* Posts by Spamfast

344 publicly visible posts • joined 23 Jun 2010


Raspberry Pi Pico cracks BitLocker in under a minute

Spamfast

Re: D'oh!

Actually, I hadn't realised that the TPM actually gives the CPU software the keys which is inherently insecure even using ephemeral keys. I'd rather assumed that the CPU would pass cipher/plaintext on-the-fly to the TPM and the TPM would return it converted but I guess doing that over the sort of bus they're using would be prohibitively slow.

I used to work on sat-TV boxes and they have a device called a crypto DMA controller on the system bus with access to the main RAM.

Instead of the CPU decrypting the data stream from the dish, each chunk in RAM containing both the audio/video & ancillary crypto TP stream packets that prevent replay attacks is passed to the cryptoDMA which decrypts in place if it passes muster. The cryptoDMA has to be periodically unlocked with information both from the TP streams & the user's credentials otherwise it stops playing.

The point is that symmetric encryption/decryption keys and PKI private keys are generated within the crypto DMA and never, ever leave it. If it's designed suitably tamperproof, there's no way to get those keys simply by getting hold of the device.

Satellite service providers are very serious when it comes to protecting their content! :-)

Spamfast

just out of curiosity - if you are going to buy a laptop what is the best way to find out if the CPU and TPM are on the same chip

Ideally, the TPM & CPU need to be on the same wafer within the IC package which should also be manufactured in a tamperproof fashion such that any attempt to shave off the top to reveal the wafer will destroy it so that electron microscopy can't be used to observe the internals. Similarly, it should be hardened against voltage rail, EMC & X-ray susceptibilities.

Spamfast
WTF?

D'oh!

Unbelievable.

As others have pointed out, it's perfectly easy to have an encrypted channel over whatever bus lies between the crypto device and the main CPU doing the on-the-fly en/decryption. At boot, the CPU software & crypto negotiate an encrypted channel with a new set of keys using standard techniques. (Look them up.) The crypto rejects any weak methods from the CPU software. When setting up disk encryption, the CPU hashes the user's credentials and passes these to the crypto module over the encrypted channel. The crypto generates and stores keys with that hash and passes the keys back over the encrypted channel. The CPU encrypts whatever isn't yet encrypted. On subsequent reboot, the CPU software sends the same hash over the new encrypted channel and if it tallies, the crypto returns the keys to the castle over the encrypted channel. As long as the crypto IC is designed to be tamper-proof, if the whole lot is stolen, the perp will still need those credentials to decrypt.

However, this reminds me of the huge hole in chip'n'pin payment cards. While a lot of the comms between the card and the retailer's POS machine is encrypted, the message that comes from the card to tell the POS that the PIN the user entered is correct is neither signed nor encrypted. So, you steal someone's card and plug it into a reader in your backpack and have an MITM between that and a card with the appropriate dimensions and connections to talk to the POS that simply tells the POS that whatever the customer has typed in is the correct PIN. Someone built a proof of concept rig with wires up his sleeve but you could probably miniaturize & make it wireless using short range digital radio modules.

This is a bit like PS1 mod chips that looked at the bit stream from the CD-ROM and replaced the appropriate section that normal CD burners couldn't duplicate with the required sequence.
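The enrol/unlock exchange sketched in the comment above, simulated end to end as an added example (this is not the commenter's code, nor BitLocker's or any TPM's). The CPU side and the crypto module negotiate a fresh channel at every boot, the module stores volume keys against the credential hash, and keys only ever cross the bus sealed under that channel. The Diffie-Hellman prime 2^127-1, the SHA-256 keystream with an HMAC tag (a stand-in for a real AEAD such as AES-GCM) and the plain SHA-256 credential hash are all constructed simplifications for the demo; a real module would use a standard ECDH group, a proper AEAD and a slow KDF for credentials.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters (constructed for this demo; a real module would use a
# standard ECDH curve). They only need to let both ends derive the same channel secret.
P = 2**127 - 1
G = 3


def _sub_key(shared: int, label: bytes) -> bytes:
    """Derive a per-purpose key from the DH shared secret (simplified HKDF-style step)."""
    return hmac.new(shared.to_bytes(16, "big"), label, hashlib.sha256).digest()


class Channel:
    """Encrypted and authenticated channel over the bus between CPU and crypto module.
    A SHA-256 keystream plus an HMAC tag stands in for a real AEAD such as AES-GCM."""

    def __init__(self, shared: int):
        self.enc_key = _sub_key(shared, b"enc")
        self.mac_key = _sub_key(shared, b"mac")

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = (length + 31) // 32
        return b"".join(hashlib.sha256(self.enc_key + nonce + i.to_bytes(4, "big")).digest()
                        for i in range(blocks))[:length]

    def seal(self, plaintext: bytes) -> bytes:
        nonce = secrets.token_bytes(12)
        ct = bytes(a ^ b for a, b in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def open(self, frame: bytes) -> bytes:
        nonce, ct, tag = frame[:12], frame[12:-32], frame[-32:]
        expect = hmac.new(self.mac_key, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise ValueError("channel frame failed authentication")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))


class CryptoModule:
    """Stands in for the tamper-proof crypto IC: volume keys are generated here and
    only ever cross the bus sealed under the negotiated channel."""

    def __init__(self):
        self._store = {}  # credential hash -> volume key; never readable from outside
        self._chan = None

    def handshake(self, host_pub: int) -> int:
        # Reject degenerate public values: the "rejects any weak methods" step.
        if not 1 < host_pub < P - 1:
            raise ValueError("weak or invalid public value from host")
        priv = secrets.randbelow(P - 2) + 2
        self._chan = Channel(pow(host_pub, priv, P))
        return pow(G, priv, P)

    def enrol(self, sealed_cred: bytes) -> bytes:
        cred_hash = self._chan.open(sealed_cred)
        key = secrets.token_bytes(32)
        self._store[cred_hash] = key
        return self._chan.seal(key)

    def unlock(self, sealed_cred: bytes):
        cred_hash = self._chan.open(sealed_cred)
        for stored, key in self._store.items():
            if hmac.compare_digest(stored, cred_hash):
                return self._chan.seal(key)
        return None  # credentials do not tally: nothing leaves the module


class Host:
    """CPU-side software. Every frame it puts on the bus is appended to `bus` so the
    demo can check that the volume key never appears there in clear."""

    def __init__(self, module: CryptoModule, bus: list):
        self.module, self.bus = module, bus
        priv = secrets.randbelow(P - 2) + 2          # fresh key pair at every boot
        host_pub = pow(G, priv, P)
        self.bus.append(host_pub.to_bytes(16, "big"))
        mod_pub = module.handshake(host_pub)
        self.bus.append(mod_pub.to_bytes(16, "big"))
        self.chan = Channel(pow(mod_pub, priv, P))

    @staticmethod
    def _cred_hash(credential: str) -> bytes:
        # Plain SHA-256 as in the comment; a real design would use a slow KDF here.
        return hashlib.sha256(b"volume-credential:" + credential.encode()).digest()

    def _exchange(self, op, credential: str):
        request = self.chan.seal(self._cred_hash(credential))
        self.bus.append(request)
        reply = op(request)
        if reply is None:
            return None
        self.bus.append(reply)
        return self.chan.open(reply)

    def enrol(self, credential: str) -> bytes:
        return self._exchange(self.module.enrol, credential)

    def unlock(self, credential: str):
        return self._exchange(self.module.unlock, credential)


def appears_on_bus(bus: list, secret: bytes) -> bool:
    # True if the raw secret was ever visible in any frame that crossed the bus.
    return any(secret in frame for frame in bus)
```

Running `Host(module, bus).enrol(...)` once and then `Host(module, bus2).unlock(...)` with a second `Host` object models the reboot: new DH keys, same credential hash, same volume key back, and a wrong credential gets nothing. `appears_on_bus` is the check a hardware reviewer would want, that a logic analyser on the bus would capture only sealed frames.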

Systemd 255 is here with improved UKI support

Spamfast
Unhappy

K.I.S.S.

I can see the reason behind systemd to streamline boot up. But I have to remember the original mantra of "do one thing and do it well". Systemd seems to have become a tentacular monster and a poorly documented, non-deterministic one as well. At least with System V initscripts I can follow what happens and when without having to reference a gazillion man pages for each type of /*/systemd/system/* file.

Regulator says stranger entered hospital, treated a patient, took a document ... then vanished

Spamfast

Re: Fine but not fine....

I totally agree about the pointlessness of one government body fining another.

That's why it needs the management to be personally liable for their decisions. If they're found to have acted in a knowingly reckless way (think 'depraved indifference'), then their assets and liberty should be at risk.

I appreciate that the details are a bugger and it'd be feathering the lawyers' nests again but for the life of me I can't think of anything else that would work, both in the public sector and the private.

Spamfast
FAIL

Every healthcare organisation should look at this case as a lesson learned ...

Yes. And the lesson is that there is no personal comeback on those in charge of physical and IT security so carry on as you were administrators.

NASA reschedules Boeing's first crewed Starliner flight for mid-April 2024

Spamfast
FAIL

Cutting corners?

Such basic errors as using flammable tape and designing a parachute coupling that breaks under representative load fill me with confidence.

I appreciate that hindsight is always 20-20 but I do have to wonder what other bad choices are waiting to surface in Boing's (let's hope that at worst it goes 'boing') design. Has anyone checked the computer-assisted flight controls yet?

Something goes wrong at SpaceX they say "oh dear, but we can learn from that." The parachutes fail to open and Boeing says "It's fine. Nothing to see here. Move along."

I might get into a Crew Dragon. I certainly wouldn't get into a Starliner.

Millions of people's data stolen because web devs forget to check access perms

Spamfast

Re: Web devs forget to check access perms :o

Absolutely.

Sadly the commonest pattern is for the server-side app code to have a configuration file with a single set of credentials (usually plaintext username/password) that grants it blanket read/write/create-table etc. access to the whole database or often the whole database server. These credentials are used piecemeal by database accesses sprinkled all through the business logic and UI code of the application.

I don't often do this kind of development (I prefer real-time embedded) but my solution where there is not already a robust layered security system in place is always to write a separate daemon between the app-server code and the databases. The daemon does the credential validation and issues the session user-ID token to the app and then requires that token as well as the query which it can then check before allowing the query to run.

The daemon can concentrate on the rules for what user-ID has what level of access to what rows in the database and can have a fully-automated test suite. The app meanwhile can concentrate on the user interface and its functionality.
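An added example of the mediating layer described in the comment above (not the commenter's own code): the application holds only a session token, while the mediator alone holds the database connection, validates credentials, issues tokens and applies row-level rules before any query runs. The in-memory SQLite schema, the patient/clinician roles and the seed users are constructed for the demo; PBKDF2 and the 600-second session lifetime are arbitrary choices. In the comment the daemon checks queries the app hands it; this version instead exposes named operations, which keeps the policy checks simple and testable.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed seed data: (id, name, role, password). Passwords exist only to seed the demo.
SEED_USERS = [(1, "alice", "patient", "alice-pw"),
              (2, "bob", "patient", "bob-pw"),
              (3, "carol", "clinician", "carol-pw")]
SEED_RECORDS = [(10, 1, "alice: annual check-up"), (11, 2, "bob: allergy list")]
SESSION_TTL = 600  # seconds


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccessMediator:
    """Stands in for the separate daemon: it alone holds the database connection,
    validates credentials, issues session tokens and enforces row-level rules
    before any query runs. The application code never sees the database."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT UNIQUE, "
                        "role TEXT, salt BLOB, pw_hash BLOB)")
        self.db.execute("CREATE TABLE records(id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
        for uid, name, role, password in SEED_USERS:
            salt = secrets.token_bytes(16)
            self.db.execute("INSERT INTO users VALUES (?,?,?,?,?)",
                            (uid, name, role, salt, _hash_pw(password, salt)))
        self.db.executemany("INSERT INTO records VALUES (?,?,?)", SEED_RECORDS)
        self.sessions = {}  # token -> (user_id, role, expires_at)

    def login(self, name: str, password: str):
        """Validate credentials; return an opaque session token or None."""
        row = self.db.execute("SELECT id, role, salt, pw_hash FROM users WHERE name=?",
                              (name,)).fetchone()
        if row is None:
            return None
        uid, role, salt, stored = row
        if not hmac.compare_digest(stored, _hash_pw(password, salt)):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (uid, role, time.monotonic() + SESSION_TTL)
        return token

    def _resolve(self, token: str):
        entry = self.sessions.get(token)
        if entry is None or entry[2] < time.monotonic():
            self.sessions.pop(token, None)
            raise PermissionError("invalid or expired session token")
        return entry[0], entry[1]

    def _owns(self, uid: int, record_id: int) -> bool:
        row = self.db.execute("SELECT owner_id FROM records WHERE id=?", (record_id,)).fetchone()
        return row is not None and row[0] == uid

    def read_record(self, token: str, record_id: int):
        uid, role = self._resolve(token)
        # Row rule: patients read only their own records; clinicians read any record.
        if role != "clinician" and not self._owns(uid, record_id):
            raise PermissionError(f"user {uid} may not read record {record_id}")
        row = self.db.execute("SELECT body FROM records WHERE id=?", (record_id,)).fetchone()
        return row[0] if row else None

    def update_record(self, token: str, record_id: int, body: str) -> bool:
        uid, role = self._resolve(token)
        # Row rule: only the owning patient may write; clinicians are read-only here.
        if role != "patient" or not self._owns(uid, record_id):
            raise PermissionError(f"user {uid} may not update record {record_id}")
        self.db.execute("UPDATE records SET body=? WHERE id=?", (body, record_id))
        return True


def denied(action, *args) -> bool:
    """Helper for the demo: True if the mediator refused the action."""
    try:
        action(*args)
    except PermissionError:
        return True
    return False
```

Because every rule lives in `read_record` and `update_record`, the policy can be covered by a plain test suite of the kind the comment mentions: log in as each role, hit each row, and assert which calls are refused. The app side needs no database credentials at all, which removes the blanket read/write/create-table account that the comment describes as the usual pattern.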

To infinity and beyond, with a swarm of tiny computers costing under $1K each

Spamfast
Happy

Von Neumann Effect

Don't forget to equip them with the ability to self-replicate.

Berserker Base here we come. (Or Mantrid Drones if you prefer.)

Google's next big idea for browser security looks like another freedom grab to some

Spamfast
Thumb Up

Re: ODFO, alphagoo.

That's how the Internet works.

Hallelujah. That's how any comms channel should work.

Anything coming from a source or through a comms channel that isn't completely under your control needs to be treated as potentially hostile and validated and sanitised to death. You can never assume otherwise or you end up with the Morris Worm, SQL injection, JSON-as-JavaScript injection, buffer overflow exploitation (worm again) or whatever.

As a bonus, your systems will be more reliable and robust.

If you can't design your end to detect when the other is 'cheating' then you've done it wrong.

Oracle's revised Java licensing terms 2-5x more expensive for most orgs

Spamfast
Trollface

Re: with 49,500 employees, all of whom are applicable

Why then do Java-based back-ends for continuous integration, bug tracking, collaboration etc. always seem to require five times the resources of ones using PHP, Perl, Python or Ruby for the same type of service?

Maybe Java programmers just aren't very good?

Spamfast

Re: with 49,500 employees, all of whom are applicable

Or just decontaminating completely as we have done.

Amen.

It baffles me why anyone uses Java in new projects and why existing ones aren't switching to Python, Ruby or JavaScript/ECMAscript or, well, practically anything else.

I've got nothing against the language syntax itself - in fact it's quite nice. But the compute requirements for things like Jenkins or JBoss or whatever are bananas.

ChatGPT study suggests its LLMs are getting dumber at some tasks

Spamfast
Happy

Re: Stochastic parrots

Thanks for the reference.

I love that the originator's surname is 'Bender'. "Kiss my shiny metal ass" comes to mind.

Post-Brexit tariffs on cross EU-UK electrical vehicle imports still going ahead

Spamfast
Trollface

Re: Fuck business

Ah, but look what we've gained. Instead of faceless EU bureaucrats telling us what to do we've got Rishi Sunak, Jacob Rees-Mogg and quite possibly Boris Johnson again looking after our interests. What could possibly go wrong?

Twitter rate-limits itself into a weekend of chaos

Spamfast

Tech vendors have been hiking prices by up to 24% amid inflation

Spamfast
Pirate

Spivs

There's a word for this - gouging.

At the sniff of publicly reported increased upstream costs, the first reaction of many a big business is to pass the costs on but with a fat bit of padding.

Supermarket chains, energy suppliers, vehicle fuel station franchises - I'd be surprised if they haven't been lured into doing this.

And of course it feeds back.

And yet there's bugger all reporting of how the wholesale commodity prices for gas, oil and the rest have actually dropped significantly throughout late 2022 and this year.

UK smart meter rollout years late and less than two thirds complete

Spamfast
WTF?

Ker-ching.

We're now into gen2 'smart' meters (aka SMETS2) yet they still only save money for the power companies by allowing them to fire all the meter readers. So we've ripped out and binned millions of perfectly functioning gas & electricity meters, some of them twice, with no appreciable benefit to customers other than a dinky little display box.

We'll be doing it again when an over the wire protocol for smart appliances is agreed so that the meters can ask fridges, aircon, etc. to modulate their energy use to avoid having to switch in less-green baseload supplies.

And all the time the government & industry have been lying when they said that the consumer won't be paying for all this. Of course we're paying for it in increased standing charges, more residual power usage by the meter itself and the wireless infrastructure.

File Explorer gets facelift in latest Windows 11 build

Spamfast
Happy

Re: Would anyone like any toast?

I'm sure that the toaster would remind you itself if someone thought to put some AI in it. What could possibly go wrong?

"Talky's the name, and toasting's the game! Anybody want some toast?"

Cunningly camouflaged cable routed around WAN-sized hole in project budget

Spamfast
Thumb Down

Re: 'A reader we’ll Regomize as "Leif"'

Except that the Scandinavian name 'Leif' is pronounced like the English word 'life' not like 'leaf'.

My step-son is called Leif and hated it when he and his mother moved to England and even his school teachers wouldn't bother getting it right even after repeated correction.

Her name, by the way, is 'Dagmar' which is okay because she's half German and that's how it's pronounced there with a hard G. However if she'd preferred the Danish pronunciation - which is closer to 'Dowmar' (my apologies to Danish-speakers for the over-simplification) - she'd have had a lot of repeating herself to do!

Ford in reverse gear over AM radio removal after Congress threatens action

Spamfast

Re: The only question remaining is ...

WTF don't cell phones have an AM receiver[0] built in?

AM is no longer used in many parts of the world. Even FM has been shut down in some countries such as Norway in favour of DAB+.

I'd like to see mobiles (aka cell phones or Handys) have SDRs capable of AM, FM & DAB+ and the rest. Mine - a few years old - still has an FM radio but that might be useless if the UK government takes the backhanders from certain parties and follows Norway.

Spamfast
FAIL

Rivian, meanwhile, told us it "offers free access to AM and FM radio services in all Rivian consumer vehicles that come standard in each vehicle. AM radio service from local and national stations is provided via digital radio platforms (thus ensuring enhanced audio quality.)"

I think they've rather missed the point there. It's not the content that needs to be available, it's the technology. In the event of a problem, AM transmitters may well still be broadcasting when wireless Internet ones have been taken down.

Microsoft and Helion's fusion deal has an alternative energy

Spamfast
Facepalm

Re: Build SMRs instead

It's been calculated that current SMR designs produce considerably more nuclear waste per watt generated than conventional ones. As with those the public will end up having to pay for the clean-up when the company making the reactors dissolves itself over the costs after taking the government subsidies & customers' money and giving it to the upper management and shareholders.

No historical, current or proposed uranium or plutonium fission reactor has ever made or will make a profit once state subsidy, decommissioning and long term waste storage are factored in to the costs. Building new ones will not help the current climate problem because they won't come online in time and by the time they do, they'll be providing some of the most expensive power on the grid.

Nuclear fusion and nuclear fission, perhaps using thorium reactions, may be worth pursuing but it's just a distraction to suggest they can help with the pickle into which we've currently gotten ourselves.

If we are going to state-subsidise the energy industry, we should be removing all the breaks the fossil fuel companies are still getting, take that and all public money currently being spent on new fission build and fusion research and invest that in both the installation of existing renewable capture and storage facilities and research into improving them. This would be faster gain and much lower risk.

Asahi Linux developer warns the one true way is Wayland

Spamfast
Facepalm

Re: Nope

VNC, which requires each desktop you want to run to be manually set up in a config file and tied to a specific port.

Actually, on Linux you can run a TigerVNC daemon listening on a single port on a remote machine that uses PAM authentication over TLS and creates a new virtual framebuffer for each connecting client in which you can run up a desktop environment.

The only problem being that many Linux distros now only allow a given UID to run a single GUI session at a time because all the software bus configuration gets wildly confused otherwise.

But that's a flaw in the desktop implementation not in VNC.

Hubble spots stellar midwife unit pumping out baby planets

Spamfast
Thumb Up

Mazel Tov!

Damn, I missed the party on Friday.

Oh well, we can always wet the babies' heads - there must be an ethanol gas cloud somewhere in the neighbourhood.

Spamfast
Trollface

Re: Confused

still feeling sympathy for poor depreciated Pluto

Not this again?!

Get over it.

Spamfast
Coat

Hubble spots stellar midwife unit pumping out baby planets

What midwife unit?

I see the mother. She seems to be doing well without help. It's clearly a home birth situation.

Don't medicalize childbirth for heaven's sake!

Tsk. Typical male reporting.

A right Royal pain in the Dallas: City IT systems crippled by ransomware

Spamfast
Thumb Up

Re: Somebody was behind on their patches and updates

Having briefly worked in gov IT, I will never make that mistake again. Well, unless I'm starving and facing eviction, of course.

There are soup kitchens and flop houses, you know? ;-)

Elizabeth Holmes is not going to prison – for the moment

Spamfast

Under federal truth-in-sentencing laws he must serve at least 85% of it, which would be nearly 11 years.

Except that it'll get watered down by Flywheel, Shyster, and Flywheel. And/or they'll get transferred to a minimum sec 'oh I can't go out at night' facility.

Spamfast
IT Angle

If you can't do the time, don't do the crime.

Alternatively, use the money you bilked from a bunch of gullible idiots to pay for a solid legal team.

Let's see how long her partner in crime actually spends in jail on that 12 year, 11 month sentence.

Rich white collar criminals seldom pay even when caught.

Apache Superset: A story of insecure default keys, thousands of vulnerable systems, few paying attention

Spamfast
FAIL

How difficult is it for the installer to generate a random key on installation? How many networking kit breaches are caused by hard coded backdoor telnet (!) or ssh logins? The company officers need to be personally liable for this nonsense.

Balloon-borne telescope returns first photos in search for dark matter

Spamfast
Flame

Re: Helium is cheaper than rocket fuel

Helium is a natural product of radioactivity, alpha-particles are essentially Helium nuclei, so the Earth emanates Helium all the time, all we have to do is collect it. I expect there will be enough for several years to come.

Not at the rate we're squandering it. The helium produced by surface background radiation goes into the atmosphere from where it would be fiendishly expensive to harvest and also from where it diffuses into space. We get our helium from fossil sources, which are replenished very slowly by the Earth's internal radioactivity.

You could equally argue that we'll never run out of oil & natural gas because there will be some more along in a few hundred million years.

If you don't get open source's trademark culture, expect bad language

Spamfast
Coat

I have vague memories of Microsoft setting rules for something like this. IIRC you could call your product Optimiser for Windows, but not Windows Optimiser - or was it the other way round?

Optimizer for transparent wall sections?

Florida folks dragged out of bed by false emergency texts

Spamfast
FAIL

Re: Big Brother has another way to cock things up.

It's not an app, genius. It's a cell alert that's part of the infrastructure. That a phone might have an app that specifically handles it is completely separate from the alert itself.

Phone masts can transmit all sorts of things but without software in the receiving device they do nothing.

When I bought my phone, it did not have a settings page for emergency alerts.

Now it does.

Therefore at some point an update installed a piece of software (an app) to respond to the alerts.

It even appears in the list of 'apps' if I enable 'show system apps' and allows me to see - but not to change - its permissions. Take a look - on Samsung phones it's called 'Emergency alerts'.

You do know your phone has to run a piece of software to make calls, don't you? Or to send text messages?

Spamfast
WTF?

Big Brother has another way to cock things up.

I am really annoyed about this system.

Basically it's an app that was installed by stealth on all our phones at the order of our governments.

Apparently the UK one prevents any use of the phone until the alert has been acknowledged so it must have fairly high privileges. I am not able to uninstall it, disable it or change its access settings. I can only disable notifications but there's nothing stopping it from re-enabling them.

I was relieved when the buggy, insecure Covid apps were opt-in. Why the hell isn't this one too? I'm being spied on by Google & Samsung already but at least they're relatively competent. The UK government and its contractors have a well documented history of gross negligence with anything IT related.

Linux 6.3 debuts after 'nice, controlled release cycle'

Spamfast

Re: Giving it a try

Ccache might help but if just building the kernel takes two hours then you need to invest in new hardware.

I Yocto-build an entire openembedded deployable in about twenty minutes, using locally cached git repos for the various userland porcelain, on a 12-core 24-thread Ryzen, 64GiB RAM & a 2T SSD.

YMMV of course.

UK government scraps smart motorway plans, cites high costs and low public confidence

Spamfast

Well, I am so not a fan of Mr Sunak, a corrupt self-serving politico. But shutting down the idea of a) making motorways more dangerous and b) expanding our addiction to CO₂ gets my approval. The UK government (of whichever stripe) talks about the climate but still spends way more of our money on fossil fuel guzzling projects than ones that will mitigate the problem, generate jobs & revenue and make our environments better places in which to live.

By order of Canonical: Official Ubuntu flavors must stop including Flatpak by default

Spamfast
WTF?

Re: Snap/flatpack needs to go away

Snap/flatpack needs to go away

Hallelujah!

It's drifting towards MS .Net (which release?) and Metro (ditto) and containers. Let's add another layer of abstraction - what's the downside? Everything becomes an entire environment to support what it needs with all the storage, memory & CPU overheads that implies. Never mind that they're all using the same libraries - they have to work to that specific version so have to have their own copy. How many loop mounts do you want?

Microsoft had 'DLL hell' and bodged around it. Linux doesn't have that problem - if a library has a breaking change it is bumped and both can co-exist.

Stick with apt or yum or ./configure && make && sudo make install. Otherwise I don't want your product.

No more free love: Netflix expands account sharing restrictions

Spamfast
Headmaster

€3.99 in Portugal and €5.99 in Spain

Hey, Reg, get with it. In general in Europe the currency symbol goes after the amount, not before.

3.99€ in Portugal and 5.99€ in Spain

New York gets right-to-repair law – after some industry-friendly repairs to the rules

Spamfast
Happy

Re: Perspective

My new Samsung 75" TV's screen failed after just over a year, but luckily still in warranty.

In the UK at least, the Sales Of Goods act states that items must be 'fit for purpose'. I've had full refunds on electronic goods that went south several years after purchase without requiring a warranty from the manufacturer. If I buy a TV I have a right to expect it to keep working for five years or more and will take it back to the retailer and if necessary threaten them with Small Claims Court action if they try to give me the run around. I've never actually had to start proceedings. It seems standing at the customer service desk with a copy of the relevant legislation and a stubborn attitude is enough to make them give me my money back.

YMMV of course.

BBC is still struggling with the digital switch, says watchdog

Spamfast
Trollface

Where are my waders?

I'm as guilty as the next person but broadcast TV - digital or analogue - is an order of magnitude more environmentally friendly than all of us streaming from servers at our own whim.

Fuck the planet so I can watch Game Of Thrones is not a great solution.

Orion snaps 'selfie' with the Moon as it prepares for distant retrograde orbit

Spamfast
WTF?

Re: that selfie...

Like the supposed pictures of the lunar module taking off from the surface of the moon.

I hope you're joking.

Otherwise, have you not heard of tripod-mounted video cameras with a radio transmitter?

Spamfast
Stop

I'm insulted.

there are no animals on the moon (except the odd rogue Clanger),

Dear Sir,

I'm insulted. We Clangers do not live on your moon. We have our own planet.

How would you like it if we told the Iron Chicken that humans live on Venus?

Yours faithfully,

Major Clanger

Spamfast
FAIL

What's wrong with this statement?

to propel Orion at 8.9 feet per second

First, 8.9 ft/s relative to what?

Second, (as commented elsewhere) stop using daft non-SI units for engineering reports. Only the Usains and a few others are still using obsolete units and there are only 280 million of them, call it 500 million tops including the rest. There are now 8 billion of us on the planet.

US Supreme Court asked if cops can plant spy cams around homes

Spamfast
Black Helicopters

Re: Just one question

to who do they serve the warrant

First off, it's "to whom".

Second they don't serve the warrant. They go to a judge and convince him/her that they have probable cause and so obtain permission - aka a warrant - to proceed with the surveillance. It doesn't have to be served on anyone. In days of yore this was the process by which the cops obtained the right to tap someone's phone. It would be pretty useless if the surveilled had to be informed beforehand.

Not that I condone state surveillance - almost all of it is egregious and illegal.

Microsoft leaves the Office, rebrands everything as 365

Spamfast
FAIL

Re: Survey missing option

And LibreOffice doesn't crawl its way into every nook and cranny of the registry.

The registry, by the way, which is one of the most colossal cock-ups of computing in modern times. An undocumented, fragile, non-normal-form, quadratic access database of items many of which can crash the OS if corrupted or left in the wrong state by a crappy uninstaller.

NASA sets November date for next SLS Moon rocket delay, er, launch

Spamfast
Flame

I'm not a fan of Elon Musk as a person - basically he's a creepy uncle/Bond villain - but I admire SpaceX and to some extent Tesla, minus the faux 'autopilot' crap.

Provided RUDs don't kill people - as they did twice with the US Shuttle programme if you remember - then they're par for the course. You collect the data and correct the problems.

I like the idea of multiple suppliers - redundancy is good for scheduling & price haggling - but the ratio of money given to SpaceX compared to NASA's old buddies for SLS is indicative of the pork barrel/political contribution mentality that still rules US space funding.

Scientists, why not simply invent a working fusion plant using $50m from Uncle Sam

Spamfast
FAIL

Nuclear fusion is impossible because electron removal is unthinkable. We are dealing with a scam.

I look up in the mornings and see evidence that nuclear fusion is entirely possible.

I also look up at night and see even more of the reactors.

(Unless you think they all run on coal?)

What we've not been able to achieve is sustainable confinement, temperature & pressure even using deuterium/tritium rather than proton/proton fusion. However, recent use of deep learning algorithms to point to the plasma control is interesting.

But we've been here before of course.

Is it time to retire C and C++ for Rust in new programs?

Spamfast

Re: One thing that make me wary of rust

When I'm on a new (usually bare-metal embedded) platform using C/C++ the first things to get integrated into the build tree are boost, pcre and a decent JSON library such as RapidJSON. That usually covers 75% of my requirements apart from protocol stacks. (Think lwIP/mbedTLS, Lely CANopen etc.)

For embedded Linux once I've got buildroot or yocto to behave the options are much broader of course.

Spamfast
Meh

It's just another high level language. Big whoop. If I have to, I'll use it. Who cares?

Those screws on the Apple Watch Ultra are a red herring

Spamfast

Re: Muppets

I'm guessing that they've never taken anything apart with 100m rating before. Do they think it's Steve Jobs' tears that make it water proof?

That's 10 atmospheres.

I have a thirty year old Tissot watch that is 100m rated and yet my horologist can remove & replace the backplate to change the battery while maintaining its integrity.
