* Posts by eldakka

2353 publicly visible posts • joined 23 Feb 2011

Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs

eldakka

Error in article

> These have been grouped into two logo'd and branded vulnerabilities: Meltdown (Variants 1 and 2), and Spectre (Variant 3).

Other way around, based on the preceding CVE list, it should be "Spectre (Variants 1 and 2), and Meltdown (Variant 3)."

Can't use the corrections link when I don't have an email client installed...

Tsinghua Unigroup: We don't need Hynix chip tech, we have our own

eldakka

"The production capacity expansion of major NAND Flash manufacturers, e.g. Toshiba, Samsung, Intel, and Yangtze Memory Technologies Corporation (YMTC), will have increasing impacts on the industry, resulting in a possible oversupply in NAND Flash market in 2019."

For example:...

Without including the current fab capacities and the new fab capacities or giving % increase in global output of the new/upgraded fabs, this information is useless.

Are there currently 1000 fabs, therefore the half-dozen or so new/upgraded fabs listed here would only increase supply by 10%? Or will these new facilities increase supply by 500%?

Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign

eldakka

> That would allow ring-3-level user code to read ring-0-level kernel data.

What about reading ring level -3? Could this be used to access the IME?

Judge rm -rf Grsecurity's defamation sue-ball against Bruce Perens

eldakka

> Hmmm well, is it really the case that Perens can say what he's saying in perpetuity? If that does end up being detrimental to GR Security, how do they themselves cannot get a fair hearing?

They get a fair hearing by engaging in the same channels Perens has and presenting their side. Just because their presentation and facts on their side are not supporting them, does not mean they have not received a fair hearing.

Court is only a response to actions that breach the law or tort, it is not a venue to express hurt feelings in or disagreement with someone else.

TalkTalk banbans TeamTeamviewerviewer againagain

eldakka

Re: Hmmmm

"As much use as a chocolate Dido."

Much less useful. Chocolate can be eaten.

As can Dido.

SCOLD WAR: Kaspersky drags Uncle Sam into court to battle AV ban

eldakka
Megaphone

You want evidence? We're the government, we don't need no stinkin' evidence.

No hack needed: Anonymisation beaten with a dash of SQL

eldakka

This reminds me of an anecdote about Richard Feynman when he was working on the Manhattan project.

It goes something like:

To relieve his boredom and assuage his curiosity, Feynman taught himself to pick locks, open safes, and so on. A lot of it was social engineering rather than pure 'safecracking' like, for example, using common dates or numbers/algorithms - e.g. some scientists used numbers based on 'e' for example.

So he'd go around Los Alamos picking locks, cracking safes and so on.

In response to this, a Colonel (I think it was) in charge banned Feynman from entering his offices - rather than fixing the safes to make them harder to crack.

This is exactly what the government is trying to do with their new legislation.

Russia could chop vital undersea web cables, warns Brit military chief

eldakka
Coat

Re: It think this is called "really reaching"

> It think this is called "really reaching"

As in a reach-around? Sounds about right.

Coat icon because that's what you were when going after reach-arounds isn't it?

FBI tells Jo(e) Sixpack to become an expert in IoT security

eldakka

Re: 'Don't use a router provided by an ISP'

> Great! But some ISP's including the only one in my region, lock down the router 100%, no passwords will be given out ever etc....

Then put your own router in series with the ISP's router:

your LAN <-> your (packet filtering firewall) router <-> ISP's router <-> WAN

New battery boffinry could 'triple range' of electric vehicles

eldakka

Re: How many battery "breakthroughs" is that this year?

> the last 7 years has seen about 5x reduction in $/kwh cost

That has as much to do with the economies of scale gained with the increased volume production of lithium-based batteries and the usual attendant benefits as it has to do with battery chemistry changes/enhancements.

eldakka

Re: How many battery "breakthroughs" is that this year?

> you just need to be positive.

But if you want to be current, you'll need to be negative too.

eldakka

Re: "But it is usually a seven year journey @ John Smith 19

@Ledswinger

You seem to have missed the word relatively in "relatively easy to..."

Relatively easy != easy.

Compared to having to throw out the old production lines completely and build brand new ones from scratch using completely new processes, completely new battery chemistry, etc, to use this technology...if it ever pans out.

Flash bang walloped: Toshiba, Western Digital sign peace treaty over memory chip fabs

eldakka

This makes me sad.

I was enjoying the stoush.

Now I gotta find something else for amusement (and excuse for popcorn).

Intel to slap hardware lock on Management Engine code to thwart downgrade attacks

eldakka

Re: AMD?

> What does AMD's PSP (or Intel's ME) have to do with DRM?

Apparently it is a key element in allowing 4k HD blu-ray decoding by ensuring a non-user accessible encrypted path from the Blu-ray player (or the HTML5 DRM browser plugins) and the display output. Basically, it is used to ensure that HDCP encryption is guaranteed end-to-end. It is, in many ways, a non-optional TPM module. Since the IME/PSP has full control over your computer, it can prevent/isolate user (well, the computer owner's) access to certain areas/features of the computer.

eldakka

Re: So...

> Does this mean that to be secure, I should only buy machines with AMD CPU's?

As has been pointed out in the comments of many of the recent articles regarding Intel's IME, AMD has its own version embedded in its chips/chipsets called the PSP. Therefore AMD-based systems are potentially susceptible to the same types of attacks and privacy and security concerns.

'Suspicious' BGP event routed big traffic sites through Russia

eldakka
Coat

> Google, Facebook and Microsoft routed through PutinGrad, for no good reason.

I doubt Russia would agree with that sentiment ;)

Google's Project Zero reveals Apple jailbreak exploit

eldakka
Pint

Ian Beer?

Have a....

Archive of 1.4 billion credentials in clear text found in dark web archive

eldakka

Has an analysis of the types of accounts been done?

Over the decades of the internet, I've created thousands of 'throw-away' accounts that have used simple passwords along those lines.

Temporary email accounts, one-off accounts on a site that I must register for (and that required me to create a 2nd account - one-off email account - to receive the registration email for) that I felt some one-off need to comment on that particular article, an account I've never used since on a site I may have never visited again.

For those types of accounts, I'm not going to try a complex password; I'm just going to put in abcd1234 or whatever reaches the minimum password requirements.

Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.

Netflix silent about ridicule as it discusses punters' viewing habits

eldakka

7th paragraph, I think you got your 'f's mixed up:

> This may seem like a quaint concern in an era when elected officials shrug of charges off pedophilia, sexual assault, and treason, but there was a time when public image mattered.

The tips and corrections link doesn't work for me at work.

Berners-Lee, Woz, Cerf: Cancel flawed net neutrality vote

eldakka
Mushroom

I don't think Berners-Lee has any leg to stand on about net-neutrality being the one who pushed for DRM in HTML5. That is going to have a bigger impact internationally than whatever the FCC decides about the local US market.

AI smarts: IBM pushes out 'faster than X86' POWER9 servers

eldakka

Is this the new "But will it run Crysis?"

eldakka

Re: Price-performance

> The problem has always been the fact that a lot of code and applications are simply not available for Power, and there has been little innovation in the application space on Power architecture.

There is actually quite a lot of software that runs on power.

RedHat offer a full RHEL stack for PPC, which includes all the usual open source software from RedHat - JBOSS, Apache web servers, compilers (gcc etc), email clients, browsers, and so on.

Of course IBM offer a lot of its enterprise software on power, DB2, various (although not all) Websphere products (Application Server, Java, DataStage and so on).

Oracle supports its RDBMS system on PPC.

There is an optimized 'R' statistical package for PPC.

And many others.

Microsoft emergency update: Malware Engine needs, erm, malware protection

eldakka

Re: You couldn't make this stuff up.

> I don't have MS' stats but I do know that the Linux kernel is roughly 70,000 files with rather a lot of LoC.
>
> As it turns out, bugs happen.

I think you are missing the irony, this is not a bug in the Operating System itself, the kernel or other necessary modules/process (e.g. file system drivers) that is needed to make a computer perform useful tasks for an end-user. This is a bug in a separate non-OS application that you could - from a using the system perspective - quite happily live without. This application's specific job - its one and only reason for existence - is to protect the user from opening files containing malware. And yet, that application, in the process of checking a file for malware, becomes the vector that enables malware to not only infect the computer, but to gain privileged access along the way.

Inside Qualcomm's Snapdragon 845 for PCs, mobes: Cortex-A75s, fat caches, vector math, security stuff, and more

eldakka

> It's pretty much like having a hidden safe: Before anyone can even try to break in to it, they have to find it.

Having a hidden safe and telling people you have a hidden safe filled with goodies inside your house defeats the point of having a hidden safe. The primary 'obfuscation' in this case is not letting people know you even have one.

However letting people know you have a safe worth looking for, and a narrow search zone - your house - to find it in has just blown 80% of the security - obfuscation - you are depending on.

Letting people know this secure processor exists is the same as letting people know you have a hidden safe. At this point you can no longer rely on obfuscation, you have to rely on the strength of the security - quality of the manufacture, strength of the walls, hinges, door, locking mechanism, unlocking mechanism. Therefore once the cat is out of the bag about the secure processor, there will be people actively trying to break it, therefore you now must rely on the strength of the security on the processor - no bugs in its firmware, no programmatic attack vectors from the main processors or I/O (can you access it via the USB port? If its firmware is upgrade-able there must be some I/O channel that has access to it).

As a poster above stated, look how well relying on obfuscation - once it was known such a thing existed - worked for Intel.

Nokia 8: As pure as the driven Android - it's a classy return

eldakka

Re: Screen resolution

> I know that more pixels equals better image quality, but given that the phone has a better resolution than my 32" HD telly, I can't help but wonder how noticeable that benefit is on something with a screen a fraction of the size of a domestic TV.

But I bet you don't tend to watch your 32" telly from 12" away.

The benefits (or drawbacks) of resolution depend on 3 things,

1) the resolution;

2) the size of the surface over which that resolution is displayed on (the diagonal screen size);

3) the distance from that surface it is being viewed from.

(of course, the quality of the manufacturing, backlight and so on also do matter, but let's assume we are talking screens of equivalent display quality)

For example, using this TV viewing distance calculator, for a 5.3" display:

1.8 Feet Maximum Viewing Distance for NTSC/PAL(720x480/720x576)

0.7 Feet Maximum Viewing Distance for HDTV(Fully resolved 1080i; 1920 x 1080)

For a 32" display:

11.2 Feet Maximum Viewing Distance for NTSC/PAL(720x480/720x576)

4.2 Feet Maximum Viewing Distance for HDTV(Fully resolved 1080i; 1920 x 1080)

So to get the full effect of 1080 resolution, you cannot view from more than 4.2 feet away a 32" screen or, if you shrink that down to a phone's 5.3" screen, you can't view it from more than 0.7 feet away to get the same apparent visual clarity.

Some 'security people are f*cking morons' says Linus Torvalds

eldakka

> If he doesn't like it why doesn't he write it himself?

That sentiment only works when what you have does/does not do something you want it to do.

This is something that someone else has written themselves, and they are quite free to put it in their own fork of the kernel. However, they are trying to foist it onto the mainline Linux kernel, and Linus has told em to eff-off with that. It isn't something in the existing kernel he wants changed therefore it's not a case of "should write it himself".

eldakka

Re: My thoughts on security...

@CrazyOldCatMan

> Hopefully - in sheep counting in the Outer Hebridies.. (sorry - evaluating population density on ungulate species in edge-case northwestern Scottish Island groupings)..

That sounds like an extremely un-stressful job.

I often dream of being a burger-flipper or production-line factory worker. As soon as you leave for the day, you switch off. Now I go home and have work shit ruminating in the back of my mind, sometimes dreaming about it. Sometimes coming up with solutions while I'm at home out of the blue. Or worrying over the weekend if the work-arounds we put in Friday afternoon to get us through the weekend are doing that.

I'd love a simple job, turn up for work, do my thing, day over go home. Nothing to worry about or stress about.

As long as there is a decent remote locality allowance, I'd be up for it.

Microsoft scoops Search UI out from the gaping black maw of Cortana

eldakka
Holmes

That's why I block them on my internet gateway/firewall.

eldakka
Thumb Up

Re: Bring Back Windows XP Search

+1 for Blake's 7 reference.

edit: added the appropriate (I hope!) apostrophe

A challenger appears: Specs for Samsung's potential Optane killer

eldakka
Coat

I'll happily take whichever one the reg decided to give me.

Massive US military social media spying archive left wide open in AWS S3 buckets

eldakka

Not to mention all the sex tapes/photos that are probably doing the rounds amongst the administrators and their friends...

eldakka

Re: Got it, thanks. It's all clear now.

That's what I don't get about the whole "fake news" and "Russian hacking of political parties' private, civilian" systems kerfuffle.

For the last few hundred years, what we seem to now be calling fake news directed at political interference, was called propaganda.

Everyone did, and still does it.

State sponsored radio/television stations that broadcast into foreign territory promoting your interests. Funding interest groups. Providing arms, money, intelligence, training to rebels. Political assassinations. Treaties with carrot/stick elements (e.g. TPP...) that might influence the potential treaty partner's government/bureaucracy/business/citizenry along a certain path. Air-dropping flyers/pamphlets saying how good you are and how bad they are. All the way up to outright military invasion.

Everyone from tin-pot dictatorships to superpowers does it to influence their neighbours. The only real difference is the definition of neighbours - for tin-pots it's usually countries with shared borders, for superpowers it's the entire world.

How can airlines stop hackers pwning planes over the air? And don't say 'regular patches'

eldakka
Holmes

> How can airlines stop hackers pwning planes over the air?

How about not connecting any flight/control systems to a network that has wireless access?

Flight control, entertainment, and, for example, crew non-control systems (e.g. passenger lists, stock levels of food/drinks, etc.) should all be air-gapped from each other.

Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

eldakka
Coat

Does it have to be a face?

Or could you use other...ummm...parts of your anatomy than your face?

Could be fun at parties working out what will actually unlock it...

Firefox 57: Good news? It's nippy. Bad news? It'll also trash your add-ons

eldakka

> developers have had plenty of time to port over their extensions.

Did you miss the statements by others that not all APIs are available yet? Mozilla announced a year ago that this was going to happen, but they didn't release all of the APIs at that time. It's pretty hard to port to, to write the code that uses something that doesn't exist yet.

NoScript requires specific APIs that as of a few weeks ago still didn't exist in the dev/alpha/beta versions of firefox. Maybe they are available now - maybe not - but it means that devs have not had a year to port their extensions.

And considering most of the extensions are done by devs as a hobby - learning new code, implementing some feature that they find useful and releasing that in case others find it useful too - it's not like they need to port it. Maybe they've personally moved on to another browser, so don't feel the need to port an extension they now find unnecessary. Or they've passed that point in their life where they are interested in learning more development - at least web-development - skills.

Maybe they are happy to find a spare 2-3 hours a week on this hobby to port something that will take 100 hours (best part of a year at 2-3 hours a week) to do - but the APIs they need still aren't available. Therefore users might still get the ported extension, 6 months after the necessary API becomes available. Which might be 6 months after those users (and the dev themselves) have moved onto other browsers because they are missing their extensions and couldn't (or wouldn't) wait around to get back something that they already had but was taken away from them.

eldakka

NoScript Official Forums:

> NS like any other extension is in the process of being ported over to the new extension model forced by Mozilla and so while it continues to function flawlessly, it has been in the process and Giorgio has been hard at work and locked away do it, so it will show up as it becomes ready and stable enough to be released, otherwise he prefers to keep it off instead of releasing something buggy. So, all I can say is be patient, but thank you for letting us know.

Logitech: We're gonna brick your Harmony Link gizmos next year

eldakka
Holmes

> One advantage of a universal remote linked to 'the cloud' is that it can transfer your settings to replacements very easily. I've had two versions of the Harmony One and now a Harmony Hub and all I had to do was logon to my account and register the new remotes. I have six devices and five activities and they were downloaded to the new remotes in seconds.

What's wrong with being able to back up the configuration to a file that can be stored locally, or copied/synced to your own preferred, personally chosen cloud storage service (onedrive, google drive, dropbox, whatever service YOU feel happy with using, set up the way YOU like it (e.g. encrypted files stored up there so the service can't see them, etc))? Then being able to load that saved config back into the existing device or a new, compatible device - without having Logitech eavesdropping on the entire thing? Without having to have an account with Logitech?

And if it's backed up in some sort of config file - XML, json, .txt, whatever - then even if you don't have a 'compatible remote' with that original system, since it's a text file you might be able to convert it (or have 3rd-party programs that can do the conversion) to other formats for use in other manufacturers' devices.

Doing it any other way - proprietary unreadable formats, having to use their cloud service that requires an account and registered devices from their product lineup - is nothing more than vendor lock-in and vendor spying on you so that on top of having paid them for the product you are also the product as well.

eldakka

Re: Idiots !

"but if my Anywhere MX mouse dies I'll simply get the latest version again."

The next version will probably require an always-on connection to the cloud service that is used to "continuously calibrate the device for best performance" (/s) .

OK, we admit it. Under the hood, the iPhone X is a feat of engineering

eldakka

Re: yes, it's very nice but...

> Are you saying the iPhone X is a $1,000 suction dildo?

A $1000 suction dildo would be more fun, and more useful, than an iPhone X.

eldakka

Re: yes, it's very nice but...

> Must admit, wasn't expecting that one.

No one expects the suction dildo...

So, tell us again how tech giants are more important than US govt...

eldakka

What's that got to do with my point? My point has nothing to do with free speech or political speech.

My point was that if you lack the intelligence to understand the difference between a publisher and a platform, then you shouldn't be on that committee.

If one understands the difference, but still decides to treat them the same way, that is one thing, it is an informed decision made based on knowledge, on understanding.

But if one is unable to comprehend there is a difference so lumps them together because they are unable to understand the differences, that is something different, it is a decision made in ignorance.

eldakka

@Kev99

> US Supreme Court Justice Felix Frankfurter once said the right to free speech does not allow you to yell "fire" in a crowded theatre.

Firstly, that comes from Justice Oliver Wendell Holmes, Jr.'s ruling opinion from Schenck v. United States in 1919. And you left out one very important qualifier, the word "falsely". Even under Holmes, you could shout fire if it was true.

Secondly, you have left out that this was overturned in 1969, in Brandenburg v. Ohio, which limited the scope of banned speech to that which would be directed to and likely to incite imminent lawless action (e.g. a riot).

So, the speech has to both incite imminent action - not some theoretical future action - and that action so incited also has to be lawless.

So, while falsely yelling "fire" in a crowded theatre may incite imminent action - fleeing the fire - the action of fleeing a fire isn't lawless action. Therefore such speech would be perfectly legal.

eldakka

> Senator John Cornyn (R-TX) asked: "Why should you be treated any differently to the press?" All three California outfits responded with a version of the fact that they are "platforms" and not publishers, that their content is user-created, and that they protect people's right to free speech and expression. Cornyn made it clear he was not persuaded. "They may be a distinction lost on most of us," he said.

My response to the Senator would have been something along the lines of:

"For anyone who fails to grasp that distinction, I would question their competence to be on this committee"

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system

eldakka

> You supply valid contact info, or you don't get a domain?

This is not about supplying valid contact data, it's about making that data public.

Having a requirement that you have to make your data public or you don't get a domain could run afoul of other laws, especially as domain registrars are monopolies, therefore would face heightened scrutiny over such contract language.

NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

eldakka

Re: Wait a minute

> This makes the whole tangent about the MS Office key crack pointless.

The point is that the malware installed by the Office keygen could have been the vector for someone other than Kaspersky getting access to the computer to obtain the NSA malware on it.

> how does Kaspersky know what to look for, and upload their find to Russia?

Because hacking tools are usually suites that are built up over time, based on earlier revisions, enhanced, added to, and so on. Therefore, as with any suite, they often have common libraries, common blocks of code (so even if not a library, a copy-paste of working exploits from an older version into the newer version) and so on.

Linguistic analysis can quite accurately tell who wrote a post, or series of posts, of novels, essays and so on. Everyone has their own style, grammar, punctuation usage, same repeated spelling errors and whatnot.

The exact same thing applies to programming. Someone could have a favourite error routine that they've developed over years and reuse in new code rather than writing it from scratch - or using someone else's. The number of spaces/tabs used in indentation, language used in comments, variable/function/class naming styles, all can be used to determine who wrote a piece of code.

Since Kaspersky had earlier samples of NSA malware/exploits, they already have a library of those common routines, styles, and so on to search for. So if they find a file that has a chunk of known code (e.g. still using same exploit_0345 library in the new stuff, or an entire code chunk is the same as a sample they already have - but the rest is different) then any virus scanner worth its name will flag that as a suspect file. And if the user has enabled (or rather, hasn't disabled) the "send suspicious code back to mothership for further analysis" option that most modern AV have - Kaspersky, ESET, Symantec, Windows Defender, and most of the other big-name ones - then that file, and 'surrounding' files, e.g. an entire zip archive if it finds suspicious files in the archive - will be sent back.
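
The shared-chunk matching and archive-wide submission described in the post above, as an added example (not the poster's code and not any AV vendor's engine). The window size, run threshold, sample names and all sample bytes are constructed for the illustration:

```python
"""Added illustration: flag files that share a code chunk with known samples."""
import hashlib

WINDOW = 16    # bytes per sliding window (assumed value)
MIN_RUN = 32   # shortest shared run, in bytes, worth flagging (assumed value)

# Constructed sample data: one routine reused between an old and a new tool.
SHARED_ROUTINE = b"ROUTINE:fmt_err(code){lookup(tbl,code);write(fd,msg);exit(code)}"
OLD_HEADER, OLD_TAIL = b"OLD-LOADER-STUB-" * 6, b"OLD-CONFIG-BLOB-" * 3
NEW_HEADER, NEW_TAIL = b"new-dropper-code" * 12, b"new-config-block" * 5
KNOWN = {"family_a_2014": OLD_HEADER + SHARED_ROUTINE + OLD_TAIL}
NEW_FILE = NEW_HEADER + SHARED_ROUTINE + NEW_TAIL
CLEAN_FILE = b"plain document text, nothing shared. " * 8
ARCHIVE = {"tool_v2.bin": NEW_FILE, "notes.txt": CLEAN_FILE}


def _h(chunk):
    """Short fingerprint of one window."""
    return hashlib.sha256(chunk).digest()[:8]


def build_index(known):
    """Map window fingerprint -> names of known samples containing that window."""
    index = {}
    for name, blob in known.items():
        for i in range(len(blob) - WINDOW + 1):
            index.setdefault(_h(blob[i:i + WINDOW]), set()).add(name)
    return index


def scan(data, index):
    """Return (offset, length, sample_names) for each shared run >= MIN_RUN bytes."""
    runs, start, names = [], None, set()
    last = max(len(data) - WINDOW + 1, 0)
    for i in range(last + 1):              # the extra step closes a run at EOF
        hit = index.get(_h(data[i:i + WINDOW])) if i < last else None
        if hit:
            if start is None:
                start, names = i, set()
            names |= hit
        elif start is not None:
            # Consecutive matching windows start..i-1 cover this many bytes.
            length = (i - start) + WINDOW - 1
            if length >= MIN_RUN:
                runs.append((start, length, sorted(names)))
            start = None
    return runs


def triage_archive(members, index, cloud_submit=True):
    """Return (flagged members, members queued for upload).

    One flagged member queues the whole archive, which is how unrelated
    files end up leaving the machine alongside the match.
    """
    flagged = sorted(n for n, blob in members.items() if scan(blob, index))
    queued = sorted(members) if (flagged and cloud_submit) else []
    return flagged, queued


if __name__ == "__main__":
    idx = build_index(KNOWN)
    print(scan(NEW_FILE, idx))
    print(triage_archive(ARCHIVE, idx))
    print(triage_archive(ARCHIVE, idx, cloud_submit=False))
```

With submission switched off the file is still flagged locally, but nothing is queued for upload.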

Yes, British F-35 engines must be sent to Turkey for overhaul

eldakka

Re: Not a problem

Not all the purchases of the F-35B are intended for carrier-only deployment. The airforce is getting F-35Bs as well.

They can operate normally from land airstrips (CTOL). They'll just become 'lesser' F-35As in this role (less payload, less range than the A).

eldakka

Re: 'Use-Case'?

> The F-35's mission facing an air defence system worthy of the name is to get well forward into the AD radar envelope without being detected (that stealth thing), detect threats (the massive sensor and comms suite it's fitted with) and provide information to guide missiles such as Brimstone fired from fifty km behind it by ammo mules like F/A-18s and Typhoons into their assorted targets (to begin with the air defence systems and launchers that are stopping the mules from getting forward without getting blown out of the sky). It's a sniper weapon so it's not fitted with a bayonet mount unlike the Warthog's stupid BFG.

Errrm, no.

The F-35 is meant to replace F/A-18s, Warthogs, F-16s, Harriers, and all the assorted similar aircraft. It is meant to do the ground strikes, close-air-support and so on of all those other aircraft.

It is stealthy from the forward aspect only. It is the bombtruck. That is the only case where frontal-only aspect stealth makes any sense. It approaches enemy forces head-on, the only place its stealth works, and unloads its weapon loads into enemy positions/oncoming aircraft before they can detect and launch their own missiles/other defenses at it. And it better hope it eliminates all, or enough, of the opposing forces air defence sites or enemy aircraft, because once the F-35 turns away - or passes beyond those points thus exposing its non-stealth aspects to the remaining defences, then those remaining enemy aircraft who carry 6-12 AA missiles (as opposed to the maximum 4 of the F-35 if it wants to maintain stealth) will be able to unload their far-superior loadout capability at the un-stealthy aspects of the F-35.

The F-22 is the F-15, Typhoon equivalent/replacement. The air-superiority fighter, the all-aspect stealth aircraft. The one intended to go toe-to-toe with the latest generation of enemy air superiority fighters. The one meant to penetrate the enemy air defences to go after targets inside the AD zone.

The F-35 is meant to nibble away at the fringes, take out outer shell AD, then once that is eliminated, go after the next inner shell, and so-on.

eldakka

Re: Well that's just great.

The US?

No, they are being bought from that country that is halfway toward becoming yet another third-world theocratic shithole. The maintenance is being outsourced to a different country that is halfway toward becoming yet another third-world theocratic shithole.

eldakka

Re: Making life easier - for an adversary

> Well no, if you're willing to write off the £6bn already committed on the carriers.

I would like to introduce you to the sunk cost fallacy.

eldakka

Re: Starting to make sense now

> Instead we'll get renamed Puerto Britainia.

That's what I was thinking, an unincorporated territory rather than a state.