Posts by ElReg!comments!Pierre 2714 publicly visible posts • joined 22 Jun 2009
You are obviously right. The people who put the system together are still in need of a good spanking though. That's not even a beginner's mistake, that's dilettantism of the worst kind. Surely "let's try and sneak system commands in the input" is the very first thought of anyone trying to compromise a world-facing system. And surely that's the very first thing any admin worth his salt <db db db db db> any admin at all would consider.
"to have launched such poor quality code into a live application implies that the leadership wouldn't know security if it slapped them with a wet fish."
That's why we should be glad that the system never went live, I guess.
There's still a serious problem as flaws of this magnitude should not even have reached the testing level, but chill dude, it never went live fo' realz.
Management may still be at fault, because according to some other comments here the project is only a few weeks old (I can here middle-management types say "OK, we spent the last 2 years discussing it without telling you, and we finally agreed that we need an online voting system up and running by next month. Make it happen. How hard can it be?").
... that a configuration error was discovered month before the system went live.
That sounds like a rather straight support for OSS to me. Thank you Robert Hill!
At least with closed source the flaws don't surface until it's far too late. That's good, right?
Just kidding of course, as the current issue has nothing to do with the software -as should be obvious to any non-luser type: it's a classic PEBCAK case. Of course you wouldn't know...
"examined so well it was hacked with a month to go before elections!"
Examined so well that it never went live, CONTRARILY to the closed-source machine which went live without examination, were shown to be skewed after the fact a few years ago and which irremediably and deeply undermined confidence in the electoral process.
What was your point again?
I believe it is technically possible. First idea that springs to mind would be the use of a separate server generating one-time credentials from non-falsifiable user data. The separate, tightly regulated server would take user data and return strong random one-time credentials, while storing both the user input data and the delivered credentials in separate, unlinkable databases. There are quite a few requirements for the credential-issuing (auth) server:
-the user data must be at least as strong as physical ID is. Passport number + physical adress + some other kind of verifiable but unrelated ID, like social insurance number or anything that the state would already know but virtually unguessable by a third party.*
-the issued credential must be very strong (100s of random characters will do the trick. Think strong-encryption key)
-the issued one-time credential ("key") MUST be independant from the user data (no "clever" hash allowed, just generate a strong pseudo-random key for each request and compare with the list of previously-issued keys until you get one that you didn't already issue).
-user ID and issued credentials must obviously be stored. (to avoid duplicate connections or duplicate keys)
-But they MUST be stored in separate databases and be ABSOLUTELY impossible to link to each other AND impossible to link to the actual voting process. For this, it is absolutely necessary that ONLY the user ID be stored in the user ID base, and ONLY the issued key be stored in the key base (forget IP, time of connection, ordered database indexes and all that crap). Both databases should be shuffled at random with each new entry, just to make sure**
-connections to and from the key-issuing server must be strongly secure. That problem needs to be discussed, but here is not the place.
-connectivity MUST be assured at all time.***
Requirements from the voting server:
-must have access to the "key" database on the "auth" server to verify the authenticity of the vote.
-must be denied access to anything else.
now for the actual voting process: connect to the "auth" server, enter your credentials, get a one-time key. Connect to the voting server using your key****, enter your choice, disconnect.
Simples
You read it here first, folks.
(come to think of it, if I was a whore I would patent that).
* That's probably the hardest nut to crack. It depends on what info your state already has that a felon can't guess. Of course you don't want to go all big-brothery but you need some kind of data integration to beat the crackers. Tough choice.
** just a half-arsed paranoid attempt. ANY type of possible cross-link between databases should be avoided, including the entry order. I'm no DBA, so that's mainly a wild guess.
*** Second in the "hardest nut" contest. Vote anonymity and verifiability means you won't have a second chance. In the physical space you won't be thrown out of the bureau halfway, on the internet you must not experience random disconnections.
**** The most secure way would probably be using the delivered key with SSL, but that might be out of the reach of non-tech punters. Copy-paste might be acceptable as long as all connections are kept secure. (yeah, I know, but let me believe!).
None of the open source components were hacked, right? It was just a matter uf unsanitized data input (i.e. poor system design). Actually the system was not even "hacked", a design flaw was exploited. From a pure technical point of view, the system behaved exactly how it should have (i.e. how it was designed to behave). No software flaw is at fault. Ask bobby tables (http://xkcd.com/327/) what he thinks about it.
Nt nt nt. Trolling title if I ever saw one.
"people owning American domains must not do anything that breaks American law"
As many have found, given that the US have the master key to domain names, your registration may be arbitrarily terminated regardless of the TLD you use. It suffice that some small town's tribunal in the middle of Arkansas gets upset with the content of your site and point out that you site CAN be accessed from the US. Even if your website doesn't break the law where registered nor where the servers are located.
There are other formats that do these things perfectly well and arguably more securely. pdf was never meant to be an interactive format, Adobe just keeps bolting badly thought-out features on it in their effort to one-up HTML. That's why it's so dodgy. Also, whoever finds that a "3D" pdf is more explanatory of the nature of a 3D object than a couple of good technical drawings needs an IQ check. As long as the support remains 2D, "3D" renderings are just for the fun and have no technical value.
As for your bird book and stuff, you sound like a 1990 teen who just discovered HTML. Sure its great (although not "endlesss" great: the delivery gadget is usually a big limitation) but with great power comes great... on second thought fuck that, we're taking about Adobe after all.
An ornithology book with actual chirping in it sounds like a TERRIBLE idea (with emphasis on terrible). Bird songs vary from territory to territory, they also vary with time (both periodically and linearly). Not to mention inter-individual variations. On top of that, manking came up with a shitload of means to overcome the limitations of "indirect" media to describe objects and sounds (think of it as regular expressions for the real life) which means that any birdsong you include in your book will be hugely less usefull than a standardized, written, boring, description of the same. Same for floras actually. Did you ever wonder why all the good works on plants an animals feature drawings and written descriptions, not actual photographs and sounds? That's because the latters can only show one particular example while the formers are able to capture the essence of the whole species.
As for interactivity, it's an interesting debate (switching back to entertainment here). Which is more interactive, written words that let you build your own representation, or a pre-made, same-for-everyone rendition? I let you decide: I have no pre-made answer to this one (see what I just did?).
You dirty, dirty *NIX user. Last time I checked, Acrobat Reader could not render ps at all, let alone *only* ps. You'd be surprised at how many people (even top-educated people) stick with chunky, unresizable graphics and chunky *text* documents just because the mainstream software providers today think that vector graphics and human-readable formats are not fashionable.
It actually enrages me because I have to put up with multi-MB "office" documents with fancy coloured comments and corrections where a KB-sized text with inline comments would be so much more efficient. Especially when mailing stuff back and forth on a thrice-dayly basis. And especially when the actual layout has to be reworked thrice-dayly too, because not everyone has the same fonts or the same version of the software.
Other pet-peeve of mine: since PDF has a "digital signature" feature, everyone and their dogs think its cool to digitally sign their PDFs. All well and good, except that it doesnt prevent anyone worth their salt from tinkering with your docs AND the Acrobat Pro wont let you merge signed documents so you actually HAVE to bypass that "security" feature if you want to do any kind of collaborative work. Which kinda defeats the initial purpose, doesn't it? (not that such "hacking" is even remotely challenging to begin with, but still). BTW, people: pretty much all the PDF-manipulation tools not from Adobe dont give a shit about digital signatures and will let a third party include derogatory comments on your boss' wife in all your signed PDFs so why do you even bother?
These guys may be kind of fruitcaky, but you can't deny that killbots allowed to open fire without human supervision are a serious concern. Not that humans are unable to eradicate a whole city block because someone had a camera...
"US drone bombardments in Afghanistan and Pakistan will cease (and be replaced no doubt by hugely bloodier and more destructive strikes from manned bombers)."
Now you're just bein gsilly. Appart from the fact that drones don't take the decision to open fire by themselves -yet?-, right now the US get away with a few hundred civilian casualties only because public opinion think of drone raids as "surgical" and "clean". As surgical and clean as an appendectomy with a chainsaw if you ask me (no-one bothered yet. Asking me, I mean). But they probably wouldn't get away with levelling entire towns to get to a single individual.
That is when every device we own will have it's own direct fat satellite link, or some kind of new wireless "surface" transmission.
And even so, most of it is drivel anyway. Time-sensitive tasks (such as, erm, vision, as in binoculars maybe) will always be better performed locally. Not to mention that you can have as many pixels as you want, and very good ones too, and petaflops to process the signal, with crappy lenses you're always going to get crappy images. Unless Nvidia can somehow redefine the laws of physics.
My tuppence: in 10 years, things will be pretty much the same except that your pencil will have it's own IP adress and GPS and will insert random ads in what you write. I can also see a lot more domotics, linked to and operated by the like of Google ("for your convenience") that will adapt the add displayed on the toaster to fit your mood based on the data collected (e.g. an add for Cialis after an all-too-quite night, maybe?).
You worded that backwards. It's "expect the rising tide of junkware to continue rising — BECAUSE most users don't care about apps".
Most users will make do with what is preloaded on their handset, and even if they don't use your preloaded apps they will not be upset by them. Ergo, if you want to push your apps, preload craploads of them on the handset, you can't lose.
In other words, you can just put your apps in a store and reach 12.4 % of the market (and 12.4 demanding % at that, who will sling massive amounts of turd your way if you do anything remotely wrong).
Or you can preload your apps and reach 87.6% of the market (100% minus the aforementioned 12.4%, assuming they will all go get something else from the store just to piss you off). And they will be quiet, docile consumers ready to take whatever you feel like giving them (you in the back, stop murmuring "Mac users").
If I had apps to push and no morals I know which way I'd go.
(Sorry for the somewhat offensive title, I've been waiting for this one since I read about the Morón airfield on El Reg!)
Anyway, you do realize how much that traffic must annoy the hosting provider -if not the ISP-, right?
What he did was akin to putting up a big "I'm a vacation, don't bother stealing my fancy furniture, jewellery, home cinema system and 3 macbook pros since It won't bother me at all" sign on his house. If you do that and get robbed, your insurance company will probably charge you through the nose. Same here. Except that it¯not even HIS house, nor his furniture.
>If every request to a company's PR department was responded to then the company would fairly soon be doing nothing else.
The PR department's job is to answer requests, ESPECIALLY from journalists. Well, not in Apple's case obviously. But in every other company in the world that's what they do. Now if the Big Man Himself in could take the time to answer 3 times from His Shiny iPhone of Power, maybe some lowly PR drone could have spent 3 minutes gathering some material and let the girl dig through it. Mind you, more like 10 seconds as they probably already have canned answers for most cases, because that's the very first thing a PR department would do when coming in existence: prepare canned answers. Even before they get an internet connection.
That confirms what we already assumed, but as you say, facts are always better than assumptions.
A few questions though:
-you say you used an external keyboard and a stand most of the time. Didn't it feel like it killed the portability of the thing? I know I would probably hate to fumble through my carry-on bag to retrieve 3 items instead of one for example. Or am I mistaken?
-"And since the iPad is effectively just a screen, it was certainly easier to lug around and use while standing, for example.". I find that EXTREMELY hard to believe. I am well used to read and type text, prepare overhead presentations and even do some image editing on my Eeee 900 while standing in the (moving) metro or bus, and I really can't imagine how I would do to hold the thing one-handed while typing and clicking if not for the ~right-angled screen+keyboard configuration (not to mention the obvious absence of keyboard on the iPad in "standing" use). Or do I lack imagination?
The externally-powered USB only thing is a no-no for me, although the battery life would be a big plus. Having to find a power socket every 3 hours is annoying. Usually not difficult, but irritating.
Icon mostly for the question mark (although I'm quite sure that Paris does own an iPad).
More like science and agriculture these days... most things you can find in the US is made somewhere in Asia. And the rest sucks.
Although come to thing of it European agriculture is more productive actually so make it just science. And Japan and various European countries might have an objection there, too.
OK, so you're really famous for an aggressive military approach of international affairs, commercial cinema, and finance.
And software/ITservices. (Also hardware? As seen in Boston last week: "Boston is home of the first computer in the world (MIT)". Yeah, you keep telling you that.)
"A simple GPS + computer hooked up to your release mechanism could do this"
No, it very much couldn't.
"how about jailbreaking an iPhone or Android phone"
How about NO? That wouldn't be ingenuity, that would be LOLkiddie showoff. Plus, it wouldn't work anyway.
... for the glass syringe idea then. I thought it was really elegant, simple, robust, light and small, and some vacuum grease would have solved both the leak and stiction problems (the one you used here would most probably have worked, did you test that?).
But at least with with this latter design you can use duct tape! So please, do.
Not a religious one.
Find me somewhere in sacred text where it is even mentioned. Go ahead.
So yeah it's frown upon in France (not banned, just not accepted in schools). But so is stoning adulterous women to death. Is that a bad thing? Freedom of religion being suppressed?
We DEMAND our stonings! Or not?
Well I used to vote for AMD with my money (for the last 10 years or so), never disappointed, always got more grunt for my bucks with them than with Intel. But I'm stepping away from the x86 architecture these days, so although I still don't waste my money on Intel crap I cannot really endorse AMD anymore... they DO try and provide other types of chips, but they are just not very good at it. Yet?
Plus I hold sort of a grudge against ATI, so it doesn't help that AMD bought them... and didn't fix the mess...
But what would happen if the fine Intel had to pay for keeping AMD out of the market was given to AMD? What, AMD would have made a 1.41 bn profit instead of a 43 m loss , and that's not even considering long-term effects?
So, Intel was right then. Bribe your competitors out of business, whatever fines you might have to pay are well worth it in the long run!
Booh AMD booh!
I wonder how much it would cost (in fines and legal expenses) to have the entire board and developpment team of the competition physically eliminated. Probably worth a try, what are a couple billion dollars in penalties compared to running the opposition into the ground for 20 years? Plus they would be dissed by El Reg for not making trillions instantly after you had to pay said penalties to whichever judiciary would have you convinced. If any.
... now that you mention it the email-firing habits of Stevie J. do share a few characteritics with the 30 mm garden variety cannon.
But you are right, I might have loosed control over my letter-repetition disability in this case. Is it to late too say its the spell-checker's fault? I mean these things are not very reliable. You could even say that their intentionnally bobby-trapped. Damn, I guess its to late for that excuse now, I should of though of it earlier. Etc etc...
Nothing is intrinsequely intuitive, it's down to education. Something will FEEL intuitive if it obeys the same laws as something you already know. I always fire up my desktop calculator in reverse polish notation mode because I've learnt to thing effectively in stack-like mode. Your garden-variety user will feel that very counter-intuitive because they learnt basic math as <operand1> <operator> <operand2>. No method is more intuitive per se, it's just the way you're used to thinking at it that makes one or the other more intuitive.
When it comes to PCs (including Macs, as it should), there's another layer that comes into play: the line between "so intuitive that it does what you want without you having to learn COBOL" and "so intuitive that there is absolutely no way to tell what will be the output for a given input". I call the latter "luser-intuitive", and sadly that's how most "intuitive" UIs work nowadays. Then there is the "windows-intuitive" way, which sounds a bit like "so intuitive that you can crap your system completely without ever knowing how you got there". Sadly, that last level gains ground even on "serious" systems, as the Linux consumer-oriented commercial outfits see it as a way get into Wintards' pants.
So the really important thing is not "intuitiveness", it's giving the right tools to the right people.
If you are going to be your own sysadmin and you need to squeeze every drop of performance juice from your system (which means that you're on a tight budget, as otherwise you'd get a better system, obviously) then both Windows systems and anything from Apple are out of the question. Get an ugly thing from wherever and install a *NIX system on it (avoid the like of Ubuntu, PCBSD etc like the plague. Build your own tailored system with only the tools and services you need. When you choose your desktop environment don't even dare thinking about Gnome or KDE). For desktop-like use I would advise a Gentoo, or a Slackware. A Debian if you are prepared to fend off all the bells and whistles that will be thrown your way, but it can be difficult for a geek. The idea is that you will have to learn how your system works (how it really works, not how you can sometimes trick it into doing some stuff). so that you will be both able to use it efficiently AND to maintain it whithout doing too many stupid things.
If you have a sysadmin (Note for the retards: that means NOT you and NOT that guy next door who spends half his days on /. but is really supposed to type numbers in spreadsheets), then use whatever they tell you to and shut your trap. They DO know better. Actually, they're PAID to know better. And even if they did NOT know better, they WILL be the ones fixing your stupid mistakes so you REALLY want to be using a system that they know well. Even if it's a piece of shit.
If you never got around to learn how computers work, and you won't have anyone holding your hand through the configuration process, and you know that the only three pieces of software you could ever possibly need are available for Mac, and you've got more money than need for real computing power, then get a Mac. What could possibly go wrong? It's premium quality, lovingly assembled by asian workers from generic parts, and it's not like they ever got cracks or DOA problems or anything. At least the OS won't let you do anything blatantly stupid if you don't specifically ask it to. Actually some say that the OS won't let you do anything AT ALL, EVEN if you specifically ask it to, but these are lies. Or slight exagerations, at least.
If you're a cowboy at heart and would sooner die than read a manual, forget everything and install Windows. Preferably the alpha-test version (The one which is often cheekily labelled "Beta"). You can do it. Yes you're THAT good, don't listen to them. Knock'em dead tiger!
With these specs and price, I bet it wouldn't have made the 40% bar. Maybe 45% for the design. But Apple lives in a different world, folks. Get used to it. Whatever the score is, don't calculate it, double the estimate, devide by the maket share of apple relative to Microsoft, multiply by the I Want To Have Steve Jobs Babies factor, multiply again by the Apple News Tidewave Factor, add 20 just for the fun. Here you are, 80% or such. And everyone who doesn't agree just prefer chunky old IBM Thinkpads. and thus should be dismissed.
"( And yes, I know I am opening myself up to replies saying thieves have got taste etc etc hardihurhur but face it, if they can flog it they'll nick it)."
So you're just saying that they reckonned they couldn't possibly flog the dead horsebook nor the dead horsepad. I bet they took the old stereo though. Some things never lose value.
This cannot be an El Reg Hardware review, I must've landed on cosmopolitan.com by mistake.
Don't read this wrong, I have nothing against people shelling out large sums of cash for devices that I would not touch with a barge pole, but surely "It's pretty and the touchpad works well" cannot be considered an exhaustive review by a techie rag?
And no, "Oh look I can open it" and "It even has a DVD writer" don't count as noteworthy enough to warrant a pic. Not for the past 10 years, at least.
The repeated assertions of it being a "consumer" only hold as long as you "consume" almost exclusively web-based content as the display resolution, the HDD size and the available ports won't let you do much more (not in a satisfactory manner anyway). This is clearly an internet-and-family-pics device. Which is fine by my book; it might have been mentioned in the article though.
Oh and I hate to spoil it for you but Sony and others make very stylish laptops with the same kind of specs or better, for about the same price, for those who prefer their devices with more style than grunt. So you can probably stop feeling like a pretty pretty princess.
«From the Smithsonian website, "The Smithsonian Institution, the world's largest museum complex". Note "complex".»
And it is important because?
«Also, you must have been not paying attention whilst at the Smithsonian. An article published in 2007.»
Ah, I think you misread the paper as the sign in the museum clearly states that the statues are representations of the elders and look towards the land to protect their people and that they were the main actors of huge summer festivities in which the natives filled the eyes with corals and flowers to increase fertility. Plus some other stuff. From memory.
Or, oh wait, maybe, just maybe, the person writing the article was not the same as the person writing the sign in the actual museum? Maybe the largest museum (or "museum complex" if you like) in the world employs more than one single person after all?
«You'll be pleased to know that Europeans and Asians make the list.»
Well of course, I don't know why they wouldn't. If you re-read my post I think you'll find that I was singling out the US not for their mistakes but for their tendency to not read scientific reports from anywhere else in the world, leading to a periodic re-inventing of the wheel.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
