Posts by oldtaku

216 posts • joined 18 Aug 2011


US Health and Human Services targeted by DDoS scum at just the time it's needed to be up and running

oldtaku
Devil

At Just the Time

This is exactly when you'd expect the Chinese, Russians, and Iranians to hit it for maximum chaos. No surprise there.

ExoMars team delays 2020 Red Planet road trip after failing to complete all necessary testing

oldtaku
Happy

I admire the ESA's commitment to having this mission crashland in only the best condition.

Having trouble finding a job in your 40s? Study shows some bosses like job applicants... up until they see dates of birth

oldtaku
Meh

Cost and Abusability

Older workers generally have better job skills, better planning skills, and better personal skills (on average, there's always that guy) than younger workers, so this comes down to two things:

- Cost: You can pay younger workers less

- Abusability: Young workers are just willing to completely exploit themselves with crazy (usually unpaid) overtime for the supposed good of the company. Older workers have learned their lessons and are less likely to put up with that.

At some point in the hiring process you're going to run into the first problem, if not the second. Though at the end it sounds like he's admitting this really only will work for low-skill fixed price positions.

$13m+ Swiss Army Knife of blenders biz collapses to fury of 20,000 unfulfilled punters

oldtaku
Stop

Stop backing gadget products, you twits

Book projects generally work out, and physical game projects (though there have been a couple spectacular failures) because producing books and boardgames is a mostly solved problem.

On the other hand, producing an unproven gadget is incredibly risky (as are video game projects). First, making prototypes is fun and easy. Making a production ready design and production line is anything but - suddenly you have to worry about whether that hinge can open 50K times without breaking. During R&D you just swapped out motors when one burned out - you can't do that now, all motors have to keep working. Oops, that molded plastic you used scratches really easy. Finding, characterizing, and fixing each of these things takes time. There are just dozens or hundreds of slow, tedious issues for anything you want to productize. As an engineer I've done it lots of times and it's always miserable and more work than you expected.

Second, if you get enough orders to require third world production, dealing with China is a major nightmare - I haven't had to deal with others like Vietnam but it's probably not hugely different. You might naively expect you can give them the BOM (Bill of Materials), Solidworks files, and instructions. Oh no. First you have to find someone to deal with. They will all promise you to the world. Then there will be lots of flying and calling as you laboriously explain various things and realize they haven't really understood or looked at your schematics, and they will explain to you they can't get these parts, or this part can't be manufactured like that. Lots of expensive prototypes and production test runs.

Then, and this is the worst part, even when things are working perfectly they will decide to randomly swap things without telling you. We had an entire run of printers die in weeks because they quietly changed one of the motors with a cheaper one to save and pocket 5 cents per unit. *To pocket a 1 cent saving per unit, a Chinese factory owner will happily make changes that can kill people* - I've seen it happen! They will be completely lax on quality control because they can use cheaper/fewer workers and send you batches with half the units defective. They will run your production line to make no-brand Chinese knockoffs they will sell cheaper than you. They will sell your design to other Chinese companies and prioritize them so the knockoffs are out before your product. The only way to deal with all this is to keep a manufacturing expert out there all the time to babysit - and best if they speak Chinese. Do you know someone like that?

So with all that, never back a gadget product unless it's a VERY minor refinement of an existing shipping one. And even then, why not just wait for it to be sold as a real product? So you didn't save 20%, one failed project will wipe out five of those.

Is HONK nothing sacred HONK? It's 2019 and an evil save file can pwn much-loved HONK Untitled Goose Game

oldtaku
Devil

How it might work

How the heck can a save file run arbitrary code? Well, I haven't looked at this vuln in detail, but there's a known class of exploits that affects almost any framework that allows you to deserialize arbitrary classes, like PHP, C#, Java, Ruby, etc etc.

- Find a class in the program which does something in its Dispose() method (called when the object should release its resources), say the HonkBonk class.

- If the Dispose() method includes a callback, you're wide open, but there are several things you can exploit.

- There are a lot of .NET classes too, you can abuse those as well as the program's own classes.

- In your malicious save file you put a saved object for the HonkBonk class - for the callback field, put a lambda with your arbitrary code.

- Program tries to read the SaveData class from the save file

- Instead of the SaveData class, the BinaryFormatter sees a HonkBonk object - it creates it (it's a known class!) and reads the fields into it

- When the program tries to cast HonkBonk object to SaveData class, this fails, so you get a cast exception.

- The HonkBonk object is 'lost' (there are no references to it)

- The HonkBonk object gets garbage collected

- Dispose() is called on the HonkBonk object

- Your arbitrary code is executed

- *HONK*

You can use the SerializationBinder in .NET to stop it from attempting to handle completely arbitrary data.
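The post's closing point, that a deserializer should be told which types it may build instead of resolving whatever the input names, applies to any framework in the class it lists. As an added example (not from the post, the game, or any real save format), here is the same fix in Python, whose pickle module has the same property as BinaryFormatter: a custom Unpickler whose find_class only resolves an allowlist plays the role of a .NET SerializationBinder. The class names SaveData, HonkBonk and the helper functions are illustrative assumptions.

```python
"""Allowlisting deserialization: a Python analogue of a .NET SerializationBinder.

pickle, like BinaryFormatter, instantiates whichever class the stream names.
The defence is to resolve only an explicit allowlist of (module, name) pairs
and refuse everything else before any object is constructed.
Names below are illustrative and not from any real game.
"""
import io
import pickle
from dataclasses import dataclass


@dataclass
class SaveData:
    """The one type a save file is allowed to contain."""
    level: int
    honks: int


@dataclass
class HonkBonk:
    """Some other class that exists in the program. A save file must never be
    able to name it, whatever its finaliser happens to do."""
    note: str = ""


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allowlisted globals.

    pickle calls find_class for every class the stream references; raising
    here aborts deserialization before the object is built, which is what a
    SerializationBinder returning null achieves for BinaryFormatter.
    """
    ALLOWED = {(SaveData.__module__, SaveData.__name__)}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to deserialize {module}.{name}")


def load_save(blob: bytes) -> SaveData:
    """Deserialize a save blob, allowing only SaveData."""
    obj = RestrictedUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, SaveData):  # defence in depth: check the result type too
        raise TypeError(f"save file did not contain SaveData: {type(obj).__name__}")
    return obj


def encode_save(obj) -> bytes:
    """Write a save blob the way the game would (constructed here for the demo)."""
    return pickle.dumps(obj, protocol=4)


def try_load(blob: bytes):
    """Return ("ok", SaveData) or ("rejected", reason) so callers can log it."""
    try:
        return "ok", load_save(blob)
    except (pickle.UnpicklingError, TypeError) as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    from collections import OrderedDict
    print(try_load(encode_save(SaveData(level=3, honks=12))))  # accepted
    print(try_load(encode_save(HonkBonk("x"))))                # program's own class: rejected
    print(try_load(encode_save(OrderedDict())))                # library class: rejected
```

Note that the allowlist rejects a stream naming the program's own HonkBonk and one naming a library class alike, which is the point the post makes about framework classes being just as usable as the application's. The rejection happens in find_class, before construction, so the post's later steps (failed cast, orphaned object, finaliser) never run.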

Q. Who's triumphantly slamming barn door shut after horse bolted at warp 9? A. NordVPN

oldtaku
FAIL

Remote Management System

'Creanova said NordVPN knew the remote management system was installed and that NordVPN failed to lock it down. NordVPN claimed it had no idea this God-mode-level access was present in the box'

I know exactly how this probably happened, been there before. Someone from NordVPN wanted access to the box to debug or install something and used TeamViewer / VNC / whatever. Then they finished and didn't remove it. 'NordVPN' knew, but only that one guy knew - and he forgot. And nobody else at NordVPN had any idea. So you've got an old version of [remote access program] sitting there and someone compromised it - for instance, remember that big rash of TeamViewer hacks about two years ago?

Microsoft says .NET Framework porting project is finished: If your API's not on the list, it's not getting in

oldtaku

Re: No WinForms?

Ah, thank you for that. That'll be good enough for us in-house then (all the linux stuff is headless servers).

oldtaku
Paris Hilton

No WinForms?

Has WPF gotten to the point where you can just slap together a simple utility like WinForms? I know you can make stuff prettier with WPF, and there are some database-driven scenarios it makes easier, but the Java-like amount of crap needed for simple stuff, like 14+ lines of code and/or XML just to change the color of a DataGrid cell made it painful for doing simple things. Basically, it was Enterprisey. But that was years ago.

Hundreds charged in internet's biggest child-abuse swap-shop site bust: IP addy leak led cops to sys-op's home

oldtaku
Unhappy

Bitcoin anonymity

If there's one little ray of sunshine in this sickness it's that they caught the other guys because they were using bitcoin. I guess it really is good for something!

Chemists bitten by Python scripts: How different OSes produced different results during test number-crunching

oldtaku
Headmaster

Re: Science

That's the wrong response. You have to make sure that if there's some STRONG assumption in your code, like the ordering of files, that you enforce that.

If you only run the same hardware and OS every time then you might miss that it's completely wrong because you're making the same wrong assumptions every run.

oldtaku
Megaphone

I think they're deciding which OSes 'failed' wrong.

If your algorithm really depends on random files being loaded in some specific order you had better make dang sure you sort those file names before loading.

I think this has less to do with what OS you're using and more to do with how you copied the files into the directory. If you unzipped a file you will always get the right results, because the files in a zip have a fixed order, but if you check out the files from your repository, or check out then copy them to a directory, the order may be semi-random.

For instance they claim Windows 10 worked right here, but I know from experience that python glob on Win10 can return a different order depending on the real (non sorted) order of files in a directory. They just got lucky when they did it based on how they got those files there.
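Both of these posts make the same point: if an analysis depends on the order files are loaded, sort the names and enforce the assumption rather than trusting whatever order glob() happens to return. As an added example (not from the posts or the paper they discuss), here is a loader that does both, with an order-dependent stand-in computation and constructed sample files; the names run_a.txt to run_c.txt, the helper functions and the "running difference" analysis are assumptions for the demo.

```python
"""Enforcing a file-ordering assumption instead of trusting glob().

glob.glob() yields entries in the order the OS directory listing gives,
which depends on how the files landed there (unzip, checkout, copy), not only
on the OS. The loader below sorts explicitly and checks that the input set is
exactly what the analysis expects, so a missing or extra file fails loudly
instead of silently shifting the order. All names and contents are constructed.
"""
import glob
import os
import tempfile

# Constructed sample inputs: file name -> contents.
SAMPLE_FILES = {
    "run_a.txt": "1",
    "run_b.txt": "2",
    "run_c.txt": "3",
}


def write_samples(directory: str, creation_order) -> None:
    """Create the sample files in the given order, mimicking a copy or checkout
    that does not happen alphabetically."""
    for name in creation_order:
        with open(os.path.join(directory, name), "w") as fh:
            fh.write(SAMPLE_FILES[name])


def load_values(directory: str, *, sort: bool):
    """Return (basenames, values) for every *.txt file in directory."""
    paths = glob.glob(os.path.join(directory, "*.txt"))
    if sort:
        paths = sorted(paths)  # the fix: an explicit, portable order
    names = [os.path.basename(p) for p in paths]
    values = []
    for p in paths:
        with open(p) as fh:
            values.append(int(fh.read()))
    return names, values


def order_dependent_result(values):
    """Stand-in for an analysis whose answer depends on input order: the running
    difference v1 - v2 - v3 ..., which changes if the files are read differently."""
    result = values[0]
    for v in values[1:]:
        result -= v
    return result


def load_checked(directory: str, expected_names):
    """Sorted load plus an explicit check of the analysis's assumption:
    exactly these files, in this order."""
    names, values = load_values(directory, sort=True)
    expected = sorted(expected_names)
    if names != expected:
        raise RuntimeError(f"unexpected input set: got {names}, expected {expected}")
    return order_dependent_result(values)


def demo(creation_order=("run_c.txt", "run_a.txt", "run_b.txt")):
    """Return (unsorted result, checked result) for the same files.
    The first depends on the platform's directory order; the second does not."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d, creation_order)
        _, unsorted_vals = load_values(d, sort=False)
        checked = load_checked(d, list(SAMPLE_FILES))
        return order_dependent_result(unsorted_vals), checked


def demo_missing_file():
    """Show the check firing when one expected file never arrives.
    Returns the error message, or None if the check did not fire."""
    with tempfile.TemporaryDirectory() as d:
        write_samples(d, ("run_a.txt", "run_b.txt"))
        try:
            load_checked(d, list(SAMPLE_FILES))
        except RuntimeError as exc:
            return str(exc)
        return None


if __name__ == "__main__":
    print(demo())              # second value is always -4; first depends on the OS
    print(demo_missing_file())
```

The checked result is -4 whatever order the files were created in and on whatever OS, whereas the unsorted result is whatever the directory listing produced that day. The input-set check is the "enforce the STRONG assumption" part: a file that failed to check out no longer silently changes which value comes first.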

Game over: Atari VCS architect quits project, claims he hasn’t been paid for six months

oldtaku
Devil

Anybody who backed this thing doesn't deserve to get their money back. It was completely predictable (and predicted) from day one.

oldtaku
Headmaster

It's not really Atari

Yes, legally it's Atari, but this is just Infogrames wearing the dead skin mask of Atari and continuing to crap on its name.

Also, backers have nobody but themselves to blame on this one, it was obviously a shitshow from the very start.

Father of Unix Ken Thompson checkmated: Old eight-char password is finally cracked

oldtaku
Unhappy

Re: few days?

The article is pointing out that the advice is STILL to use 8 character passwords (minimum). Which is a terrible recommendation. You need a lot more than that.

As many as 100,000 IBM staff axed in recent years as Big Blue battles to reinvent itself from IT's 'old fuddy duddy'

oldtaku
Pirate

'Excited about IBM'

'so there's clear excitement about IBM's strategy and direction for the future'

There is nobody excited about IBM's strategy or its future. Maybe a handful of execs. But if you're going to IBM it's because a jerb is a jerb.

One teeensy little 13-minute power cut, and WD you look at the size of that chip supply cut!

oldtaku
FAIL

Just 13 minutes

If you're wondering how they lose $600M of stuff in just 13 minutes, I do vacuum engineering work (as one of the hats).

Generally a setup like this is miles and miles of 'robots'. Not humanoid, but hexagonal with a chamber on each side. Each chamber exposes the wafer to things to build it up (gold), things to etch it, things to cure it. You roll up some wafers, the robot in the center moves one into chamber 1, does a process, then moves it from 1 to 2 and puts a new one in 1, etc, till all of the wafers have gone through the station and are ready for another combined process at the next station.

Critically a lot of these processes are done at low vacuum (like 10 mTorr) and often with toxic gases or worse, pyrophoric gases that explode on contact with normal air, like silane. Everything is closely timed, and you have to carefully maintain 1) the pressure of the chamber, 2) the rate of incoming substance(s). If you cure the wafers for only 3 minutes instead of 5, you lost the wafer. Now into this happy little juggling act you throw a power loss.

*Honestly, it doesn't matter whether you lost it for 13 minutes or 13 seconds, you're done.*

Your CDGs that measure pressure generally take two hours to get back to correct internal temperature, so they're reading wrong. That doesn't really matter anyhow because your valves failed and you either put not enough gas into the chamber or way too much. If you put way too much in now your chamber is contaminated. And your vacuum pumps all failed, so you lost pressure control. The turbo pumps spin at 75000 RPM and can't handle any amount of thick gas, so maybe you bombed them (shattered the fans). The computers controlling these don't like being hard powered down.

Worse, and this is low probability and means you designed something wrong, but if you got too much silane and it contacted air because your pumps are down, maybe your robot caught on fire. Probably not, but either way you have to check all your turbos, open up all your robots, remove the destroyed wafers, clean your chambers. Oh, and now you need to recover all those process computers.

Nightmare scenario.

Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered

oldtaku
FAIL

What do you expect with Bluetooth?

Q: How do you make a secure device insecure?

A: Put Bluetooth on it.

Such a terrible, terrible protocol. Just because it's been accreted for 30 years rather than designed.

Idiot admits destroying scores of college PCs using USB Killer gizmo, filming himself doing it

oldtaku
Trollface

Talk about efficiency

This guy has radically streamlined the usual outcome of Indian outsourcing. Though only $60K wasted is a tad low.

'Sharing of user data is routine, yet far from transparent' is not what you want to hear about medical apps. But 2019 is gonna 2019

oldtaku
Unhappy

That's the whole point

The whole point of providing a medical app is taking the user's info and selling it to giant corporate a@!#holes. Good luck changing that model.

ProtonMail back up in Russia after regime chokes access over 'terrorist activity'

oldtaku
Meh

Terrists!

And by 'terrorist activity', Putin's goons mean 'free speech,' 'saying things about the Russian kleptocracy that make them sad,' and most especially 'journalism free of Kremlin spying'.

Brave claims its mobe browser batt use bests whatever you're using. Why? Hint: It begins with A then D then V...

oldtaku
Facepalm

sigh

Well, you had me till the very last paragraph.

Seagate punts external PS4 drive at the millions who uninstalled their game libraries to fit Red Dead Redemption 2

oldtaku
Happy

The superior controller

Because the PS3 controller is a better controller, duh. That was the perfect controller, then they stuck that stupid touchpad on the front (which is now relegated to being a big map button for most games), made the 'options' button a pain in the ass to use, and taped that annoying LED glowstick to the back of it.

Salesforce has named a chief ethics officer and yes, the job description is appropriately woolly

oldtaku
Joke

A problem of ethics

'Gentlemen, our biggest ethics problem is that we're Salesforce'

( 'But at least we're not Facebook' )

Latest Google+ flaw leads Chocolate Factory to shut down site early

oldtaku
Trollface

Tens!

"52.5 million accounts at risk, tens of people are worried"

Don't forget both people who are going to be really outraged about the closure being moved up.

Thought black holes were donut-shaped? It turns out they're more like deadly fountains

oldtaku
Headmaster

Well, the accretion disk anyhow

To be clear, the black hole itself is still extremely spherical. This is the gas around it - the accretion disk mentioned, which now may look like a disk with party sparklers. Hey, it's the only part you can see, anyhow.

Google: All right, screw it, from this Christmas, Chrome will block ALL adverts on dodgy sites

oldtaku
Meh

Still worse than an ad blocker (by design)

It still boggles me that so many people run without an ad blocker. It makes the entire web so much faster and cleaner, besides being safer. It's just basic hygiene.

Of course it's just that people don't know how to install extensions and FF/Google aren't going to cripple their revenue by installing one by default.

Solid state of fear: Euro boffins bust open SSD, Bitlocker encryption (it's really, really dumb)

oldtaku
Facepalm

I'm just going to quote the paper - nuff sed

'The drive's contents is still accessible to anyone in possession of the default Master password... which is an empty string.'

oldtaku
Trollface

Re: This explains it

They also have the software that puts up 'HACKING PASSWORD' in 196 point red letters.

Mac users burned after Nuance drops Dragon speech to text software

oldtaku
Meh

It'll still work fine - for a while

Latest version of Dragon Dictation - which works fine - will still work, you just won't get upgrades.

Once you can no longer acquire it legally, it's perfectly ethical to pirate at that point. Not legal, but 'legal' is corporate bought whoredom and there's nothing wrong with copying software they don't want to sell you. No harm is done.

Of course, things tend to bit rot, so you might want a five year exit plan... if Apple hasn't rolled MacOS into iOS by then or otherwise killed it with neglect.

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection

oldtaku
Unhappy

Internet of Giant S@#$tty Stuff

"as a matter of practice, construction crews should be keeping their cranes and other Wi-Fi controlled equipment air-gapped on a separate, non-internet network with its own firewall. Basically, nobody but crews should even have access to the network, let alone the equipment itself .. if everyone is doing their jobs right a real-world exploit would be extremely difficult to pull off."

Ahahahahaha... ha... *sob* 。゚・(>﹏<)・゚。

Even hospitals don't bother securing their networks and critical equipment properly. The security hygiene I've seen at construction companies could be compared to going condomless in Haiti while suffering from open sores and lacerations, and then rolling around in a sewage ditch for good measure. Nobody is doing security right because that would cost money for a full time guy who knows what he's doing. And then they'd have to tell him when there was new equipment instead of just throwing something together with all the defaults.

Serverless? There’s more than one way to run a function

This post has been deleted by a moderator

Sunny Cali goes ballistic, this ransomware is atrocious. Even our IT bill will be something quite ferocious

oldtaku
FAIL

Anyone want to bet against them still running Windows XP? Because that's where my money is.

Salesforce dogged by protests, leaked emails, and guerrilla blimps on first day of Dreamforce

oldtaku
Happy

Master of Powerpoints

Love it... And the lyrics actually work real well.

Come crawling faster

Obey your master

Your life burns faster

Obey your master

Salesforce

Master of Powerpoints

I'm pulling your strings

Twisting your mind and smashing your dreams

Blinded by me

You can't see a thing

Just call my name 'cause I'll hear you scream

Salesforce

Salesforce

Just call my name 'cause I'll hear you scream

Salesforce

Salesforce

oldtaku
Unhappy

Re: Wait, what? Did I miss something?

They were the best thrash band in the world, period, up to Justice for All. They completely revolutionized metal and rock with their first three albums. Then they realized they could make more money on ballads.

So they had credibility through about 1994 (I'll be generous and give them the black album). After that, forget it.

Imagine Python fan fiction written in C, read with a Lisp: Code lingo Nim gets cash injection

oldtaku
Facepalm

Re: Interesting but ugly

> the identifiers FOO_BAR and fooBar are equivalent...

(((φ(◎ロ◎;)φ)))

BlackBerry claims it can do to ransomware what Apple did to its phones

oldtaku
Meh

We can already do this (on desktops/servers)

We can already do this (and I do) with versioned auto-backup. If anything happens I can roll back to 2:30 PM yesterday (or 1:49, or whenever) with a safe boot or boot disk. Of course if BB can actually make an all devices suite that's reliable, has almost no impact on running systems, and reliably easily restores - sure, why not?

Odds are it'll be bloaty, fragile, overpriced Enterprisey crap, but I'm open to looking.

Smyte users not smitten with Twitter: APIs killed minutes after biz gobble

oldtaku
FAIL

Typical

It's nice to see that Twitter is as consistently terrible at dealing with other companies as it is at dealing with its users.

'What? Was that bad? Should we not have done that?'

HPE CEO pledges $4bn Edge R&D splurge

oldtaku

Re: And things go round

Joking about HP aside for a moment, there's a bit of difference in theory and intent.

The intent, basically, is that the edge computing devices only contain transitory data, while all permanent data is still in the cloud.

You want edge computing when there's a firehose of locally generated data, like you've got hundreds of sensors hooked up all over your buildings generating video, temperature, proximity, etc etc. What you're trying to do is avoid having to send every byte of data back to the cloud and only send it the *interesting* data.

Or let's say you're doing facial recognition on that video - sending all the streams of video back to the cloud and having the cloud tag faces is silly. Maybe you'd LIKE to have all the video from all the cameras, but if you don't have the NSA's budget you need to make some tradeoffs. So you'd have local machines which are configured from cloud data then just tell the cloud which people they see and video only for Persons of Interest. Then you keep the streams local for a month before deleting.

This isn't all that different from things we've seen before, but it is different from a local data center in that the local data center is intended to be The Canonical Repository, but now that's the cloud. And if you have a bunch of local data centers that coordinate to be the canonical repository, well that's a cloud.

oldtaku
Trollface

Re: Another use of the word EDGE

Careful Tim Langdell doesn't lawsuit your ass, mate.

oldtaku
Stop

Good luck with that.

Yeah, good luck with that. What do you want for edge computing? Great performance with low power in a small form factor, so you don't have to send as much data back to the cloud.

What is modern HP completely incapable of making? Anything that isn't a bloated enterprisey hot mess. Sorry, your edge router's going to need a Xeon, 32GB of RAM, and a 512GB SSD just to run HP's drivers and management suite.

I got 99 secure devices but a Nintendo Switch ain't one: If you're using Nvidia's Tegra boot ROM I feel bad for you, son

oldtaku
Happy

Pwned? This is great!

Nintendo might be pwned here, but if this lets us boot custom firmware and Nintendo can't block it that's a big win for users. Or the few who even know what that means. It's why I still have my bigass launch PS3 instead of one of those cute tiny later versions.

Oracle sued over claims of shoddy service, licensing designed to force adoption of its kit

oldtaku
Devil

This sounds deeply familiar

Anyone who's ever dealt with Oracle should be nodding about now. It can't be bargained with. It can't be reasoned with. It doesn't feel pity, or remorse, or fear. And it absolutely will not stop... ever, until you are giving them all your money!

It's 2018 and… wow, you're still using Firefox? All right then, patch these horrid bugs

oldtaku
Devil

Firefox really is the worst

Except for Chrome, Safari, Opera, and Edge.

Chrome is a bloated pig that chokes and dies like an infant with as many tabs as I leave open, Safari is long dead on my platforms, Edge is right out because of lack of extensions, Opera is somehow grossly overfeatured and underfeatured at the same time (though it'd be my next choice), and don't even talk about the Linux only browsers.

You picks your tradeoffs. Which is why sometimes my browser is Lynx.

We translated Intel's crap attempt to spin its way out of CPU security bug PR nightmare

oldtaku
Happy

Thanks - I was eyerolling at the 'corrupt, modify, or delete' misdirection when I read the press release, but it's much funnier (har har, sob) when you do the whole schmear.

Boffins foresee most software written by machines in 2040

oldtaku

Re: We've been here before...

I still know and use x64 and ARM assembly (and a bunch of 8-bits, but sadly never get to use them) for things like patching binaries we don't have source for and the occasional really time-critical thing - like getting cycle count cheap. It's why I said 'almost nobody' and not 'nobody'. I also know from trying to hire people that that skillset is incredibly rare.

oldtaku
Meh

We've been here before...

Yes, you may be able to get rid of code pigs - you may have something that does all the Java scutwork for your standard business reporting crap. Progress comes from encapsulating things - almost nobody needs to know asm any more, you don't need to draw your own UI windows, C# has data structures out the wazoo. But you're just moving the work higher, and then the work gets more complex. Maybe in the future database stuff will be so pedestrian it's seamlessly integrated.

But now you're going to need someone to specify exactly what you want - and people asking for things are notoriously, provably, bad at not knowing what they actually want. I remember the last time AI was going to get rid of programmers, and it ran right up onto the shore on this problem (and terrible performance, but we'll assume we have enough horsepower now).

Even if you assume the generic stuff is good enough for most cases, you're still not going to be able to get rid of the software/system engineers - engineers solve general problems given constraints, and if you solve /that/, you've solved problem solving - and 'no programmers' will be the least of the impacts on society. No deep learning network has demonstrated anything like general problem solving or any penchant for it. If you could perfectly encode every bit of your problem and required software solution in an input and output vector one could understand, and you could do the same thing on all existing software to train it, maybe it would surprise you. But software is not minor fault tolerant like images, and who are you going to get to do that?

Is the ratio of code pigs to engineers 4:1, giving you 80%? Maybe. I find Jeff Bigham's comments more believable. AI will let software engineers tackle bigger and better problems and not worry about the lower level stuff.

Crumbs! Crunchyroll distributed malware for a couple of hours

oldtaku
Devil

I'm surprised it took so long

Security has never been a priority at Crunchyroll. They even make you use fecking Flash to view video on their site for god's sake. So they're lucky they got off so easy.

Unless, of course, they've been pwned for months by someone more clever who's still undetected and still has hooks in their shite player...

Video games used to be an escape. Now not even they are safe from ads

oldtaku
Devil

What do you expect from mobile F2P?

F2P is a sh#$hole, mobile F2P is an open cesspit, and they hate you.

It's more disturbing when it turns up in premium games, because you paid for the game. As others have noted, though, this used to be much, much worse in the 90s.

And of course AR is going to be living hell. People have predicted that since it was conceived. There's nothing other people can't ruin.

Bluetooth bugs bedevil billions of devices

oldtaku

Re: It just wasn't designed for this - it wasn't designed

A mediocre (not bad, most are just mediocre) programmer can chug through a clean standard and implement it without doing too many bad things. But when you hit them with a terrible spec they just get completely frustrated and throw their hands up and do whatever just to make it 'work' because they're overwhelmed and confused. Can't get this to work properly? Let's just have it run arbitrary commands.

I've seen this personally with things like people implementing the terrible (and terribly named) 'Simple' Network Management Protocol - mostly with the MIBs and lack of transaction support. These guys had produced decent SMTP code, but I just had to throw their SNMP code out.

Obviously good programmers would do better, but even they make mistakes when the protocol is a nightmare. It's not the only factor, but it's one of the compounding factors.

oldtaku
Unhappy

It just wasn't designed for this - it wasn't designed

The problem is that Bluetooth just wasn't designed for anything nearly as complex as what it's doing. It was just supposed to be wireless RS-232 (serial port) for a single un-encrypted point to point audio link!

Then, since it was there (oh hey, we've got a wireless data stream?), people just started cramming more and more 'features' and s@#$ into it. So it was never designed - it was accreted. Obviously parts were designed, but that's no substitute for a system vision. And once you get an industry consortium involved it just explodes in complexity as they all try to parasitically infect the standard with their own internal protocols / standards, and often succeed.

Given all that it's stunningly, stupidly complex for no good reason. One of the worst protocols I ever had to work with and a security nightmare (because, like Flash, it wasn't designed with security in mind). There are tons more exploits lurking in the stacks.

Why does everyone still use it? Because it's an existing cross-platform standard (chicken and egg), and it mostly works if you beat your head on it enough.


Biting the hand that feeds IT © 1998–2020