Re: NAT is not a firewall
(basically, block all incoming connections but allow all outgoing).
Glad you aren't doing my firewall, that is incredibly naive for anything except a home/SMB, and even then easy but not ideal.
Posts by eldakka
1743 posts • joined 23 Feb 2011
Page:
Watchdog slams Pentagon for failing – for a third time – to migrate US military to IPv6
Wednesday 3rd June 2020 14:04 GMT 
While in an ideal world, that's what you'd do, the problem with government agencies, especially if they have any security role, is certification. Especially security-related devices (firewalls etc.) could have a very short 'certified devices' list, with certification taking years, and being quite expensive to undergo therefore you only tend to find larger companies on it as a small organisation isn't wlling to stump up the $20k+ it could cost just to get certified, with no guarantee of sales volume.
2 years ago, an organisation starting widely using an internal CA for internal environments (dev, testing etc.). But getting a certificate signed was a very manual process. So someone had a bight idea, why don't they buy a Hardware Security Module (HSM) to store the CA keys and make signing automated. There are decent ones availabe for only around $2k, perfectly suitable for lower value dev/test cert signing.
But then someone pointed out to that any such device had to be purchased from an approved supplier with a certified device. So the catalog was found and perused, and the only single certified HSM on it, certified 2 years prior, that was $40k.
Well, that bright idea faded fast.
And, if it goes to tender, you'll have fun issues (if it's of any significant value) like with the current cloud tender that's been going on for a couple years now with multiple court cases. Or the Boeing v Airbus KC-45 tanker fiasco.
'Beyond stupid': Linus Torvalds trashes 5.8 Linux kernel patch over opt-in Intel CPU bug mitigation
Wednesday 3rd June 2020 02:25 GMT
I'm probably misunderstanding this:
Singh replied: "I am not so sure. A user can host multiple tasks and if one of them was compromised, it would be bad to let it allow the leak to happen. For example if the plugin in a browser could leak a security key of a secure session, that would be bad."
But as a user, I can run a debugger or dtrace or something and read the memory of any process running under my userid.
Therefore, couldn't one process running under my ID, if it was being deliberately malicious, just exec a debugger or dtrace (or include that functionality within its codebase) and hook into and read the memory of any other process I own anyway?
Wednesday 3rd June 2020 02:25 GMT
Re: git broke English
Both "huck" and "chuck" were used in Australia, though I think 'chuck' is more common.
Interestingly, WikiDiff's article on the differences lists a more extensive set of meanings for "chuck" vs "huck", and note that one of the meanings of "huck" is:
Verb(informal) to throw or chuck
Which implies to me that since chuck has many more potential meanings, and that one of the meanings of huck is chuck, that "huck" derived from chuck by just dropping the 'c' to have a word that has a more specific subset of "chuck".
e.g. chuck steak (steak from the shoulder), chuck steak (throw/toss some steak)
Whereas "huck steak" really has only one meaning (I think, IANALinguist), to throw some steak.
Choose your own adventure: HP's new Omen 15 gaming laptop offers choice between AMD and Intel processors
Nokia's reboot of the 5310 is a blissfully dumb phone that will lug some mp3s about just fine
Linus Torvalds drops Intel and adopts 32-core AMD Ryzen Threadripper on personal PC
Saturday 30th May 2020 19:44 GMT
Re: AMD Dreams
No. It was already and had been for a long time, possible to do that. Address lines rarely map directly to the the instruction size (they don't for the AMD64 current architecture, either) and physical memory addressing is orthogonal to instruction size. There is no "4G (sic)" limit. It's true that you need more than 32 bits for a memory address higher than 4 GiB but that's actually nothing to do with the processor's instruction size - 32 bit processors were addressing more than that long before people were worrying about it being a problem. PAE was the standard that addressed it, and it dates to 1995 (Pentium Pro), it also was directly extended to form the standard for memory addressing used in the AMD64 architecture.
PAE extended memory addresses to 36bits, which allowed the processor to address up to 64GB of physical memory. However, individual processes were still limited to a virtual address size of 4GB. So with PAE on pre-64-bit processors you could have multiple processes that require 4GB each to run, but none of those indvidual processes could address more the 4GB. Therefore in the OPs example of DB/2, that is directly referring to DB/2 process image sizes larger than 4GB, and java JVMs greater than 4GB, and so on. PAE didn't allow that, and being able to have an 8GB, 16GB or more individual process image is a huge boon for workloads that need large data sets, such as databases or statistical software like 'R'.
Saturday 30th May 2020 19:43 GMT
Re: AMD Dreams
But in the end, it failed even on technical grounds - it just didn't perform. It relies heavily on static analysis which is very inflexible.
Which is the job of the compiler on IA-64, which is what I meant by:
(among other things, like the concept never working as noone could get a proper optimizing compiler to work well on it);)
Tuesday 26th May 2020 08:04 GMT
Re: AMD Dreams
The big gain in the move to x86_64 was the ability to directly address more than 4G of RAM. At the time ('05?) that was becoming important. IBM had it in POWER and it really made a difference in DB/2.
There was a delay in bringing 64-bit addressing to x86. As you noted POWER had it before x86, as did SPARC (1994), Alpha, and Intel's own IA-64 (Itanium). But that was intentional by Intel.
Back then, as now, Intel loved to segment the market, to be able to push more SKUs with slightly differnet feature sets to better monetize their products (read: screw over the customers by ripping them off). Now there are different editions of essentially the same Intel CPU that have different memory support, not different types of memory, different sizes of memory.
Take for example the current 8280, 8280M and 8280L, which are essentially the same CPU. They are all 28c/56t, 2.7GHz-4.0GHz, 6 channel memory, 205W TDP processors. The only difference is 1TB, 2TB and 4.5TB respectively RAM support, costing approximate list price1 of $10k, $13k and $17k. Purely so Intel can charge a premium for greater RAM capabilities, there is no technical necessity in the different RAM limits or cost to Intel in supporting 1TB vs 4TB2.
In the early 2000's Intel was intentionally segementing the x86 market into low-RAM 32-bit x86, and if you wanted high-RAM 64-bit you'd go IA-64. It took AMD's AMD64 to break that, and Intel adopting AMD64 as x86-64 in its own processors to counter AMD was a major setback for their IA-64 (among other things, like the concept never working as noone could get a proper optimizing compiler to work well on it).
__________________________
1. no-one ever pays list price. It's the starting point for negotiating on price. Anyone buying one of these processors will pay substantially less, like 20% less. Anyone buying a significant volume, say fitting out a data centre with scores or hundreds, will pay 50% or less in all likliehood. But the ratio difference between the different memory support models remains in effect.
2. As evidenced by AMDs server-processor model where every server CPU can support 4TB of RAM. There is no RAM capacity segmentation.
Software bug in Bombardier airliner made planes turn the wrong way
After 30 years of searching, astroboffins finally detect the universe's 'missing matter' – using fast radio bursts
Surprise! That £339 world's first 'anti-5G' protection device is just a £5 USB drive with a nice sticker on it
Boeing brings back the 737 Max but also lays off thousands
Friday 29th May 2020 12:34 GMT
Re: It still doesn't look good for air travel
People have short memories,
Ted Danslow (Ernest Borgnine) said it best in Baseketball
Friday 29th May 2020 12:33 GMT
Re: "more than a dozen initiatives focused on enhancing workplace safety and product quality"
My guess would be that Boeing has a bunch of customers with contracts signed many years ago that are obligated to either take the aircraft -- certified or not -- or pay a substantial contract cancellation payment.
Bad guess. They have long-running contracts with customers for airworthy 737 MAX aircraft. If an aircraft is not certified, it is not airworthy, therefore Boeing would be in breach of their supply contract.
There was an article in the Seattle Times (Boeing's "home town" newspaper, therefore they have a local interest in Boeing journalism) about large cancellations of 737 MAXs vs Airbus aircraft (A320's) from the same airline (i.e. airline A had both 737 MAX and A320 orders, and they cancelled or reduced their MAX orders but leaving A320 ones untouched) because it was easier for airlines to get out of their purchase contracts weith Boeing because they could cite Boeing for non-compliance, where they had no such get-out with Airbus-ordered.
Ah, found the article, Boeing takes new blow with Avolon scrapping $3.8 billion 737 MAX order and this is the relevant quote:
“I do expect this to be the start of loads of deferrals and cancellations. I suspect that the Max is easier to cancel, and get back your deposit, as its been grounded for almost 13 months now,” said Nick Cunningham, an analyst at Agency Partners in London.
Friday 29th May 2020 12:31 GMT
for the inevitable bail out they be getting at some stage
They won't be getting a bailout any time soon, as they have had an injection of $25B through private investment and debt raising in April.
Boeing rules out federal aid after raising $25 billion of bonds
Boeing’s company debt now larger than New Zealand’s after huge bond sale
Boeing’s ‘monster’ debt offering is a double-edged sword
If that money runs out within 24 months they will be so debt-laden I doubt they would be recoverable as a going concern at all unless the government nationalises them. They would probably go into bankruptcy and be split up and sold off as multiple independent business units, say military aircraft to LM or another large - solvent - defense contractor.
IBM's sacking spree reaches Australia – and as staff wait to exit, they're offered AU$4k to find new workers
You E-diot! Formula E driver booted off Audi team after getting video game ace to take his place in online race
Wednesday 27th May 2020 10:18 GMT
Re: Integrity?
"Integrity, transparency and consistent compliance with applicable rules are top priorities for Audi...'...except when it comes to diesel emissions testing, obviously."
Or :
"Integrity, transparency and consistent compliance with applicable rules have now become top priorities for Audi since we realise there may be consequences for it being otherwise"
eBay users spot the online auction house port-scanning their PCs. Um... is that OK?
Wednesday 27th May 2020 09:55 GMT
It'll likely be used, along with other information, to assign a probability of fraud to the actions you're talking.
That is how threatmetrix works, yes. They calculate probabilities, and pass that on to their client (ebay in this case) as a threat rating, and it is up to the client to decide what to do with the threat rating. So, for example (random non-specific), usually you don't get prompted for 2-factor authentication when making a purchase on checkout. But for this transaction, for some reason they require 2-factor. It's likely something like threatmetrix (or similar service) has told ebay that this transaction has a higher threat rating than usual, but not so high as to just block it entirely.
Wednesday 27th May 2020 09:49 GMT
Re: Isn't this the same company that has users download DLL-files?
Any file extension in a URL is not necessarily tied to any particular file type, server-side.
Any file extension anywhere is not necessarily tied to a particular file type. A file extension is nothing more than a part of the name of a file, and some systems (looking at you Windows) make assumptions about a file based on a file extension.
Record-breaking Aussie boffins send 44.2 terabits a second screaming down 75km of fiber from single chip
Tuesday 26th May 2020 17:25 GMT
Re: Only part of the problem
75Km is not very far.
Hate to break it to you, but undersea cables currently have repeaters/amplifiers every 70-150km on them already. It's not a single unrepeatered/unamplified run of 5000km (or whatever the actual distance is, I don't have a ruler that long) across the Atlantic.
75km puts it within the range of current, unamplified distances (at the lower end sure, but still within the range).
Dude, where's my laser?
Capture the horrors of war in razor-sharp quality with this ruggedised Samsung phone – or just lob it at enemy forces
Monday 25th May 2020 01:39 GMT
Re: Vocab
The wikipeidia article is weird, I think it's broken.
In the 'introduction' of the article, it says 1972 is the first recorded usage of chaebol, but in the actual 'Entymology' section it says the 1980's.
The 1972 date is referenced from merriam-webster dictionary reference [2]), whereas the entymology is from the Oxford dictionary (reference [1]) that doesn't include the date in its reference. So not sure where the author of the wikipedia article got 1980's from, as that date is in neither of the supplied dictionary references. but the 1972 one it.
Friday 22nd May 2020 12:50 GMT
Re: Vocab
Not to mention that the word has been around for 40 years, as per wikipedia's article on the word:
The word chaebol derived from the McCune–Reischauer romanization, chaebŏl, of the Korean word jaebeol (재벌, from jae "wealth or property" + beol "faction or clan" – also written with the same Chinese characters 財閥 as Zaibatsu in Japan).[2] The word entered English use in the 1980s.[1]
UK's Ministry of Defence: We'll harvest and anonymise private COVID-19 apps' tracing data by handing it to 'behavioural science' arm
Facebook to surround all of Africa in optical fibre and tinfoil
'iOS security is f**ked' says exploit broker Zerodium: Prices crash for taking a bite out of Apple's core tech
Meteorite's tiny secrets reveal Solar System's sodium-rich, alkaline liquid past – a clue to formation of life
Thursday 14th May 2020 01:38 GMT
Re: Amino No!
Both the RNA polymerase complex which reads DNA into RNA and the ribosome which reads RNA strings to make proteins are largely made of RNAs.
From my casual reading, a polymerase is an enzyme, an enzyme is a protein, and a protein is an amino acid residue. Therefore no amino acids, no amino acid residues, no proteins, no enzymes, no polymerase, no replication.
Note that there is no scientifically accepted consensus on the definition of life. There is onging, current debate on whether, for example, viruses are considered 'alive' or not. About the only consensus is on what basics (in terms of molecules) are needed - but not necessarily sufficient in and of themselves - for life.
Russia admits, yup, the Americans are right: One of our rocket's tanks just disintegrated in Earth's orbit
Wednesday 13th May 2020 23:38 GMT
Re: Elon Musk isn't helping, is he
Maybe the first few starships sent up should be converted into Sanitation Cruisers?
Australian contact-tracing app sent no data to contact-tracers for at least ten days after hurried launch
Monday 11th May 2020 14:13 GMT
Re: It also highlighted that Australia Government doesn't have control over National Data Soverienty
It could end up with Amazon execs suddenly finding they can no longer travel to countries which used to have Amazon bitbarns for fear of arrest.
By not complying with the Could Act, they could find themselves in jail in the US, therefore the question becomes "jail in the US or not being able to travel to certain foreign countries"
I've seen things you people wouldn't believe. Spacecraft with graphene sails powered by starlight and lasers
Monday 11th May 2020 14:13 GMT
Re: Calling Isaac Newton...
The problem is that the closer you get to another star the more pressure it exerts on your sail in the wrong direction. That’s why you need the laser. However you need to focus your laser on a 14m2 area at a distance of ~4 LY. Not exactly a trivial design requirement.
Not really, you'd use the lasers as a boost phase, not a continous acceleration until the destination star. The boost phase would be much less than a lightyears distance from our system.
Then you'd use the destination stars light-pressure to slow down. The slow down phase would be much longer, and more gradual, as you don't have the high-power lasers used for initial acceleration available to slow it down, therefore it has to rely on a lower-pressure, but longer duration, deacceleration phase.
For initial probes, they don't even need to slow down enough to enter orbit of the destination system, just slow enough to gather some data as they go through the system. Just like the Voyager and Pioneer probes, and New Horizons, haven't entered the orbit of any of their targets, they've just done flybys.
Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape now works properly on macOS
Thursday 7th May 2020 01:45 GMT
That doesn't really apply here, given that Inkscape uses SVG as the default format.
I'm not sure if you are the same AC as to the post I was replying to, but that post explicitly expanded the issue into a more general issue, making the issue greater than just "here's" Inkscape, i.e.
From OP (emphasis mine)
... but it's still going to have the three main issues that GIMP et al have faced for years ...
Wednesday 6th May 2020 16:51 GMT
1) Cost doesn't matter when it's the company, not you paying for it.
...
3) ... Unless a rival product works 100% exactly click-for-click like the current system, people won't want to use it. ...
Linus Tech Tips did a video on going to Adobe alternative products to save their $10k/year licensing for Adobe, only a week or 2 ago. I've linked to the summary at the end of the video.
But, basically, their editors reckon that the alternative products were 90% as good as the entire poroduction pipeline of Adobe products. And they have 7 editors, paying about $420k a year for them. 90% as good means $42k loss of productivity, which would have to be covered by either making less vidoes (reduced revenue) or hiring another editor, which means more cost - more wages, more equipment, more office space, etc.
Also, since it is a creative industry, collaborating with others, you can't expect other organisations you do business with to "... not everybody out there in the great wider world has the tech savy, or the willingness to deal with your snowflake file format ..."
There's a black hole lurking within 1,000 light years of Earth – and you can see stars circling it with the naked eye
Wednesday 6th May 2020 16:51 GMT
If this thing has escaped detection up to now, and its practically parked on the bloody driveway next to the Green Waste Bin, and theres probably millions of them, then zipping across interstellar space at breakneck pace might turn out to be a bit more dangerous than we imagine.....
As Douglas Adams said:
“Space is big. You just won't believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it's a long way down the road to the chemist's, but that's just peanuts to space."
Even if there were 1000 black holes in a 1000 light-year radius of us, that volume of space is so big and stellar-mass black holes are so small (if there were supermassive blackholes that near they would have been seen by gravitational lensing by now even if they are quiet), that you'd have more chance of finding a specific grain of sand (3-dimensional volume of beach, not just 2-d surface) on a beach than of randomly smacking into a black hole.
Three things in life are certain: Death, taxes, and cloud-based IoT gear bricked by vendors. Looking at you, Belkin
Thursday 30th April 2020 17:56 GMT
Re: Never buy IoT kit
You expect the retailer not to lie through their teeth?
Doesn't matter if they lie or not. If a retailer says a device has X capability, and it doesn't, even if written on the box it doesn't, then the retailer's statement supercedes whatever is written on the box. By saying it has X (or does not have X), a retailer has entered a legally binding contract with the purchaser to supply a product that meets those claims.
Thursday 30th April 2020 00:12 GMT
Re: Never buy IoT kit
how is the average consumer supposed to tell if a piece of kit requires an external network to operate?
Any packaging for the device should contain a notice of some sort, usually listed amongst the requirements, e.g.:
Windows 10
...
Internet access.
...
If you see a device has that "Internet access" requirement, either don't buy it or do more research into the device.
Also, ask the retailer it is being purchased from, this is one of the only good reasons to buy from bricks and mortar these days, so you can ask in-store any such questions, and if the answers turn out to be wrong, you can return it to the retailer for a refund.
Aussie immunology legend consults Twitter for his local off-licence opening hours
Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard
We're in a timeline where Dettol maker has to beg folks not to inject cleaning fluid into their veins. Thanks, Trump
Sunday 26th April 2020 06:51 GMT
Re: "Orange Man Bad!"
HOW FUCKING STUPID ARE YOU?!
@Dr. Ellen seems to be an unquestioning Trump supporter who isn't even capable of finding the myriad videos of the conference on youtube or on the many news sites that host it (obviously not Fox and friends, whiuch is probably the only news sites this person reads) to see for themselves what the fake president said. What more answer do you need?
Geoboffins reckon extreme rainfall might help some volcanoes pop off
Friday 24th April 2020 06:22 GMT
Re: The magma's several km deep
My PhD was in modelling infiltration into unsaturated soils (that 'Dr' part of my attribution isn't medical). ...(Relevant PhD qualified) Bloke on Internet.
Which is probably worth mentioning when initially expressing an opinion, e.g.:
"As someone who has a PhD in modelling infiltration into unsaturated soils, I have the following issues ..."
Otherwise, when a random comment is made, why would anyone take it at more than face value? It is the internet, after all, therefore the safest assumption is to assume everyone is just some random person on the Internet ;)
GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
Friday 24th April 2020 03:28 GMT
Re: El Reg (or the readership) really has changed
No real expert will be insulted by seeing his familiar jargon explained to others.
The other advantage it has is it explicitly puts everyone on the same page. Maybe some person thought GCC stood for something else, Global Cat Catastrophe or something.
The problem with jargon is that the same phrase or acronym could mean different things to different professions. Not to mention "casual" usage v. technically correct usage, e.g. "sounds good in theory" vs "Theory of ... says ... ".
You have one job, Australian PM tells contact-tracing app, and that’s talking to medicos
Friday 24th April 2020 03:28 GMT
Cold Comfort
Australian Prime Minister Scott Morrison has said that the government he leads will never see the data on the nation’s imminent coronavirus-busting-and-contact-tracing app.
Considering the PM turnover rate in Australia over the last decade, this statement will only have a valid lifetime of, what? 12-months at the outside? Then there will be a different leader, and all bets are off.
"... into a national data store that is fully encrypted and the Commonwealth Government has no access whatsoever to the information.”
Considering in Australia the government has the legal authority to issue decryption orders, something being encrypted is no protection from the government.
I haven't seen mention of how long the data will be retained for, therefore whether he or his or the current or even the next government may never access the data, what about a different near-future government?
And has the My Health Record fiasco shows, the government (this government) is fully capable of changing its own laws it finds inconvenient. For example, the original MyHR Act had it as an opt-in service. However, take-up was so low the government changed the law to make it opt-out. Therefore their word or any current legislation they pass is meaningless, as they have a proven history of going back on their word - and their own already enacted legislation - and change it and the legislation to do what they promised they would not do.
Vivaldi browser to perform a symphony of ad and tracker blocking with version 3.0
Thursday 23rd April 2020 06:27 GMT
Re: Vivaldi is great
but it's impossible to enable it now without also having the standard tabs across the top of the window.
Not true, you can remove the tabs across the top, although it's not a simple toggle option in the Firefox Settings UI.
Sorry about the formatting, below is an unformatted copy/paste of my notes I made for myself on how to do it after some research:
FIREFOX
=======
If using Tree Style Tabs and want to get rid of top tab bar, (after enable about:config toolkit.legacyUserProfileCustomizations.stylesheets true)
put the following in <profile directory>/chrome/userChrome.css:
#tabbrowser-tabs {
visibility: collapse !important;
}
#titlebar {
margin-bottom: -34px !important;
}
#titlebar-buttonbox {
height: 32px !important;
}
#nav-bar {
margin-right: 180px;
}
#main-window[sizemode="maximized"] #nav-bar {
margin-right: 138px;
}
To test "live" without updating the userChrome.css, enable the options about:config OR in developer tools (F12) (press the '...' button on the right and select Settings)
Advanced Settings:
(ticked) Enable browser chrome and add-on debugginr toolboxes
(ticked) Enable remote debugging
about:config equivalent to above
devtools.chrome.enabled = true
devtools.debugger.remote-enabled = true
Then open the Browser Toolbox (CTRL+ALT+SHFT+I or Tools -> Web Developer -> Browser Toolbox).
In the "{} Style Editor" tab, you can add a new stylesheet ('+') and type in the styles above (or others) to test.
Lockdown endgame? There won't be one until the West figures out its approach to contact-tracing apps
Academics: We hate to ask, but could governments kindly refrain from building giant data-slurping, contact-tracing coronavirus monsters?
You're a botnet, you've got a zero-day, so where do you go? After fiber, because that's where the bandwidth is
Facebook's Libra Association tries again at this digi-cash game, with more modest ambitions after global flop
Second-wave dotcom Uber-investor Softbank forecasts gargantuan losses as world economy faces slump
Wednesday 15th April 2020 08:34 GMT
Re: Business models
I know plenty of people who hate taxis, but love Uber.
Are these 'people' consumers of the Uber service, i.e. the people who 'catch' Uber transport, or the drivers themselves?
Because plenty of people love cheap clothes enabled by the sweatshop clothing manufacturers, but not many of those staff who work in them like them.
For the consumer Uber is great, but like with a sweatshop, it achieves that consumer-greatness by screwing over its 'workers', the Uber drivers.
