* Posts by Simon Brady

56 posts • joined 27 Jul 2010


Apple patches 'actively exploited' iPhone zero-day with iOS 15.0.2 update

Simon Brady

What about iOS 14?

If you're using an iPhone, install the iOS 15.0.2 update immediately

Apple haven't released a corresponding update for iOS 14.8: does this mean it's not affected, or are we looking at a mandatory upgrade to 15 to get the fix? You'd think there would be an authoritative "affected versions" list, but even the CVE reference leads nowhere.

Apple hardware priced so high that no one wants to buy it? It's 1983 all over again

Simon Brady

Buried treasure

Apple quietly buried its remaining unsold stock of some 2,500 Lisas in landfill in 1989

They may not inspire the auction frenzy of an Apple I, but has anyone ever considered digging them up for a retro sale?

Florida man stumbles on biggest prime number after working plucky i5 CPU for 12 days straight

Simon Brady

Re: $3k prize?

This raises an interesting question: what does BTC need to trade at before it's more profitable to spend your compute power hunting for primes? (Choosing an appropriate unit of compute to base the comparison on, e.g. general-purpose CPU/GPU throughput or FPGA gate count.)

Uncle Sam fingers two Chinese men for hacking tech, aerospace, defense biz on behalf of Beijing

Simon Brady

Coordinated attribution?

Not sure if this represents a Five Eyes-wide decision to publicly point the finger, but New Zealand's NCSC has chosen today to also attribute recent attacks to China (APT10 isn't named in the press release, but it's strongly implied by the link to previous NCSC guidance).

Huawei gets the Kiwi 'yeah nah'* as NZ joins the Chinese kit-ban club

Simon Brady

Trust but verify

A couple of theories that spring to mind:

(1) The GCSB is doing its job. They have access to classified threat information that can't be discussed in public, but it leads them to the unavoidable conclusion that it's less damaging to NZ's national interests to interfere with healthy commercial competition than to let Huawei kit in.

(2) The GCSB isn't doing its job. For murky reasons that involve keeping our Five Eyes partners happy they're screwing Spark and the country's future infrastructure over, under a smokescreen of "trust us, we know what's best for you." Or maybe they just like Vodafone.

(Or, more depressingly, (1.5) The GCSB is doing its job. They've made the hard-nosed decision that the Huawei "threat" is Trump Administration bluster, but Five Eyes is valuable enough that it's better for the country overall if we play along.)

The problem is that none of these theories are refuted by the known facts. As an NZ citizen I'd very much like to believe (1), and as a grown-up I grudgingly accept that (1.5) isn't outside the bounds of realpolitik. However, with the massive loss of public trust that the intelligence community brought upon itself with the Snowden disclosures you don't need a tinfoil hat to accept the possibility of (2). I do have some sympathy for the GCSB here, because even if they could declassify all the evidence behind their decision they'd still be accused of selective disclosure and nothing would change.

Ultimately though, it's irrelevant. Whether thanks to conspiracy or cock-up (here's looking at you, Cisco), we have to assume that any technology we import can't be trusted to behave in our national interest. I just hope that the people responsible for risk mitigation view all vendors as sceptically as they do Huawei.

Check your repos... Crypto-coin-stealing code sneaks into fairly popular NPM lib (2m downloads per week)

Simon Brady

Where old software goes to die

Reading the comments on the GitHub issue, I can sympathise with Tarr saying "I no longer wish to be burdened with responsibility for this code, no matter how many people may have come to depend on it." Far too many of us who consume open source software feel entitled to upstream support even though that's not how the contract works (I'm guilty myself of muttering imprecations at authors of code which has cost me precisely nothing).

That said, fading support and ambiguous deprecation is a real problem, both with OSS and non-free products (non-free vendors seem a bit better at formally ending support so at least you know where you stand, but there are plenty of exceptions). If "the community" needs to maintain the integrity of an abandoned project, then we need a process for reliably doing that, but first we need clarity that the project has been abandoned - that includes walking the dependency tree to see if there's buried reliance on code that hasn't been touched in years.

Maybe that's a useful function of repositories like NPM, to help people assess the risk of using packages they host?

Microsoft Azure looks to make cloud-native payments SWIFTer

Simon Brady

There's no I in team, but there's AI in fail

Machine learning algorithms, which seem to be compulsory in any new technology, validate the instruction before sending it on to SWIFT via Microsoft's SWIFT installation in the cloud.

Let's hope they've been trained on the headline-grabbing instructions that have emanated from North Korea...

Google now minus Google Plus: Social mini-network faces axe in data leak bug drama

Simon Brady

Absence of evidence

...is not evidence of absence. According to the WSJ article:

During a two-week period in late March, Google ran tests to determine the impact of the bug, one of the [unnamed WSJ sources] said. It found 496,951 users who had shared private profile data with a friend could have had that data accessed by an outside developer, the person said. [...] Because the company kept a limited set of activity logs, it was unable to determine which users were affected and what types of data may potentially have been improperly collected, the two people briefed on the matter said.

So it might in fact be true that the vulnerability was fixed before it was exploited. But the claim "Google know for sure no harm was done, therefore they had no obligation to tell their customers" simply isn't justified on the face of what we know. The hypocrisy is indeed strong here.

Remember that lost memory stick from Heathrow Airport? The terrorist's wet dream? So does the ICO

Simon Brady

Re: How hard can it be?

Yet again I’m left asking why an organisation allows an employee to copy data to a USB stick.

Maybe the stick was labelled "Lady Gaga".

Secret IBM script could have prevented 11-hour US tax day outage

Simon Brady

Damned if you do, damned if you don't

Up to a point I can sympathise with the people making the call on the microcode upgrades. A firmware upgrade on any enterprise storage kit is a Big Deal with huge potential for problems, and nobody wants to be the customer who discovers the lurking data corruption bug in the latest release. It doesn't help that all the release notes I've seen are written from the firmware developer's perspective, so the customer is caught between vendor support saying "of course we recommend you upgrade to the latest release" and a list of micro-detailed fixes that give no clear risk guidance to the end user.

Maybe what's needed is for something akin to CVSS scoring for security updates: I don't care which low-level firmware component had obscure bug XYZ, I want to know (1) how likely is it to to affect me, (2) how bad will the impact be if it's triggered, and (3) how risky is implementing the fix. Otherwise you're left making the best call you can, and inevitably some of those calls will be wrong.

Holy macaroni! After months of number-crunching, behold the strongest material in the universe: Nuclear pasta

Simon Brady

A fitting tribute


Mad scientist zaps himself to determine the power of electric eel shocks

Simon Brady

Shoddily-set-up Elastisearch hosting point-of-sale malware

Simon Brady

Re: This doesn't make sense

"Their data" may mean "our data" and nobody should be able to leave that exposed.

I completely agree - by "should be able to" I meant "with the current implementation as I understand it, the worst I expect to be possible is that..." rather than "it's acceptable for an incompetent admin to be able to..." Upvoted both for the principle expressed and for catching my sloppy wording.

Simon Brady

This doesn't make sense

Both this article and the Kromtech post are missing something critical. It sounds like they're talking about Amazon's managed Elasticsearch Service offering, where you point and click (or not) through the console to have a cluster set up for you. But that service doesn't give you host access and it doesn't even let you install ES plugins of your choice, even if you are enough of a muppet to not configure any security.

The worst a dumb customer should be able to do is leave all their data exposed for the stealing and/or deleting. But Kromtech claim "the lack of authentication allowed the installation of malware on the ElasticSearch servers." If those managed ES versions can be remotely compromised through their REST APIs, wouldn't that be a fairly obvious thing for a provider to have patched?

If on the other hand we're talking customer-built (unmanaged) ES clusters, then the majority of the article is misleading if not downright wrong.

Google's Chrome is about to get rather in-your-face about HTTPS

Simon Brady

Security and obscurity

So if the Chrome team's mission is to help users be secure, why has Chrome ca. 56 made it so much harder to view certificate details? Up until recently you could right-click on the "Secure" marker in the address bar and go straight to the cert - now all that gives you is a link to a generic help page, and you have to drill down into the Developer Tools UI to find this information.

In what world is this an improvement?

Oi, Mint 18.1! KEEP UP! Ubuntu LTS love breeds a laggard

Simon Brady

Re: You can change that behaviour

Preferences -> Screensaver -> Customize -> Ask for a custom message when locking the screen from the menu

Could YOU survive a zombie apocalypse? Uni eggheads say you'd last just 100 days

Simon Brady

Re: The first thing that occurs to me

Don't be so quick to dismiss the topic - Canadian academic Robert J. Smith? (yes, the question mark is deliberate) has modeled zombies and Bieber Fever as well as his more serious work on mathematical epidemiology:


Mathematicians care about the abstract model, not pesky little application details. And when the zombie apocalypse strikes, you'll be glad their work got funded.

$17k win for man falsely accused of a terrible crime: Downloading an Adam Sandler movie

Simon Brady

Re: Well thought out strategy

She ruled that Gonzales was right to bill them for the 55.2 hours of lawyer's time he had paid for.

What about the parking fees? Trust El Reg to leave out the most important part...

Online advent calendar offers mystery VM every day until Christmas

Simon Brady

Well played indeed

I for one welcome our 16-bit virtualised overlords.

AWS chucks 2TB X1 instances at SAP memory hogs

Simon Brady

Re: Must stop glancing at headlines

Well for all we know, there could be 2,046,820,352 ZX81s providing that 1952GB, with 15,990,784 clustered together for each vCPU (because not even Amazon with their "everything fails, all the time" design philosophy would trust those dodgy RAM expansion cartridges).

Obama to admit Moon landing was faked?

Simon Brady

Re: The bet on aliens landing

It's all in the wording, folks

As our friendly El Reg headline-writers know well:


30 years on from Challenger, NASA remembers the fallen

Simon Brady

Re: "Killing season"?

Agreed. I appreciate a witty Reg subheading as much as the next reader, but this one was poorly chosen and detracts from the otherwise respectful tone of the article.

Oracle drops 248 – count 'em – 248 patches, to fix ... something

Simon Brady

CVE details? Yeah right...

Oracle gives its risk matrices to everyone but keeps the details of individual CVEs (Common Vulnerabilities and Exposures) to users with log-ins to its support portal.

This is incorrect. The Patch Availability documents linked to from the announcement are just that - they detail which patches to download for which product versions and link to other support docs for known issues, non-standard patching instructions, etc. They don't provide paying customers any more detail on the vulnerabilities than what Joe Public can infer from the risk matrices, which shouldn't be surprising:


(I have my own support contract with Oracle as an independent consultant, so the above is based on first-hand readings of the docs.)

Coding with dad on the Dragon 32

Simon Brady

Re: Learning.

In the unlikely event I ever bump into Frank Ostrowski I'll be more than happy to compensate him for any alleged loss of licence fee at the time (I was 11 or 12 so my pocket money would not have extended as far as ordering software from Germany) and buy him as many pints as he can sink in a night.

Well said, sir. A good chunk of the troubleshooting skills that keep me employed today trace right back to breaking copy protection on games I could never afford as a kid. For all it's cold comfort to the vendors of yesteryear who went out of business, it would be an honour to meet them and repay my childhood debts.

Boffins clock MONSTER BLACK HOLES inside quasar-hosting galaxy near Earth

Simon Brady

Type mismatch error

Dear Reg,

100,000 is read as "one hundred thousand". "Few one hundred thousand" != "Few hundred thousand". Please stop making my brain hurt this early in the morning.

Thank you.

Five lightweight Linux desktop worlds for extreme open-sourcers

Simon Brady

When size really matters

For even more resource-constrained environments there's Tiny Core Linux (http://tinycorelinux.net). A basic FLWM LiveCD image weighs in at 15MB and it'll run happily in 64MB RAM. Obviously that doesn't give you a lot of functionality, but it has a nice fine-grained package system that you can tailor to get exactly what you want and nothing else.

I'm not sure I'd be game to use it for my primary work machine (mostly because security updates are ad-hoc, AFAICT), but for special-purpose boxen it's hard to get more lightweight that this.

Polish plane IT attack? Apparently not, just a simple DDoS

Simon Brady

Meh, who needs hackers when a network failure can take down all your ATC radar at once:


Dossiers on US spies, military snatched in 'SECOND govt data leak'

Simon Brady

Form 86

The IT questions in Section 27 are interesting:

Have you illegally or without proper authorization accessed or attempted to access any information technology system?

Have you illegally or without authorization, modified, destroyed, manipulated, or denied others access to information residing on an information technology system or attempted any of the above?

Have you introduced, removed, or used hardware, software, or media in connection with any information technology system without authorization, when specifically prohibited by rules, procedures, guidelines, or regulations or attempted any of the above?

If you're applying for clearance to work at the NSA, the correct answer is presumably "yes".

Is that a graphics driver on your shop's register – or a RAM-slurping bank card thief?

Simon Brady

Life imitating art?

Meanwhile, in the background, MalumPoS uses regular expressions to sift through memory and locate fresh credit card information.


Average enterprise 'using 71 services vulnerable to LogJam'

Simon Brady

The sins of the fathers

... the LogJam flaw shows how internet regulations and architecture decisions made more than 20 years ago are continuing to throw up problems.

Headlining El Reg in 2035:

"Modern internet vulnerable thanks to mid-2010s panic over paedophiles and terrorists. Also, Paris."

Are we looking at the first domain name meme? Neigh

Simon Brady


That was worth a Ctrl-U, just to learn that the Stupid Sh*t No One Needs & Terrible Ideas Hackathon is actually a thing.

Colleen Josephson, we salute you.

OpenFlow busts out of the data centre with 15,000-route Pacific test

Simon Brady

Re: what?

[Citation needed], but I'm guessing that's a reference to section 48 of the Telecommunications (Interception Capability and Security) Act 2013:


This requires network operators to advise the GCSB when they make changes within "areas of specified security interest" as defined in section 47. That section lists things like interception capability, storage of customer or network admin credentials, and parts of the network that aggregate large volumes of customer data (in flight or at rest). I'm neither a lawyer nor a network engineer, so hopefully someone better qualified can explain what this all means in practical terms.

OMFG – Emojis are killing off traditional 'net slang

Simon Brady

Re: Emoji vs emoticon

I'd always assumed that "emoji" was a portmanteau of the "emo" in emoticon and the Japanese "ji" meaning character (as in "kanji", literally "Han [Chinese] characters"), but it's actually a Japanese word in its own right.

Kenkyusha's New Japanese-English Dictionary (5th ed.) defines it as "a pictorial symbol; picture writing; a pictograph" and gives the kanji 絵文字 (絵 "e" means picture, as in the famous ukiyo-e art style, and 文字 "moji" means written character). According to the Japanese Wikipedia article on 絵文字 the first encoded emoji was the baseball symbol in CO-59, a 1959 interchange code used by a group of large newspapers (carried into Unicode as U+26BE).

How a hack on Prince Philip's Prestel account led to UK computer law

Simon Brady

The Hacker's Handbook

The Hacker's Handbook was one of my most prized possessions as a spotty teenager. Reading the text now (http://www.textfiles.com/etext/MODERN/hhbk), I have to smile at gems like this:

"Hacking is an activity like few others: it is semi-legal, seldom encouraged, and in its full extent so vast that no individual or group, short of an organisation like GCHQ or NSA, could hope to grasp a fraction of the possibilities."

They sure got that right...

Canadian bloke refuses to hand over phone password, gets cuffed

Simon Brady
Big Brother

Not just Canada

Here in NZ they want a blanket right to demand passwords even without reasonable cause:


But it's okay, they promise not to disclose any lawful content and we all know government agencies never abuse their powers.

Your hard drives were riddled with NSA spyware for years

Simon Brady

Use the source, Luke

Is there really "zero chance" the malware authors could hack drive firmware without access to the source code? Sure, publicly available firmware binaries are probably obfuscated in nasty ways and would require a lot of reverse engineering even after decryption, but why should that be beyond the ability of a well-resourced organisation like the NSA? There's a long tradition of amateurs hacking DVD-ROM firmware to disable region locking, for example - if J. Random Hacker can do this in the comfort of their own basement, why can't the professionals do it on a grander scale?

Solaris fix-it firm offers free Bash patch for legacy Oracle kit

Simon Brady

I'm no lawyer, but their Support Terms of Use make it pretty clear that you can't access the site for the purpose of giving your customers something they aren't entitled to themselves:

"You agree that access to the Support Portal, including access to the service request function, will be granted only to your designated support contacts and that the Materials may be used only in support of your authorized use of the Oracle product and/or cloud services for which you have a current support contract. Except as specifically provided in your agreement with Oracle, the Materials may not be used to provide services for or to third parties and may not be shared with or accessed by third parties."

Where it gets murky is the situation you've described, where you pick up knowledge in the course of your authorised access that happens to be helpful to a third party sometime in the future. My guess would be that saying "oh hey, I have a downloaded copy of a support article that might come in handy here" is out, but saying "I've hit this problem before and I remember what the fix was" is ok - unless Oracle want to claim they own the part of your brain holding their content, of course...

It sounds like the behaviour described in the article, offering patches you've written yourself without access to licensed support material, is quite different from what they're squabbling about in the lawsuit. Whether it contravenes some other license clause is a whole separate question.

Scientists skeptical of Lockheed Martin's truck-sized fusion reactor breakthrough boast

Simon Brady

Gentlemen, you can't fight in here! This is the War Room!

Interesting that out of all the potential applications they chose to highlight powering aircraft. With the level of scepticism they must have expected, surely the last thing they need is to remind people of the 1950s atomic-power-will-solve-everything optimism that fuelled the Aircraft Nuclear Propulsion programme. Then again, if they could demo this puppy in a B-36 I for one would buy tickets to watch.

(Mine's the one with the lead lining.)

Intel's SECRET Xeons: tell us what you think Chipzilla's hiding

Simon Brady

Re: Close with Z80 - but what about the 6502?

"Or better yet how about one which spins up half a million Z80 instances, half a million 6502, and none of those instances would talk to each other?"

Just the ticket for anyone wanting to virtualise half a million Commodore 128s (and who doesn't?).

IBM Hursley Park: Where Big Blue buries the past, polishes family jewels

Simon Brady

On the A3090

Good address for an IBM site.

As WinXP death looms, Microsoft releases its operating system SOURCE CODE for free

Simon Brady

Re: Are you insane?

"Black hats would be combing it over for vulnerabilities applicable to Vista, 7, 8, and 8.1 too."

So the same as MS-DOS 1.1 then.

HPC geeks ponder 100 petafloppers and quantum supercomputers

Simon Brady

Re: How do you rank them?

I propose a new unit of unquantifiable performance, the Wally:


Thanks, NSA: Amazon sales of Orwell's 1984 rise 9,500%

Simon Brady

Re: Orwell vs Huxley

> TOTALLY! Shades of Pink Floyd's "The Wall" HA!

Or the Roger Waters solo album Amused to Death, which was inspired by Postman.

Are you in charge of a lot of biz computers? Got Java on them?

Simon Brady

Re: Upgrading from JRE 1.6

To be fair to Oracle, EBS has been certified with JRE 7 since December:


The Metalink notes say they also support IE9 and Firefox ESR 17 on Win7. I have a lot of gripes about how Oracle handles certification and patching in general, but in this case the criticism isn't justified.

Maybe don't install that groovy pirated Android keyboard

Simon Brady

Re: "Should custom Android keyboards even be allowed?"

Of course not, because why would any phone user ever need an input method for a language that doesn't come pre-installed by their provider? If English was good enough for Our Lord it should be good enough for us.

6 London boroughs haul all their kit to 1 Oracle biz product

Simon Brady

What could possibly go wrong?

This worked a treat in Western Australia:


Apple launches three-pronged education assault

Simon Brady

Somebody think of the mathematicians!

In maths TeX and its cubs are pretty much the standard for writing technical books. Surely Apple know the education sector well enough to realise this, and don't expect serious authors to use drag-and-droolware?

Now Russians can't even contact their busted Mars probe

Simon Brady


Am I the only one who hears the Quake 3 announcer voice when they read the probe's name?



Biting the hand that feeds IT © 1998–2021