 years ago. In those 14 years your computer has probably been power-cycled, restarted, and crashed a zillion times. You've probably even replaced the drive with an SSD and kept the same birth date. So the birth date isn't really of much value.

And loads of people in the other comments seem to be confusing it with uptime. I used to think I was doing well with an uptime of a couple of years, but nowadays I'm getting 2 or 3 weeks with security update restarts.

I am distrustful of AI but have been keeping an eye on Google's AI Overviews as I encounter them and was slowly being suckered into thinking it's not as bad as I had believed

I occasionally ask Physics questions, and I recently asked one about the meaning of a failure in a specific theorem (Bell's inequality). It gave a plausible summary, and then produced exactly the wrong conclusion. I think it got confused about the meaning of what was basically a double negative : a failure of an inequality. It had a choice of two answers, and picked the wrong one.

OTOH, I'm constantly typing in simple questions about software packages ("how do I generate an email invoice in Stripe" yesterday, and similar), and Google always chimes in with its own answer. And, most, of the time, they're so accurate that it makes my head spin. That particular one wasn't quite right because the software has changed since the AI learnt the answer, but it was a good start. You still have to read the proper hits, but I'm coming to the conclusion that the AI is actually very good with this sort of simple question, and undoubtedly better than most of the slop you find on the net.

And Eclipse if it doesn't work, and you can stomach installing Java. I have a friend who keeps telling me to use VS Code, but I can't quite understand why.

Re: My response

The problem isn't that it "writes log entries as root by default" (anyone can write system log entries without being root); the problem is that it (a) runs as root, and (b) someone has been sloppy about munmap'ping null pointers. This shouldn't really be a problem, but the concern is that another program, which is not running as root, might somehow be able to take advantage of this, and get atop to run something on its behalf, in which case non-root program #2 owns the box.

The moral is that if you've got something you don't know about running in the background, and that program is running as root, and you have concerns about the code quality, then you should stop running that program. Seems fair, and RTFM doesn't really help in this case.

Oh, wait. It's just occurred to me that every time I run Task Manager I see hundreds of these things. Damn.

Re: Coretools has a good test suite and has been battle tested over decades

By the end of the project I'd expect the Rust version to have significantly better test coverage than the original.

There is, quite obviously, no "end to the project". There never has been, and never will be.

Re: One of many ironies

sign with your private key

Not much use if your private key has been compromised.

Re: Quintain

Once upon a time, microcode was quite the fashion.

Pretty much everything was microcoded and bit-slice back in the 70s. I've just dug out my Varian 72 System Handbook (dated March 74; my first job in the 80s was working on a V72), and it had an option for a 'Writeable Control Store' (we didn't have one). The V72 instruction set was in the readable control store; if you had a writeable one you could write your own microcode to extend the instruction set.

I did a bit-slice processor in the mid-80s and wrote all the microcode for it, but that was about the time when custom silicon was becoming relatively cheap, so microcoding largely died out. Fast forward 10 years, though, and it was back in fashion, because it was too difficult to verify complex processors.

Re: Lilliput, Blefuscu & boiled eggs

You've missed the point. If you put the wrong numbers into the page table then it's game over.

I've done one device driver, which DMA'ed from hardware direct into user space. And, believe me, there are many, many ways you can fuck up without ever seeing a pointer. Rust would have exactly the same problem.

This may be a novel idea (spoiler alert, it isn't) but how about a search engine that just takes search terms with the usual operators of and, or and not, and gives the results that fit including the null result if nothing fits. Just like Altavista used to AFAICR.

Google did that for years. It was a long time ago, but I think that may have been one of the main reasons I switched from Altavista.

Anyway, they dropped it after a few years, at about the same time that they screwed over Usenet. It was a disaster for techies who had to do detailed textual searches for programming problems. The current syntax may have made them a lot of money, but it certainly did me no favours.

Re: Why upgrade?

Why "upgrade" old hardware if the current is perfectly fine?

Because the old hardware stops working. I would be very pleased if I could get "3-5 years" out of my newer HP boxes. I'm thinking that MS and HP must have some sort of arrangement here.

Re: fairly obvious to Starlink if its kit is used on a drone

You don't need access to anything which is potentially encrypted. You interfere with the radio signals from the GPS satellites; either jam them or, if you're very clever, provide your own local ones. It's well-known that the Russians already jam GPS over the Baltic/Black Sea/Eastern Med/etc. It's hard to see how anyone in or around the Ukrainian border could get a GPS fix.

data centres whose primary function is the concentration of wealth with little creation of new value.

Wow. And I thought it was to watch kitten videos.

Re: Thanks Gary

I ran a small department in 83/84 that got CP/M running on my own Z80 hardware. It was a fantastic buzz when we got WordStar up (not to mention C and Fortran compilers). It really did feel like the world had changed at the time. IBM eventually screwed us, of course, because people still remembered who they were back then.

I've done a huge amount of hardware since then, from bit-slice to ASIC to quantum, but nothing really compared with that.

So who is "whoever"?.

Is it the EU who demanded that MS keep the market open? Is it Crowdstrike who insusted that their product should include such drivers, but who clearly didn't fuzz test the data input? Is it the customer who chose MS and CS as their "joint" system vendors?

I'd have thought that's obvious. It's the customer, for not carrying out the due diligence to determine that their mission-critical system relied on a pile of amateur-level crock supplied by MS and CS. All this after-the-fact whining is just infantile.

And MS's attempt to pass the blame on to the EU is equally infantile. All the APIs in, for example, the Linux kernel are published. This doesn't make anything insecure. Security is an end-to-end process, and that process failed spectacularly here.

Burnt out in one specific area of the chip

This. The article pretty much confirms that this is the issue with the Intel chips when it says that the eventual failure rate is 100%; failures increase over time. The 4KW thing is a red herring. The actual die power consumption is a function of the frequency, voltage, and capacitance driven; chips like these are very carefully designed to power up specific sections only when required, and to limit the frequency and voltage to keep the die temperature to an acceptable level. The problem is that the tools which predict temperature distribution across the die are not very good, and you can never be sure whether or not the MB has adequate heatsinks, and you can never be entirely sure when silicon on a new process will fail. Eventually, some part of the chip will pop, unless you're very conservative. Microcode is going to be a very blunt instrument for controlling this.

Re: Once saw

fire is actually oxidation of carbo-hydrates

Fire is the rapid oxidation of any material, not just carbohydrates. Metals burn, for example. Spaceships on fire off the shoulder of Orion, etc.

Re: That 'opt out link'

Err … yes you do.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/

It’s also a huge breach of UK/EU GDPR.

Err.. I think you might you have misundertstood. This is a tinpot information broker in Florida. It should be pretty obvious that there's nothing in US law that requires information brokers to find the country of origin of their data subjects, and then trawl through the laws of that country, and then decide whether or not they're bound by those laws. Because, of course, they're not. It should also be pretty obvious that GDPR is only relevant in very specific circumstances and places.

Re: Long term storage to tape, takes more than just a bunch of tapes!

My first dev machine in my current employment (~1990/1) was a SPARC box, with a DAT drive. I've still got the tapes, but it would cost more than I've got to get any data off them. And the data has exactly zero value anyway. Still, it would be interesting - I've backed up stuff on USB sticks that was unreadable after 2 years.

Re: 24,000 VMs

Nowadays you'd use something lighter weight such as containers, etc.

I'm getting the impression that there are a lot of instances out there which are a single containerised app, running on an entire VM. So, basically, you start with 100 VMs, some dev decides it's too complicated to get the app running on "bare metal", so they dockerise/whatever it, then place that on the VM instead.

Re: central data

I got the email, in the UK, so looks like EMEA. Makes you wonder if the "lost" information did actually include the email address. Time will tell.