* Posts by James R Grinter

158 posts • joined 5 Aug 2009


Apple may have to cough up $1bn to Brits in latest iPhone Batterygate claim

James R Grinter

Users will complain about anything

I remember when one of my older phones would shutdown with a high percentage of charge left, and of course it turned out the battery was on the way out and could not meet the power demands.

I’m glad they started throttling, as shutting down is far more disruptive than going slow. Though the PMs involved should have thought about the “PR” and had it advise the user to get their battery replaced.

Europe's GDPR coincides with dramatic drop in Android apps

James R Grinter

Re: Fuck Google harder

Got to fund the development of the new releases, for existing phone owners, somehow.

Apple's grip on iOS browser engines disallowed under latest draft EU rules

James R Grinter

Err, Safari works fine for the user. If the experience was really sub-par Apple wouldn’t be selling us lots of iPhones. Just because it doesn’t implement every latest experimental feature does not make it bad.

I’d posit the restriction on rendering and script interpreters has its origins in preventing developers skirting the App Store rules by disallowing apps that can execute dynamically delivered code (and JIT, necessary for JavaScript performance, requires memory pages to be able to be modified and then marked executable - another feature undesirable for security reasons).

If I wanted a choice of dodgy apps I’d buy a different brand of phone ;-)

JavaScript survey: Most use React but satisfaction low

James R Grinter

Re: What do we want? Static typing!

It’s a problem a developer may not have, but you can bet the users will encounter it (unfortunately they won’t know that’s why the page is entirely blank or unresponsive).

NixOS and the changing face of Linux operating systems

James R Grinter

Re: Back to the past

Common to a number of London offices of investment banks and, as I understand it, all the fine work of the same person.

Docker Desktop no longer free for large companies: New 'Business' subscription is here

James R Grinter

Re: Curious target audience

A lot of dev teams, particularly those who use containerisation in production, will use Docker Desktop as a means to get the run-time Docker tools onto their developers’ machines, to stand up a local copy of their own software for development and debugging. Images for deployment would be built by CI systems (with Docker build, or kaniko, Buildah, etc)

But, as someone else said, it’s a hard task to sell software that is perceived as “free”. Docker Desktop will be a ground-up choice (development teams making their own lives easier) rather than a business-led choice (a technology that improves the bottom line), so if there’s little or no development tools budget - or it has already been allocated to IDEs - then Docker will be SOL.

(I personally wouldn’t begrudge paying for Docker Desktop for Mac if they’d integrate networking on macOS. Having to manually configure and run “tap” is a big annoyance)

SCO v. IBM settlement deal is done, but zombie case shuffles on elsewhere

James R Grinter

it’s been a long time since I was actively following this case, but as far as I know the entity calling itself SCO was always unwilling (unable?) to actually divulge this. It was always the nebulous umbrella term “Intellectual Property”.

Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?

James R Grinter

Re: Linux proves that doesn’t work

Back in the day, we systems programmers built almost every third-party tool ourselves from source. Even the C compiler. But we sure as hell weren’t reading and comprehending all the source, not even checking for common sources of mistakes (printf without format args, popen calls, etc), and you’ve only got to recall Ritchie’s seminal paper Reflections on Trusting Trust to see the elephant in the (GCC) room.

Software is necessarily more complex these days because capabilities are higher and we demand more, and that will almost always involve many more third party dependencies, which in turn may have more. That cat is not going back into the bag, because it’s just not feasible, or wise - trivial string padding routines aside - for a development team to rewrite all those themselves (crypto, maths, graphics, UI, kernel, etc).

The solution isn’t to ditch the “uncontrolled” open source dependencies, either, and go back to commercial (commercial C++ libraries were all the rage in the 90s and early 00s), because we’ve seen with SolarWinds, Kaseya and many others that if you’re a high value target you *will* get attacked and compromised at some point for leverage into other networks. You need to have in place methods to prevent, mitigate or detect it when the time comes.

You can forget your fancy ERP customisations because that's not how it works in the cloud, SAP's Oliver Betz tells users

James R Grinter

Re: Tenant isolation ?

At the end of the day, it’s the “configuration vs. customisation” debate. It’s the same thing that gets you stuck on an old release, unable to upgrade because you’ve tweaked it up the wazoo and no one who knows how it works is still working for you (or, those that are, know better than to want to get involved).

ServiceNow, with their SaaS workflow, were already having that challenge with customers over 10 years ago, and as far as I know (I’m no longer working in that orbit) they’ve addressed it by being more restrictive in what you can change/how you can change their stuff.

BBC makes switch to AWS, serverless for new website architecture, observers grumble about the HTML

James R Grinter

Re: Not all is well.

Serverless is essentially “I don’t have to patch the OS”.

Which is actually quite an attractive idea, tbh. One less thing to have to keep an eye on, if you’re confident your vendor has the capability. Gripes with AWS aside, I think we can agree that they do.

UK finds itself almost alone with centralized virus contact-tracing app that probably won't work well, asks for your location, may be illegal

James R Grinter

Re: Might want to check your facts...

My understanding, reading between the lines and knowing the APIs available, is that they’re both transmitting BLE messages and also registering to listen for them. You might know this as iBeacons.

You can listen for Beacons from your family in the background, the OS APIs make it easy and battery friendly.

You can’t transmit beacons in the background so easily, transmitting also requires more power.

James R Grinter

Re: Co-traveller

Cos that approach would obviously be acceptable in an AppStore submission, not to mention burning a 0-day.

James R Grinter

Re: Apple and Google have too much control

The world of malware shows why, with many billions more of mobile devices, there’s a need to treat things differently to how we historically did so on personal computers.

(On iPhone, I can prevent an app from having Bluetooth access even if it asks for it. Likewise Location. My Android phone stopped getting updates, but even it had some controls that let a user turn features off. If the App doesn’t then function, well that’s down to differing opinions of the app developer and you, the user. Not much you can do about that, if you cannot write your own or pay someone to do so.)

Auf wiedersehen, pet: UK Deutsche Bank contractors plan to leave rather than take 25% pay cut for IR35 – report

James R Grinter

Re: Change Manglement

It isn’t the usual description of IT Infrastructure Change Management, but who knows how the “business” IT has chosen to use the term.

Don't use natwest.co.uk for online banking, Natwest bank tells baffled customer

James R Grinter

ISTR NatWest’s forays into investment banking played a part in their downfall.

“ in 1997, NatWest Markets, the corporate and investment banking arm formed in 1992, revealed that a £50m loss had been discovered, revised to £90.5m after further investigations.”

Wikipedia also reminded me that they’d tried to do a merger with Legal & General, which went down like a lead balloon, and seems to have been the final straw.

All worked out well for RBS, in the end, eh? ;-).

Sophos was gearing up for a private life – then someone remembered the bike scheme

James R Grinter

Only thing Sophos ever quarantined on a Mac, for me, was an old, spam, mailbox file that apparently had some Word doc attachments containing Windows-only macro viruses. And that was on an external disk I was copying to another. ¯\_(ツ)_/¯

Surprise! Copying crummy code from Stack Overflow leads to vulnerable GitHub jobs

James R Grinter

Re: Chicken or Egg

Particularly as there are a lot of SERPs out there throwing up code samples from existing open source projects (and, sometimes their unit tests are the only place to find an API example.)

Just what we all needed, lactose-free 'beer' from northern hipsters – it's the Vegan Sorbet Sour

James R Grinter

Brodies’ Elizabethan

Was officially 22%, though when it was still being drunk a few years later it’s hard to say. It was very nice, though.

Stuart Howe, then of Sharps, did brew his Turbo Yeast Abomination from Hell, https://brewingreality.blogspot.com/2010/01/3-turbo-yeast-abomination-from-hell.html, I did get to try some but I don’t remember what it’s final gravity was.

Please stop regulating the dumb tubes, says Internet Society boss

James R Grinter

Re: IWF Handwringing

A lot of TLS web sites are hosted on shared services these days: think anything on AWS S3, for example.

There’s separate work going on to prevent them being enumeratable (i.e. to prevent the domain names being disclosed via the certificate when you connect to them)

This will lead to some suggesting the answer is to “man in the middle” every TLS connection, I’m sure.

James R Grinter

Isn’t PiHole just a DNS resolver that you configure, via DHCP or statically, as your device’s DNS server? It may then make those onward requests, for domains it deems “good”, over DoH but by that point it’s looking up only what it wants to anyway. Essentially it’s doing what some paternalistic ISPs servers are doing, only under your control.

DoH is about your privacy, stopping a middleman from snooping on what domains you are resolving under the guise of “it’s just metadata”) Also, about stopping those paternalistic ISPs from further meddling with your DNS lookups.

Don't make a FOSS: Apache Software Foundation Board bids farewell to co-founder and two big hitters

James R Grinter

Clearly the board exist to oversee the operation of the foundation and are not product managers of every single (or any, unless they happen to be) Apache Project (as you note, there a lot. More, if you include those in incubation).

Projects are managed by Project Management Committees (clever play on words, there), take it up with them - or join them!

It's now officially the WhackBook Pro: If the keyboards weren't bad enough, now MacBook Pro batts are a fire risk

James R Grinter

Re: This is not the Macbook Pro with the butterfly keyboard.

The Mid-2015 McBook Pro (the model involved in the recall) does not have the “butterfly” keyboard.

It was introduced on the lightweight MacBook of that era.

Uber JUMPs at chance to dump load of electric bikes across Islington

James R Grinter

Re: Chinese bikes already here

Ofo went ages ago. Any you see now are in the hands of local kids and scallies.

UK Ministry of Justice: Surprise! We tested out biometric tech in prisons and 'visitors' with drugs up their bums ran away

James R Grinter

Re: Is it just me ?

How automated are those gates? Anecdotes I’ve heard suggest they are very reliant upon humans looking at multiple screens.

HPE wants British ex-CFO to testify in UK Autonomy lawsuit before Uncle Sam sentences him

James R Grinter

Any readers ever worked for a customer of Autonomy?

I’ve always been curious - maybe I missed previous discussions - but I’ve personally never met anyone whose employer/ organisation was a customer. I have even worked for companies who have “one of everything” and they didn’t use it.

Any readers able to tell us anything about it?

You're on a Huawei to Hell, US Sec State Pompeo warns allies: Buy Beijing's boxes, no more intelligence for you

James R Grinter

Re: If everything's encrypted, what's the problem?

If you have the server private key then you can decrypt the captured TLS sessions (including at a later date, e.g. if you steal that key), *unless* they use a cipher scheme that implements perfect forward secrecy.

Then you can’t.

But you certainly can’t break TLS just by sniffing the packets as an independent observer, unless you can “break” the maths behind DH.

https://security.stackexchange.com/a/42350 has a pretty good explainer

Apple yoinks enterprise certs from Facebook, Google, killing internal apps, to show its power

James R Grinter

Re: "but it also treats mobile users like adults capable of making their own decisions"

Yup, and I’ve seen comments elsewhere on this debacle to the effect that one should be able to consent to what Facebook was doing (“if they pay me enough”, said someone)

But IMHO there’s no way they can obtain legitimate *informed* consent from an average user. With the installed root cert and a VPN Facebook were in a position to read *everything* between the phone and any other TLS protected service that wasn’t using certificate pinning (and probably break those that were), riding roughshod over security best practices, laws, and user agreements.

Requests for info, gag orders and takedowns fired at GitHub users hit an all-time high last year

James R Grinter

Not just source code

Not everything posted to github, gists, or pages, is code.

It’s quite possible for them to end up hosting dubious or illegal content, or just something that is objectionable to another.

Royal Bank of Scotland, Natwest fling new bank cards at folks after Ticketmaster hack

James R Grinter

Re: Ticketmaster should be financially responsible for card replacements

Indeed, they may well be getting a less favourable transaction fee now. Unfortunately we’ll end up paying it in “booking fees”.

(In my case it was my Amex card number that got stolen, but it only came to light after the subsequent BA incident. I haven’t flown with BA in years but it seems someone started testing the numbers they had to see which were still working... it’s good to get alerts on card transactions!)

Begone, Demon Internet: Vodafone to shutter old-school pioneer ISP

James R Grinter

Re: Wild West Days

Is that you, Fis?

Another greybeard has left us: Packet pioneer Larry Roberts dies at 81

James R Grinter

Small correction

It’s *Leonard* Klenrock.

Total Inability To Support User Phones: O2 fries, burning data for 32 million Brits

James R Grinter

Re: Other mobile operators around the world are also affected?

SoftBank did. Presumably they were running one of the old software versions too.

What the #!/%* is that rogue Raspberry Pi doing plugged into my company's server room, sysadmin despairs

James R Grinter

Re: easy pickings

Its actually a good procedure (or would be if they’d done it intentionally) - the returning person may not be doing the same job as before so giving a new account name can avoid giving access they used to have but no longer need.

Amazon tries to ruin infosec world's fastest-growing cottage industry (finding data-spaffing S3 storage buckets)

James R Grinter

About bloody time!

I think it isn’t truly appreciated just how easy it is for an authorised piece of software to upload an object - with an “everyone can read it” ACL - and completely undo any attempts to keep the bucket secure.

(Yes, you could craft a policy that blocked anything with open access from being created, but you couldn’t block everything already there.)

'The inmates have taken over the asylum': DNS godfather blasts DNS over HTTPS adoption

James R Grinter

Re: Paul Vixie is correct

The malware authors are gonna love this new feature, as a way of avoiding even their C&C lookups from being seen.

British Airways hack: Infosec experts finger third-party scripts on payment pages

James R Grinter

I've never lost out as a result of fraudulent transactions on any credit card and there have been a few over the years (I don't think I've ever had my debit card ripped off: I don't use it anywhere but ATMs.)

It's just the inconvenience of having to get cards replaced, but Amex were quick (reported Saturday, arrived Tuesday) on the last occurrence - which was probably the miscreants testing cards stolen via Ticketmaster but after the BA hack and publicity.

'World's favorite airline' favorite among hackers: British Airways site, app hacked for two weeks

James R Grinter

Re: Missing from the press release -- CVV status

Co-inky-dinkly, my Amex card just got abused last night. At least twice, before I was able to make the call and get it blocked.

Nothing massive, just a couple of online services taking a preauth - possibly an abuser “testing” the numbers. Now I’ve not flown BA for a while: I probably have used that card number with them in the past, though it would be a different expiry and CID.

But there’s a few other orgs that held that card’s details, at least three of which are “big enough” to have been storing numbers themselves instead of a third party system. I hope none of them have been hit, for that would be very messy indeed.

UK Home Sec Amber Rudd unveils extremism blocking tool

James R Grinter

Re: Machine learning.

Adversarial attacks on machine learning are the new hotness!

Here’s an idea: develop or improve some video encoding software, get lots of folk using it, and then flip a switch. Now everyone’s uploading “terrorist content”.

UK security chief: How 'bout a tax for tech firms that are 'uncooperative' on terror content?

James R Grinter

Re: So if I pay, it's OK?

Perhaps he’s one of those politicians that consider all fines to be taxes? (It’s not just some politicians that think this way, of course)

Russia threatens to set up its 'own internet' with China, India and pals – let's take a closer look

James R Grinter

Re: Wait what?

Rubbish. It should take a maximum of whatever the TTL was on the record you are changing, and that only if someone looked it up for the first time just before you changed it (unlucky!) and only for those querying that nameserver.

There is no “percolation” in DNS.

Badass alert: 1 in 5 Brits don't give a damn about webpage crypto-miners

James R Grinter

Re: An ounce of prevention.

Hosts files don’t work like that.

As Google clamps down, 'Droid developer warns 'breaking day' is coming

James R Grinter

Re: Rinse and repeat

Yes! I think the lesson we should all take from this is that APIs for mass market products need very careful consideration and design, including some thought on “how would someone exploit this for personal gain?”

James R Grinter

If you read what the poster said, it wasn’t that all push notifications were the issue.

It was a statement that the only way to get a new email notification for an Android email client, since changes that have affected background apps, was to have some central system be logging in and checking the emails too. Yeah, that sounds suboptimal.

Amazon's answer to all those leaky AWS S3 buckets: A dashboard warning light

James R Grinter

Re: “accidentally left open” is incorrect...

It only takes use of a tool uploading an object with a “public” ACL to make some content public.

It’s easily done: one of my colleagues had it happen with some autogenerated CI reports, not fully appreciating the significance of HTML in an S3 bucket that they could directly access via a web browser (it had a “complex”URL path, but required no authentication)

You can write an S3 policy to prevent public ACLs on objects, at the expense of breaking tools like the above, but it’s hard (impossible?) to write one that enforces access to only IAM users from your account - unless you are willing to modify the policy for every user you add or remove.

Apple's 'shoddy' Beats headphones get slammed in lawsuit

James R Grinter

Re: People compare apples to oranges, as usual

They don't look like they'd be suitable for running in, but they may be fine for at a desk.

Alas, discontinued- any ideas of the replacement model?

CrashPlan crashes out of cloudy consumer backup caper

James R Grinter

Re: Crashplan alternative

Ah, useful. I hadn't come across Duplicacy in my reading since the big CrashPlan announcement.

They could be just what I need, for some Linux systems I have, and using one product across Linux and Mac would be easier (Arq was the leading contender, for the latter)

Solaris admins! Look out – working remote root exploit leaked in Shadow Brokers dump

James R Grinter

The first rule of Solaris on the internet was always to disable every tooltalk and any other non essential rpc daemon, and block off the rest from remote access. If you tell that to the kids these days...

TCP/IP headers leak info about what you're watching on Netflix

James R Grinter

Viewing figures?

I can imagine Nielsen, and others, will be dashing off to try and implement this to get viewing figures for their customers that are currently unavailable to them.

US ISPs, with their new freedom to sell off aggregate customer data, will be ideally placed to provide the network access.

Now UK bans carry-on lappies, phones, slabs on flights from six nations amid bomb fears

James R Grinter

Re: Cameras

It's not being in the hold that you need to worry about, it's the journey there!

You see some horrific baggage handling out on the tarmac, sometimes.

UK to block Kodi pirates in real-time: Saturday kick-off

James R Grinter

Re: Real cost of sports subscriptions

I saw some numbers shared recently by an analyst for US based cable and sports- calculated as the sums paid to the sporting bodies divided by total cable subscribers. The payment per subscriber, that's regardless of whether they actually had that sport in their "package", was huge!

Here it is, https://twitter.com/asymco/status/839495399052308480



Biting the hand that feeds IT © 1998–2022