* Posts by RichardBarrell

45 posts • joined 11 Oct 2010

Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too


Re: Is there any advantage left by using commercial certs?

As chroot mentions in the other comment, browser vendors eliminated the visual differences between EV and non-EV certificates a while back.

Empirical experiments were run & demonstrated pretty conclusively that nobody was checking for (or cared about) the extra UI widgets browsers used to put in the address bar for EV certs. In general, people do notice negative security indicators ("not secure", red bars, etc) but they don't notice the absence of positive security indicators (like https markers).

(When I say "nobody", I mean really, nobody. Not just lay audiences: people in IT, programming and information security too.)

Apple gives Boot Camp the boot, banishes native Windows support from Arm-compatible Macs


> the lack of an ARM-native Chrome was the biggest issue with Windows 10 ARM

Mildly surprising, since so many Chromebooks are ARMs.

Frenchman scores €50k compensation for suffering 'bore-out' at work after bosses gave him 'menial' tasks


Thank you for explaining.


I have a dumb question. Why was the constructive dismissal (by trying to bore him to death) forbidden but there's no mention here of sacking him because of a health issue being illegal?


Re: Horrible flashbacks

Perhaps the reason your slow days were really bad is that you were overstressed from the fast days and actually needed the time to recover? What you're describing sounds similar to how people often talk about intermittent burnout.

Western Digital shingled out in lawsuit for sneaking RAID-unfriendly tech into drives for RAID arrays


Re: up to 2TB, it makes no sense to go mechanical

I think you only get SMART disk failure warnings about 1 time in 3.

When Google published large scale statistics on mechanical hard disk failure rates in their server fleet (enough years ago that I feel old thinking about how long), one of the conclusions they mentioned was that SMART disk monitoring gave them almost no false positives but lots of false negatives.

As I remember it, pretty much every time a drive announced an error via SMART, it died soon after. But when a drive failed, only about one third of the time was it preceded by SMART monitoring errors.

Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC


Re: New PC

FWIW if you're ever having difficulty finding PC cases that don't look like a disco ball covered in neon lights, I can strongly recommend Fractal Design. They have a whole range that all look like solid black monoliths from 2001.

Microsoft! Please, put down the rebrandogun. No one else needs to get hurt... But it's too late for Visual Studio Online


On the bright side, at least this time the new name is clearer than the old one.

What's vexing Linux-loving Gophers? A few things: Go devs want generics, easier debugging


Re: Link the world

I notice that with big projects written in Go, where you might have a couple of command line utilities, they all get bundled into one executable with "subcommands". Say, instead of having "foo-create", "foo-list" and "foo-delete" as separate executables, they'll output a single binary called "foo" that you run as "foo create" or "foo list" or "foo delete", so the file size overhead of static linking doesn't get multiplied up.

This has no real cost in performance, complication or convenience, it's just mildly interesting. Seems to happen with every language that uses static linking by default.

Plus it's microscopically trendy: you also see programs opt to use this style which are written in languages whose hello world binary is <10kB.

April 2020 and – rest assured – your Windows PC can still be pwned by something so innocuous as an unruly font


Fonts aren't innocuous

Fonts are about as non-innocuous as file formats can get. They have code embedded in them for hinting which font rendering engines often have to run. There is a long history of RCE vulnerabilities in font parsing and rendering software (on all platforms as far as I can remember). NoScript bans custom web fonts in its default configuration because NoScript's authors think they're a plausible vector for drive-by malware.

OK brainiacs, we've got an IT cold case for you: Fatal disk errors on an Amiga 4000 with 600MB external SCSI unless the clock app is... just so


Re: This can be easily explained

PC relative addressing came back into vogue in the last decade or so because of address space layout randomisation :)

Your mission, should you choose to accept it, is to save data from a computer that should have died aeons ago


Re: This sounds more like an On Call than a Who Me? column

Must've been a shortage. Maybe nobody committed any sins this week? :D

Game over, LAN, game over! Windows software nasty Emotet spotted spreading via brute-forced Wi-Fi networks


Re: Home WiFi

Not at all. None of them do anything like that. You're only going to see that kind of feature in shiny expensive enterprise setups that include an IDS.

With home routers, you're lucky if they're not accepting telnet connections on both the WAN and WLAN with hardcoded unchangeable password 'root'/'root'.

We surrender: SAP yields to customers, extends support for Business Suite 7 to 2027


Re: What's next?

This is what's confusing me. Why are they talking about 2027 and 2040 as end of support dates? ERP system integrations break entire enterprises when they go wrong, so obviously nobody wants to touch it once it's working well enough. Why aren't SAP talking about perpetual support for all their products, or at least support dates through the next couple centuries?

Personally, if I owned a SaaS business which had a profitable install base of totally locked-in customers paying subscriptions, I'd be pleased as punch to let them continue handing over money to me for whatever they're running now forever. Scale back development on the obsolete version(s) to security fixes, legally required updates, y2038 fixes and operating system compatibility only.

As I understand it, this worked great for Basecamp - they wrote their core product from scratch several times without ever making existing customers update. They still have lots of customers on obsolete versions which have maintenance programmers but get no feature updates. (Of course the customers who've built custom processes around old versions don't really even want any new features that might break their stuff anyway.)

Brit brainiacs say they've cracked non-volatile RAM that uses 100 times less power


Re: RAM clear on power off ?

The story was that researchers worked out a trick for this where you spray the RAM chips with an aerosol to cool them down. The contents decay slower when they're colder, so the time to steal the data can be extended to minutes. :)

Snakes on a wane: Python 2 development is finally frozen in time, version 3 slithers on


Bloody good headline.

That is all.

Bose customers beg for firmware ceasefire after headphones fall victim to another crap update


I believe the acronym is purported to stand for "Buy Other Sound Equipment".

Running on Intel? If you want security, disable hyper-threading, says Linux kernel maintainer


Props to Kroah-Hartman for giving credit to the OpenBSD people for getting paranoid about SMT first. ;)

I'm not Boeing anywhere near that: Coder whizz heads off jumbo-sized maintenance snafu


Re: Did anyone bother to test the RS6000 code?

It's plausible that this bug might only show up (at seemingly-random points) when you fed the software a manual with hundreds of pages, and most testing would likely have been done with quite short manuals.

Nix to the mix: Chrome to block passive HTTP content swirled into HTTPS pages


I thought Chrome already did this, at least sometimes?

...or maybe I'm thinking of a different browser.

I'm almost sure that I've seen at least *one* browser automatically block http requests on https origins.

Good change, yay, well done and let's have all UAs do this. :)

Multitasking is a myth: It means doing lots of things equally badly


The English language includes support for lists

Have you considered using the word "and" to describe your career? You're a writer, an editor, and a journalist. Easy and it doesn't make it sound like you're peeing on anything. If anyone asks "what kind of job title is that?" you just tell them that it's several job titles. You do several things.

As a side benefit it gives you more opportunity to assert the ascendance of the Oxford comma.

Clutching at its Perl 6, developer community ponders language name with less baggage


Python 2 has a backticks feature, but all it ever did was call repr(). It never invoked a command in a shell like backticks do in bash, Perl or Ruby.

In Python 3 the backticks feature was taken out because it's so rarely used that most Python users didn't know it exists - and the thing it did wasn't particularly useful, and it was kinda confusing anyway. You can just type repr(), it's only 4 more bytes. :)

We will hack back if you tamper with our shiz, NATO declares to world's black hats


I'm a tad confused.

Everyone, everywhere, is already hacking everything all of the time.

Are they planning to backdate all the declarations of war?

Python the latest language to slither into Microsoft's serverless Azure Functions service


Someone crueller - but also someone equally cruel. :D

Anyone for unintended ChatRoulette? Zoom installs hidden Mac web server to allow auto-join video conferencing


If I understand correctly what you mean, then no.

In the scenario described, the malicious traffic on tcp port 19421 isn't going through your site perimeter (by which I assume you mean a router at the edge of your network). It's going over the loopback device on the individual Mac being attacked. You're not going to block this in a router.

The attack goes roughly like this:

- I, a person who has once used Zoom, visit an ordinary website like https://www.evilbadguys.com/evil.html

- that website has a bit of HTML (or a bit of JS that generates HTML) in it like `<img src="http://localhost:19421/evil_bad_url">`

- now my browser generates a HTTP request to localhost:19421

- some badly written software running on my Mac is listening on :19421 for incoming connections, and does something unwise in response to that HTTP request, causing me to get spied on

- so the HTTP request which causes the bad thing to happen is going from my machine to my machine, just over the loopback device, without going through the perimeter at any point

- the only traffic that went through the perimeter was on tcp ports 80 or 443, because this was triggered by an ordinary website

Blocking connections to tcp 19421 at your perimeter isn't going to hurt anything but it also isn't going to fix anything. A firewall on the Mac itself which blocks traffic to that port on the loopback device could block it. I think the firewall that comes with Mac OS can do that (but I can't offhand remember if loopback traffic skips it. I would expect not.).

Oz watchdog claims Samsung's leak-proof phones ad campaign doesn't hold water


I think a couple of features might stop working. The capacitive touchscreen may have trouble: a quick test with my Android and a bit of cellophane suggests that they're not good at picking up fingers through plastic. I'd expect the WiFi and Bluetooth to stop working too, since water is mostly opaque to signals around 2.4GHz?

That this AI can simulate universes in 30ms is not the scary part. It's that its creators don't know why it works so well


The link to the paper is broken

The link to the paper in the article goes to https://www.pnas.org/content/early/2019/06/21/18214581162 which is a HTTP 404.

I think you wanted to link to https://www.pnas.org/content/early/2019/06/21/1821458116 instead.

When virtual mittens sell for thousands, of course gamers are ripe targets for cyber shenanigans


This isn't a *new* thing, though the scale of it may be, and the paper value of the virtual heists is going up. Stealing peoples' accounts in order to steal their in-game loot is about as old as MMOs.

Malware spotted doing unspeakable, filthy things to infected Macs – injecting Bing results into Google searches


Re: Flash is still required

Try using Chrome or Safari but changing the user-agent so that it reports itself as being an iPad?

I've seen this work before on e.g. the BBC's website a couple years ago. They were doing UA sniffing to decide whether to try to show you the news video via a dirty dirty SWF or a nice clean HTML5 video tag.

I'll just clear down the database before break. What's the worst that could happen? It's a trial


Re: never trust a PM

Surely you couldn't have fit 8GB RAM into a P2 box back then - that'd be about 6 grand's worth of (the cheapest possible available) chips at year 2000 prices?

8GB disk, maybe?

'Evolution of the PC ecosystem'? Microsoft's 'modern' OS reminds us of the Windows RT days


Re: If you want seamless updates...

When you dynamically link in a .so file, it's opened (read-only) and mmap()'d with the MAP_PRIVATE flag. This gives you a copy-on-write mapping. If you try to write to one of the pages in that mapping, the kernel will transparently stop you, make a copy of the page, then resume you with your own copy of the page. If a bunch of processes all link in the same .so file, they'll all share all of the pages in it that none of them try to write, and they'll each have their own private copy of each page that they do write.

In contemporary unixes, the pages from the text section ("text" in ELF land means "executable code") get marked as read-only by default, and the pages from the data section get marked as read-write by default. You can call mprotect() on the executable pages to make them writeable if you really want to (though this is considered a bad idea, and things like AppArmor or SELinux might stop you.)

For things like JITs that do runtime compiling of code, you're encouraged to do something like: call mmap(NULL, size, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) to get some pages that you can write but not execute, then write some code into them, then mprotect(addr, size, PROT_READ|PROT_EXEC) to mark them executable but no longer writable.

Having pages that are marked as writeable and executable simultaneously is allowed (unless you've got a super restrictive config set up with something like AppArmor or SELinux), but considered kind of a bad idea because it makes it easier to exploit things like buffer overrun vulnerabilities to get RCE.
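The copy-on-write mapping and the write-then-execute (W^X) pattern described in the comment above, as an added C example that is not part of the original comment; it assumes a Linux/POSIX host, uses a constructed temporary file, and only calls the generated stub on x86-64 (the mprotect to PROT_EXEC may be refused under a restrictive SELinux/AppArmor policy, as the comment notes).

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Copy-on-write check: map a (constructed) temporary file MAP_PRIVATE,
 * scribble on the mapping, and confirm the bytes on disk are untouched.
 * Returns 1 if the mapping changed but the file did not, 0 if the write
 * leaked into the file, -1 on a system-call failure. */
int cow_private_mapping_keeps_file_intact(void) {
    char path[] = "/tmp/cow_demo_XXXXXX";          /* constructed temp file */
    const char original[] = "shared library bytes";
    char buf[sizeof original];
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                   /* gone once fd is closed */
    if (write(fd, original, sizeof original) != (ssize_t)sizeof original) {
        close(fd); return -1;
    }
    long pagesz = sysconf(_SC_PAGESIZE);
    char *map = mmap(NULL, pagesz, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -1; }
    memcpy(map, "PATCHED", 7);                      /* kernel copies the page here */
    int mapping_changed = strncmp(map, "PATCHED", 7) == 0;
    munmap(map, pagesz);
    if (pread(fd, buf, sizeof buf, 0) != (ssize_t)sizeof buf) { close(fd); return -1; }
    close(fd);
    return mapping_changed && memcmp(buf, original, sizeof original) == 0;
}

/* W^X pattern from the comment: anonymous RW pages, fill them with code,
 * then mprotect to RX so the pages are never writable and executable at once.
 * Returns 0 if mmap failed, 1 if mprotect failed, 2 if both succeeded.
 * *ran_code is set to 1 only on x86-64, where the 6-byte stub
 * (mov eax, 42 ; ret) is actually called and its result checked. */
int wx_jit_pattern(int *ran_code) {
    const unsigned char code[] = {0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3};
    long pagesz = sysconf(_SC_PAGESIZE);
    *ran_code = 0;
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    memcpy(page, code, sizeof code);                /* write while still RW */
    if (mprotect(page, pagesz, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pagesz); return 1;             /* e.g. refused by an execmem policy */
    }
#if defined(__x86_64__)
    int (*stub)(void) = (int (*)(void))page;        /* now RX, never RWX */
    *ran_code = (stub() == 42);
#endif
    munmap(page, pagesz);
    return 2;
}

int main(void) {
    int ran = 0;
    printf("COW keeps file intact: %d\n", cow_private_mapping_keeps_file_intact());
    printf("W^X steps completed: %d, stub executed: %d\n", wx_jit_pattern(&ran), ran);
    return 0;
}
```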

Do not adjust your set, er, browser: This is our new page-one design


It looks a bit nicer than before. The behaviour on narrow screens is noticeably improved. I'm not sure what but something has improved in the way the front page layout handles titles with uneven lengths, and this version seems to be much less prone to putting strange big gaps on the page when someone's editor indulges their very-long-headline habit.

It looks similar enough to the previous design to still feel familiar, which is a big plus in my book. Thumbs up! :)

Microsoft's most popular SQL Server product of all time runs on Linux


Programmers' workstations

One place that may be the origin of a lot of downloads is that you can use the MSSQL server docker image to do development against a copy of MSSQL on your workstation in order to test code that uses the DB cheaply and easily before pushing code to staging servers on Azure. (Just set it to "developer edition", which it defaults to, and DON'T DEPLOY TO PRODUCTION because the EULA expressly forbids doing that.)

At least, that's what I'm using it for. It's really nice because you can a) run it on a Mac via Docker-for-Mac, b) use Docker's functionality for snapshotting the entire SQL server state, for repeatedly testing destructive operations, since SQL Server doesn't currently support that very well AFAICT. The slowest part is waiting about 6 seconds for the SQL server daemon to load and become usable.

PC repair chap lets tech support scammer log on to his PC. His Linux PC


Re: For the phone scammers ...

A conservatory on a 5th floor flat would look really cool though! Glass structures seemingly suspended in the sky are beautiful. That's why I always love to build them like that in Minecraft.

What do you mean, unrealistic structural mechanics? :)

Broadband internet in New York is so garbage, the state's suing Charter


The sub heading made me giggle. Well done. ♥

LG's $1,300 5K monitor foiled by Wi-Fi: Screens go blank near hotspots


Re: Did someone not do their EMC/FCC/CE testing then?

> "can even cause the connected Macs to freeze, requiring a restart." (? what's freezing here: the screen, the Mac, both?)

At a guess, it could be something like: the monitor goes faulty and repeatedly attaches and detaches from the display output on the Mac's video card; the Mac has to change the window manager & video card state when a monitor is attached or detached; the rapid toggling tickles a bug in the video driver or window manager, leading it to freeze; and you don't normally experience that bug because it's not normal to be able to repeatedly plug and unplug a monitor that quickly without a hardware fault.

Or maybe when the monitor's bugged it does something amusing like sending totally bogus EDID information that tickles a bug somewhere. "I have a width of -3200 pixels and I want to be driven at 4MHz" or something equally silly.

Given the complete uselessness of faulty hardware, bugs which only occur when you have faulty hardware plugged in aren't top of the priority list to fix. It's pretty reasonable that a problem like that could be left lying around for years.

WTF is OpenResty? The world's fifth-most-used Web server, that's what!


Re: Counting

Tumblr host sites on lots of domains. If you own a domain name and have a Tumblr blog, you can configure both so Tumblr will serve your blog on that name. e.g. http://tumblr.snipe.net/ is one - the domain doesn't end in ".tumblr.com", it belongs to someone else. These probably are the ones being counted. It's very plausible that as many as 160k domains have been set up like this; Tumblr have lots and LOTS of users.

Tumblr also have a lot of subdomains, which must not have been counted. Tumblr serve every blog on its own subdomain. e.g. http://dooktrain.tumblr.com/ is a blog posting pictures of ferrets (and maybe other stuff, I didn't look). Tumblr have a LOT more than 160k registered blogs: as far as I can tell, well into the hundreds of millions. One estimate I saw put it at 300 million this July.

Google machine-guns unpopular social products


Google Gears

Google Gears wasn't a pile of social network-ey "Web2.0rhea". It was the prototype sandbox for a whole load of nifty client-side things, many of which have now made their way into the HTML5 standard. Like localStorage, for instance.

Mixing network traffic types on Ethernet


Disk traffic trumps voice. Voice is still soft-realtime, but people won't notice a 5ms delay in their voice traffic. You darn well will notice sluggishness if someone adds 5ms extra delay to every disk seek.

Experts suggest SSL changes to keep BEAST at bay


No. They do the javascript injection on some other site that doesn't have HTTPS turned on.

So you've got one browser tab on https://paypal.com, and another browser tab on http://any.other.site.com. Rizzo and Duong perform a MITM to inject some javascript into http://any.other.site.com, and the javascript on that page causes your browser to make more requests to https://paypal.com for them to eavesdrop on.


3DES is just fine, Michael.


No, SSL 3.0 has exactly the same issue that TLS 1.0 has.

You can think of TLS 1.0 as SSL 3.1 if you like. They're very similar. The name changed when it went from being led entirely by Netscape to being a standards-committee process.

LG whips out dual-core Android smartphone


Re: "And how come no 2.3 already?"

2.3's stable release was only just this month. That isn't *nearly* enough time to put it (and all of LG's inevitable customisations to it) through anything like proper QA testing on the device.

Intel plays Switzerland in the cloud wars


No love for software hippies?

'Whenever someone starts waving "standards," it is always a prelude to war.' - are you sure about the 'always' here? I mean, there are software hippies like the nonprofit Apache and Mozilla people, and they both seem to be pretty keen on standards.

Commission proposes new EU cybercrime law


Re: Surely

You don't need to connect systems to the 'net for them to become compromised. Stuxnet has spread largely through infected USB sticks.


Biting the hand that feeds IT © 1998–2020