Posts by Ben Liddicott

253 publicly visible posts • joined 24 Mar 2010


Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

Ben Liddicott

These are not accidents.

That is all.

In a humiliating climbdown, Facebook agrees to follow US laws

Ben Liddicott

Re: Dear Facebook,

Nobody can do targeting. On holiday a couple of years ago, every time I checked out of a hotel I began to get ads for the hotel I just checked out of, in the city I just left.

It's almost like they are bad at their jobs.

Now let's get them to police hate speech. What could go wrong?

Ben Liddicott

But... but... they are a global company! They don't have to obey ANY laws!

Fun fact: If you do business in more than one country you have to obey all their laws.

* Doing business in Russia? Obey Russian law. No promoting equal rights for gays.

* Doing business in Turkey? Obey Turkish law, no insulting Erdogan.

* Doing business in China? Obey Chinese law. No mentioning Tiananmen Square!

* Doing business in Germany? Obey German law. No using the swastika, even to mock Nazis.

* Doing business in England? Obey English law. No misgendering confused children!

Customer: We fancy changing a 25-year-old installation. C'mon, it's just one extra valve... Only wafer thin...

Ben Liddicott

Re: The dirtiest four-letter word...

All you need to do is say "Sure, bring it round".

They never do.

Happy for you to go over to their place and fix it, but if it doesn't matter enough to bring it to yours, it doesn't matter enough for you to take the time to fix it.

Slow Ring Windows 10 fragged by anti-cheat software in the games you're playing at work, says Insiders supremo

Ben Liddicott

Why on earth would this be a problem for GDPR?

It's not a magic spell, you can't just say "Abracadabra GDPR! To jail with you!".

You have to articulate in what way you think this does not comply with GDPR.

SQLite creator crucified after code of conduct warns devs to love God, and not kill, commit adultery, steal, curse...

Ben Liddicott

Indeed, the central theme of Christianity may be that all engage in un-Christian behaviour, and all require forgiveness, and all must make continual efforts to improve.

Ben Liddicott

Re: I have a code of conduct

Conflict is inevitable. Then what?

Ben Liddicott

Re: Not the first piece of absurd preaching to come from the SQLite team

This is not an unreasonable requirement for a code of conduct, it's actually really common. For example it's also a requirement in the police and armed forces.

You like HTTPS. We like HTTPS. Except when a quirk of TLS can smash someone's web privacy

Ben Liddicott

Rule 1 of spycraft

These are not accidents.

Atlassian: Look at our ginormous Jira revenues!

Ben Liddicott

Re: Why the hell

Bugzilla was better.

Ben Liddicott

Jira is a Golf Course Sale

Everyone who uses it hates it.

People who buy it, don't have to use it.

Nasty, poorly designed, poorly implemented, slow, memory hog.

Jira is bad software made badly by bad people who drink bad coffee, dress badly, and are bad at their jobs, and should feel bad.

And their dogs are bad dogs.

Seriously, no full text search over all fields? WTF? That was old tech in 1975.

Stop trying to design software. You are no good at it.

Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now

Ben Liddicott

Re: Adobe Reader used to be quite good

No. No it didn't. It was always terrible. I was there, I remember.

Ben Liddicott

Re: 85 new reasons to do it

Edge has a perfectly functional pdf reader built in.

Crown Prosecution Service is coming for crooks' cryptocurrency

Ben Liddicott

Money is Goods

Theft Act 1968, 34(2)(b)

“goods”, except in so far as the context otherwise requires, includes money and every other description of property except land, and includes things severed from the land by stealing

One thought equivalent to less than a single proton in mass

Ben Liddicott

Thoughts weigh millions of times more than protons.

The brain uses about 0.15 calories per minute. By relativistic mass-energy equivalence, the mass of 0.15 calories is 6.98e-15 grams. The mass of a proton is 1.67e-24 grams.

That means the brain uses approximately 4 billion protons worth of energy every minute. If a thinking brain uses 10% more energy, and you have ten thoughts per minute, a thought weighs in at 40 million protons.

So yes, protons are quite a bit lighter than thought, I would say.

Do we need Windows patch legislation?

Ben Liddicott

Re: Forced to support forever

Big, bulky, or heavy on tech equipment has been used in the aftermath of Wannacry to excuse (some trusts of) the NHS. But is this really the software we're talking about? Isn't it just a lot of accountancy software, admin systems, data storage, and these kind of systems? Aren't in-your-face-everybody-can-relate-to-that examples (like MRIs, even here on elReg) used to cover for just secretary boxen?


FBI boss: 'Memories are not absolutely private in America'

Ben Liddicott

Not quite.

Not quite: You cannot be compelled to testify *against yourself*.

If you are given immunity from prosecution you can be compelled to give any and all testimony and punished if you refuse.

IBM staff petition for right not to work on Trump's pet projects

Ben Liddicott

Re: Citizens United

A "corporation" is the correct term. Corporate personality is what protects our right to form trades unions and charities, not just to form businesses.

It's a consequence of free association: Not only can I campaign in person and lobby the government in person, I can club together with like-minded people, and hire someone to do it for me. Not only can I say what I like (short of libel), I can club together with like minded people and make a film about it that says it better than I could.

The rule that allows people to club together to make a documentary critical of Hillary Clinton, is the same rule which allows Greenpeace to lobby the government, and the same rule which allows trades unions to donate to political campaigns, and the same rule that protects charities and businesses from having their property arbitrarily confiscated.

"Corporate personality encompasses the capacity of a corporation to have a name of its own, to sue and be sued, and to have the right to purchase, sell, lease, and mortgage its property in its own name. In addition, property cannot be taken away from a corporation without Due Process of Law."

The sharks of AI will attack expensive and scarce workers faster than they eat drivers

Ben Liddicott

Re: WebMD

Of course doctors did that even before the internet - they just called it a Medical Dictionary.

Leaked paper suggests EM Drive tested by NASA actually works

Ben Liddicott

Physical possibilities

Outgassing or ablation of the materials, e.g. glue solvent evaporating, plasticisers in electrical conductors evaporating and so on.

Interaction between electrical currents and earth's magnetic field.

Solar wind

Microwaves or other EM radiation leaking out of the end. They have momentum, after all.

Democralypse Now? US election first battle in new age of cyberwarfare

Ben Liddicott

Re: "delivered selectively, out-of-order. and out-of-context..."

Correct. There is no such thing as unbiased. Media cannot report everything so must always choose what is important, which is a value judgement, which is to say irreducibly ideological.

Candidate A's lies are vital to report because Candidate A represents an existential threat to democracy, so every plausible story which undermines him is important. Candidate B's lies are just the usual peccadilloes of politicians no more worthy of reporting than Obama's breakfast choices.

To the extent there is any solution it is to read competing accounts, to see what other people pushing different angles believe are the important facts. This is the same reason trials have prosecution and defence. It's the same reason scientists try to tear each other's theories to shreds - though this usually takes at least a generation.

If you only hear one side you'll easily be convinced the other side cannot possibly have any merit. If you then conclude it's not worth hearing, there is no way back for you.

Leap second scheduled for New Year's Eve 2016

Ben Liddicott

Re: How to handle leap seconds

Typical crystal oscillators are accurate to about 1-10 seconds in the day.

Most servers only update time via NTP a few times a day, and many only weekly or less or not at all.

The leap second is of the same order as the normal time skew which occurs on commodity hardware.

Nobody is suggesting you should allow the leap second to simply be added to the preceding second.

The proposition is that it is gradually adjusted over the subsequent hour or so, resulting in around 0.05% inaccuracy in duration during the period of adjustment, additional transactions, error comparing time elapsed to wall-clock time and so forth.

Ben Liddicott

How to handle leap seconds


Windows does essentially the same thing: Ignores the leap second and treats the updated time after the event as clock skew, adjusting over an hour or so.

Your junior devs will never be good enough to handle leap seconds correctly.

Your server clock is not that accurate anyway.

It doesn't matter for most applications.

If you are not sure whether it matters for your application, it doesn't. If it did you would know because you would have an atomic time source in your lab.

Oh, ALL RIGHT, says Facebook, we'll let Windows admins run osquery

Ben Liddicott

So like WMIC then?

Ships with Windows since 2002.

> wmic process where "Name='explorer.exe'" get Name,ProcessId,ParentProcessId,ExecutablePath,CommandLine

> wmic process where "processID=9112" call terminate

> wmic process where "processID=9112" call AttachDebugger

Microsoft snubs alert over Exchange hole

Ben Liddicott

Re: it only takes only four lines of code and a local config file

If they can run code as your login they can get your password in approximately a gazillion different easy ways.

Adding a more complicated and difficult method to the list does not make your position worse because your position is already "completely owned".

Ben Liddicott

Re: it only takes only four lines of code and a local config file

Or just read your credentials from where Outlook stores them, or read them by logging keypresses or...

Ben Liddicott

it only takes only four lines of code and a local config file

So it's not a vulnerability as it already requires you to have access in order to take advantage of it.

This is like saying "From the inside of the house I can open the window then go outside and climb in". Sure, but why bother if you are already in?

Remote hacker nabs Win10 logins in 'won't-fix' Safe Mode* attack

Ben Liddicott

Requires local admin = not a vulnerability

If you have local admin you can install a keylogger into the regular mode, you don't need safe mode.

You can also read password hashes straight out of the registry. Because you own the SAM. This includes cached hashes[*] from recent logins.

Seriously who vets these stories?

[*] that's what enables you to log in using your domain credentials while not connected to the network

Great British Block-Off: GCHQ floats plan to share its DNS filters

Ben Liddicott

Don't be daft. They want you to use Tor.

Tor is a honeypot and always has been. The point is to provide a false sense of security while simultaneously identifying people with something to hide.

For example: http://www.theregister.co.uk/2007/09/10/misuse_of_tor_led_to_embassy_password_breach/

TBB bugs are for the FBI. The NSA can de-anonymise any Tor user just based on their overall view of global network traffic.

Why would you think a project planned, founded, and paid for by the US government - the Navy[*] specifically - would protect you from the US government? That's some seriously wishful thinking there.

The question of legitimacy is all about what they do with the information. As long as the culture within the organisation does not permit it to be used except for national security, the ordinary person is safe. That ship has sailed in the UK - this is used for Serious Crime, which includes child prostitution. And fraud. And pot dealing. And copyright violation. And tax evasion. Pretty much everything which isn't a driving offence actually.

[*] The head of the NSA is an admiral of the USN. Possibly coincidentally.

Having offended everyone else in the world, Linus Torvalds calls own lawyers a 'nasty festering disease'

Ben Liddicott

Re: Lawyers

The way scientists do it is also adversarial.

Scientists are not disinterested, they have an enormous amount riding on their theories, far more than mere money. As such they can't be relied upon to find the holes in their own evidence.

That's why you need other scientists with competing theories to pick holes.

Darwinian processes are the only known processes to produce knowledge.

Das ist empörend: Microsoft slams umlaut for email depth charge

Ben Liddicott

Wild guess: Unicode normalisation fail

Possibly doesn't normalise the password when changing it, meaning that it can't be entered subsequently. Or vice-versa. Since we are talking about IMAP it may just be that certain clients don't normalize passwords on entry.

They're not just sequences of bytes, you know.

UK Home Office is creating mega database by stitching together ALL its gov records

Ben Liddicott

Re: Modus Operandi

Not any more. The puritans will leave no loophole unplugged.

US nuke arsenal runs on 1970s IBM 'puter waving 8-inch floppies

Ben Liddicott

Good. Simple is best.

What should they use? USB flash drives? Why not floppies?

Microsoft sets date for SQL Server on Linux

Ben Liddicott

Re: This is actually largely irrelevant

Except.... that if you pay for large scale enterprise support it costs nigh on as much as an MSSQL licence for the same feature set. Just like if you pay for Red Hat Enterprise it costs about as much as Windows Server.

And if you don't buy support you need staff who can support it, which also costs money. If you operate at IBM/Google/Facebook scale it's a saving to support it yourself, but otherwise even for large blue-chips it doesn't make sense.

Products are priced the way they are because that's the most they can charge without making their customers switch. Ergo, at any price point, everything is usually approximately equal value for money.

Google asks the public to name the forthcoming Android N operating system

Ben Liddicott

Nutty Nougat


Magnetic memory boffins unveil six-state storage design

Ben Liddicott

Re: A bit off

Works for me on both Windows 7 and Windows 10 calculator, both of which use an arbitrary precision arithmetic engine. I believe that's been the case since Vista.

What are you using? XP?

Destroying ransomware business models is not your job, so just pay up

Ben Liddicott

Re: It is our job to uphold the law

If I'm mugged at gunpoint, that's a crime in progress, but I'll be handing over my wallet all the same. If a child is kidnapped in practice you find that often people do what the criminals want first, then go to the police only afterwards.

Comparing on the one hand, paying an extortionist to retrieve irreplaceable property, and on the other, being too idle to shout "Oi!" at a casual thief, is just silly. They are different.

Ben Liddicott

Re: It is our job to uphold the law

I've upvoted you for the sentiment, but you asked "how is this different"?

If I saw someone breaking into a car and stealing a hard-drive or a camera, I wouldn't ignore that, of course. As you say it is our duty to intervene.

But if someone stole a hard-drive containing my family photographs, or the only copy of (encrypted) customer data, or unencrypted sensitive information, or a camera whose card contains the only copy of someone's wedding photographs, I would pay the thief to get it back.

What's the difference? One is a crime in progress, the other is mitigating the damage from a crime which has already occurred. They are different.

Ben Liddicott

Re: Price of an education...

Snapshots - a feature provided out of the box on Windows Vista and beyond - can be programmatically deleted, because the ability to delete data is a fundamental security requirement.

Sexism isn't getting better in Silicon Valley, it's getting worse

Ben Liddicott

Law vs. real life

If you ask women out when you know they are not interested and find it annoying, that's harassment. Continuing to ask after the second clear "no" for example would generally count. Once, you are probably legally in the clear.

But in real life, you are expected to know whether a woman is interested before you ask her.

This is a social convention to prevent women having to bat away a hundred foolish questions every day. You should be able to pick this up from body language and facial expressions. However if you are poor at body language or you are still not sure, ask mutual friends their opinion before asking her.

If you get a lot of "no" answers, you should learn from that you are poor at interpreting facial expressions and body language, and stick to asking mutual friends first.

Yelp-for-people app Peeple is back – so we rated Julia, its cofounder

Ben Liddicott

Re: UK libel law

No, the Mosley case was breach of confidence not libel.

Hardcoded god-mode code found in RSA 2016 badge-scanning app

Ben Liddicott

We have to stop thinking these things are accidents

Really, why does anyone think this is not on purpose?

Science contest to get girls interested in STEM awards first prize to ... a boy

Ben Liddicott

Re: The question remains ...




Serious, now. This!! FFS! THIS!!!!

"we'll harvest energy from people walking on floors!"

You know how walking on soft sand is harder work than walking on a hard pavement?


Because thermodynamics.

Ben Liddicott

Re: runner up - prior art

Most modern smartphones have a planar surface as the front of the camera, so no adjustment for RI is necessary.

Ben Liddicott

Re: Orwell said it (more or less) ...

What if women want to vote for a man? Will they be forced to vote for a woman?

Or will both men and women have both a male and female representative? What if they would rather have a transgender representative?

Why not just let them vote and let the chips fall as they may?

Windows 10 will now automatically download and install on PCs

Ben Liddicott

Re: It's like a fish taken out of the water...

DCOM not found in current versions of windows? What?


Women account for just one fifth of the EU’s 8m IT jobs

Ben Liddicott

Also sewage worker and bin person

Only discrimination can account for the dreadful underrepresentation of women in these vital industries!

Meanwhile 70% of PR are women, and that's fine.

Jenkins issues code of conduct to keep rowdy automation fans in line

Ben Liddicott

Re: Let's impose a political litmus test before people can do their jobs...

If that's the kind of world you want to live in, the worst I wish you is that you should do so.

Ben Liddicott

Let's impose a political litmus test before people can do their jobs...

See "opal gate" for how this works.

If you don't mouth the SJW Catechism to the satisfaction of the Political Officer then your options for professional development are to be severely constrained. It's unlawful for employers to do this in the EU.

But Open Source has become important, therefore Open Source becomes a power base, therefore Open Source will be colonised by party apparatchiks.