* Posts by Richard Conto

33 publicly visible posts • joined 31 Jul 2008

You can't ignore Spectre. Look, it's pressing its nose against your screen

Richard Conto

Governance model

The human housing market suggests a SET of solutions:

(*) Own your own

(*) Rent dedicated, private unshared housing

(*) Rent shared housing

(*) Rent target market specific housing

(*) Buy into a condominium (where you know who else is there)

(*) Buy into a co-op (where you govern together. Somehow.)

IETF protects privacy and helps net neutrality with DNS over HTTPS

Richard Conto

How wonderful for scammers!

This sounds like a great way for a scammer to take over your browser.

And the premise of the article is a variant of "not invented here" - or "I don't want to drive my father's Internet".

Next-gen telco protocol Diameter has last-gen security – researchers

Richard Conto

Good grief. I was there for the original RADIUS hack (and added a few odd hacks of my own.)

It was for Internet of Things like devices before there was an Internet of Things.

I was there when Diameter was trying to get off the ground - but stayed out of it since I was stuck supporting legacy code - in 2003.

The only good thing I could have said about Diameter before this is that it didn't have a large installed base.

Do we need Windows patch legislation?

Richard Conto

Third Party Vendors

And what of the third party vendors who sell equipment that should reasonably be expected to be in service for 10+ years - and who incorporate a Windows (or Linux, etc.)?

When vendors lock down their equipment to a specific version of Windows and (by design) refuse to accept software updates (even critical updates), then hospitals (and manufacturers and research labs) are going to be caught.

Driverless cars banished to fake Michigan 'town' until they learn to read

Richard Conto

Sheep, Cyclists, Pedestrians, Townies, Bridges, buses

This "city" on the University of Michigan (a state chartered university with its own police force) campus, is within the City of Ann Arbor (with its own police force), in Washtenaw county (with a sheriff and deputies) in the State of Michigan (with state troopers, etc.) in the US (with the FBI, et al.)

There are deer within the city limits and on the University of Michigan campus. Not by design though. Are deer a reasonable proxy for (libertarian) sheep?

There are pedestrians and bicyclists - but the vast majority of them are to the west a few miles or so.

There are townies too. The townies and the gownies sometimes make resentful noises about each other. The rest of the region is alternately (and sometimes simultaneously) envious, bewildered, and confused by the whole mess.

There are truck-eating bridges in town - a north/south railroad is elevated by bridges over a few of the city's east/west roads and apparently a truck gets its top peeled off every month or so.

Sorry, no double-decker buses - although both the city and the university do run buses past the facility.

So why the hell do we bail banks out?

Richard Conto

Re: Maybe another reason?

Ideally, if the bank is small enough to fail, government (in the US, FDIC) deposit insurance will protect the depositors from losing their money (although they may lose access to it for a period) and the bank can be either wound down or taken over by another bank. The shareholders get nothing - and with luck, the bank management gets banned from the industry. The system (as a whole) hits a speed bump, but keeps on going.

But "Too Big To Fail" banks claim that without the knowledge in the heads of the banksters and the existing relationships, the bank will collapse bringing down the national (or world) economy, and so the banksters have to be left in place because only they can understand the horrible mess they've gotten things into.

I don't pay enough attention to what's happening in the UK (and the EU) as far as "Too Big to Fail" banks, but here in the US, there doesn't seem to be any effective effort to reduce the size of these banks or the consequences when they suffer mass delusions of competency - if anything quite the reverse.

What's more, the disease of "Financial Experts" is bringing many state and local governments down as the consequences of decisions made a decade or so ago when Wall Street banksters convinced the political parties that unregulated government insurance (backing) was better than regulated government insurance (backing) when certain new financial instruments (scams) were developed.

Man the HARPOONS: YOU can EASILY SLAY ad-scumware Superfish

Richard Conto
FAIL

Forbes listed SuperFish as in its up-and-coming companies

Forbes might want to answer to how SuperFish made it to #64 on their most promising companies (http://www.forbes.com/companies/superfish/).

It's as if they'd rated a company called "SuperHigh" whose business model involved salesmen on corners near high schools without determining that the little packets those salesmen were selling weren't exactly suitable for minors.

Microsoft wants LAMP for wireless mobe charger

Richard Conto

Fringe capability

Outside of my home, my cell phone seldom leaves my possession (in a shirt pocket) because it contains enough sensitive information and information important to me that to lose it would be a calamity.

At home, if it's not in my possession, it's likely to be in one of three places, and the place it's likely to be longest (on my bedside table) would make photonic charging distinctly unpleasant.

This is a technically interesting capability - but I doubt the practicality of it.

Ford dumps Windows for QNX in new in-car entertainment unit

Richard Conto

The more things change, the more they remain the same

I'm an annoyed user of My Ford Touch - and from the looks of things, they made minor improvements to some of the screens - but the basic experience (or work-flow) seems to be the same.

Unfortunately, the video gives the impression of the driver barreling down the road concentrating on the annoying touch-screen interface rather than driving.

With the death sentence on My Ford Touch based on Windows Embedded Automotive, I suspect that any attempt to pair a modern cell-phone with my car 5 years from now will be pretty hopeless. The car's going to have the resale value of a brick.

The NO-NAME vuln: wget mess patched without a fancy brand

Richard Conto

A name is really needed

How about NO-NAME-bleed-shock-gate?

The DRUGSTORES DON'T WORK, CVS makes IT WORSE ... for Apple Pay

Richard Conto

Re: Apple Pay flop

A regional grocery, Hillers, is claiming to work with Apple Pay (and Google Wallet and Softcard), but they don't show up on Apple's participating retailers list. I have no way to test this.

Home Depot ignored staff warnings of security fail laundry list

Richard Conto

Bad for PCI DSS too

7 YEARS without satisfying PCI DSS third party audits?

Not good for the credibility of PCI DSS as a whole.

Hey, what's a STORAGE company doing working on Internet-of-Cars?

Richard Conto

Why?

What? No one jumped on that old adage of a station-wagon full of (media) barreling down the highway?

They're going to compete with Cisco/Foundry/etc by filling an EV station wagon full of storage arrays. If they make it a plug-in hybrid, they'll be able to advertise a REAL PHYSICAL FIREWALL too.

JINGS! Microsoft Bing called Scots indyref RIGHT!

Richard Conto

Curiosities

While curious about the outcome, I think the only effect it'll have on me will be the kind of snark I read on The Register and in the Economist. (From my perspective, this is like watching one of those "Fail-Blog" videos - I have no way to influence the results and am very glad to not be involved.)

However I am curious about the number of establishments - both residential and commercial - that physically cross the border. In short, in how many homes and businesses will it be possible to walk a few feet (or a meter for you anti-imperialists) and be subject to different laws and regulations?

Here in the United States such things happen between the states. Have such establishments already been cataloged?

Microsoft Azure goes TITSUP (Total Inability To Support Usual Performance)

Richard Conto

512K Day?

Could this be some aspect of 512K day? Systems that haven't synced or are partially synced due to erratic routing?

Detroit losing millions because it buys cheap batteries – report

Richard Conto

More facts

For more specifics about the Detroit Parking Meter Battery issue, see this Aug 5, 2014 article:

http://www.detroitnews.com/article/20140805/LIFESTYLE/308050023

Take the shame: Microsofties ADMIT to playing Internet Explorer name-change game

Richard Conto

OIDIA

Online

Interface

for

Direct

Internet

Access

or

Ooops

I

Did

It

Again

Either way, the memes involved show how up-to-date it is.

Hackers' Paradise: The rise of soft options and the demise of hard choices

Richard Conto

Tedious and uninformative

This article spends 3 1/2 pages of a 4 page article on computer technologies through the mid-1990s, and then fails to show how the lessons of memory protection (and privileged instructions as well) are insufficient for modern computer architecture.

This was a complete and utter waste of my time.

For what it's worth, my synopsis of why memory protection and privileged instructions are insufficient for modern computer architectures can be outlined as follows:

(1) Modern OSes (Windows, OS X, Linux, presumably iOS too) do run with protected memory, privileged instructions, etc.

(2) Computers are among the most hideously complex devices created. (And networked systems of computers are even worse.)

(3) The complication of (2) above means that the OSes on those devices will need updates (necessarily from external sources.) Networks, USB drives, etc. make this convenient and possible.

(4) Most computers sold to end-users as such (or as phones, game devices, tablets, etc. other infotainment) are incomplete - they do NOT have what the end user wants, so a mechanism must be given to obtain that from external sources.

(5) Often, the add-on services represent a virtual-machine in and of themselves - JavaVM is explicitly a VM, but even the javascript environment in a web browser is a VM, as is Adobe Flash. It is nearly impossible to make these VMs more secure than the underlying OS and hardware.

(6) Various extensions to the underlying OS in order to provide better speed (i.e.: kernel level device drivers, extensible file systems, etc.) or to patch flaws in the OS security model (i.e.: anti-virus hooks) complicate the security model, weakening it overall.

(7) Software installation often requires higher privileges in order to install software the customer wants. This is as often for the convenience of the software developer as it is required by the underlying security model.

(8) Software manufacturers / publishers have evolved a model whereby they're not necessarily liable for flaws in their software. This leaves the need to publish quickly paramount in their priorities.

It's time for PGP to die, says ... no, not the NSA – a US crypto prof

Richard Conto

Re: Hyperbole?

Given what happened to domain name registrars for .COM becoming decentralized, and the scary/horror issues of all the multitudinous problems there have been with Certificate Authorities - he's going to have to make a better argument for a centralized key management system than just implying The Leader Knows Best.

Richard Conto

PGP is like Democracy ...

... in that it's the worst possible encryption system, except for all the others.

This professor's complaints are mostly that PGP (or GPG) has awful applications. That's a side effect of PGP/GPG being pretty much a niche application AND being open source. The open source part is WHY the thing is trusted, and the niche part is because security and privacy are not terribly high on most people's communication priorities. (I don't doubt that cat videos are more important to most people than locking their houses and cars - much less securing private communications or passwords.)

But re-engineering e-mail to provide for security & privacy is not likely to happen. Anyone remember X.400, the OSI's mail protocol? Any attempt to redesign email from scratch is likely to end up with something worse in terms of inability to inter-operate. (Besides, Facebook, Twitter, Google, et al. are all re-engineering inter-personal communications anyway into proprietary social-networking horrors.)

Facebook: Want to stay in touch? Then it's Messenger or NOTHING

Richard Conto

App Hazard

The more Apps, the more resources are consumed on your phone - from notifications to memory (due to duplicate resources - code, images, etc.) And the greater "surface area" there is for vulnerabilities.

Mostly, I see this as a great opportunity for new life for Google's social networking service.

And perhaps it'll allow me to wean myself from Facebook as my work desktop is Ubuntu and if they go to a proprietary-only messenger app, I doubt Pidgin will be able to support it.

MIT boffins moot tsunami-proof floating nuke power plants

Richard Conto

Not all oceanscapes are created equal...

Geography still applies. There are oceans subject to "Monster Waves" that could damage one of these. If one of these things "melts down" or sinks in relatively shallow water in a place with a strong current, it could poison enormous fisheries, etc.

And imagine one of these in the Mediterranean. With religious crazies all around who care nothing for life.

The best location for these would be over some of the deep trenches by a subduction zone, where if the darn thing "melts down", down is into a subduction trench where the fuel will end up back in the planet (I've been re-reading David Brin's "Uplift" books, so that might explain why I think this is plausible.)

Windows Phone 8.1: Like WinPho 8, but BETTER

Richard Conto

Battery life?

What about battery life? I saw the Nokia was down to 36% power in one shot. About half the screen shots were from about the same time (11:27), but a few showed other times too.

El Reg in email address blunder

Richard Conto
Boffin

You may be a winner ...

Sadly, I never received a copy of the e-mail.

I did find your company privacy policy at: http://www.theregister.co.uk/about/company/privacy/

I think you need to change:

"If permission is granted, this information may be used to send occasional emails containing offers from our partners. This will only ever be provided to readers who have specifically given us permission to use their information in this way.

The Register will never use your data for anything beyond the reason stated and the permissions you grant us. "

to:

"If permission is granted, this information may be used to send occasional emails containing offers from our partners. This will most likely but not exclusively be provided to readers who have specifically given us permission to use their information in this way.

The Register will probably not use your data for anything beyond the reason stated and the permissions you grant us - again. "

On the other hand, snarkiness aside, most of my e-mail address(es) have been as public as they get forever. Don't fire anyone on my account - although I wouldn't mind knowing that they were on tea duty (or coffee-pot scrubbing duty) for a month.

I *definitely* would like to know the business case for allowing mass-mailings like this - and I would even more like to know that those executives were going to be buying staff nice lunches and dinners every few weeks for a year.

Microsoft Tag emerges from beta

Richard Conto
WTF?

Eye-watering-ly bad colors

Ouch. My eyes hurt just looking at those colors.

Windows Phone chief and Xbox brain exit Microsoft

Richard Conto
Troll

Pseudo-pedant pursues proper use of "past time" and "pass time"

> Re-org is one of Microsoft's favorite past times, and the summer is high season for such activities.

In the past, a pass-time I enjoyed was remarking on the grammar or spelling of someone's blog post or response. That, of course, was long in the past and it quickly came to pass that I (like other pseudo-pedants) was roundly criticized (negatively) for not passing on a simple human frailty. Nevertheless, as a resident of the Lower Peninsula of Michigan (living "below" the Mackinac Bridge and therefore a Troll in ways that someone from a land-locked polity can never aspire to), I must make comment on your usage of "past time".

Physicist unmasks 99-year-old mistake in English dictionaries

Richard Conto

The Map is Not The Territory

Sadly, I can't get past the pay-wall to see the article, but the summary suggests that a "chain model" is the best way to mathematically model a siphon. Now, I can't comment on that - and for all I know, as a model of the flow rates, etc. of a siphon, it may be the best - suitable for video game simulations, etc.

But I can say, from practical experience using old garden hoses to drain puddles at my childhood home, that atmospheric pressure isn't irrelevant. If you have a leaky hose or hose-coupling between the water level you are trying to drain and the top of the siphon, you'll lose your siphon effect - and even if you have a leak on the lower end, you'll find a reduced siphon effect.

Any physics explanation of the process that claims that atmospheric pressure is unimportant is flat-out bone-headed wrong. Sure, surface-tension (or at least the electro-static attraction between different sides of the H2O molecule) might help maintain a siphon in a vacuum - but as any pump maker/operator knows, there's a limit to the "drawing" power of a pump.

Google tweaks search results with mystery site speedometer

Richard Conto
Thumb Up

Hurrah for the Web!

Hurrah for the web!

But I suspect that this will only affect sites that are using overloaded databases as backends, or use flash or complicated and indirect javascript to drive their pages. Unfortunately, it won't be enough to discourage Flash or overworked Javascript entirely.

The whinging of the flash obsessed web developers is a joy to hear.

When ISPs hijack your rights to NXDOMAIN

Richard Conto
Boffin

In the USofA, COMCAST is poisoning their customers' DNS too

COMCAST in the United States - at least in Ann Arbor, MI, is doing the same thing. They're redirecting to some company called FASTSEARCH.NET, although they're redirecting only names that begin with "WWW." and end with a valid TLD.

They have an opt out page too. You have to be using their service and know the MAC RF ID of your cable modem (which ought to be printed on the thing anyway.)

Late Sunday, I did the opt-out. They processed it this morning (Tuesday).

Nevertheless, I'm thinking of querying the root name servers directly. If enough people do that, the root nameserver people will start gnawing on COMCAST for this bit of evil mindedness.

P.S.: I'm blocking FASTNET's net-block, 208.68.136.0/21, in my home router/gateway. I tend to take an aggressive view of people attempting to abuse my system, and so most of Vietnam is blocked as well as major parts of China. And various parts of the American South and West...
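The comment above describes a resolver that answers "www." names that do not exist with an address in a known net-block instead of returning NXDOMAIN. The script below is an added example of how a home-network operator could detect that behaviour from observed answers; it is not the commenter's code. The only value taken from the comment is the 208.68.136.0/21 net-block; the resolver answers are constructed sample data, and the probe-name scheme and verdict labels are this example's own assumptions.

```python
"""Detect NXDOMAIN hijacking from observed resolver answers (offline).

Added example, not from the original comment thread.  The answers in
SAMPLE are CONSTRUCTED; the 208.68.136.0/21 block is the one the comment names.
"""
import ipaddress
import secrets

# Net-block the comment reports hijacked answers pointing into.
KNOWN_REDIRECT_NETS = [ipaddress.ip_network("208.68.136.0/21")]


def probe_name(tld: str = "com") -> str:
    """Build a 'www.' name that almost certainly does not exist, so an honest
    resolver must answer NXDOMAIN for it (assumed probing scheme)."""
    return f"www.{secrets.token_hex(8)}.{tld}"


def classify(name: str, rcode: str, addresses, redirect_nets=KNOWN_REDIRECT_NETS) -> str:
    """Classify one resolver answer for a name that cannot exist.

    rcode:     'NXDOMAIN' or 'NOERROR' as returned by the resolver.
    addresses: A-record strings from the answer section (empty for NXDOMAIN).
    Returns 'honest', 'hijacked-known-block' or 'hijacked-unknown'.
    """
    if rcode == "NXDOMAIN" and not addresses:
        return "honest"
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if any(ip in net for net in redirect_nets):
            return "hijacked-known-block"
    # A NOERROR answer for a name that cannot exist is synthesized by the
    # resolver even when the address is outside any block we already know.
    return "hijacked-unknown"


def summarize(observations, redirect_nets=KNOWN_REDIRECT_NETS) -> dict:
    """observations: list of (name, rcode, addresses).

    Returns a count per verdict plus 'www_only', which is True when every
    hijacked name starts with 'www.' (the selective pattern the comment reports).
    """
    counts = {"honest": 0, "hijacked-known-block": 0, "hijacked-unknown": 0}
    hijacked = []
    for name, rcode, addrs in observations:
        verdict = classify(name, rcode, addrs, redirect_nets)
        counts[verdict] += 1
        if verdict != "honest":
            hijacked.append(name)
    counts["www_only"] = bool(hijacked) and all(n.startswith("www.") for n in hijacked)
    return counts


# Constructed sample observations, not captured from any real resolver.
SAMPLE = [
    ("www.nosuchname-example-1.com", "NOERROR", ["208.68.137.10"]),
    ("nosuchname-example-1.com", "NXDOMAIN", []),
    ("www.nosuchname-example-2.net", "NOERROR", ["208.68.140.2"]),
    ("mail.nosuchname-example-2.net", "NXDOMAIN", []),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

In live use the observations would come from querying the ISP resolver for a handful of `probe_name()` values, with and without the "www." prefix; a resolver that returns NXDOMAIN for the bare name but an address for the "www." form shows exactly the selective rewriting the comment describes.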

Boffins: Atlantic temperature ruled by dust, not CO2

Richard Conto

An experimental test---

Neat theory. Now let us test it. I can suggest the following:

(1) A few surface (or slightly below surface) nukes in the North Africa Desert

(2) Nuke a volcano, especially one that produces lots of dust.

---

Been watching too much Battlestar Galactica

Where has all the bad storage gone?

Richard Conto

Backup, Archive, Recovery

I've got Time Machine serving two Macs, a MacBookPro (over wireless) and a PowerMac G5 (wired). The disk is attached to an Airport Extreme.

The MacBookPro never gives me problems, but I'm not backing up a lot. The PowerMac is another matter. The "sparse bundle" disk image gets corrupted every few months and I then have to spend 18 hours re-initializing it with a fresh backup (currently, 250G.) Both backups are to the same disk on the Airport Extreme.

I'm only backing up User space. I see Time Machine as an archive/recovery mechanism, not a disaster backup/recovery.

Has anyone successfully used Time Machine to recover an entire system? I'd like to know if anyone has set up Time Machine and then managed to recover what they needed after Time Machine had been running for several months.

Take a hammer to your hard drive, shrieks Which?

Richard Conto
Boffin

Cordless Drill/Power Screwdriver & Deck Screw

The most effective and dramatic demonstration of "wiping" a disk of confidential information I ever saw was when one of our technical support people used a cordless drill to drive a deck screw completely through the case and platters of a disk drive being retired.

Given that it would have taken something like 18 hours to write/rewrite the drive (using "dd"), as well as the staff time it would have taken to install the drive and then remove it afterwards (about an hour), it was cheaper for our organization to simply scrap the drive than send it out through channels for re-use.

It was astonishing to see how fast the deck screw burrowed its way through the case.

Black hats attack gaping DNS hole

Richard Conto

Comcast - Great Lakes Region

https://www.dns-oarc.net/oarc/services/dnsentropy

DNS Resolver(s) Tested:

68.87.72.131 (chic-cns01.area4.il.chicago.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

68.87.77.131 (detr-cns01.westlandrdc.mi.michigan.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

68.87.72.133 (chic-cns03.area4.il.chicago.comcast.net) appears to have POOR source port randomness and GREAT transaction ID randomness.

Test time: 2008-07-31 18:37:53 UTC

---

When I changed my DNS forwarder to one I knew was patched, it reported GREAT GREAT.

---

DOXPARA said that things were good, and only reported ONE of the DNS servers I forward to.
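The comment above quotes a port-randomness report for several resolvers. As an added example (not the commenter's code and not the DNS-OARC service it quotes), the script below rates the source-port and transaction-ID randomness of a resolver from a sample of the queries it emitted, producing the same "POOR ... GREAT" sentence shape. The sample values are constructed, and the standard-deviation thresholds are this example's own assumptions rather than DNS-OARC's scoring rules.

```python
"""Rate source-port and transaction-ID randomness of a DNS resolver from a
sample of the queries it sent (offline, constructed data).

Added example; the thresholds are assumptions of this example, not the rules
used by the DNS-OARC test the comment quotes.
"""
import statistics

# Assumed thresholds: values drawn uniformly from all 65536 possibilities have a
# standard deviation near 18900; a fixed or counting value has almost none.
POOR_MAX_STDEV = 2048
GOOD_MAX_STDEV = 10000


def looks_sequential(values) -> bool:
    """True when most consecutive observations differ by exactly 1 (a counter)."""
    if len(values) < 2:
        return False
    steps = [b - a for a, b in zip(values, values[1:])]
    return sum(1 for s in steps if s == 1) > len(steps) / 2


def rate_randomness(values) -> str:
    """Return 'POOR', 'GOOD' or 'GREAT' for a list of observed 16-bit values."""
    if len(set(values)) <= 1 or looks_sequential(values):
        return "POOR"
    spread = statistics.pstdev(values)
    if spread < POOR_MAX_STDEV:
        return "POOR"
    if spread < GOOD_MAX_STDEV:
        return "GOOD"
    return "GREAT"


def assess_resolver(source_ports, transaction_ids) -> dict:
    """Rate both fields a forged reply has to match."""
    return {"source_port": rate_randomness(source_ports),
            "transaction_id": rate_randomness(transaction_ids)}


def verdict_line(address, hostname, source_ports, transaction_ids) -> str:
    """Render the one-line verdict in the shape the comment quotes."""
    r = assess_resolver(source_ports, transaction_ids)
    return (f"{address} ({hostname}) appears to have {r['source_port']} source port "
            f"randomness and {r['transaction_id']} transaction ID randomness.")


# Constructed sample: a resolver that reuses one source port for every query
# but picks transaction IDs across the whole range.  Not from any real resolver.
SAMPLE_PORTS = [32768] * 12
SAMPLE_TXIDS = [3, 65000, 32100, 12345, 54321, 999, 40000, 20000, 61000, 7000, 28000, 48000]
SEQUENTIAL_PORTS = list(range(1024, 1036))

if __name__ == "__main__":
    print(verdict_line("192.0.2.53", "resolver.example", SAMPLE_PORTS, SAMPLE_TXIDS))
```

The two ratings are reported separately because a forged reply has to match both fields; a resolver that randomizes only the 16-bit transaction ID, as the fixed-port sample does, offers far less than the combined 32 bits a patched resolver provides, which is why the report in the comment singles out source-port randomness.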