Re: General concern
The UK has the class system
You've been watching too much Monty Python. I have spent decades working in British engineering and have never seen any form of discrimination based on 'class'.
348 posts • joined 2 Jun 2008
They've built an SDR TCAS, which is not really interesting. To get it to do anything, they have to get it *close* to an approaching aircraft - it's physically impossible to pretend to be close, without the next-gen faster-than-light SDR2. And, if they have managed to get their kit near an approaching aircraft, then the target aircraft should get out of the way anyway. There may be some limited mileage in putting it on the ground, spoofing their altitude, and hoping that they can persuade passing aircraft to gently ascend or descend.
Note that 'security' doesn't mean authentication here. ACAS uses 64-bit messages. The Wikipedia article makes the point that it can't be extended to even 128 bits because it would then be too slow to handle high-traffic scenarios.
The only interesting thing here seems to be the comparison of Python and C++.
+1 for effort. Got my 4B about a month ago. Loaded lots of software, and it worked great until I tried to plug an audio DAC on, which is what I got it for. It now pretty consistently fails to boot.
So, it's mouldering in a drawer, while I try to find the time to (a) work out what the power management firmware updates are all about, or (b) send it back during lockdown and hope for the best.
Weird. I was going to post with title "WTF is a sidewalk", or possibly crosswalk. And why TF do I always have to do it more than once??
Anyway, fixed it in my current website. The contact form just asks the user to answer a very simple (technical) question, and there are several valid one-word answers. Anyone who's on the website and wants to contact me will know the answers, and I don't want to speak to anyone else.
I've still got my copy of Mick and Brick, which was the bible of bit-slice (and mini) design. On p259 a '16-bit time-sharing CPU' is described as the heart of a 'minicomputer'. Even more bizarrely, I've still got the handbook for the Varian 72, which I used in an early job, published in March 74. It describes itself as a 'minicomputer'.
OTOH, a 'mini computer' is just a miniature computer.
In more recent news, I'm just about to get a Pi Zero...
Been using Unix since the 80s, on V7, I think. I'm currently running 7 different flavours of Linux. Over the years I've come to the conclusion that the one thing that has really screwed Linux, and kept it as a backwater (if you ignore Android, of course) is... Stallman. I presume he was a moderately competent programmer, since his name is on Yacc and, I think, bits of emacs. Maybe he should have left it there.
He got caught because of "service provider records that point to Kvashuk", and because he used a device with a "specific device identifier"? Seriously? What a plonker.
And Microsoft pays $116,000 (£93K) for a testing job? WTF? You'd think they could produce some useful software for that sort of money.
And I'm not quite sure what the problem is with having assets of $1.76M on a salary of $116K. That's a multiplier of 15, which doesn't sound like it's completely out of the question. Unless you're a banker, of course, in which case it's way too low.
"Reverse engineering those "affected" files in the normal way would easily reveal private symbols".
Please explain how you would get macro names out of this process. I assume the code is in C, in which case the compiler doesn't even see the macro names, as per 22.214.171.124, 6.2.1, etc.
@ReactOS: Anyone who has the extraordinary lack of imagination which would be required to reverse-engineer and copy a Microsoft kernel deserves everything they get, and more.
Cosmic rays cause soft errors in memory chips and general circuit failures. At sea level, 'cosmic rays' are primarily high-energy neutrons. Neutrons are uncharged, so don't themselves cause circuit upsets. However, when they're captured by a nucleus in a circuit element, they produce charged secondaries, including alpha particles, which do cause circuit upsets. See https://en.wikipedia.org/wiki/Soft_error#Cosmic_rays_creating_energetic_neutrons_and_protons, for instance.
"Chinese-built components coming into the US" are almost certainly assembled PCBs and systems, and are unlikely to be anything with any significant IP attached.
I've been with companies (in the UK) who have outsourced assembly to China for 35+ years. Everybody who does this has always lived in fear that they'll be ripped off and their IP will be stolen. The upside is maybe 50% off your end-user price, and the downside is potentially losing your IP and your market completely.
Whatever Trump does or doesn't actually say or believe, if anything, it's a fair bet that everyone in the electronics business (outside China) is breathing a sigh of relief, whatever they say in public. The dust will settle eventually, and the end result will either be that the Chinese start to play ball, or that manufacturing will return on-shore. Both of which are Ok by me. Sure, the US will take a hit short-term, but that's someone else's problem.
And what if you have set up DNS to route *only* 'www.foo.com', or *only* 'foo.com', to your server?? This isn't particularly unusual - my local hardware shop is 'www.woc.com'. 'woc.com' isn't routed and doesn't work. So, go there with Chrome, and you think you're on 'woc.com', which doesn't exist. Or does Google want to run DNS as well?
Those tossers have already achieved the impossible, which is to make me start using MS's excuse for a search engine. Chrome is next on the delete list.
I've been using Google exclusively for 15+ years without problems. Then, a couple of months ago, they started swamping my searches with ads. Not just at the top - mixed in throughout the search results, even when I'd clicked the invisible 'hide ads' button, making the real results unusable. Really, really dumb ads, and all for the same thing - say, 8 different ads for Dubai hotels, all on the first page of results. The connection? I had *flown* over or through those places, with a maximum stay of a couple of hours, over the last year or so, with maps turned on. Seriously. I've never been to Jersey, but flew over at 35,000ft, and got pages of ads on camper van hire in Jersey. In case I crashed, presumably.
My fix is to dump Google. MS has screwed me in thousands of ways, but their search engine hasn't quite got to this level of stupidity. And duckduckgo if I can be bothered.
Sounds like mine is pretty much the same - also for a kid's club I helped to run (small world!). I've got an extra level of security - everyone gets their own club address, and has to post through a proxy, which modifies all the mails so that no-one ever gets a 'real' outside-world mail address. It never uses BCC, of course - it's far too woolly.
And at the following link:
Ask many computer scientists what happens if P = NP and you'll get the response that it will kill cryptography.
Really? Knowing that there's a class of problems that are harder to compute than to verify isn't going to affect public-key crypto. That will only be affected by one specific problem: the difficulty of deriving a private key from a public key, ie. the ease of factorisation. Everyone knows that factorisation is currently difficult, and that everyone is working on it, and that quantum computers can handle it (already, but only for small numbers) with Shor's algorithm. Whether or not P = NP will make no difference; it's already known that public-key is dead in the longer (or shorter) term.
And P=NP is completely irrelevant to crypto in general. There are already lots of practical systems around the world sharing private keys using provably-secure quantum mechanics, with no public key anywhere. Ok, I know that some people reading this won't agree that something is provable because they can't prove it themselves, but still not P=NP.
And knowing where to look...
Ergo, any trust infected was still running its own improperly configured separate mail system in preference to using the centrally provided NHS Mail system (nhs.net)
I'm not sure that this actually came in by mail. There was an IBM guy on Radio 4 this morning saying that they'd scanned a billion (literally) mails and hadn't found any with the original infection. Is the source for the mail infection angle just one statement from Telefonica?
If you airgap it, how do you get the images off? Today, things like X-rays and MRIs etc. pass the images etc. into your records and can be seen on screens throughout a hospital. Making them only available on a few screens near the MRI etc. is pointless.
Don't airgap it; open one port, and write an app that retrieves images. Transfer with standard sockets code; it's trivial, and the comms can be done in a couple of hundred lines of standard C.
And you wouldn't even think about running this on XP, or Win10, or whatever, and using SMB.
Microsoft provided the patches to those who had contracted for support of XP. No hoarding.
Errr... the point is that MS pointed the finger at the NSA for hoarding. MS selectively disclosed, and the NSA selectively disclosed. No hoarding.
Just in case Microsoft didn't understand: intelligence agencies and hackers all round the world spend their life looking for zero-days, for their own reasons. How MS can then blame them and whine that they're 'hoarding' is beyond me. F***tards.
Obsolete OSes and timely application of patches are one issue, but this could just as well have been a zero-day.
Sooner or later you're going to get an infection inside your network. What you want is (a) to detect it quickly, (b) to limit the spread, and (c) to allow the affected parts to be wiped clean easily.
Well, yes, but you omitted the fundamental problem - don't, by default, assume that your computers have to be on a network. They don't. And, if they do, don't just share everything on SMB/whatever.
Whoever decided that an MRI scanner/X ray machine/whatever had to talk SMB should be fired. It would take a day to knock up a program to transfer X-ray images over a basic sockets connection, and another week to turn it into a client/server app to find and return any image.
@AC: +1 for assisting Mr. Stiles with his enema. However, I would like to point out that 'spelt' *was* probably appropriate (anywhere outside the US, anyway).
And I have to wonder whether anyone defending JS has actually used it. It's an extraordinary mishmash of the obscure, esoteric, and downright inane. It was knocked up in a weekend (Ok, more or less), and has been constantly added to ever since. And, whatever you write, there's always some tosser somewhere who'll refuse to run it because you clearly intended to break out of their browser and trash their system, despite your inability to access any files.
Still, on the plus side, there won't be much competition from Stanford graduates in the jobs market.
That's not how it works. The connection is HTTPS, so the secret key is specific to the browser session, so it's not the same as matching "up the flashes around your curtain upon scene changes". The flashes will be specific to the viewer.
Silverlight/DASH/VBR produces specific sequences of video segment sizes, which can be extracted from the headers. Apparently.
And, more interestingly, someone is still using Silverlight.
Here's the thing: one's distributed, one isn't. If you're writing a Linux kernel, distributed is great - 20,000 people get their own complete repo, and mess it up to their heart's content, and you never expect to hear from 19,950 of them ever again.
In the average dev environment, you want that like a hole in the head. You want one centralised repo, and you need to enforce discipline. git can more or less do that, eventually, but it's difficult, and it's not the git way (how many git users even know what a bare repo is for?)
I have to deal with someone who does fixes and adds features by cloning a git repo on his local machine, with the master being his previous local clone, and who very infrequently pushes anything remotely. I then have to try and work out WTF is going on and then merging myself. That would never, ever, happen in an svn environment.
I've also used RCS, CVS, Clearcase, and Perforce. For my money, svn does the job, and it's intuitive, and easy to learn. For the right project Perforce is also a good choice, if you've got the money, and someone to read the manual and do the difficult bits.
"What do you think all those new fangled hipster bootstrap/angular/ember/FOTM.js GUIs are querying? Protip: it ain't C. "
Errr.... protip++... yes it is. Maybe not for you but, in my case, Bootstrap/JS querying C++ and some plain-old-C. The code that implements the CGI/JSON/etc stuff is tiny and trivial compared to the rest of the app, and those SQL APIs generally start life as C anyway.
And, if you want real money, you'll get twice as much with a Maths degree/C++/Matlab as you will with Java.
1 - Google charges for TLS on inbound connections;
2 - Google is a prime mover behind 'TLS Everywhere', and is now starting to factor this into page rankings;
3 - (Google's) Let's Encrypt certificates prove exactly nothing except that you have control of the server for which the certificate was granted (you only have to post stuff on it to get the certificate);
4 - Bad People control their own servers anyway, so can trivially get their own certificates; MITM is therefore irrelevant on these sites
95% of sites have exactly *no* reason to worry about whether someone is forging their site, or whether there's a MITM somewhere in the connection. So, Google is screwing us, and we have to pay the price by dicking about with TLS on our own sites, and keeping certificates up-to-date, and trying to ignore pointless warnings, and handing cash to them if we're stupid enough to host with them.
"Have you forgotten that GNU provide the GNU tools, you know, all the userland stuff for Linux, available for many other UNIX's as well ?"
Errr.... I'd be a lot more impressed if they hadn't taken a huge amount of *existing* free software, and rewritten it simply because they disagreed with the definition of 'free'.
Doesn't seem to have happened, judging from the limited summary you've printed. Different parts of the negative electrode may have touched each other. The negative electrode touched the "positive tab". If the actual electrodes had touched, it seems pretty unlikely that affected batteries would have survived any attempt at charging.
@just_me: the browser doesn't send a key (except for very secure sites, where the server asks for a certificate from the browser to prove the browser's identity - not relevant, since the vast majority of us don't have certificates and don't try to connect to these sites anyway).
1 - the server identifies itself by sending a certificate, which includes the server's public key
2 - the browser/client decides on a secret (symmetric) key to be used for the actual browsing part of the transaction (the second phase). It then encodes this using the public key sent by the server, and sends the result to the server
3 - the server decodes the new symmetric key using its own (the server's) private key
4 - Both the client and the server now know the secret symmetric key to be used for encryption.
So, basically, asymmetric keys (different public/secret keys) are used to decide on a symmetric key (one secret key) to be used for subsequent encryption. During the asymmetric phase, only the server's public key is used.
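As an added walk-through of the four steps above (not from the thread), here is the exchange in textbook RSA with constructed, toy-sized primes: the tiny modulus, the absence of padding and the SHA-256 key derivation are simplifications chosen to keep the illustration self-contained, not what a real TLS stack does.

```python
"""Toy walk-through of the RSA key-transport handshake described above.
Textbook RSA on constructed toy-sized primes, no padding, no TLS framing:
it shows the four steps and what crosses the wire, nothing more."""
import hashlib
import secrets

# Constructed toy primes (far too small for real use; a real server
# certificate carries a 2048-bit-or-larger modulus).
P, Q = 1000003, 1000033
E = 65537


def make_server_keypair(p=P, q=Q, e=E):
    """Step 1 prerequisite: the public key (n, e) goes into the server's
    certificate; the private exponent d never leaves the server."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return (n, e), d


def client_choose_and_wrap(server_public):
    """Step 2: the client picks a fresh symmetric secret and encrypts it
    under the server's public key. The secret is kept below n because this
    is unpadded textbook RSA; real handshakes pad (or use a KEM)."""
    n, e = server_public
    secret = secrets.randbelow(n)          # the pre-master secret
    wrapped = pow(secret, e, n)            # this is what goes on the wire
    return secret, wrapped


def server_unwrap(wrapped, server_public, d):
    """Step 3: only the holder of d can recover the symmetric secret."""
    n, _ = server_public
    return pow(wrapped, d, n)


def derive_session_key(secret):
    """Step 4: both sides turn the shared secret into a symmetric key.
    (A real stack runs a PRF over nonces as well; SHA-256 stands in here.)"""
    return hashlib.sha256(secret.to_bytes(8, "big")).digest()


def run_handshake():
    """Return (keys_match, wire) where wire holds every value an
    eavesdropper on the connection would see."""
    server_public, d = make_server_keypair()                        # step 1
    client_secret, wrapped = client_choose_and_wrap(server_public)  # step 2
    server_secret = server_unwrap(wrapped, server_public, d)        # step 3
    client_key = derive_session_key(client_secret)                  # step 4
    server_key = derive_session_key(server_secret)
    # Only the server's public key and the wrapped secret cross the wire;
    # neither d nor the plaintext secret ever does, as the post says.
    wire = {"server_public": server_public, "wrapped": wrapped}
    return client_key == server_key, wire


if __name__ == "__main__":
    ok, wire = run_handshake()
    print("session keys match:", ok, "| on the wire:", wire)
```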
"Today I call on European entrepreneurs and say: imagine what you can do with Galileo – don't wait, innovate."
Curious. I got a letter (remember those?), maybe 10 years ago, from the UK DTI (UK Department of Trade&Industry), asking me to do exactly that. In other words, "we're going to spend billions now, and it's a f*** of a lot of money, so please, please, please, come up with some justification for it".
10 years later, and there were no new ideas, because the whole thing is fundamentally flawed. The system is fragile, and even a country as backwards as North Korea could reduce the whole thing to ashes in a matter of hours. Having in-car and in-plane satnav is great, but the Americans have already rather thoughtfully paid for that. We could use it to reduce our reliance on the US for missile delivery, except that they could turn it off just as easily as they can turn off their own system. I can't think of a single other useful application that couldn't be handled better, and much more cheaply, by a ground-based system.
I was going to look up what the problem actually was, until I got to your last paragraph:
"However, Battistelli's abrasive personality and his insistence that the solution to each set back is to give the presidency greater power has long since stopped serving the organization itself and has instead becomes a personal crusade that benefits no one".
Is this your personal opinion? Why have you put it in a news article? How do you expect anybody to take you seriously?
The main reason is to reduce the reliance on the OS.
The main cost is the reliance on "current" browsers, who may pull the rug out at any time without warning, which leads to the still-existent IE6 stuff still hanging around.
+1, but 'reducing reliance on the OS' includes supporting all those users on stupid OSes, dealing with moronic walled garden vendors, learning multiple development environments and languages, handling OS bugs and security flaws, rather than just browser ones, packaging and distribution, you name it.
@bazza - I think you may have the wrong end of the stick as well:
"Why would you need C/C++ to make a website safe?"
Disclaimer: I've only spent 10 minutes on the webassembly website, but that seems to be good enough for ElReg comments...
> On the other hand why on earth does any part of MySQL run as root?
> I've used several other RDBMSs and no part of them runs as root.
For the same reason that everything else runs as root: if you want to listen on a "system" port (less than 1024) then you have to *start* as root. Not just MySQL: MariaDB, all your other RDBMSs, Apache. If you don't want to do this (and why would you?), then don't run mysqld_safe as root.
Apache normally listens on 80/443, so has to be started as root before it drops privileges. The docs have lots of useful advice on how to protect your system during this time, which cover exactly the issues in this article. The problem isn't that your attacker can load malicious code if they already have root access, it's that they can load malicious code when they're *not* root, which is the cunning plan.
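As an added illustration (not the poster's code, nor Apache's or MySQL's) of the pattern the two posts above describe: bind the privileged port while still root, then permanently drop to an unprivileged account before serving anything. It assumes an unprivileged account named nobody exists and uses that account's primary group.

```python
"""Start-as-root-then-drop pattern for a daemon on a port below 1024.
Standard library only. When not started as root the drop is a no-op,
so the script also runs unprivileged on a high port for testing."""
import os
import pwd
import socket


def bind_listener(port, host="0.0.0.0"):
    """Bind while still privileged (required for ports below 1024).
    The listening socket survives the privilege drop: the open file
    descriptor, not the uid, is what holds the port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    s.bind((host, port))
    s.listen(16)
    return s


def drop_privileges(user="nobody"):
    """Permanently give up root; returns (uid_before, uid_after).
    Order matters: supplementary groups, then gid, then uid. Once the
    uid is no longer 0, the group calls would fail, so they come first.
    Assumes the account 'nobody' exists (common default, not guaranteed)."""
    before = os.geteuid()
    if before != 0:
        return before, before           # not root: nothing to drop
    pw = pwd.getpwnam(user)
    os.setgroups([])                    # shed root's supplementary groups
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)                # real+effective+saved uid all change
    # Verify the drop is irreversible: regaining root must now fail.
    try:
        os.setuid(0)
    except PermissionError:
        pass
    else:
        raise RuntimeError("privilege drop was not permanent")
    return before, os.geteuid()


def start_service(port, host="0.0.0.0"):
    """Bind first, drop second; returns (bound_port, uid_before, uid_after).
    Everything after this point, including accept() and request parsing,
    runs without root, which is what limits a bug in that code."""
    listener = bind_listener(port, host)
    before, after = drop_privileges()
    return listener.getsockname()[1], before, after


if __name__ == "__main__":
    bound, before, after = start_service(8080)  # use 80 when run as root
    print(f"listening on {bound}, uid {before} -> {after}")
```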
> I run the system up and - wow! - no problem.
> so why does the production version not work but the debug does?
If the logging version works, and the production one doesn't, the answer is almost certainly that you have an issue with uninitialised data, or memory over-writes. You can (and should) find and fix all these on your dev system with Valgrind/Purify/etc. before it gets anywhere near production.
Another more recent example. In the early Noughties, the BBC’s iPlayer was envisaged as a sophisticated P2P client, and at one stage had over 400 people involved in spec meetings. iPlayer only rolled out after the team had been reduced to around 15 – and the doors were bolted shut.
And all 15 of them had iPhones. And it was impossible to watch it on Android. And I spent years getting irritated at how anyone could have been so stupid (and still are?), before just giving up. And the news website is equally moronic.
So, just maybe, cutting a team down to 15 and letting them get on with it is not necessarily the right thing to do.
"Of course if you want to avoid support for your hardware going away, best bet seems to be running Linux. Strange how we got to that state".
Speaking as a lifetime Unix user, and an occasional Linux device driver writer, and as someone who recently had to take a hammer to his wife's computer after it announced that it was going to 'upgrade' to Windoze 10 in 5 minutes...
Not quite. Keeping up-to-date with kernel changes is a major, major, PITA. I did a PCIe driver a few years ago, which was originally for 2.4.7. There were significant or major changes in so many kernel versions that I lost count - 2.4.10, 2.4.17, 2.4.22, 2.6, whatever, not to mention the whole v3 and 4 thing. The only way to keep on top of it is to select a major distro - something like RHEL6 - and try to support that.
The kernel people will update a few selected drivers (which I've never heard of) when they make a change, but the rest of us are on our own, with little or no usable documentation.
“Being a special unique snowflake works for art but not design. Design should be invisible… so you have die hards that love it, but you have the mainstream of the market that struggles with it, if they try at all”.
Now, if somebody could just tell that to the f***wits behind the Ribbon...
> Industry standard or Microsoft?
Or VMS... DEC... RiscOS... etc. RiscOS was a PITA - deleting *.c could wipe your disk. And MS has actually always supported '/', though I'm not sure to what extent.
Seriously, though, Cygwin and MSYS have file path conversion issues which make it difficult to do Makefiles, scripts, and so on. If MS have managed to sort this out so that the machine looks like it has native *nix file paths then it's probably worth trying out.