* Posts by Concrete Gannet

68 publicly visible posts • joined 6 Jul 2010


Under CISA pressure collab, Microsoft makes cloud security logs available for free

Concrete Gannet

These two paras in https://www.microsoft.com/en-us/security/blog/2023/07/14/analysis-of-storm-0558-techniques-for-unauthorized-email-access/ are very scary. (MSA is a Microsoft account, so the self-service identity you can create whenever you want, for example by creating a new mailbox on outlook.com.)

"Storm-0558 acquired an inactive MSA consumer signing key and used it to forge authentication tokens for Azure AD enterprise and MSA consumer to access OWA and Outlook.com. All MSA keys active prior to the incident – including the actor-acquired MSA signing key – have been invalidated. Azure AD keys were not impacted. The method by which the actor acquired the key is a matter of ongoing investigation. Though the key was intended only for MSA accounts, a validation issue allowed this key to be trusted for signing Azure AD tokens. This issue has been corrected."

"As part of defense in depth, we continuously update our systems. We have substantially hardened key issuance systems since the acquired MSA key was initially issued. This includes increased isolation of the systems, refined monitoring of system activity, and moving to the hardened key store used for our enterprise systems. We have revoked all previously active keys and issued new keys using these updated systems."

They're not owning up to how the key was obtained. Either a Microsoft employee stuffed up, or a vital key management system was compromised. Either one is bad news.

By "inactive", do they mean they were leaving older keys lying around when they weren't actively using them, so they would be less likely to notice if an attacker had obtained that key?

It seems up until now they thought it was OK to manage their signing key for personal accounts in a sloppier way compared to the accounts within an organisation's Azure AD (Azure AD is currently being renamed to Entra). And yet that key was able to be used for signing Azure AD tokens!

I think this is a big deal and Microsoft are lucky - there could easily have been a larger and more vehement response and criticism. They really need to do better.
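To make the quoted "validation issue" concrete, here is an added toy example (not Microsoft's code and not part of the original post). It contrasts a validator that looks a `kid` up in one merged key cache, so a consumer signing key is trusted for an enterprise token, with one that only trusts keys from the expected issuer's own set and refuses revoked keys. The key material, issuer names and the HMAC-SHA256 stand-in for real RS256/JWKS signing are all constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed toy key material and issuer names (placeholders, not Microsoft's).
# Real tokens are RS256 JWTs verified against published JWKS keys; HMAC stands
# in here so the example runs offline.
MSA_KEYS = {"msa-key-1": {"secret": b"constructed-consumer-secret", "active": True}}
AAD_KEYS = {"aad-key-1": {"secret": b"constructed-enterprise-secret", "active": True}}
ISSUERS = {  # each issuer trusts only its own key set
    "consumer-issuer": MSA_KEYS,
    "enterprise-issuer": AAD_KEYS,
}

def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_token(kid, secret, claims):
    """Mint a compact token header.payload.signature (HMAC-SHA256 stand-in)."""
    header = _b64u(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64u(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64u(sig)}"

def _parse(token):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload, sig = parts
    return (json.loads(_b64u_dec(header)), json.loads(_b64u_dec(payload)),
            f"{header}.{payload}", _b64u_dec(sig))

def _signature_ok(secret, signing_input, sig):
    expected = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def validate_flawed(token, expected_issuer):
    """The failure mode: one merged key cache, so any known kid is trusted for
    any issuer. A consumer key then validates an 'enterprise' token."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = {**MSA_KEYS, **AAD_KEYS}.get(header.get("kid"))
    return key is not None and _signature_ok(key["secret"], signing_input, sig)

def validate_scoped(token, expected_issuer):
    """Hardened: the kid must exist in the key set that belongs to the expected
    issuer, and that key must still be active (revoked keys are refused)."""
    header, claims, signing_input, sig = _parse(token)
    keyset = ISSUERS.get(expected_issuer)
    if keyset is None or claims.get("iss") != expected_issuer:
        return False
    key = keyset.get(header.get("kid"))
    if key is None or not key["active"]:
        return False
    return _signature_ok(key["secret"], signing_input, sig)

def revoke(kid):
    """Invalidate a key in every key set, as was done for all prior MSA keys."""
    for keyset in ISSUERS.values():
        if kid in keyset:
            keyset[kid]["active"] = False

def demo():
    """Constructed tokens: a genuine enterprise token and a token that names the
    enterprise issuer but is signed with the consumer key."""
    claims = {"iss": "enterprise-issuer", "sub": "alice@example.test"}
    genuine = sign_token("aad-key-1", AAD_KEYS["aad-key-1"]["secret"], claims)
    cross_scope = sign_token("msa-key-1", MSA_KEYS["msa-key-1"]["secret"], claims)
    return {
        "flawed_genuine": validate_flawed(genuine, "enterprise-issuer"),
        "flawed_cross_scope": validate_flawed(cross_scope, "enterprise-issuer"),
        "scoped_genuine": validate_scoped(genuine, "enterprise-issuer"),
        "scoped_cross_scope": validate_scoped(cross_scope, "enterprise-issuer"),
    }
```

The point to check in any real deployment is the second line of `demo()`'s result: a signature that verifies is not enough, the key also has to be one the expected issuer is allowed to use.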

ReMarkable emits Type Folio keyboard cover for e-paper tablet

Concrete Gannet

Re: I have a Remarkable 2

Yes, the Remarkable stylus is deliberately designed to be soft and wear down over time, to give pencil-like feel and to avoid any scratching of the screen. The downside is you have to replace the stylus nib periodically, but it's a sensible design decision.

I don't know about the Staedtler, but I understand your concern.

Get over it: Microsoft is a Linux and open source company these days

Concrete Gannet

FAANG^H^H^H^H^H FAGMA

Whoever came up with the FAANG acronym must have been a publicist for Netflix: they simply do not belong in the same league as Amazon, Apple, Microsoft, Alphabet/Google and Meta/Facebook. Stop talking about them as peers to the behemoths. FAANG is not a useful concept - maybe FAGMA?

https://medium.com/quantum-economics/famga-what-we-learned-in-2016-from-the-5-big-mega-cap-tech-companies-39ca2edfe8a1

Current market caps (https://www.tradingview.com/markets/stocks-usa/market-movers-large-cap/):

Apple 2.4T

Microsoft 1.9T

Alphabet/Google 1.4T

Amazon 1.1T

Meta/Facebook 430B

Netflix 78B

ARPANET pioneer Jack Haverty says the internet was never finished

Concrete Gannet

"At one of the quarterly meetings Vint Cerf came in and dropped a bombshell on us: he said TCP had become a standard. Our immediate reaction, or at least my reaction, was 'Wait: it's not done yet. We have this long list of things we still have to figure out'," Haverty recalled in his speech.

I'm reminded of talking to somebody who participated in the efforts to produce the first standard for C++ which emerged in 1998:

"They don't want it right. They don't want it complete. They want it Tuesday."

Gartner on cloud contenders: AWS fails to lower its prices, Microsoft 'cannot guarantee capacity', Google has 'devastating' network outages

Concrete Gannet

Re: Big Blue

"Full cloud encryption" implies other clouds don't encrypt something. What?

To the best of my knowledge all the big cloud companies encrypt data at rest and in motion. "Full cloud encryption" isn't a differentiator. What am I missing?

The Wrath of Amazon: JEDI wars rage on after US Department of Defense affirms Microsoft contract

Concrete Gannet

Re: Not just clouds

Agreed. AWS's objections seem to be a combination of assertions "we're years ahead, how could anybody be remotely competitive?" and "see that corner of the requirements, one thousandth of the overall spec and dollar value? Well Microsoft didn't precisely meet them. In our judgement."

I think any other large customer contemplating a deal of this scale will be marking AWS down. They are not respecting the customer at all. AWS should eat humble pie on this one, recognise customers don't see their product in the same way they do, and work out what to do differently next time.

If customers can't immediately see the innate superiority of their product, maybe that's because it isn't there.

Not Half bad: Microsoft back to 16 bits with new storage-saving type in .NET 5

Concrete Gannet

Not bfloat16?

All the cool kids are using bfloat16 (https://en.wikipedia.org/wiki/Bfloat16_floating-point_format), with an 8 bit exponent, so a wider range but less precision than Half. Why not that, as well as or instead of the IEEE half-precision type?

Xen Project's plan after AWS goes KVM: Talk up embedded future

Concrete Gannet

Three years on ... KVM enabled much faster custom ASIC hardware for critical I/O

See this story: https://www.forbes.com/sites/janakirammsv/2019/03/10/how-an-acquisition-made-by-amazon-in-2016-became-companys-secret-sauce/#7e61c6632f67

AWS acquired Israeli company Annapurna which makes custom ASICs that dramatically speed up I/O for virtual machines. KVM was important to make it all work. So Simon Sharwood was on the money to report on this in November 2017.

Concrete Gannet
Thumb Up

No contradiction - the real story is they let KVM in at all

I agree with AC above: there is no contradiction.

I'm a Linode customer, and it was a royal pain rebooting servers every couple of months because yet another security hole was found in Xen. Linode abandoned Xen and the world is a better place: https://www.cio.com/article/2937714/cloud-computing/why-linode-moved-to-kvm.html.

My take on this story... AWS have come to the same conclusion: Xen is a dud. As general policy, they will create new images based on KVM. For now, they will not disrupt the stack of existing images, and minor variations could still use Xen. I suspect the P3 is an example of the latter.

"We asked AWS if the introduction of KVM had to do with any issues with Xen; an AWS spokesperson responded with a statement that the P3 instances on sale since October use Xen, and the company will continue to heavily invest in Xen."

Note the spokesperson did not directly answer the question. "Heavily" means whatever I want it to mean.

We must speculate because Amazon will not give us a definitive answer. They have no need to broadcast in detail what they're doing. Most customers don't care. Over-detailed descriptions give competitors a shortcut - instead of doing their own research and testing, they can just copy AWS. A bit like the Scottish fast food chain doing intensive research on the ideal site for a store, and the competition simply opening up next door.

AWS will be supporting and indeed fixing Xen for the foreseeable future, so it would be stupid to disengage from the Xen project. Jeff Bezos and the gang are not stupid. Weaning themselves off Xen will take years, and will happen by natural attrition anyway as they introduce new, more capable and more cost-effective images. No need to make a song and dance about it.

A year from now, Xen might be improved and AWS might revisit this decision. I doubt they will change their minds. No, the really significant thing is *letting KVM into the stack at all*. That's the real story, and Simon Sharwood is spot-on to notice. A non-answer from a PR person in Amazon does not contradict his story.

And can I say one of the reasons I read and like The Register is their bulldust detectors are pretty good. I think being based in the UK and not the US helps. There is a level of scepticism, even cynicism, when other IT publications (*cough* TechTarget *cough*) are too ready to copy-paste PR guff.

This PDP-11/70 was due to predict an election outcome – but no one could predict it falling over

Concrete Gannet

Happy days

Those were the days. Jumper pins 4 and 5, and jumper pins 6, 8 and 20.

This book: https://www.amazon.com/dp/0137498705/ had details of how to make over 800 different devices work with the RS-232 "standard".

Chinese tat bazaar Xiaomi to light a fire under Amazon's Kindle with new e-book reader

Concrete Gannet

Can Xiaomi make a go where Sony gave up?

Sony withdrew from the e-reader market in 2014. If they can't make a go of it, can Xiaomi?

Languishing lodash library loophole finally fitted for a fix: It's only taken since October to address security bug

Concrete Gannet

Supporting critical open source

Critical open source with too few to maintain it is a serious problem, but people are working on it.

The Ford and Sloan Foundations are supporting research to understand the issues: https://www.fordfoundation.org/campaigns/critical-digital-infrastructure-research/

In particular, have a look at Nadia Eghbal's report: https://www.fordfoundation.org/media/2976/roads-and-bridges-the-unseen-labor-behind-our-digital-infrastructure.pdf

OpenSSL is a prime example. Google, IBM, Microsoft, Intel and Facebook are now contributing to its maintenance: https://arstechnica.com/information-technology/2014/04/tech-giants-chastened-by-heartbleed-finally-agree-to-fund-openssl/.

Microsoft programming chief to devs: Tell us where Windows hurt you

Concrete Gannet

You shouldn't have to ask

"So, tell me your pain points" is the wrong question to ask.

Microsoft have zero institutional memory. People move too often and anything the previous person committed to is forgotten when someone new takes over. The question and attitude is symptomatic of that. Surely research and understanding has already been done, but Ms Liuson imagines she can start with a blank slate. Do not throw away what Microsoft as an organisation already knows.

Just throwing out the question will only attract answers from people who imagine that answering will be productive. People who have seen it all before will ignore it.

Platform change is the killer. If we have to make a wholesale change for an application to work on this year's "strategic platform", we may well abandon the platform altogether.

Concrete Gannet

Re: "We want to ask developers, what is your pain point"

"How about an easy way, consistent to embed and probe versions numbers of everything present on a machine?"

There is such a thing. You can use a Windows Management Instrumentation (WMI) query to discover what has been installed. If some piece of software isn't found by that, the vendor is not following Microsoft's guidelines and it's more their fault than Microsoft's.

This thread might be useful: https://stackoverflow.com/questions/673233/wmi-installed-query-different-from-add-remove-programs-list

Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Concrete Gannet
Happy

Don't stress, LKML is mirrored in many places

Like any well-known mail list, LKML is mirrored in other places, e.g.

http://linux-kernel.2935.n7.nabble.com/

and anyone who cares can use tools like PonyMail (https://ponymail.incubator.apache.org) to create their own archive.

So while the home location might be fragile, it can be re-established in days or weeks, and the history won't be lost.

Lenovo spits out retro ThinkPads for iconic laptop's 25th birthday

Concrete Gannet
Thumb Down

Why oh why only 1080 ?

All other specs for computers advance over time. Why are we so locked into 1920x1080 for screen res? I understand it would cost more, but I for one would be willing to pay a premium. Everything else about the Thinkpad 25 is fine, but that screen res is a dealbreaker.

Concrete Gannet
Boffin

How to fit old keyboard in newer Thinkpad

People have worked on retrofitting the old seven-row keyboard in newer Thinkpads:

https://www.youtube.com/watch?v=Fzmm87oVQ6c

http://www.thinkwiki.org/wiki/Install_Classic_Keyboard_on_xx30_Series_ThinkPads

Google routing blunder sent Japan's Internet dark on Friday

Concrete Gannet
Mushroom

Similar in Australia in 2012

In February 2012, Dodo (a smallish ISP) sent a BGP change to Telstra (by far the biggest in Oz) implying Dodo was the entire Internet.

https://bgpmon.net/how-the-internet-in-australia-went-down-under/

At the feet of the Great Monad, or, How the functional programming craze plays out

Concrete Gannet

Re: Been there, done that

"if it can't be done in Fortran 77, it's not worth doing" - Almost a direct quote from "Real Programmers Don't Use Pascal" - http://web.mit.edu/humor/Computers/real.programmers

Concrete Gannet
Thumb Up

Pleased to see Verity has graduated from "Bootnotes" to "Software"

Verity's oeuvre on El Reg has been listed under "Bootnotes". Until now. Today she graduates to "Software". Congrats Verity, well deserved!

Open Sorcerers: Can you rid us of Emperor Zuck?

Concrete Gannet

Open-source-equivalent-of-SAP is Apache OFBiz

Apache OFBiz (ofbiz.apache.org) is an open source ERP system with a thriving community and broad ERP capabilities.

Concrete Gannet

Re: Maybe Open Source grew beyond expectation

Savings vs risk? Risks due to vendor lock-in are huge. "Maintenance" fees may double. Vendor may be bought (ERP Graveyard at http://www2.erpgraveyard.com/tombs.html shows some products acquired four times. What expertise would still be there?)

Nobody wants to dig in forums? Dead right. Open source enables a competitive market for support.

Samba man 'Tridge' accidentally helps to sink request for Oz voteware source code

Concrete Gannet

Re: First past the post

Used in Australian Capital Territory too

Concrete Gannet

Yup, but you just rigged one millionth of the vote, not the entire election.

Concrete Gannet

Re: Somewhat disingenuous headline

An FOI request is cheap and, if successful, would achieve the goal with minimal effort. Now it's clear the AEC won't part with the code, we need to lobby politicians to change legislation, either to 1. mandate open source software where the public interest is strong enough, such as for elections; or 2. change FOI legislation so that public interest trumps commercial considerations, and not the other way around.

Either change would be difficult to achieve and would require a public awareness and lobbying campaign, instead of an FOI request by one person. Michael Cordover did things in the right order.

Concrete Gannet

Re: Is source code necessary to validate correctness?

Michael Cordover has made associated FOI requests for test plans, test data and test harnesses external to EasyCount itself. If the sole purpose of the AEC's objections was to preserve the commercial-in-confidence status of EasyCount itself, they should have had no objection to making their tests freely available.

But they haven't. My guess is the tests aren't all that good.

Concrete Gannet

Re: Can someone from Australia fill us in

Yes, the Australian Electoral Commission is a statutory agency of the Australian government (http://www.aec.gov.au/About_AEC/index.htm).

As well as conducting Australian elections, it conducts elections for other bodies like trade unions and I seem to recall it has also made some export sales of EasyCount. The EasyCount software at the heart of Michael Cordover's request is a money-making product for the AEC.

As others have observed here, it seems AUD 18m a year of revenue trumps the right to verify that elections are fair.

Sadly, public sector agencies in Australia often try to derive commercial value from their assets. There is considerable institutional resistance to open data. For example, the public sector mapping people have only just made geocoded address data freely available (https://blog.data.gov.au/news-media/blog/geocoded-national-address-data-be-made-openly-available); it used to be very expensive to get access to that data. Vital statistics registries have made profits from publishing birth, death and marriage data for family history researchers.

My understanding is that in the US there's a general culture of "the taxpayer has already paid for it, so the taxpayer should have it without further expense". That hasn't been the case in Australia.

While it's conceivable an incumbent government might attempt to tell the AEC to rig an election, it would be nigh-impossible to pull off. The AEC is an arms-length independent body. It determines electoral boundaries, and we don't have gerrymandering. If there is any flaw in EasyCount that allows an election to be miscounted or even rigged, I think it likely it would be by accident and not design.

The dev-astating truth: What's left to develop? Send in the machines

Concrete Gannet

Re: "According to some observers, there's still some way to go"

Yes, we're nowhere near maturity, but you miss the scale of the problem we're trying to solve.

You don't want to *change* important subsystems in your car almost every day.

In contrast, software is soft. We implement software systems precisely so they can be changed. The right analogy is not your car, but trying to reconstruct the plane while it's still flying (https://www.youtube.com/watch?v=L2zqTYgcpfg).

This is an ambitious goal, and it's not at all surprising that we haven't achieved it. What is interesting is the progress we've made.

Concrete Gannet

Four bullet points is not a framework

"There's even a question as to whether Agile is a framework in its own right..."

It is not, no question.

The Agile Manifesto (http://agilemanifesto.org/) that started it all has four bullet points and talks about principles, not practices.

Agile is a very broad church. There are many more prescriptive processes like XP and Scrum that add more detail and might be regarded as a framework.

Microsoft's equality and diversity: Skimpy schoolgirls dancing for nerds at an Xbox party

Concrete Gannet

Microsoft have form (no pun intended) here. In 2010 they had scantily-clad "meter maids" at their Tech Ed conference: http://www.smh.com.au/technology/technology-news/meter-maids-stunt-backfires-at-microsoft-geek-gathering-20100826-13t2f.html.

Microsoft has crafted a switch OS on Debian Linux. Repeat, a switch OS on Debian Linux

Concrete Gannet

Embrace, extend, ...

It's hard to extinguish a hundred-headed hydra.

Concrete Gannet

Re: Linus Torvalds: 'If Microsoft ever does applications for Linux it means I've won.'

What you are saying is that Microsoft have changed from being an irrational profit-making company to a rational profit-making company.

In what way is the new Microsoft different from every other profit-making company you do business with?

Concrete Gannet

Re: "Microsoft will stop at nothing to pervert what it touches."

To separate configuration *data* from *code*. The latter, if well-written, should not change, or should not change often. Code can be supplied by a third party.

You make your own decisions about config data, and may want to change it more frequently. The code re-reads your updated config data.

Too many systems mash these two together, which means an attempt to modify config data risks breaking code that was working perfectly well and did not need to change.

Earth wobbles on axis as Google rebrands

Concrete Gannet

Pun on pseudo?

Typewriters suck. Yet we're infinitely richer for those irritating machines

Concrete Gannet
Happy

Matt Ridley's book "Rational Optimism" supports the case that we really are richer. If you look at how many hours of labour it takes to light your home, that number has decreased by tens of thousands in the space of two centuries. There's a nice summary here: http://www.rationaloptimist.com/blog/reader's-digest.aspx

Tony Abbott says food importers deserve help denied to telcos

Concrete Gannet
FAIL

Two words...

National Party

Moto 360: Neat gizmo – if you're a rich nerd

Concrete Gannet

How about a watch that has the correct time?

I think it is insane that the time is instantly available to phones, Wifi access points and so on, and yet I have to adjust my *watch* by hand. In my part of the world, we don't have low frequency radio time signals, so a so-called "atomic" watch isn't an option.

The killer app for a smartwatch is that it will have the correct time, automatically.

Jodee 'One.Tel' Rich spruiks .CEO sites for email LIKE A BOSS

Concrete Gannet

Jodee "One.Tel" Rich is also Jodee "Imagineering" Rich. His companies seem to have a habit of overgearing and collapse.

'Fatal flaws' in Google's revised search antitrust overhaul, says Foundem

Concrete Gannet
Thumb Down

What Google does with "GM"

Type "GM" and click on "I'm feeling lucky".

Sorry, you're out of luck.

You might have expected General Motors, one of the largest companies in the world. Or perhaps Genetically Modified food, a major topic of environmental and political discussion.

No, the best match for GM is Google Mail. And they have an objective Algorithm that decided that. Yeah right.

SAP: We just can't gobble BlackBerry. We're stuffed with 'mobile solutions'

Concrete Gannet
Thumb Down

SAP buying Blackberry makes about as much sense as...

SAP buying Sybase.

Is the IT industry short on Cobolers? This could be your lucky day

Concrete Gannet
Headmaster

Integration Services replaced DTS in *2005*

Dominic,

I take your general point that ETL tools can be useful during conversion between different languages and systems. But DTS died *eight* years ago! The replacement is SQL Server Integration Services. If you want your candidates to be up to date, maybe you could be too. Hmmm?

Cheers

Concrete Gannet

Lenovo deal to buy IBM x86 server biz moving along fast

Concrete Gannet
Holmes

Operating

It's easy to achieve "at least $20 in operating earnings per share" if you control the number of shares. Just buy back enough of them, job done.

Can we have a substantive and meaningful goal please?

NBN collapses* into chaos*

Concrete Gannet
Thumb Up

Re: Bye, bye copper!

Like the freeway (motorway) system, the NBN is for business, and consumers getting some benefit is secondary.

While you can sort of download video over ADSL2+, upstream speeds are hopeless.

Businesses will leap at the ability to send digital content to clients, to have feasible remote backup, to update their web site in a reasonable time, to remote desktop into their systems, to have videoconferencing, ... in short, to create bits as well as consume bits. The NBN's wholesale price for 100Mbps down and 40Mbps up will be $38 per month. That is revolutionary. Any digitally aware smaller business will get this the moment it becomes available.

Oz Bank share price dives after reveal of IBM/Oracle plan

Concrete Gannet
FAIL

Re: good thing I don't bank there ...

"Irrelevant minnow"? Horse feathers.

NAB is 36th largest by assets in the world. All the Australian big four are in the top 50 banks in the world, see http://www.bankersaccuity.com/resources/bank-rankings/.

Australia's banking sector is very concentrated, so the big four are very big banks in global terms.

Optus to shutter Unwired

Concrete Gannet
Facepalm

What now for WiMax smart electricity meters?

One of the electricity distributors in Victoria, SP Ausnet, is using WiMax for communications to and from smart electricity meters. See http://www.dpi.vic.gov.au/smart-meters/publications/reports-and-consultations/advanced-metering-infrastructure-cost-benefit-analysis/3.-technology-deployed-in-victoria.

This always seemed dumb from several perspectives:

- making a bet on the winner in mobile broadband standards wars

- an electricity company building its own base stations when perfectly good ones already exist built by people who know how to do it

Now WiMax is dead for any other purpose in Australia, surely SP Ausnet should rethink?

Pacemakers, defibrillators open to attack

Concrete Gannet
Alert

See Karen Sandler's talk

Karen Sandler is currently Executive Director of the Gnome Foundation and previously worked for the Software Freedom Law Center, so she has a considerable background in open source software.

She also has a heart condition and her cardiologist advised her to get an implanted defibrillator. Which contains software. She asked to see the source code to independently verify the quality of the code that purports to possibly save her life. As the original article says, this code just might kill her.

Here's her story of what happened next.

http://www.youtube.com/watch?v=5XDTQLa3NjE

Register SPB hacks mull chopping off feet

Concrete Gannet
Headmaster

Re: Converting to old fashioned units

Hear, hear.

"Baumgartner jumped from an altitude of 29,455m (96,640ft), hitting 586.92km/h (364.69mph)" and "in a pressurised 1,315kg (2,899lb) capsule".

No. Nobody measured the height to a precision of a metre, or speed to a precision of 0.01 km/h. If you quote two significant figures for a number, you're within one percent. Stop there. Expressing a round number in one system of units as a number with many significant figures in another implies a level of precision that almost certainly wasn't there in the original measurement.

There's the old joke about the curator in the museum who was asked how old the dinosaur skeleton was, and said "66 million and 4 years". When the visitor expressed surprise they knew the age that precisely, the curator said, "Well, when I started here they said it was 66 million years old, and I've been working here four years now."

I am always amazed in debates about metrication in Britain and the US that nobody looks at what happened in Australia. The sky didn't fall in, people. Really it didn't.

Home-grown drone finds ‘missing’ hiker

Concrete Gannet
Thumb Up

Great video here on the team's plan

The article doesn't mention that the winning Canberra team are open-sourcing everything they do. In other words, their competitors next year will be able to build on another team's winning entry this year.

There is a great talk on the team's preparation by Andrew Tridgell of Samba fame at

http://www.youtube.com/#/watch?v=ML__e_ZcWiQ
