Posts by Glen Turner 666

244 posts • joined 3 Jul 2009


Apologies for the wait, we're overwhelmed. Yes, this is the hospital. You need to what?! Do a software licence audit?

Glen Turner 666

Hospitals would be attractive for software licensors as they are still open and, notoriously, working at capacity. An audit of software licenses of a shuttered business is more likely to find compliance -- the server and desktops might even be turned off.

It is the software licensee who does the grunt work of collecting the data for the audit. In a hospital context, the hospital's IT staff. An audit is not letting someone in the door and saying "hope your PPE is good", as delightful as that would be. The licensee's staff are safe, working from home, and writing e-mails with references to the contract clauses about software audit obligations.

The cost of an audit to the licensor is low. Basically an e-mail, some administration, and the customer relations staff giving a not-at-all-meant apology.

Whenever I have pressed a software vendor on their audit clauses the sales team have always responded that the clauses would be used "responsibly". That's clearly not the case.

Personally, a software licensor requiring a hospital to do a compliance audit in the midst of a pandemic would, in a better world, have the government solve that issue by issuing a statutory copyright license.

Crowdfunded Asahi project aims for 'polished' Linux experience on Apple Silicon

Glen Turner 666

Re: I don't see why Apple would stand in the way of this

Apple sells around 18m laptops a year. Support for Linux would not increase sales by even a percentage point.

The attraction for Apple in allowing Linux (that is, allowing non-secure boot) would to be to avoid entanglement in accusations of monopolistic practices by US hardware and software manufacturers, practices the EU has been traditionally keen to prosecute and China may be increasingly keen on pursuing.

Microsoft is designing its own Arm-based data-center server, PC chips – report

Glen Turner 666

Re: How many companies have to fail at server-side ARM64 ...

What has happened is the major buyers of sophisticated CPUs -- the cloud companies -- want performance per watt as well as performance per rack unit.

Compare the resulting pricing for AWS: Intel US$4.08ph, AMD $3.70ph, ARM $2.18ph. Graviton2 is about 20% slower than the equivalent Intel server, but about half the cost. Remember this is the second release of Amazon's ARM design up against the decades of tuning of Intel's design, and the difference is only 20%. Obviously that difference has further to shrink.

Other cloud providers will be facing similar pricing, but with the advantage that they use more of their compute cycles for their own services. That is, they can more readily re-target their internal services from AMD64 to ARM64 than Amazon's clients can.

I can't see that any company will take the risk of developing a server ARM chip. As you point out, plenty of startups have been burned. So the market will leave that development to the cloud providers themselves, who have abundant engineering resources to turn ARM IP into silicon.

The major difference between now and the past is Intel's years-long failure to deliver process improvements compared with its competitor TSMC. There is little reason to expect that to change. That failure alters the economics for cloud companies. In the past chips with better architecture would have their performance blitzed by Intel's process improvements. DEC's Alpha being an excellent historical example. So there was no incentive for cloud companies to explore CPU architecture. That blitzing-by-process-improvement is no longer in Intel's power to do. An architectural improvement over Intel's microarchitecture is now a long-run win. So CPU architecture is now worth cloud companies' efforts.

None of this is likely to be reflected in the "enterprise server" market. But that market is becoming increasingly odd and continually smaller. In many ways very much like the IBM mainframe business of the pre-PC 1980s. And just as likely to have a nasty surprise.

Deloitte's 'Test your Hacker IQ' site fails itself after exposing database user name, password in config file

Glen Turner 666

Tweet removed

Twitter removed the tweet from Tillie Kottmann which uncovered this issue. Presumably because the tweet breached Twitter's controversial "Distribution of hacked materials policy".

Linux kernel's Kroah-Hartman: We're not struggling to get new coders, it's code review that's the bottleneck

Glen Turner 666

"Linux has issues with code validation" isn't correct. It is clear where every line of code comes from.

"What would happen without Linus as ringmaster". Linux *has* a succession plan, at the moment that is GK-H. The risk is greater for other OSs: can you tell me who the successor to Microsoft COSINE's Jason Zander is as the engineering leadership for Windows? That's likely to be determined by business and political issues at Microsoft at the time Zander steps down from that role. The same is true for Apple's engineering leadership. I don't know why you demand a different standard for Linux's engineering leadership.

As for resolving competing priorities, the lesson of Linux is that operating systems win by addressing everyone's needs. For example, it turns out that everyone wins if the kernel is capable of realtime scheduling, even if they aren't running a realtime application. Similarly, those small realtime systems win by using filesystems with features initially designed for large enterprises in mind.

"the likelihood of it being aggressively targeted by hackers (both state funded and criminal) is a certainty". Well yes. Because it has already happened. But you are mistaken that the problem is "all those Application stack DevOps types". The DevOps technologies -- at their heart: easy safe continuous deployment -- make preventing and responding to security issues much faster. The stronger isolation of Docker and similar technologies is also a win in limiting the fallout from security compromises. The security track record of real world deployment of this technology -- notably in the Google and Microsoft clouds -- is impressive.

Has Apple abandoned CUPS, the Linux's world's widely used open-source printing system? Seems so

Glen Turner 666

Run your own RIP

As the owner of an ancient Samsung ML-1510 laser printer: attach a Raspberry Pi to its USB port. A model with 1GB of RAM or more. Now you can configure CUPS to drive that printer directly (for Samsung, via the gdi driver). But CUPS and Avahi can also represent that printer to the outside world as an IPP Everywhere printer (ie, which is sent PDF files, which is discoverable using mDNS). Which means driverless printing and easy printer discovery from laptops, tablets and phones.

Looking at that another way, it's basically a return to the start of the PostScript era, where the RIP (raster image processor) was a computer separate to the print drum. With the RPi RIP having 1GB of RAM it can print the most complex of PostScript jobs at full printer resolution (for the ML-1510 that hardware is 600 x 600 x 1bit gray but 1GB will also cover 1200 x 1200 x 4bit-gray rasterising and using a RPi to do that was cheaper than a RAM upgrade for my household's other printer, a Samsung SL-M4020ND -- not a recommended purchase).

Glen Turner 666

Re: will drop PPD file support soon

CUPS uses PPD files as configuration files. This made sense when it looked like the printers of the world would mostly be PostScript. The configuration information for all other printers could then be munged to fit in a PostScript worldview, and PostScript used PPD files to describe printers.

But the world didn't end there. Today printers accept PDF and there's a network protocol to inquire about the printer's capabilities.

So it makes sense for a modern print spooler to have printers which don't work as network-connected PDF spoolers at least fit into that worldview. That leads to an API with a set of drivers. For older, simpler printers they can hardcode parameters rather than use IPP.

UK tech supply chain in dark over Brexit preparations months ahead of final heave-ho

Glen Turner 666

Re: Latest from the PM

The UK won't "become like Australia". Because we *do* have a comprehensive low-friction trade agreement with our nearest neighbour -- the Closer Economic Relations treaty with New Zealand (and our Constitution has an invitation to New Zealand to join the Commonwealth of Australia). We also have a trade agreement with our next-nearest neighbours, the ASEAN-Australia-New Zealand Free Trade Agreement. As you'd expect we also have FTAs with major trading partners like USA, China and Japan. These treaties are the result of over twenty-five years' sustained effort. Ironically an effort initiated by the UK ending Commonwealth Preference to join the EU (which caused an economic crisis in Australia).

Australia doesn't yet have a trade agreement with the EU. The issues there are around agricultural goods, and especially the ever-increasing application by the EU of 'appellation' to limit competition. So trade with the EU occurs on WTO terms. This is no great drama for Australia as the EU is on the other side of the world -- and thus not tightly integrated into production chains. Whereas for UK firms European firms are a few hundred kilometres away and production processes have become tightly interwound.

Australia's situation is in no way comparable to a UK having no trade agreement with the EU and seeking to trade with close-by nations under WTO terms.

Cisco ordered to cough up $2bn – yes, two billion dollars – plus royalties after ripping off biz's cybersecurity patents

Glen Turner 666

Read patent claims from the back if you're trying to understand the invention

You read patent claims backwards. The later claims are the more specific and are the relevant claims. The earlier broader claims are a legal tactic. Once in a while litigation does result in one of the earlier broader claims being accepted, which is one of the many reasons why patent law is such a mess.

Future airliners will run on hydrogen, vows Airbus as it teases world-plus-dog with concept designs

Glen Turner 666

Re: hydrogen engines?

"Wouldn't we have seen them in cars if this was viable?" You mean, like we see kerosene-burning turbines in cars today?

The requirements are very different. Weight is a major concern for aviation engines, less so for terrestrial engines. Fueling for aircraft can be complex, because it can be limited to professionals.

Hydrogen is going to cost a lot, far more than using wind+solar to charge a battery. But it looks like batteries are going to remain too heavy to be economically practical in aircraft. So hydrogen is where aviation finds itself when looking for a power source which is not based on hydrocarbons (which make global warming worse).

Even then the economics are going to be interesting. Airbus are allocating a third of the former cabin space for fuel. That implies ticket prices rising roughly 30%, and likely more. That leads to an interesting regulatory question, with consequences for EU-US relations depending which of Airbus and Boeing have a practical plane available for order.

Hidden Linux kernel security fixes spotted before release – by using developer chatter as a side channel

Glen Turner 666

Linux kernel doesn't do too badly with this intractable problem

The article is talking about two problems. (1) commits fixing security issues, which are intended to be silent at the time, are detectable from comparing Git versus mailing list traffic. (2) the lack of oversight by the wider public allows trusted (but perhaps not trustworthy) insiders to apply commits.

(1) It's hard to know how the first problem should be addressed; short of moving discussion of other commits off LKML, which seems undesirable.

(2) The second problem is simply a fact of life in any software development process -- "Reflections on Trusting Trust" territory.

The Linux kernel have done their best -- encouraging regular committers to use (freely supplied) Yubikeys to sign commits based upon a physical keypress. This goes a long way to inhibit a hacking of the computers used by major Linux kernel contributors resulting in a commit which was not authorised by the contributor. The identity of regular committers is known, and for most has been verified by the sighting of government-issued identity documents at GPG keysigning events at Linux conferences.

As for an untrustworthy committer, we need to be careful in our claims. There *is* oversight: (1) retrospectively; and if the issues are complex, then (2) at the time by other selected Linux developers in a non-public forum. There is not public oversight prior to the commit, and it is difficult to know how that could be done -- do we ask those willing to exploit the bug for evil to exclude themselves? The claim reported by the article of "code commits made without review" doesn't fairly reflect the complex situation. We can be confident that an untrustworthy committer will be detected after the fact, simply because of the great public interest taken in these "silent" commits.

For the Meltdown/Spectre bugs the kernel developers did a good job of documenting the issue and the fixes. It's easy to retrospectively trace from those requirements to the historical commits. It's likely that this supply of very good documentation will be the practice for future complex security issues. It's the process for "simple" security fixes which needs focus to improve retrospective traceability from CVE to commit (this could be as simple as retrospectively tagging a commit with the CVE it fixes).

Finally, I'd note that the Linux kernel's processes are not inherently inferior to software processes which happen in private industry. There would be few industry development processes which could validate the integrity of the source repository back to SAK keypresses. There are no industry development processes which have so many backups of the source code under the close control of so many people, allowing blatant subversions to be detected within hours. The Linux kernel addressing major bugs by using small tight teams of people with need-to-know is no different to commercial practice.

Facebook rejects Australia's pay-for-news plan, proposes its own idea: How about no more articles at all, sunshine?

Glen Turner 666

So sorry, we can't identify posts...

For a long time Facebook has been saying how hard it is to identify and remove all the posts from nazis. Even well-known nazis. Even well-known nazis who are arranging to kill people.

But it's expecting no issues identifying all posts from journalists in Australia.

Isn't it amazing what an incentive self-interest can be?

Fret not, Linux fans, Microsoft's Project Freta is here to peer deep into your memory... to spot malware

Glen Turner 666

If you run a large public VM farm -- and Microsoft does -- then identifying VMs with malware is important in stopping the VM farm from becoming the DDoS agent from hell. This isn't the only way to address the issue, but no technique has 100% coverage, so I can understand why they're building this method. It has some advantages too, such as not generating data which needs real-time analysis (unlike, say, intrusion detection systems).

This'll make you feel old: Uni compsci favourite Pascal hits the big five-oh this year

Glen Turner 666

Re: pascal was simply useless.

Pascal was useless as shipped. No linkage, no variable-length arguments (despite using them in the language, so a Wirth Pascal compiler couldn't be written in Wirth Pascal), the program needing to be in one source file. All the serious Pascal compilers fixed these shortcomings -- but none of them in the same way, which made Pascal non-portable. Of course standards committees tried to fix this, but usually by inventing yet another mechanism (insert inevitable XKCD).

But Pascal's programming tools were great: good IDEs, good sets of libraries. UCSD Pascal was a good system. Turbo Pascal was superb. This made Turbo Pascal the obvious choice for writing well-performing programs under MS-DOS.

Then two things happened to kill Pascal: UNIX and Windows.

UNIX was a joke. A minicomputer operating system of obscure commands and questionable stability and an odd security model. BSD and then Sun focussed on making UNIX not only a serious operating system, but one at the edge of operating system features. Other minicomputer operating systems didn't come close to what Sun was doing with their workstations. Even the billions spent by IBM and DEC didn't touch dynamic linkage or TCP/IP or NFS. And the language of UNIX was C.

UNIX was so obviously the future that Microsoft acquired a UNIX and used Xenix as the development platform for their MS-DOS products. So it was natural for Microsoft to seek to replace their expensive workstations and servers with PC-based C compilers and linkers, and then natural to sell that C compiler and linker, and then natural to support that C product better than the other languages it offered. In time it was natural for Microsoft to write OS/2 and Windows in C.

What also cemented C over Pascal was PJ Plauger's work on the ANSI C committee. Unlike the equivalents for Pascal, the ANSI C committee did a great job. It codified existing practice, it brought innovation where it was sorely needed and thus readily accepted (eg: function prototypes, the "void" type), it wasn't afraid to adopt a particular vendor's solution whatever its weaknesses (eg: BSD strings.h).

Now we had a language which you could write a program in and it would run on MS-DOS and UNIX: if you were developing programming infrastructure then using C doubled your market; and if you were writing programs then using C meant you had more programming infrastructure available. Many of the GNU tools became available for MS-DOS and people developed a hankering for the real thing: UNIX on their PC at a price they could afford. Moreover the action of AT&T and Sun in seeking to massively charge for their compilers meant that UNIX systems in practice all used the same compiler for applications programming: the free GCC. So not only was there a common language for UNIX at the 10,000ft level, there was a common language at the 1in level, plus autotools papering over the differences in system libraries. Pascal simply wasn't that ubiquitous.

With Windows, C and Win32 became the common choice for applications and Pascal's largest group of users quickly left.

Later the web browser killed Win32. But since C was the language of choice for both UNIX and Windows servers, that only made C more dominant. Then the world tilted and interpreted languages roared back into fashion on the server-side: Perl, PHP and Python. C became a niche language for systems programming and performance-critical paths (and part of the appeal of Python was its ease for putting C in performance-critical paths -- usually by importing a third-party library).

Microsoft doc formats are the bane of office suites on Linux, SoftMaker's Office 2021 beta may have a solution

Glen Turner 666

Re: Zotero

Zotero and EndNote are the two most popular citation managers, so to have Zotero described in this review as "...integration with an open-source citation management system called Zotero" did make me wonder how little academic writing the review's author has done.

If you do academic writing then you need a citation manager before you even begin to read -- then you can let the citation manager record all your sources as you go. Zotero works better than EndNote for modern multi-device users and I'd strongly recommend Zotero over EndNote for PhD candidates (who aren't just writing one essay, but a multi-year series of documents). In response, EndNote offer $0 licenses to current students, but this has the effect of making your years of curated citations inaccessible when you leave the university sector (again, more of a concern for higher-degree students rather than undergrads pumping out disconnected essays they'll never revisit).

LibreOffice 6.4 nearly done as open-source office software project prepares for 10th anniversary

Glen Turner 666

LibreOffice made corporate use of Linux possible

Thanks mostly to LibreOffice, but also to the Evolution email and calendar client, it is possible to use Linux as a client operating system within a large organisation. I think that's a win the article could have mentioned.

The other notable achievement of LibreOffice is its dedication to reading a wide variety of superseded file formats.

But I'll agree with the article that the main effect has been to keep Microsoft honest with Office pricing and features (such as an easy PDF export).

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer

Glen Turner 666

Re: Surely...

If an attacker wants to defeat the Spectre mitigations then all they need to do is run a tight loop in their code and the mitigations will switch themselves off?

GitHub upgrades two-factor authentication with WebAuthn support

Glen Turner 666

Re: Git servers don't support 2FA on updates from Git clients

The point of WebAuthn is to replace typing that password with a button press, verifiable end-to-end, with no opportunities for keylogging or other MITM. So you'd end up with a better user experience with WebAuthn as well as it being more secure against the common issues.

The point of signing commits is a little more subtle. That protects your code from unauthorised modification to the repository and means that you can verify the commits as unchanged, so if GitHub is hacked you can check that your code has no unauthorised changes -- no need to rely upon other parties, such as assurances from GitHub. If all the developers use hardware devices for the GPG-signing (which is a pain to set up but just a keypress to use) then that's pretty unhackable -- essentially there's an unalterable path of trust from that keypress to code later cloned from the GitHub repo.

Typing a password a lot isn't great security -- it multiplies the opportunities for keyloggers, it puts false positives in the logs when people mistype them, effective passwords (>10 random characters) are simply too hard. You'd get more security using a password database which is then secured using a cryptographic device.

There have been two real advances in security in the past decade: cheap authentication keys (of which Yubikey is the best known) and replacement of firewalls and VPNs with end-to-end encrypted and authenticated sessions (eg, Google BeyondCorp).

Glen Turner 666

Git servers don't support 2FA on updates from Git clients

GitHub's 2FA works on the web interface only (the same is true for GitLab). Once U2F or WebAuthn 2FA is enabled you need to generate an SSH key or an HTTPS token (aka password) to push a commit from a laptop's command line. These methods do not request 2FA. So the use of a keylogger or theft of a developer's laptop still exposes the repository to unauthorised modification.

The Git command line client could be updated to support U2F or WebAuthn upon a "git push" but this has not happened yet.

Lacking that support at the moment your choice is to secure a GitHub SSH keypair or an HTTPS token using a proprietary authentication key (eg, Yubikey). This is usually a multistep process -- use the hardware key to secure a password database, then that database releases the access token after validation of the hardware key.

You can also securely sign commits by using a proprietary authentication key which implements GPG-signing and set the repository to require GPG-signed commits.

Unfortunately neither SSH, HTTPS nor GPG expose the security of the key storage. So the Git server can't tell if the key exchange was with a secured keystore or with something as terrible as a passwordless SSH or GPG keystore. This is the problem U2F and WebAuthn exist to solve.
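One thing a repository administrator can check today, added here as an example and not part of the comment above or of any GitHub tooling: OpenSSH 8.2 introduced FIDO-authenticator-backed key types (generated with `ssh-keygen -t ed25519-sk` or `-t ecdsa-sk`) whose type string carries an `sk-` prefix, so the public half of such a key reveals that its private half lives on a hardware token. The script below parses public-key lines in SSH wire format, checks that the textual type agrees with the type encoded inside the base64 blob, and reports which keys are hardware-resident. The key blobs are constructed inline for the example (zero-filled, not real keys); the `audit` and `classify_pubkey_line` names are this example's own.

```python
import base64
import struct

# Key types generated on a FIDO authenticator (OpenSSH 8.2+) start with "sk-".
HARDWARE_KEY_PREFIX = "sk-"
KNOWN_TYPE_PREFIXES = ("ssh-", "sk-", "ecdsa-")


def _read_string(blob: bytes, offset: int) -> tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    offset += 4
    if offset + length > len(blob):
        raise ValueError("truncated string")
    return blob[offset:offset + length], offset + length


def classify_pubkey_line(line: str) -> dict:
    """Parse one authorized_keys / .pub line and say whether the key is FIDO-backed.

    The type string appears twice on a real line: in clear text and as the first
    wire-format string inside the base64 blob. A mismatch means the line was
    hand-edited or corrupted, so it is rejected rather than trusted.
    """
    fields = line.split()
    # authorized_keys lines may start with an options field (e.g. "no-pty,...").
    if fields and not fields[0].startswith(KNOWN_TYPE_PREFIXES):
        fields = fields[1:]
    if len(fields) < 2:
        raise ValueError("not a public-key line")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    inner_type, _ = _read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type mismatch: {key_type!r} vs {inner_type!r}")
    return {
        "type": key_type,
        "hardware_backed": key_type.startswith(HARDWARE_KEY_PREFIX),
        "comment": " ".join(fields[2:]),
    }


def make_blob(key_type: str, *fields: bytes) -> str:
    """Build a base64 key blob in SSH wire format (constructed for this example only)."""
    parts = [key_type.encode(), *fields]
    raw = b"".join(struct.pack(">I", len(p)) + p for p in parts)
    return base64.b64encode(raw).decode()


# Constructed sample authorized_keys content: a plain file-resident ed25519 key and a
# FIDO-backed sk-ed25519 key (public key, then the "ssh:" application string).
SAMPLE_AUTHORIZED_KEYS = [
    "# constructed sample, not real keys",
    "ssh-ed25519 " + make_blob("ssh-ed25519", bytes(32)) + " laptop-file-key",
    "no-pty sk-ssh-ed25519@openssh.com "
    + make_blob("sk-ssh-ed25519@openssh.com", bytes(32), b"ssh:")
    + " yubikey-resident",
]


def audit(lines: list[str]) -> list[dict]:
    """Classify every key line, skipping blanks and comments."""
    return [classify_pubkey_line(l) for l in lines if l.strip() and not l.startswith("#")]


if __name__ == "__main__":
    for entry in audit(SAMPLE_AUTHORIZED_KEYS):
        flag = "hardware" if entry["hardware_backed"] else "FILE-RESIDENT"
        print(f"{flag:14} {entry['type']:30} {entry['comment']}")
```

Run it against an exported list of a user's or deploy keys to see at a glance which ones would survive the laptop-theft case the comment describes; a key whose private half sits in a file still passes, so the check is a prompt to migrate, not a control by itself.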

Pentagon makes case for Return of the JEDI: There's only one cloud biz that can do the job and it starts with an A (or rhymes with loft)

Glen Turner 666

Re: The arguments are solid

You forgot this option: Oracle don't need to win.

JEDI is around $10B of business. Let's say Oracle use $10m on a lobbying effort, and because of the fuss they kick up win 10% of that business. That's a massive ROI and Oracle will cry about losing all the way to the bank.

Google to bury indicator for Extended Validation certs in Chrome because users barely took notice

Glen Turner 666

Re: Security is hard

It *is* a matter of design, and designs around the address bar are poor but cheap. The screamingly obvious design is to prevent people entering credit card details onto a non-EV page.

Bill G on Microsoft's biggest blunder... Was it Bing, Internet Explorer, Vista, the antitrust row?

Glen Turner 666

Re: So which company do you think DID see the future often?

I'd suggest that you are overlooking Apple. It had a pretty remarkable run at computers: Apple II, Macintosh, the aluminium iBook laptops (compare with the competition from Toshiba -- one is a "modern laptop" the other isn't), the iMac. All iconic.

Then there's the non-computer products. The Newton, which although failed said "this is what the future of handheld computing will look like". The iPod, which had a revolutionary user interface and content licensing which meant you didn't need to visit the dodgier side of the Internet. The iPad, which said "this is how slabs work" and has an ease of use the competition still can't touch. Then there's the iPhone -- remember that before the iPhone Microsoft had spent years as the best smartphone, but was irretrievably blown off that perch by the third iteration of Apple's phone. Along the way were good products in markets Apple have since left: printers and cameras.

NeXT, whilst not an Apple product, was a Steve Jobs product. Designed by ex-Apple engineers.

And isn't that the real concern about the future of Apple after the death of Steve Jobs -- that without his vision and drive that Apple won't see the future and won't be able to bring its considerable design skills to the product?

Dev darling Docker embraces Windows Subsystem for Linux 2

Glen Turner 666

Re: What are the benefits?

It depends upon your organisation. If you're tracking the development in MS Project, using Visio for diagrams, Sharepoint and MS Word for documents, then it makes as much sense to use Windows for Linux development as it does to use Linux for Windows-oriented corporate applications.

On the other side, Red Hat have done surprisingly well at making CentOS or Fedora into a good corporate desktop: it can authenticate via AD, do email and calendar with Exchange. So your point remains a good one.

You've also got to consider the Microsoft side of things. Companies have some pride, and not being able to effectively program their own Azure product from their own Windows operating systems clients must have stung.

UK comms watchdog mulls 5G tweaks: Operators want moooooar power

Glen Turner 666

Re: Now We Will Need Tin Hats

Are you sure? The document talks of the "terminal power limit" going to 28dBm. "Terminal" being handset.

I read the proposal as widening the spectrum allocation to match that of EU so that the beamforming (ie, active) antennas designed for EU use can be used in the UK.

Table 2 in the proposal gives the base station powers: +65dBm/5MHz (3150W) EIRP for passive antennas, +44dBm/5MHz (25W) TRP for active antennas (in an active system think of TRP as if each client has their own 25W transmitter on the base station). Note that these aggregate to considerable powers for base stations covering entire 20-80MHz allocations, you could expect the aggregated amplifier output for a basestation high above terrain (ie, no limits to output power, all quadrants active, entire band lit, lots of users) to exceed 10kW.

In any case, the inverse square law means that basestation powers don't matter.

The increase in terminal power is more of a worry but there we've got to go with the longitudinal medical research which doesn't show any effects from extended handset talk use. Fortunately the amount of time smartphone handsets are held to the head is decreasing, so average risk is falling in any case.

Astronomer slams sexists trying to tear down black hole researcher's rep

Glen Turner 666

Boyer explains Dr Bouman's role

There's an excellent essay on Facebook by Misty S. Boyer explaining Dr Bouman's role in the project, with copious references. You'll need to go and find it as I can't paste it here as the text is too large for a Reg comment.

Glen Turner 666

Bryan Cantrill tweets

There was an excellent response by Bryan Cantrill on Twitter:

"This photo of Dr. Katie Bouman seeing the first image of a black hole upon reconstruction is perhaps the most evocative photo of intellectual breakthrough that I have seen -- of anyone, ever. It captures the moment of breakthrough just perfectly: the delighted grin; the eyes that show equal part elation and relief; the clasped hands that still reflect the intense anxiety of just seconds prior. It is a look that says, in short: "IT WORKED!" Anyone who has had such a moment in their life -- of prolonged intellectual struggle followed by breakthrough -- recognizes something of themselves in this picture of Dr. Bouman. That is why this photo resonates; not just because of Dr. Bouman's team's work (though that is obviously incredible!) but because her moment of joy inspires us -- all of us -- to strive for our own breakthroughs. There are regrettably some -- few, but noisy -- who have tried to discredit or minimize Dr. Bouman's role, largely because they have misunderstood what makes it so compelling. My observation would be that anyone minimizing Dr. Bouman upon seeing this photo must not have had that feeling themselves; for these embittered few, the feeling of breakthrough must be as foreign as the specifics of interferometry used to achieve it. Let us choose to collectively ignore these detractors -- and choose instead to be inspired by not just the achievement of Dr. Bouman's team, but by the incomparable elation of breakthrough, as epitomized by Dr. Bouman herself."

Be wary, traveller: There is no going back if you step over the Windows 10 20H1 threshold

Glen Turner 666

Re: Be wary? Don't do it then.

Windows Insider Fast Track is essentially Microsoft's equivalent to Fedora Rawhide. There's a surprising number of generous people willing to run these slicing-edge operating systems. Neither should be run on a machine used for Real Work. The advantage of the Linux alternative is that those people can grow their skills into fixing the issue, rather than merely reporting it.

Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port

Glen Turner 666

It *is* a fascinating debug feature. But as the slidepack points out, there's the ability to use it for havoc by using the debugging facilities. For example, burning a fuse to activate a debugging feature of the random number generator, in which the RNG always returns the same number. Being a fuse, that change will survive a reboot.

Buffer overflow flaw in British Airways in-flight entertainment systems will affect other airlines, but why try it in the air?

Glen Turner 666

Not the flight systems, the entertainment system, but still...

It's not a safety of flight issue, but had he dropped the entertainment system at the beginning of that transatlantic flight people would be rightly upset about the selfishness of entertaining himself at the cost of everyone else's boredom.

Adi Shamir visa snub: US govt slammed after the S in RSA blocked from his own RSA conf

Glen Turner 666

Re: More privacy 200 years ago

If you give the clock another twist, say 430 years ago, then that places you into the reign of Elizabeth I. Where the state took a great deal of interest in what we would regard as private affairs, such as your relationship with your chosen god. The reason for the state's invasion of your privacy? Terrorism.

Cut open a tauntaun, this JEDI is frozen! US court halts lawsuit over biggest military cloud deal since the Death Star

Glen Turner 666

About Oracle's entire future, not just Oracle Cloud v AWS

Well obviously Oracle is upset, because their future is on the line.

Oracle make an expensive on-premises database. AWS make an off-premises compute cluster, which also includes a database API. So the US Department of Defence moving to AWS and re-writing their code to use AWS's API rather than Oracle's API means that the use of Oracle's database ends, which means that the annual licensing fee paid to Oracle also ends.

The threat from DoD's AWS strategy is not limited to DoD. They are a huge employer of contracted IT staff, and many of those contractors will carry their heretical notions into other government departments.

Oracle's complaint that there should have been multiple vendors falls a little flat. It's not the job of DoD to keep Oracle afloat, but to seek to maximise DoD's own efficiency. Which using just one cloud API does. But of course Oracle is going to try it on, after all if they win even 10% of the DoD's business that's still a billion bucks.

It's also interesting to reflect how Amazon owning AWS has allowed AWS to thrive. Oracle's usual strategy would have been to purchase this upstart system, much as they did with MySQL. But Amazon's systems are completely reliant upon AWS, so Amazon can't sell AWS without risking the availability of Amazon.Com's $0.5m per minute.

Use an 8-char Windows NTLM password? Don't. Every single one can be cracked in under 2.5hrs

Glen Turner 666

Re: Plenty of financial institutions need to buck up.

The XKCD algorithm seems suspect to me. Its basic assumption is that people can make a random choice of common words -- without reference to a dictionary and without using any random number generation.

I just asked 15 coworkers to give me three random words -- there were 7 words appearing twice and two words appearing four times. This sample suggests that the size of the in-practice word pool may be small.

Given the skew in lotto number selections, we know that humans can't make random choices from a pool of ~50 selections even when it is in their financial interest to do so.

Given the apparently small size of the pool and humans' poor ability to choose randomly, I suspect the in-practice XKCD-algorithm key size may be substantially less than that suggested by the author's back of the envelope calculation. I'd want to see a controlled study before recommending its use.
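A worked calculation of the point the post above is making, added here as an illustration rather than anything from the original thread. It builds a constructed word sample with the same frequency shape the poster reported (45 words from 15 people: 23 seen once, 7 seen twice, 2 seen four times; the word strings themselves are placeholders) and compares the bits per word that skewed distribution yields with the uniform pick from a 2048-word list that the xkcd estimate assumes. The guess rate used for the time estimate is an assumed figure.

```python
import math
from collections import Counter

# Constructed sample matching the counts reported in the post; words are placeholders.
SAMPLE_WORDS = (
    [f"once{i}" for i in range(23)]
    + [f"twice{i}" for i in range(7)] * 2
    + [f"four{i}" for i in range(2)] * 4
)


def shannon_entropy_per_word(words):
    """Average bits per word if people keep choosing with these frequencies."""
    counts = Counter(words)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def min_entropy_per_word(words):
    """Bits of work for an attacker who tries the most popular word first.

    Min-entropy is the conservative figure for password strength: it is set by
    the single most likely choice, not by the average.
    """
    counts = Counter(words)
    return -math.log2(max(counts.values()) / sum(counts.values()))


def uniform_entropy_per_word(pool_size):
    """What the xkcd-style estimate assumes: a uniform pick from a known list."""
    return math.log2(pool_size)


def passphrase_bits(bits_per_word, n_words=4):
    """Total key size for an n-word passphrase, assuming independent choices."""
    return bits_per_word * n_words


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Time to try the whole space at an assumed offline guess rate."""
    return (2 ** bits) / guesses_per_second


if __name__ == "__main__":
    assumed = uniform_entropy_per_word(2048)
    observed = shannon_entropy_per_word(SAMPLE_WORDS)
    worst = min_entropy_per_word(SAMPLE_WORDS)
    for label, bits in (("xkcd assumption", assumed), ("sample average", observed), ("sample worst-case", worst)):
        total = passphrase_bits(bits)
        print(f"{label:18s} {bits:5.2f} bits/word  4 words = {total:5.1f} bits  "
              f"exhaust in {seconds_to_exhaust(total):.3g} s")
```

The sample average works out near 4.8 bits per word against the 11 bits the comic assumes, so four words land below 20 bits instead of 44; the min-entropy line is lower still. The sample is tiny and the entropy estimate from it is biased, which is exactly why a controlled study is the right ask.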

Glen Turner 666

Re: The only way is OATH

OATH is fine as a second factor but it lacks enough security to stand on its own. It's easy for TOTP to fall to a machine-in-the-middle attack. HOTP looks fine theoretically, but the re-keying after failure is deeply problematic.

Having written this, OATH TOTP is far better than nothing, SMS codes, or a 2FA app. There's some fine clients, not just Google Authenticator. For example, andOTP has no Google-derived code but was written from the specification.

I'd recommend that people look into a secure hardware token. One which does FIDO/U2F for second-factor authentication, FIDO2/Webauthn for account authentication, and does HMAC-SHA1 Challenge Response for securing password databases. Yubikey are the dominant company in this space, but there's a handful of alternatives.

The hardware token provides key material for the password database. Maybe mix that key material with a trivial password so that a lost key can't be used immediately. The result is strong: the token challenge-response and password generate the key material needed to decrypt the password database, and the password database contains maximal-length, actually-random passwords for the websites which need passwords. KeePassXC provides a good implementation, but there are plenty of alternatives.

When configuring websites for FIDO/U2F second-factor authentication be careful to disable weaker 2FA alternatives which the website may also offer, such as SMS codes.

Finally, note that OATH's MITM shortcoming when compared with hardware tokens isn't always a weakness. I use OATH for some accounts as I may need to share the account (eg, some vendor websites only allow one account per client company) or where I may need to read the code over the phone for someone else to log into the account. For those accounts OATH provides better protection than a password alone.
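Two of the mechanisms in the post above, worked through in code added for this page (not the poster's code, and not KeePassXC's or any token vendor's): the OATH HOTP/TOTP construction from RFC 4226 and RFC 6238, including a server-side check that shows why a code relayed by a machine in the middle is accepted inside the time window, and a simplified composite-key derivation that mixes a trivial password with a hardware token's HMAC-SHA1 challenge-response. The token secret lives in software here purely for demonstration; on a real token it never leaves the device. The composite-key formula is an assumption for illustration, not the exact KDF chain any particular password manager uses.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter taken from the clock."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time: float, step: int = 30, skew: int = 1) -> bool:
    """Server-side check accepting +/- `skew` steps of clock drift.

    Nothing here binds the code to the session or origin that presents it, which
    is the machine-in-the-middle weakness: a code phished at time T is good for
    whoever submits it before the window closes.
    """
    candidates = (totp(secret, at_time + d * step, step) for d in range(-skew, skew + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def token_challenge_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Models a hardware token's HMAC-SHA1 challenge-response slot (secret in software only for the demo)."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def derive_database_key(password: str, token_secret: bytes, challenge: bytes) -> bytes:
    """Mix a (possibly trivial) password with the token's response into one 256-bit key.

    Simplified composite key (assumption for illustration): hash the password, append
    the token response, hash again. Losing the token alone, or the password alone,
    leaves the attacker without the key.
    """
    password_part = hashlib.sha256(password.encode("utf-8")).digest()
    token_part = token_challenge_response(token_secret, challenge)
    return hashlib.sha256(password_part + token_part).digest()


if __name__ == "__main__":
    secret = b"12345678901234567890"  # the RFC 4226 / RFC 6238 test-vector seed
    print("HOTP counter 0:", hotp(secret, 0))        # RFC 4226 vector: 755224
    print("TOTP at T=59  :", totp(secret, 59))       # RFC 6238 vector (6 digits): 287082

    captured_at = 1_000_000
    phished = totp(secret, captured_at)
    print("relayed 25s later accepted:", verify_totp(secret, phished, captured_at + 25))
    print("relayed 200s later accepted:", verify_totp(secret, phished, captured_at + 200))

    key = derive_database_key("pw", b"token-secret", b"database-challenge")
    print("database key:", key.hex())
```

The phishing relay in the demo succeeds because TOTP verification has no origin binding; that is the property FIDO/U2F and WebAuthn add by signing the relying party's origin, and it is also why the post's sharing use case works: a code read out over the phone is just as valid as one typed locally.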

'This collaboration is absolutely critical going forward'... One positive thing about Meltdown CPU hole? At least it put aside tech rivalries...

Glen Turner 666

Re: Why don't people patch?

Your post also misleads. Loading the "spectre" firmware supplied by Intel caused some models of CPU to fail. Therefore, operating systems like Linux could not automatically apply the firmware and it was left to machine owners to do so manually via their machine vendor providing updated BIOS firmware. See https://www.theregister.co.uk/2018/01/18/red_hat_spectre_firmware_update_woes/

Can't unlock an Android phone? No problem, just take a Skype call: App allows passcode bypass

Glen Turner 666

The only video conferencing which doesn't suck is Zoom. To cut a long story short, it's the product Cisco's WebEx team wanted to build whilst they were at Cisco.

Funnily enough, China fuming, senator cheering after Huawei CFO cuffed by Canadian cops at Uncle Sam's request

Glen Turner 666

China doth protest too much

Let's not forget that China has a history of doing the same. Australian mining executive Stern Hu was jailed by the Chinese for eight years after China wasn't getting its way during iron ore price negotiations and Rio's refusal to admit Chinese company Chinalco into one of its projects.

Pencil manufacturers rejoice: Oz government doesn't like e-voting

Glen Turner 666

Pencils don't leak when stored

We use a pencil because they are easier than pens to store for the long period between elections. If that worries you, well you are permitted to use your own writing device to mark the ballot.

Voter ID will almost certainly disenfranchise everyone living in remote areas. Very few people have their issued documents (birth certificates and so on) and getting replacements when the mail takes three weeks and is based on addresses rather than names isn't straightforward.

A lot of the posts here have poor familiarity with Australia's polling process. The idea that you'd be able to open a ballot box and fiddle with the contents is a little unrealistic. So pencil marks are fine. It's well worth volunteering to be a scrutineer at least once in your life. It is eye opening to see the degree to which Australian elections are secure.

There's little fraud. Partly because the compulsory voting means that the real voter will also present themselves, leading to fraud being quickly discovered. Australians aren't upset by being forced to appear on a Saturday to vote. They are upset when being forced to appear on a Saturday to vote and then being told they voted twice. That's the sort of anger which leads people to give their full cooperation to the Federal Police, and then not letting the Police slack off.

The undermining of our voting process is really happening through the postal voting system. For example, by political parties putting themselves forward as the agency to approach to obtain the postal voting papers through. The wide range of reasons for postal voting is also too broad: eg, employers should be forced to release people for voting, rather than those staff seeking a postal vote. Postal voting means that incidents close to the election date have less influence than they ought to. You'll remember it was only days before the first ACT election that it started to be known that the leading party was a pack of new right loons. The recent by-election in Wentworth would have been much less close if there were less postal voting, as noted by former PM Turnbull.

Official: IBM to gobble Red Hat for $34bn – yes, the enterprise Linux biz

Glen Turner 666

Re: Patents

IBM already had access to Red Hat's patents, including for patent defence purposes. Look up "open innovation network".

This acquisition is about: (1) IBM needing growth, or at least a plausible scenario for growth. (2) Red Hat wanting an easy expansion of its sales channels, again for growth. (3) Red Hat stockholders being given an offer they can't refuse.

This acquisition is not about: cultural change at IBM. Which is why the acquisition will 'fail'. The bottom line is that engineering matters at the moment (see: Google, Amazon), and IBM sacked their engineering culture across the past two decades. To be successful IBM need to get that culture back, and acquiring Red Hat gives IBM the opportunity to create a product-building, client-service culture within IBM. Except that IBM aren't taking the opportunity, so there's a large risk the reverse will happen -- the acquisition will destroy Red Hat's engineering- and service-oriented culture.

Your RSS is grass: Mozilla euthanizes feed reader, Atom code in Firefox browser, claims it's old and unloved

Glen Turner 666

RSS also useful for enterprises

An interesting choice because RSS is very useful for enterprise applications. It's the easiest way to get "dashboard summaries" into people's browsers (for things like Top Ten open issues, or unread phone messages). So by removing these features Mozilla is pushing their users towards IM clients like Slack.

Linux 4.19 lets you declare your trust in AMD, IBM and Intel

Glen Turner 666

Why CPU rng

A few reasons:

1) The CPU's random number generator can be random, based upon provably random phenomena rather than a pseudo-random number based upon mathematical manipulation.

2) There are some sources of actually-random data in a computer, although they are usually not the same strength as "provably random". An example is the jitter from disk drive events. But these sources are rapidly disappearing as physical devices give way to silicon. This is the operational problem with not enough 'entropy' (aka real randomness) being available as a machine starts.

3) It's "too easy" for these actually-random sources of data in a computer to be influenced from outside the computer, since they are not built as cryptographic devices. Whereas the random instructions within the CPU can include tamper detectors (such as for high EM fields).

4) Timing and other covert channel attacks are simpler against software than against hardware. Those attacks are also simpler against hardware not intended to be cryptographic devices than against hardware designed with covert channels in mind. It is easier in hardware to build a black box where all instances of the instruction take the same time to complete, use the same power, and so on. (As an aside the current issue with CPUs is that the care of design needed to defeat covert channels done for the RDRAND instruction needs to be repeated throughout the CPU design for other instructions.)

These reasons explain the last line of Ted's LKML e-mail: "Note: I trust [Intel's hardware instruction] RDRAND more than I do Jitter Entropy [from the computer's hardware devices]".
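A toy model of the trust decision the post above (and the Linux 4.19 `random.trust_cpu` option it discusses) is about, added here as an illustration; it is not the kernel's code. Every source is hashed into the pool state, so a stuck CPU RNG cannot cancel out the other inputs, but only *credited* bits decide when the pool may hand out output, and RDRAND is credited only when the pool is told to trust the CPU. The stuck value models the fuse-disabled RNG scenario from the earlier debug-port post; both it and the "jitter" bytes are constructed inputs, and the one-bit-per-byte credit for jitter is an assumed, deliberately conservative figure.

```python
import hashlib
import struct


class EntropyPool:
    """Illustrative model of a kernel CSPRNG input pool (not Linux's implementation)."""

    READY_BITS = 128  # credited bits required before output is permitted

    def __init__(self, trust_cpu: bool):
        self.trust_cpu = trust_cpu
        self.state = hashlib.sha256(b"init").digest()
        self.credited_bits = 0

    def mix(self, source: str, data: bytes, credit_bits: int) -> None:
        """Always hash the input in; decide separately whether it counts as entropy."""
        self.state = hashlib.sha256(
            self.state + source.encode() + struct.pack(">I", len(data)) + data
        ).digest()
        if source == "rdrand" and not self.trust_cpu:
            credit_bits = 0  # mixed in, but does not move the pool toward readiness
        self.credited_bits = min(self.credited_bits + credit_bits, 4096)

    def ready(self) -> bool:
        return self.credited_bits >= self.READY_BITS

    def get_random_bytes(self, n: int) -> bytes:
        if not self.ready():
            raise BlockingIOError("pool not yet seeded with enough credited entropy")
        out = b"".join(
            hashlib.sha256(self.state + struct.pack(">I", i)).digest()
            for i in range((n + 31) // 32)
        )
        # Ratchet so earlier output cannot be reconstructed from a later state compromise.
        self.state = hashlib.sha256(b"ratchet" + self.state).digest()
        return out[:n]


# Constructed: what a fuse-disabled hardware RNG might return on every call.
STUCK_RDRAND = b"\x42" * 8


def seed_pool(trust_cpu: bool, jitter_samples: bytes, rdrand_words: int = 32) -> EntropyPool:
    """Feed a fresh pool the same stuck RDRAND output plus whatever jitter was gathered."""
    pool = EntropyPool(trust_cpu)
    for _ in range(rdrand_words):
        pool.mix("rdrand", STUCK_RDRAND, credit_bits=64)  # a working RDRAND would earn full credit
    if jitter_samples:
        pool.mix("jitter", jitter_samples, credit_bits=len(jitter_samples))  # assumed 1 bit/byte
    return pool


if __name__ == "__main__":
    untrusted = seed_pool(trust_cpu=False, jitter_samples=b"")
    print("trust_cpu=0, RDRAND only -> ready:", untrusted.ready())

    a = seed_pool(trust_cpu=True, jitter_samples=b"")
    b = seed_pool(trust_cpu=True, jitter_samples=b"")
    print("trust_cpu=1, stuck RDRAND only -> two boots identical:",
          a.get_random_bytes(16) == b.get_random_bytes(16))

    c = seed_pool(trust_cpu=False, jitter_samples=bytes(range(128)))
    d = seed_pool(trust_cpu=False, jitter_samples=bytes(range(128, 256)))
    print("trust_cpu=0, with jitter -> ready and distinct:",
          c.ready(), c.get_random_bytes(16) != d.get_random_bytes(16))
```

The two trust settings trade off the problems in the post: with `trust_cpu=1` a machine boots with usable randomness immediately but a sabotaged RDRAND makes every boot's output identical, while with `trust_cpu=0` the CPU's contribution still helps (it is mixed in) yet the pool waits for other sources, which is the early-boot entropy starvation point (2) describes.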

Nunes FBI memo: Yep, it's every bit as terrible as you imagined

Glen Turner 666

Steele memo not only source of Russian influence

Note that the Steele Report isn't the sole source. From July 2016 Australia's intelligence agencies were warning the US's FBI of Russian attempts at subversion of their Presidential election. The initial Australian intelligence was gained from old-fashioned "drink the source under the table" espionage.

Obviously this second source doesn't fit into the argument the Nunes Memo is promoting, since it makes the Steele Report irrelevant -- the FBI was going to investigate whatever the provenance of Steele's work.

SHL just got real-mode: US lawmakers demand answers on Meltdown, Spectre handling from Intel, Microsoft and pals

Glen Turner 666

Is that a log in your eye I see before me?

No one wants to deal with the government agency empowered and best placed to deal with high impact cybersecurity issues -- the NSA. Until the US Government fixes this, criticising non-government entities is pointless.

Australia's future technology headlines … for 2019!

Glen Turner 666

Another set of predictions

The development we didn't predict. The reputation of Silicon Valley -- and IT startups in general -- was trashed by their insularity, their poor behaviour towards women, their dismissive attitude towards social responsibility in general, and towards paying taxes in particular.

How my prediction went. Poorly. WPIT didn't make the mainstream press as a potential sinkhole of taxpayer funds and a risk to the nation's economy which needs to be managed beyond the usual levels of IT project executive oversight.

2018 prediction: optical networking prices will continue to plummet, and many corporate networks will insert a WDM fabric under their ethernet transmission. The NBN's powered boxes by the side of the road will look archaic within half a decade. A newer design would use small, cheap, unpowered in-pit WDM muxes. Yes that needs fibre-to-the-premises, but fibre is now cheaper than copper for all but trivial cables.

Related: networking gear from China will become so cheap that bespoke-made items will make sense for large networks.

The Quantum of Firefox: Why is this one unlike any other Firefox?

Glen Turner 666

Fast down the straights but steering not precise

Yes, it's faster. But it's also buggy. Been using it for a day and issues with: Reddit posting, Facebook layout, New York Times scrolling. These are not obscure websites or activities. So perhaps wait a while.

Linux kernel hardeners Grsecurity sue open source's Bruce Perens

Glen Turner 666

"If the burden of argument in the US is the same as English law then it would be balance of probabilities". That applies to issues of fact, but the meaning of that clause of the GPLv2 is an issue of law. So the court will determine that matter of law, and if Perens is correct in his assessment of the license then he has a defence of truth for the claim of defamation.

Back to ASICs: Mellanox pumps up Ethernet speed to 400Gbps

Glen Turner 666

Single-flow speed of nBase-xx4 links (was: SFPs + Fiber = cost more than switch?)

"So, that means that the highest possible speed for a single connection is 100Gb?"

No, you get 400Gbps. The nBase-xx4 interfaces run four "lanes" of ethernet symbols. The symbols are round-robined between the four lanes. An ethernet symbol is 64 bits logical, 66 bits on the wire (to allow for clock recovery).

If you are thinking that this means the media carrying the four lanes needs to have exactly the same latency then you would be correct. This is conveniently enforced using fibre assemblies and connectors with multiple fibres.

Oz government wants its own definition of what 'backdoor' means

Glen Turner 666

Warrant for access to a safe?

You can't get a warrant to access a safe from a safe manufacturer. There is no backdoor. They'll just tell you to buy a drill and brute-force it.

You can place a warrant against the safe's end-user. But that's exactly what the feds are trying to avoid here. Because this isn't about access to gain evidence, it's about access to do surveillance. That's why the Five Eyes forum was seen as appropriate by the Australian government, and downright Orwellian to the rest of us.

Well, that escalated quickly: Qualcomm demands iPhone, iPad sales ban in America

Glen Turner 666

Re: I don't get it...

"Intel are claimed to be using protected IP in their product, but Apple are being taken to court?"

Yep. You are thinking along the right track. If you buy a chip from I, and they've used Q's invention without a patent license, then I is the only party from which Q can gain satisfaction. You, as the purchaser of I's physical product, have no liability (which isn't as great as it sounds, as the settlement between I and Q might well remove from the market the product you purchased, thus lowering its usefulness).

But to this we add the ITC. They can prevent import of a product into the USA based upon a claim of patent infringement. Now toss in some sharp business practice by Q: they ask you for a patent license. Now you can respond "no", upon which Q says "it would be a shame if we made an allegation of patent infringement to the ITC". Now you could choose to fight this out, and win. But a win is not useful if you have been forbidden from selling your widgets for the years the court system can take. So you pay Q.

Moreover Apple are complaining that Qualcomm aren't just seeking a patent license based on the price of the radio chip (bugger all) but based on the price of the iPhone. That is, the patent license fee covers the inventions of others too. That's cuteness by Apple -- you can base a patent license fee on the phase of the moon -- but all the same it is an appealing argument.



Biting the hand that feeds IT © 1998–2021