* Posts by Henry Wertz 1

2757 posts • joined 12 Jun 2009

Cloudflare slams AWS egress fees to convince web giant to join its discount data club

Henry Wertz 1 Gold badge

Huge markup

It's true though, AWS must make huge money on the bandwidth charges, they charge whatever costs for the cloud services and full retail on the bandwidth as well. Of course, this is just Cloudflare wanting to get you a discount on AWS, but make it up by you paying them for egress charges instead essentially.

Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit

Henry Wertz 1 Gold badge

ACLs too complicated

I said this on the previous article about this, but the Windows ACL system is simply too complicated. If Linux (or OSX, BSD, etc.) had a backup password file readable by anyone who's not supposed to be able to, it'd be apparent at a glance (the user, group, and RWX permissions are listed as soon as you run "ls -l", and quite a few GUI file browsers also show them.)

I don't have any big suggestion on what to do about this, I guess even the possibility of replacing or changing it much depends on how much of Windows stuff is tied deeply into ACLs, and how much just kind of "sits on top", it's still restricted where it can read and write but would not care what security mechanism was doing the restrictions.

Everyone cites that 'bugs are 100x more expensive to fix in production' research, but the study might not even exist

Henry Wertz 1 Gold badge

Probably irrelevant anyway

Whether the 100x figure ever existed is probably irrelevant anyway. You now have advanced IDEs (Integrated Development Environments), better debuggers, faster compilers and such (so if you don't have proper logging in your program, you can add some to track down a bug and rebuild in a reasonable length of time), heavy use of languages like Python where you don't have to recompile (...usually)... OK they had interpreted languages back to the dawn of time too. Languages now tend to give useful error messages, and line numbers, when things crash too (which is not 100% reliable, since the crash could have been due to an earlier problem, but sure helps.)

I'm just saying, even if there had been a 100x figure 40+ years ago, things have changed now. Personally, when I've found bugs in my Python code, it may be marginally harder to find the bug later than to avoid a typo or something as I type the code, but surely not a 100x difference or even close to that.

AWS gave Parler a chance, won't say if it talked to NSO before axing spyware biz's backend systems

Henry Wertz 1 Gold badge

So one was running spyware one wasn't

So, there's an easy reason for different treatment here.

NSO was running spyware and running the spyware backend in AWS. There's no question that's against TOS, it's not a grey area, and there's nothing to discuss. It doesn't matter if they're running it as a business or service, they can do that with their own systems if they want.

Parler is (or was) a disgusting hive of villainy and infamy. BUT, the US has the 1st amendment, freedom of speech does apply (at least AWS would get bad PR for immediately terminating accounts due to speech even though they are allowed to). So AWS gave them a chance to straighten up, then closed their services when they didn't.

Make-me-admin holes found in Windows, Linux kernel

Henry Wertz 1 Gold badge

I didn't know you could make a path that long!

I didn't know you could make a path that long! The Linux flaw involves making a *1GB* long file name path (+ 10 bytes, at which point the 10 bytes are outside the buffer but at a known location.)

As for the Windows flaw -- essentially a system makes backups (VSS Shadow Copy) of the password files (security hives), and the backup is readable by normal users. I have found in the past the Windows ACL (Access Control List) system to be overcomplicated, and I think you'll find others who agree. I could be wrong but I'm assuming this problem may have been easier to spot (before it was released) with a less-complicated security system.

Restoring your privacy costs money, which makes it a marker of class

Henry Wertz 1 Gold badge

Probably not US

Probably not the US. Last year, Nutjob Trump sided with those even opposing mask mandates. He was overridden by common sense and decency, so there were mask mandates. But with most states expecting the feds to do something (not literally, but breaking out a procedure for states and localities to follow), and the feds doing nothing... there was no tracing, anywhere in the US, as far as I know.

Now? It's horrifying, several months back Fauci (as an attempt to encourage vaccination) said people would not have to wear masks any more if they vaccinated (to me, it seemed obvious that the anti-mask, anti-vaccine assholes would take this as an opportunity to never wear a mask again.) Of course that's exactly what happened, EVERYONE quit wearing masks within days. There's like 0 mask wearing going on here now (I still put mine on, usually, and I've seen maybe 1 out of 10 wearing one once in a while, despite there still being in-the-wild, widespread Delta variant.) Vaccination rate is like 80% in some areas to as low as 20% in others. California is now re-enacting some mask mandates... but otherwise, with an out-of-control, more virulent, deadlier, and infecting some people with full vaccination, variant in the wild, it's "no masks, go ahead and have that concert or whatever you want." And you know, according to the old media, it's this huge surprise that there's a third (or is it fourth?) COVID wave running through the US.

As for costs... I don't know. I don't think it's even a matter of money. My friend (who is rather short on cash) claims to care about privacy but won't even quit using Facebook and Facebook Messenger. It's not a matter of being able to afford privacy or not, it's just that people will claim they worry about privacy but not even take the first step.

Teen turned away from roller rink after AI wrongly identifies her as banned troublemaker

Henry Wertz 1 Gold badge

Human element needed

As first poster said, human element is needed -- and NOT just to say "the computer said there was a match." The honest fact is, in a sense the system is racist -- you're probably going to have like a 60% match just for having 2 eyes, a nose, and a mouth (maybe 65 or 70% because of the glasses), +10% for a similar hairstyle, +10% for skin tone, maybe another 10% for having vaguely the same head size and shape (i.e. a girlish head), you're then at like 90% without it meaning much of anything.

If places are going to use an AI, they really MUST have it so a match like this has the operator pay attention, not just go based on some result from the system. The system really needs to show a name and photo for the match, and the operator needs to be expected to use it (not rely on some percentage match.) It would have been easy enough to be able to either see the photos don't match (... maybe, I suppose it's possible they really are practically a doppelganger for the trouble maker), or easy enough to ask "hey, are you (name)?" or "could I have your name please?" and let them in when it's clear they aren't the same person.

edit: Looked at the photos in TFA, I can see why an AI may have thought they were similar (in particular, they have similar eyeshadow... or possibly some purplish-blue effect in the photos from how the camera and glasses interact.. that stands out.) But it takes a few seconds of human intervention to see they don't have the same head shape and are not the same person. The owner admitted they just look at % match and not photos, that's the issue I'd take up here, if they're going to use an AI that's a bad way to do it.

US offers Julian Assange time in Australian prison instead of American supermax if he loses London extradition fight

Henry Wertz 1 Gold badge

and it was

"He skipped bail because he claimed the Swedish sex case was just a front to get him to America."

And it was. The woman involved said she was not interested in charges, and shortly (within a year) after he was not extradited for these charges the charges were dropped.

I'm not a big Assange fan but this charge was bunk, and I would not want to come to the US if I were him, the US prisons are nowhere close to international legal minimum standards (both by design and because the US loves long prison sentences but doesn't love spending money on the prisons to stick the prisoners in)... and the suggested sentence is excessive (13 years NOT for allegations of espionage, strictly for computer crimes acts violations, is pretty high.)

Biden to sign exec order calling for right-to-repair rules for farmers, maybe rest of us

Henry Wertz 1 Gold badge

This is a big problem

This is a big problem. As alluded to in the article, John Deere is ridiculous. It's not even as bad as those printers where you have to put in the official cartridges, it's worse.

You can buy a fuel injector or sensor, even the official John Deere one, and the tractor will not use it until some dope at the Official John Deere Dealership (TM) hooks up a USB cable to the tractor and "authorizes" the parts.

You (unless "you" have the Official Dealership (TM) diagnostic equipment) also apparently cannot hook up a scan tool to get diagnostic information, the tractor refuses until the official DRM handshake is performed. Unless you put in black-market Ukrainian firmware, which I encourage everyone to do.

It's exactly what the car companies started pushing towards in the late 1970s, before the feds made sure to pass right-to-repair laws (unfortunately only covering cars & trucks.)

Edit: Just to note, this is usually not about farmers wanting to do emissions deletes, as has been suggested (I'm sure a few do...); it's really about wanting to be able to have the equipment you own repaired by any ol' diesel mechanic, just as I don't want to have to go to a GM dealership to have ordinary repairs done on my car.

Microsoft and Eclypsium lock horns over Dell SupportAssist flaws on secured-core PCs

Henry Wertz 1 Gold badge

linux can provide same level

just to note, the "may or may not" just depends on how hard you lock it down. linux does support verified and signed bootloader, kernel, kernel modules and application binaries, and other stuff to ensure nothing unauthorized sneaks on. used for sure on slot machines and atms.

A real go-GETTR: Former Trump aide tries to batter Twitter by ripping off its UI

Henry Wertz 1 Gold badge

reason us politics are so toxic

The big reason US politics are so broken and toxic is summed up right here: "same products as liberals, libertarians, greens, communists" ... in the us there are (as far as most people are concerned) no greens, libertarians, or communists, there are liberals and conservatives. Both main parties pretend 3rd parties do not exist at all, with the result of just the most ridiculous rhetoric and polarization. As far as conservatives are concerned, it's their way or a mix of extreme green and communist policies; as far as liberals are concerned it's their way or an extreme isolationism, "go back to slave days" conservatism mixed with fascism. You have extremists like Nutjob Trump where this is true, but you now have people in both main parties pretending like this is true with everyone.

You, robo-car maker, any serious accidents, I want to know about them, stat – US watchdog

Henry Wertz 1 Gold badge

Good

Good. I've seen one Tesla on my parents street. It turned onto the end of the street, kept turning, drove over the curb onto the grass (still turning), about the time it would have hit the sidewalk the driver realized things were going sideways and jerked it back on the road. Nothing there to confuse the system, no snow, the road and grass were nice distinct colors. I do not put any trust into these systems!

Microsoft warns of serious vulnerabilities in Netgear's DGN2200v1 router

Henry Wertz 1 Gold badge

yeah

yeah I saw kit like this a few years back. like (url)&auth=foo and it turns out you could just skip the login screen, use direct urls, chop off the auth part, no auth required. Nice.

Court kills FTC, US states' antitrust complaints against trillion-dollar Facebook

Henry Wertz 1 Gold badge

I have to agree

I have to agree. I'm not a fan of Facebook, but to take action against a company in the US under antitrust laws, they both have to have a dominant market position and have to be using this position to lock out competition. Denying mergers and acquisitions can be and is done for antitrust reasons. I could certainly see denying them further mergers and acquisitions of competitors. But the fact of the matter is they are not even close to having a monopoly, and (other than buying companies) are not accused of using their market position to limit competition (for example, Facebook does not have any clause prohibiting some business or person with Facebook from using other services... unlike for example Microsoft, who has had in the past licensing fees that are per-computer, whether it has a single Microsoft product on it or not, and continues to this day to have deals with OEMs making it nearly impossible to buy a PC without Windows on it.)

Hubble Space Telescope may now depend on a computer that hasn't booted since 2009

Henry Wertz 1 Gold badge

Re: Easy...

Yes, back in end of 1999, I knew someone with some Apollo computers (not the NASA ones.... the Apollo that was bought by HP in the mid-1980s, these ran DomainOS.) The U of Iowa ISCA (Iowa Student Computer Association) ran their BBS off the DomainOS systems.

They actually released a year 2000 update for these, but it involved powering them off and back on. The drives were VERY prone to stiction, they stuck and did not release. RIP several Apollos.

Henry Wertz 1 Gold badge

At least it's not on the ground

I thought they were (for some reason) having to power up a ground computer for some unusual activity. At least it's not on the ground! I'd honestly be more concerned about one on the ground being lost, maybe missing parts, dust, perhaps rust (some of these systems in the past were not put in careful storage, they were just stashed wherever); whereas the in-orbit one is known to still be there and was stored roughly as well as the in-use one.

Good luck backup computer, NASA, and Hubble!!!

Three things that have vanished: $3.6bn in Bitcoin, a crypto investment biz, and the two brothers who ran it

Henry Wertz 1 Gold badge

Yup should have been suspicious

Yup they should have been suspicious being promised 10% daily returns (as first poster and many have said.)

Cryptocurrencies are highly volatile, higher volatility means high and fast potential gains, but also faster potential losses (and the potential to make 0 if the money is sitting but not being actively traded.) Indeed if these people were promised any particular level of profit they should have run straight away.

Also, you'd hope some of these people would do due diligence to realize they do not have to take their money to some magic startup to roll the dice on cryptocurrency, there are forex traders who got bored with the relative stability of currency trading and have applied their techniques to crypto trading. If you want to invest in crypto without watching over it yourself, you do not have to take your money to some magic crypto startup, there are conventional investors who are happy to professionally* invest your money in crypto.

*Crypto in general, due to the high volatility, is really above the risk levels professionals typically take. But they will apply their hard-earned professional techniques and experience they use to eke out profits from some 1% price difference in forex, to try to make and hold profits in crypto, so they're likely to be better at it than a lot of randos who just go on and trade some currencies around.

Containers make life easier for the software vendors you buy from, and that's why they'll win

Henry Wertz 1 Gold badge

I guess either way

Wow, it's dead even (when I voted), over 1000 votes and it's 50/50!

I voted "agreed", but...

Virtual machines? Linux kernel on a VM is aware it's on a VM, it's tickless (so it's not generating interrupts and so slowing down the shared system when it's not doing anything) and the "virtual server" distros are pretty light. Running stuff on VMs is not too bad. But you have then a kernel running, virtualized disk access, then running through another kernel; multiple caches (both the VM and physical box will have a disk cache for example); you then have an in-VM scheduler and physical system scheduler... there's overhead there. But, the VM has its own OS, there's no worrying over kernel differences or distro differences, or your app is for Linux but someone wants to run it on Windows. Security-wise, both the VM and the container are supposed to isolate everything, but the VM restricts the attack surface rather severely in terms of what can be done to the physical machine.

BUT.. containers have nearly 0 overhead, you are not having to pre-allocate RAM or disk space, there's nice controls for the disk, RAM, and CPU usage (VMs let you change # of CPUs and at least on VirtualBox reduce % speed of the cores VirtualBox exposes, but the containers have nice CPU usage control too.) Modern containerization solutions in linux, the containerized app has its own /proc and /sys, its own process list, and some kind of user id mapping stuff so you can "be root" inside a container, but have no special privileges outside it. it can have its own view of CPUs and available RAM or have access to the whole thing, etc., and that can generally be changed on the fly. Conversely to the VM, the container does have direct access to the real system kernel, you've got the real system kernel as an attack surface instead of having to get through a VM kernel, bust through the virtualization and then try to dick with the physical system.

In the case of both, you have the disadvantage of not taking advantage of your distro's package mechanism, your distro is likely to update vulnerable libraries straight away, while a container or VM you are at the whim of whoever updating the whole package to replace vulnerable libs. But, there's plenty of containers and VMs where you simply don't expose them to the outside world, and it won't matter if you get these updates immediately or not.

Edit: technology maturity. VMs have been around on IBM kit since the late 1960s, of course it was kind of "rediscovered" in the late 1990s/early 2000s for use on PCs, UNIX servers, etc. Plenty mature technology by now. Containers, they can be quite flexible, UNIX has had "chroot jails" since like the 1970s; the enhancements to make a /proc, /sys, separate process list for "top", etc. and give a better illusion of being on your own full system came out more like late 90's-early 2000s too. But besides the cloud providers, you have shared web providers that run this stuff on a massive scale quite successfully, it's well-understood and mature technology too. I've used a few "shared server" setups where you update your own kernel; they're using a VM; a few where it seemed just the same but no kernel to update (you were in a container.) They're good enough now that that was literally the only apparent difference, it seemed like I was on my own (these were like a $5-10/month plan) 1 or 2-core server with 512MB or 1GB of RAM.

Samsung pushes out single console all-in-one RAN kit for cramped European markets

Henry Wertz 1 Gold badge

They can blend in pretty well!

They can blend in pretty well!

Verizon Wireless in my area (Iowa, United States).. Coralville, IA has no microcells, there's a couple "tower" sites and that's it; Iowa City, IA (these two towns are directly adjacent and sprawled together..), microcells about every 2 blocks. So you're going along this bit of highway (Coralville strip), you're getting like 10mbps with occasional dips to like 1-3mbps, you keep going and you're in Iowa City, 90mbps+ all the time with the "worst case" dips being like 30mbps.

Those things really blend in!

One, those barrel-shaped grey power transformers up on the power pole, there's a third "transformer" that's plastic and has fiber optics running up instead of ground wires (we have above ground power and cable, but buried phone lines, here.).

The other I've been able to find (only because I have a signal strength app and can see it pegging out so I know it's there...), the side of this building has like a building-sized air conditioner and the utility boxes and meters for phone company, power company, etc., apparently one of the "etc." is a cell site made to look like a generic utility box. I know I was looking right at it and couldn't even tell which it was (I suppose the required markings ... thing saying it's owned by Verizon Wireless, the "no digging" for the fiber, etc., must have been on the back so they face the building? Otherwise you'd think you'd at least see the box with cell phone company markings on it.)

Third one there's a grass area like between two houses with a maybe 2 foot tall green pipe sticking up, it looks all faded though like the smaller size phone company boxes. Not sure if the pipe's it, or (given how the other two were hidden) there's just an extra "utility meter" or something tucked in next to the houses, I didn't care to walk into someone's yard just to take a look. But from the sidewalk, you could look at the equipment and I would have guessed there was no cell site there.

I was very surprised, generally in areas with this site densification the "big 4, now 3..." (Verizon Wireless, AT&T, T-Mobile, and former Sprint, who T-Mo just bought) did just end up (occasionally) putting up new masts but otherwise using what clearly look like cell site antennas stuck to street poles, power poles, tops of buildings and whatever else.

Google cans engineering diversity training scheme after alumni complain of abysmal pay packages

Henry Wertz 1 Gold badge

Problem is probably cost of living

Honestly part of the problem is probably cost of living based, depending on how abysmal those abysmal pay packages are. I could tough it out with lower pay for a genuine opportunity to get in at a place like this. But, the prices in silicon valley area and areas like that are so extreme you could be paid what would be a very good pay scale here in the midwest, there you would essentially have a choice of sharing an apartment with a bunch of roommates (and have some discretionary money left over to save up or spend) or rent on your own but barely scrape by. Could be especially difficult if you got through the first year, and the pay scale offered at that point is still low enough for this to be a problem.

Deadline draws near to avoid auto-joining Amazon's mesh network Sidewalk

Henry Wertz 1 Gold badge

fun!

it's going to be fun to find out how to tap into this and get a few GBs of free internet off various rings'n'things.

JBS Foods ransomware gang: White House 'engaging directly' with Russia about attack on massive meat producer

Henry Wertz 1 Gold badge

Re: A simpler explanation

>Maybe whoever is behind these attacks simply single out large (rich) organisations with crappy security?

Spot on. These usually spread the same way as any windows viruses... they spaff out spam with virus payload and port scan, finding poorly secured Windows PCs and automatically infecting them. Found a nice clump in one place? Flip on the "encrypt and ask for ransom" switch for them via command & control.

Refurb your enthusiasm: Apple is selling an 8-year-old desktop for over £5k

Henry Wertz 1 Gold badge

1980s? are you kidding me?

1980s? are you kidding me?

maybe this is different in uk, but in us 1980s are squarely part of the "malaise era" of automobiles. modern vehicles are much safer, better gas mileage (somewhat better while being much faster, or much better mileage while being somewhat faster, depending on engine in the modern vehicle.) Quieter, and better handling (excluding gross SUVs).

Big Tech has a big problem with Florida passing a law that protects politicians from web moderation

Henry Wertz 1 Gold badge

Leave the state

Honestly, I would just cut off the state of Florida from service, and let anyone who was not automatically geoblocked that if they are from Florida, they are using the service without permission and must stop using the service.

AWS Free Tier, where's your spending limit? 'I thought I deleted everything but I have been charged $200'

Henry Wertz 1 Gold badge

First thing I looked into..

First thing I looked into when I had AWS Free Tier... how do I set things up so I don't have massive potential cost overruns. There's a few machine types where they throttle your CPU usage when you "burst" to using too much usage, so your maximum monthly bill is like $5/month. I made sure to use those (I didn't exceed free usage, but if I did I couldn't end up with that large a bill. Of course, it also meant I didn't have much more processing power than I'd have on my personal desktop anyway).

It's true though, (not that I blame it on Amazon, they are there to make money off usage...), their documentation didn't really even discuss this kind of thing, and they make it much easier to start up machines and rack up usage than to make sure they are shut off, and it's harder than it should be to accurately track what your actual usage (and thus bill) is (I didn't realize the alerts are like a day behind though -- that's pretty ridiculous given you could potentially blow through a month's expected spending in a minute or two if things went seriously sideways... for instance by having some auto-scale thing turned on, have your stuff malfunction and fire up like 10,000 instances.)

Firefox to adopt Chrome's new approach to extensions – sans the part that threatens ad blockers

Henry Wertz 1 Gold badge

Why at all?

"Why do Mozilla need to implement manifest v3 at all?"

They don't, I think the idea here is most of the rest of the stuff in manifest v3 is legitimately useful to protect against malicious extensions (while not impacting legitimate ones), while the part regarding webrequests cripples ad blocking without a suitable replacement.

Big red buttons and very bad language: A primer for life in the IT world

Henry Wertz 1 Gold badge

Replacement hardware?

I would think, if those RM03s and RM05s were getting all that finicky, that they'd be phased out for newer equivalents. I can't find the info now, but I'm fairly sure by then vendors sold equipment for PDPs and the like that let them replace these drives with regular SCSI hard disks (possibly even IDE, although I rather doubt it.) Although I've certainly seen shops like that, if it works don't touch a thing other than the required upkeep.

That Salesforce outage: Global DNS downfall started by one engineer trying a quick fix

Henry Wertz 1 Gold badge

Did they ignore procedure or "ignore procedure"?

Did the tech ignore procedure or "ignore procedure"? I worked at a place like that for a while (not IT)... There were procedures to be followed (developed by some people who had not worked on the line at all), and a schedule to be met, but it was physically impossible to meet the schedule if the procedures were followed. So, in actuality there were on-paper procedures to be followed, and the procedures followed in reality (which saved about an hour a shift without affecting quality at all.)

It does make me wonder, if this tech really kind of "went rogue", or if this was just routinely done until something went wrong. To me, it sounds like a middle ground would be good -- having so much red tape and asking permission for a change they know they have to make that it's tempting to skip it is not great. Rolling out everywhere at once is not great. It seems like a fair middle ground would be not to require all the multiple permissions and red tape (since they know DNS records must be rolled out, just a notice that they're doing it now seems like it should be adequate); but rolling out to 1-2 regions/partitions first then the rest after hours to days is definitely a good idea to avoid a global outage.

Help wanted, work from anywhere ... except if you're located in Colorado

Henry Wertz 1 Gold badge

Re: I want to know the salary rang

Yeah they really sound like a bunch of douchebags; I've seen a bit of that first hand, and read about plenty of it. Both the jerking you along that long without any hint of where the job is or what it pays; and that whole "ego trip" that (mainly larger) companies have of thinking you're applying because you're EVER SO EXCITED to work at their company, as opposed to "I work to get paid" or even "I am interested in this line of work".

Henry Wertz 1 Gold badge

*woosh* right over their heads

"If large employers are refusing to comply, they risk being seen as refusing to address racial and gender equity," (plus quote from Colorado senator): "Just recently, this has come to my attention," she said. "Women here are outraged because this bill was something they worked for years and years and the pay transparency piece was a huge part of that."

*woosh* right over their heads!

It didn't even occur to me this would be some racial/gender equality thing... since it's not. It's a matter of some of these places not wanting to pay the Silicon Valley payscale for someone that is living in Idaho (.. which may not be fair either, if someone remote works from somewhere inexpensive perhaps they should get the same pay and get to pocket that money... but you also have places in UK that pay London pay bumps and so on.) Plus, for whatever reason, it's simply common for firms to not even hint at what their payscale is, they think it's some kind of negotiating tactic.

Cloudflare stops offering to block LGBTQ webpages

Henry Wertz 1 Gold badge

Fair point, but...

Fair point, but I'm quite sure there's a direct filter for porn.

BadAlloc: Microsoft looked at memory allocation code in tons of devices and found this one common security flaw

Henry Wertz 1 Gold badge

Responsible disclosure?

So, as much as Microsoft used to whine about so-called responsible disclosure (thinking flaws should be sat on indefinitely, until the vendor gets around to patching it; and presumably sat on forever if the vendor can't be bothered)... did they follow this policy? Just saying.

UK watchdog would cease to enforce data protection law if Supreme Court sided with Google, its lawyer tells judges

Henry Wertz 1 Gold badge

Agreed with ICO

Agreed with ICO -- if one has to prove damages (i.e. their data used for identity theft most likely) rather than that the company violated data privacy laws, then I could see ICO saying "the hell with it" and not enforcing the law at all. Showing abusing privacy is easy, showing it led to identity theft or other actual damages is difficult. The thing is, once the identity theft occurs, the company could be sued for real damages anyway, so obviously the point of the privacy law is to provide more protection than that.

Stealthy Linux backdoor malware spotted after three years of minding your business

Henry Wertz 1 Gold badge

systemd is the devil

"As linux users (and especially the admins of servers) , aren't you supposed to read and understand the entire sourcecode to your running install ? Isn't that why we have open source in the first place ? So you can inspect it before running."

Yes, and this is a reason why systemd is the devil. Replace readable and understandable scripts with poorly-documented opaque binary blobs* that tentacle their way through the system, subsuming more and more system functionality.

*Obviously systemd does have source code, but compared to just having shell scripts booting the system it's still pretty opaque.

Appeals court nixes online blueprint sharing ban on 3D-printed 'ghost guns'

Henry Wertz 1 Gold badge

"My take on the issue is that the gun issue is very much a cultural issue, especially in America where things like the Mountain Men have become a part of the country's lore. Plus, there's the whole 2nd Amendment "guard against tyranny" thing."

Problem I've seen, very often you have the "mountain men", and regular rural people who like to hunt (deer usually), stuff like that. A large number of the "let's take away gun rights" types live in the middle of cities (New York, Chicago, etc.) where there honestly is nowhere appropriate to fire off a gun, if you go hunting rats or pigeons each miss is going to hit a building or bystander; but they seem to think they don't need guns so nobody else should possibly need them either.

"Plus, there's the whole 2nd Amendment "guard against tyranny" thing."

The reason people are so distrustful of any gun regulations: in the past the anti-gun lobby has gotten what should be minor, sensible laws passed then intentionally abused them, at which point they get repealed. Years back, a law got passed so people who get guns at gun shows should have to get a background check, with the ability to do an "instant" background check that can be run in 10 minutes to an hour (which is sensible, and even the NRA thought it was fine, if they actually stuck to doing it this way); then, they decided it'd be really cute to intentionally delay these background checks so they would take 3 days (since the gun shows usually only last 2-3 days), intentionally to make the checks too slow to try to shut down gun shows. Of course, at this point the law was repealed. The "assault weapon" bans are similar... it sounds sensible! But, if you push most people who want one (including the congressmen etc.) they'll admit they don't actually know what an "assault weapon" is (... for the most part these are automatic machine guns that are already illegal.) In the past there were leaked plans to get an "assault weapon" ban passed, then just redefine more and more types of guns as "assault weapons" so eventually a hunter would not even be able to legally go hunting with their hunting rifle because now it's an "assault weapon". Third example, a few states have had laws so the sheriff gets final OK on gun permits, with the sensible reason that this way if someone does act all crazy (but legal), they could still be turned down for a gun permit. But, this law didn't require any actual reason for denying permits, so in some jurisdictions (not the middle of a city either, rural), the sheriffs just decided they'd deny all permits except a few friends of theirs. Of course the law then got repealed.

Henry Wertz 1 Gold badge

Freedom of speech issue

"I have not looked at the drawings or the bill of materials for these guns but knowing something about metallurgy I wonder about how the parts are heat treated so they have the correct properties so they are safe for the user."

No, that's one of the points that was made back when Defense Distributed put these up back in 2013. The 3D printer material is in no way correct for guns, when they printed a few at the time, I don't think they necessarily even fired once, after 1-2 shots maximum they were warped. I don't know if guns really can blow up in one's hand if they misfire, but if they do these probably have a decent risk for that.

The point of this when Defense Distributed put it up in 2013 was not to distribute a useful 3D printed gun design; it was in fact to make a point that those who are willing to ignore the 2nd amendment right to bear arms will also be perfectly willing to ignore the 1st amendment freedom of speech (which is in fact what happened -- with no laws on the books barring this type of blueprint, the feds got it pulled anyway, despite it just being a description and not a physical object.)

I don't have any guns myself, but fully pro gun rights -- there are procedures for modifying or rescinding constitutional amendments (2/3rd vote), that's the way to restrict guns. Until that point, anti-gun-rights types in the US are simply deciding it's OK to pick and choose which parts of the bill of rights they want to follow and which they don't.

(Incidentally, if the concern is about the number of shootings in the US, the big issue now isn't too many guns, it's the total lack of mental health treatment availability in the US, it's pretty ridiculous. Both lack of capacity, and of course keep in mind the US health insurance system is broken so most uninsured cannot even consider this; and you can be fully insured and still have your insurance company decide they're not going to pay for it. You can have someone muttering "Only my gun understands me" and acting full-out "The Shining" crazy but stroking a gun instead of an ax, and in some jurisdictions nothing would happen at all until they start shooting (they haven't broken any laws yet) and in others, they'd be taken to a police station, but even if they're found to be 100% nuts, the choice in most of the US for nutters is release them or find some reason to throw them in prison. People will have a relative who is full-on schizophrenic, and (if they have insurance, otherwise too expensive to even consider) they will spend a month or more finding anywhere to put them.)

Microsoft joins Bytecode Alliance to advance WebAssembly – aka the thing that lets you run compiled C/C++/Rust code in browsers

Henry Wertz 1 Gold badge

Essentially webassembly *is* Javascript

Webassembly at its base uses tokenized versions (i.e. few-byte opcodes rather than full names) of a very limited set of Javascript functionality, I assume on a big byte array, using assembly-language-level Javascript instructions (i.e. probably huge amounts of use of 8-bit, 32-bit and 64-bit values, and no use of strings and other data types, object oriented anything, and so on). So, with some Javascript compatibility wrapper (to de-tokenize the webassembly) it can actually run in a straight Javascript interpreter (probably rather slowly).

Any modern browser (Firefox and Chrome for quite a while at least) handles the webassembly as actual bytecode (not a series of tokenized Javascript instructions); instead of a compiler front end breaking C or C++ down into bytecode and using LLVM (or the backend of gcc) or a custom JIT compiler or whatever to optimize and compile, it pulls in the webassembly and LLVM or a custom JIT or whatever optimizes and compiles it, so you essentially get native performance if you have a good webassembly compiler.

If you want to see a fun demo of this, go around on archive.org and find the stuff on there for like DOS games, C64 games, Atari 8-bit games, etc. -- instead of like "here's the disk images to download", a lot of these pages are like "here's the disk images to download, or click on this box to boot up the game and play it", click the box and an Atari 800XL powers up, boots off the floppy and there's your game.
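As an added example (not part of the post above, and not from any project it mentions), here is a WebAssembly module hand-assembled byte by byte, of the kind the post describes: tagged binary sections and one-byte opcodes working only on 32-bit integers, loaded through the standard `WebAssembly` JavaScript API that modern browsers and Node.js expose. The exported function name `add` and the helper function names are my own choices.

```javascript
// Added example: a minimal WebAssembly module written out as raw bytes and
// run through the standard WebAssembly JavaScript API (browser or Node.js).
// It exports one function, add(a, b), that works purely on i32 values.
const WASM_ADD_MODULE = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,             // magic number: "\0asm"
  0x01, 0x00, 0x00, 0x00,             // binary format version 1
  // Type section (id 1, 7 bytes): one function type, (i32, i32) -> i32
  0x01, 0x07, 0x01, 0x60, 0x02, 0x7f, 0x7f, 0x01, 0x7f,
  // Function section (id 3, 2 bytes): one function, using type index 0
  0x03, 0x02, 0x01, 0x00,
  // Export section (id 7, 7 bytes): export function 0 under the name "add"
  0x07, 0x07, 0x01, 0x03, 0x61, 0x64, 0x64, 0x00, 0x00,
  // Code section (id 10, 9 bytes): body = local.get 0; local.get 1; i32.add; end
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x20, 0x01, 0x6a, 0x0b,
]);

// Walk the section headers to show the module is a sequence of tagged binary
// sections, not JavaScript source. Section sizes here are all < 128, so a
// single LEB128 byte is enough to read each size.
function listSectionIds(bytes) {
  const ids = [];
  let pos = 8; // skip magic + version
  while (pos < bytes.length) {
    const id = bytes[pos];
    const size = bytes[pos + 1];
    ids.push(id);
    pos += 2 + size;
  }
  return ids;
}

// Compile and instantiate synchronously (fine for a tiny module; for real
// modules use the async WebAssembly.instantiate()).
function loadAddModule() {
  const compiled = new WebAssembly.Module(WASM_ADD_MODULE);
  const instance = new WebAssembly.Instance(compiled, {});
  return instance.exports;
}

// Call the exported function. An i32 result comes back as a JS number in the
// signed 32-bit range, so overflow wraps instead of promoting to a double.
function addViaWasm(a, b) {
  return loadAddModule().add(a, b);
}

console.log('sections:', listSectionIds(WASM_ADD_MODULE));       // [1, 3, 7, 10]
console.log('valid:', WebAssembly.validate(WASM_ADD_MODULE));    // true
console.log('add(2, 3) =', addViaWasm(2, 3));                    // 5
console.log('add(0x7fffffff, 1) =', addViaWasm(0x7fffffff, 1)); // -2147483648
```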

Shadow over Fedora 34 as maintainer of Java packages quits with some choice words for Red Hat and Eclipse

Henry Wertz 1 Gold badge

btrfs?

btrfs?

Hmm... I tried it years back; it seemed unstable and I suffered some data loss from it. I tried it about a year ago, people report it's nice and all that. I ran a deduplicator on some of my stored stuff, and compression on some stuff. It would run fine as long as you had 100% up time. Oh, you had a power cut or something? btrfs still has no strategy to recover from that kind of thing; it'll detect issues and go read-only, if you're lucky enough to not lose access to any files at that point (I had files or directories just go at that point), it can tell you that a generation of stuff is corrupted.... ok, it tells you the most recent generation. fsck doesn't help. Rolling back a generation fixes problems there, then it goes read only again because the generation count doesn't line up somewhere else in the directory tree. Seriously it was crap unless you have flawless hardware. rsync and virtualbox both seemed to have remarkably poor performance on btrfs.

Plain ext4, never a problem -- worst case if you have a power-off is an empty file if you were in the middle of copying over a file. But, no deduplication, no compression.

s3qlfs lets you have a filesystem mount with deduplication and compression, with the actual data stored on your ext4 filesystem. I had a dodgy USB drive for a while so I can tell you it's pretty fault tolerant. It has a proper fsck command that usually worked; once or twice it complained about the database being corrupt (which it does back up regularly, so you don't have a total loss if it's irrecoverable, you use one of the about dozen backup copies), I was able to run a sqlite3 .recover on it, and with an fsck it had everything but whatever I copied in within the last minute or so (which it stuck in lost+found). The performance is quite good, I back up a bunch of junk into s3ql and can also run virtualbox out of it (I doubt the .ova files shrink much since they're probably already compressed, but the live .vdis sure do.)

Traffic lights, who needs 'em? Lucky Kentucky residents up in arms over first roundabout

Henry Wertz 1 Gold badge

Kansas City "virtual highway"

Kansas City has some kind of, I'll call it a "virtual highway" going through, something like a dozen highways combined in these couple stretches of road. (Those couple miles of road were in about the shape you'd expect from having a road with like a dozen times the traffic and 1 times the maintenance.) To stay on the one I wanted to stay on, I ended up taking something like Exit 1B, then multiple multi-lanes split off that offramp (that I didn't take) until something like exit 1Y, which also split off exits, had to gun it left across like 3 lanes of traffic to get to something like exit 1AC (I saw signs for up to 1AF.) Yep, 32 exits in one mile. The signage was good but there sure were a lot of them 8-).

Henry Wertz 1 Gold badge

Man

Man... as a US'ian, I can say that video is some real hillbilly shit. (I've been to Kentucky, and this doesn't really represent it, generally people there are fine. But man, roundabouts are not that difficult.)

One problem I've seen with the roundabouts in the US though -- there's zero standard for signage, or even a suggestion of what the signage should be, or how they should be set up (...edit: or there is and cities just aren't following it and doing their own things.) The one in the video, that's pretty bad but there appears to be no signage whatsoever. A little sign with a circle and arrows pointing around it counterclockwise will tell most people what it is, and at least keep them from driving around it backwards. But I've seen one with that, several without it, and several where they decided to get cute and overcomplicated, and have like 3 lanes going in and one going out as you go around the circle or whatever; one of these, the sign is incorrect and shows two lanes going around when actually the right lane splits off with an island, onto a road that has nowhere to turn around (I went about 5 miles and finally did a 3-point turn on the highway, too narrow to do a U-turn; I must admit the 2nd time I got to this roundabout and made the same mistake of trusting the sign, I said "the hell with it" and hopped over the island.) I saw one in Kansas with excellent signage making it very clear what street or highway each exit off the roundabout was, but a freakin' stop sign, making it 100% useless compared to just having a 4-way stop and standard highway signage.

Don't blame rural carriers for buying Huawei, says FCC Commissioner. They couldn't afford the top-shelf stuff

Henry Wertz 1 Gold badge

OpenRAN

OpenRAN does look promising. The short of it, with the remote radio units (on the cell site "mast"/cell tower), software defined radios (at the base), and telco switching equipment (wherever it is), it should be possible to have these be interoperable, but at present they aren't; OpenRAN is spec'ed tightly enough that stuff following OpenRAN does interoperate, and has support from both a bunch of small vendors and (more importantly) several large vendors.

From a technical standpoint, with newer cell phone hardware you've got an SDR setup (software defined radio.) Up on the cell tower/mast with a traditional setup you'd have some antennas, then antenna lines running to radios and such at the base; now those antennas have hardware behind them (remote radio units, RRUs) that do the radio receiving and transmitting (no processing), it's sent digitally via ethernet (fiber if you care about lightning protection, copper otherwise) to the base, and the radio processing is all done at the base. This means the SDR setup can be updated via software (T-Mo US and Verizon both upgraded their 4G hardware from within the last 5-6 years to support 5G via software update), but the present SDR setups are still proprietary between RRU and base, and there's a good amount of vendor lock-in going on.

OpenRAN standardizes the link between RRU and SDR equipment so it can be mixed and matched; allows having the SDR off-site (within about 10ms latency, if the cell co has fiber to the cell sites OpenRAN supports concentrating the processing at one site or some local data center, instead of having beefy computing hardware at each and every site.) And apparently in practice it allows mixing those with whatever brand of telco switching hardware too. Verizon and AT&T in US have both pushed OpenRAN pretty hard, and apparently Nokia & Samsung (if nothing else to get those sales) have pushed OpenRAN pretty hard too, and (even if reluctantly) Ericsson more recently indicated support for OpenRAN. (A nice standard wouldn't be too helpful if the big vendors didn't follow it.)

Linux as root partition on Hyper-V: Microsoft submits patches for kernel 5.12

Henry Wertz 1 Gold badge

Hyper-V by itself?

I'm wondering how you actually get Hyper-V alone? I mean, you're potentially running a Linux root, with Linux VMs on it.... but AFAIK Hyper-V is treated as some component of Windows, so how do you even get a hold of it if you have no copies of Windows in play at all? I'm not trying to be a smartass here, I'm genuinely wondering this since I haven't seen anything shipping that would be just Hyper-V.

As Linux 5.12 released, Linus Torvalds warns next version will probably be rather large

Henry Wertz 1 Gold badge

N64 in mainline kernel

"I'm all for diversity in platforms, but does N64 support really belong in the mainline kernel?"

N64 is effectively an SGI in a console. MIPS CPU, Reality Engine, etc. I think you'll find rather than having a large amount of new code written just to support N64, that the existing SGI code (already in kernel) just had some "ifdefs" and tweaks added in to also support N64. Whether MIPS-based SGI support still needs to be in kernel either is another matter, those are long in the tooth these days too.

I must agree with this being a novelty port, though. The 93MHz CPU is no big deal (obviously it's slow but you don't need much CPU power to have fun), but the 4MB RAM is very tight these days. I used a 16MHz 386 system when I started out with Linux, with 4MB RAM (and later with 8MB), and it sucked, not due to the CPU power but the low amount of RAM. Late 1980s-era UNIX systems had 4MB base and preferably 8MB or more. So mid 1990s with 4MB was command-line only (I could start X and run xclock and xterm but that was about it for X software without running out of RAM... I did have a few fun SVGAlib games though like a nice asteroids game and such.) Slackware back then did not use Unicode (I don't know if any Linux distro did), adding Unicode does make current command line software a tad bigger than back then. I recall on my 40MB HD I started out with, having to set 4MB of it for swap so I wouldn't run out of RAM.

Volunteer-run pirate Manga website attacked, loses hashed passwords, has ‘nobody’ to fix the mess

Henry Wertz 1 Gold badge

No diminished sales

Yeah, the diminished sales is a weak excuse. These fans tend to get the "unofficial" version of these manga and anime, and actually buy the official translations as soon as they come out; I seriously would guess rather than reducing sales, this probably increases the number of fans who purchase their products. Translations have a healthy cost, so they decide which series they will translate and which they won't... (... I know the "politics" of it makes this impossible, but wouldn't it be interesting if a publisher simply bought the rights, then kicked a couple bucks toward the "pirate" anime/manga sites and simply used their translations?)

Does the boss want those 2 hours of your free time back? A study says fighting through crowds to office each day hurts productivity

Henry Wertz 1 Gold badge

What an outdated view

"He said he believes that remote working does not allow teams to collaborate or businesses to engender a "great culture and an inspired workforce.""

What an outdated view. I suppose next they'll want me to fax some documents over, then look them up on my Rolodex and call up on my landline. Don't get me wrong, I'm sure there's cases where a team really gels in a way where they wouldn't when they're all remote, but I think in most cases this is managers that didn't bother to adapt to using Slack and Zoom wanting everyone sitting around at a meeting table (or, wanting to be able to tell people to stay at the office and put in some overtime.)

Apple faces another suit over its allegedly misleading water resistance claims

Henry Wertz 1 Gold badge

Re: Wouldn't have bought phone

"Since most people are tied to either Android or iOS what phone would Smith have bought otherwise? It isn't like there is a lot of choice of manufacturers offering iOS phones."

But there are manufacturers making actual IP68-compliant Android phones.

GCHQ boss warns China can rewrite 'the global operating system' in its own authoritarian image

Henry Wertz 1 Gold badge

Screw them

So the people behind the internet standards have pushed the availability of anonymity, strong cryptography, fault resilience (being able to route around faults, including "faults" being someone trying to "shut down" internet connectivity.) GCHQ (and equivalents in the US) have directly opposed this, wanting every tool an authoritarian regime would want; then have the nerve to bitch when someone besides themselves decides to take full advantage of this.

Salesman who helped land Veritas UK's 'largest ever' deal was lawfully docked £275k in commission, says judge

Henry Wertz 1 Gold badge

Demotivation

And Veritas will wonder why their sales people are not motivated to go after the larger contracts. Honestly, claiming a fairly large commission (10% seems high to me) but then finding ways to weasel out of paying it is no way to motivate anybody.

University duo thought it would be cool to sneak bad code into Linux as an experiment. Of course, it absolutely backfired

Henry Wertz 1 Gold badge

Legitimate research

I can see the harsh response, for wasting the limited time of the maintainers.

But I do see the research as legitimate research, they wanted to see if code like this was caught at all or not, and what the reaction to it was; well, they sure found out!

Docker Desktop for Apple Silicon is here, but probe a little deeper and you'll find Rosetta 2 staring back

Henry Wertz 1 Gold badge

threading and performance

The problem I ran into several years ago, running x86 and x86-64 binaries on my ARM with QEMU (Acer Chromebook 13) was that ARM has weaker memory consistency guarantees than x86/x86-64; so, running a single-threaded application was 100% fine. Once you got a second thread involved, all hell would break loose, without explicit cache flush instructions ARM in no way guarantees a consistent view of memory between two CPUs, and QEMU's dynamic translation of x86/x86-64 to ARM instructions does not insert these instructions (it's a work in progress, but has been for like 5 years -- put cache flush instructions everywhere and execution would be correct but slow as hell, but putting them just where needed is tricky, thus this whole situation.)

As for usefulness -- I threw Ubuntu onto the Chromebook, this had a Tegra K1 (same as in the Nintendo Switch) -- a quad-core 32-bit ARM, and NVidia GPU pretty equivalent to a NVidia GTX 650, altogether using low enough power for a 20 hour battery life. I had full Ubuntu desktop, even flash (some kludge to use the Android flash plugin) and Java, and the NVidia driver supported OpenGL and CUDA. For regular use, it compared worst case to being equivalent to a Core 2 Duo, for typical use it's pretty close to my Core i5 750 desktop (actually both CPU and GPU wise, it has a GTX 650 in it), for video encoding NEON really helps and the quad-core ARM trounced my i5, to the point that I'm looking into reviving the chromebook for this use. Unfortunately, Acer seemed to be quite good at engineering to spec or however you want to put it, after like 1.5 years of flawless service... the battery packed up, power connector got flaky, case started cracking, touchpad started acting up, and SDCard with Ubuntu on it died (can't blame that on them, I supplied the card) all within like 2 weeks of each other.

(Yes, I did find you could use qemu to run x86-64 bins on the 32-bit ARM -- it's cross-compiling anyway, so had no complaint running a 64-bit app on a 32-bit system. I used this for a print driver, and since there was no ARM Android Studio back then, the bulk of Android Studio runs in Java... thankfully since the qemu performance was not blazing by any means... but it runs a few binaries when it builds a Java app, so those ran under QEMU.)

Biting the hand that feeds IT © 1998–2021