* Posts by Starace

352 publicly visible posts • joined 16 Jun 2007


Ford SYNC 3 infotainment vulnerable to drive-by Wi-Fi hijacking


Re: firewalled

From what I remember from having a poke at mine, the interface to the car was one PCB, the main processor is a different PCB, and there's a sort of shared memory datapool structure between them with fixed functionality/variable definitions.

So the operating system not only had no access to a CAN interface but the data that it could access was predefined and it had no way to vary it.

So I guess more of a data diode than a firewall?

Thanks for fixing the computer lab. Now tell us why we shouldn’t expel you?


Brings back memories

Back in the day my account on the main network somehow had no quotas, no audit, and didn't even appear in the active users lists when I was logged in.

No idea how that happened, the only real useful bit was the unlimited storage space.

Hawaiian Airlines to offer free Wi-Fi via SpaceX's Starlink


Believe it when I see it

If they haven't already got hardware in place then it's going to come as a shock to all involved just how difficult and expensive it will be to design, produce and qualify the bits for an aircraft.

Even when you already do avionics and related kit this is not a trivial job. And satellite transceivers for aircraft are a particularly nasty problem - I've heard the horror stories.

I have a horrible feeling someone has dived into offering this to customers without anything to back it up and are hoping to wing it as usual. Sadly for some things that doesn't work.

UK arm of Sungard Availability Services goes into administration


Re: The general state of the economy

The thing with barbers, and certain other sorts of businesses, is they're great if you need to do a bit of laundry for your real cash generator.

That's one reason you see so many places of certain types pop up despite a total lack of actual demand.

Had some locally get shut down for it so not just an urban legend.

Why Nvidia sees a future in software and services: Recurring revenue


Leaves a bad taste

It was bad enough when they pulled this stuff with the data centre products, charging a massive premium for the hardware and then deciding it was a great idea to start charging on top for you to actually use it. Puts you right off and makes you look for any possible alternatives. A bit like the reaction you have any time you get near Oracle.

I'd be happy if it was cost neutral somehow - others managed when their pure hardware play went to hardware plus subscription - but this stuff about $1000/user/year points away from that.

And $1000/year? They've started to believe the hype from their inflated GPU prices...

IPv6 is built to be better, but that's not the route to success


Give up

All these years later and they're still arguing and trying to get people to use it. Yet even shiny new stuff mostly ignores it.

They built a solution that's too complex to use and aims for a utopian ideal of all those billions of devices existing in a nice flat world where everything is individually addressable - and we know that isn't how the world works and never will be.

It might be antique but IPv4 is good enough and it works so it'll stay for most things forever.

UKCloud acquired: Public sector specialist finally bags investment from current chair and private equity after reporting steep losses


Re: Choosing not to report

It was a waste of time not reporting. Anyone who cared, customer or creditor, was already well aware.

This isn't a client base that needs journalists to tell them what's happening.


We all knew about it

Everyone with any interest in UKCloud already knew what was happening all those months ago and acted accordingly, even if El Reg decided to keep quiet. So that didn't help them at all and the self-censorship was utterly pointless.

The big problem is that while they provide a specialised service that was useful for some things they're stuck in that unhealthy spot of being much smaller than the usual players - so not so useful for the bulk vanilla stuff - and at a scale where you might use them for niche or PoC but for bigger 'special' stuff you may as well roll your own private cloud solution as actually being better and cheaper and easier to manage. Been around that loop more than once, and it turns out renting cloud is surprisingly expensive and compromised, while building is quite reasonable and tunable. At least if your workload isn't transient and you have specific goals in mind.

It's not a nice feeling leaving a company and they were good at partnering but there comes a point where you need to go with what works best for you and doesn't add risk. For me that isn't AWS/Azure/whatever either - went a different direction - but the UKCloud thing just wasn't sustainable.

They did nothing wrong but it's an awkward place to be stuck.

Billionaires see wealth double during pandemic as tech bros lead the charge


They actually believe the money exists!

They don't honestly believe that money is real do they? Just because something like Tesla was pumped to the $1trillion mark doesn't mean you can actually squeeze that cash out of Musk. It's amazing he's even managed to liquidate a fraction of his holdings so far.

Open source maintainer threatens to throw in the towel if companies won't ante up


Maybe the support isn't worth paying for

Is it maybe possible that if no-one wants to pay for your support maybe it just isn't good enough? There's plenty of projects where the support is excellent and well worth it but also plenty where it's either worthless or just far too expensive for what it is. Especially when more than one person offers support.

If you want to be a commercial operation you need to provide commercial levels of service. Not suddenly decide you want to try to take your toys home because you think your one man band can charge like Oracle on a perpetual basis and others disagree.

You'd think all maintainers were saints from the way some of them talk. Some are. Others are bloody useless, and will leave all sorts of problems (and submitted fixes) hanging while they pursue whatever their current interest is without letting anyone else contribute.

There are projects that are basically baseline functionality these days & embedded everywhere where the concept is good, the support (commercial & otherwise) plentiful yet you still have core maintainers who basically refuse to maintain beyond their current pet feature, and when you start poking you find that what looks superficially well designed & documented with plenty of testing is actually a mess where the features don't work and the tests don't test. And when the bugs (and fixes) go in they'll sit forever ignored...

No one makes you do these projects and if you don't want to then fine. But don't scream because you went in trying to look altruistic and the cash you actually wanted didn't roll in. If you wanted money then choose a commercial model from the start instead of moaning that the grasping bastards aren't charitable enough.

Log4j doesn't just blow a hole in your servers, it's reopening that can of worms: Is Big Biz exploiting open source?


Whinging ideologue developers

If you do something and hand it out for free you can hardly expect to whinge when people use it; if you want to be paid for your efforts then charge, otherwise just accept that your stuff will be 'exploited' if you haven't excluded that option through a contract.

The other issue with projects with a small developer team - and especially when one or two people drive most of the dev - is that they tend to become very protective of their project and ignore or reject any offers of input. External bug reports and code submissions get ignored. So even when the evil corporate bastards spend the time to check the code, find the faults and provide assistance it doesn't get accepted.

Funnily enough lots of OSS does get plenty of support and submissions from corporates spending engineering time on them, it's only certain things that stay stuck with the 'volunteers' who own the project. So maybe it's a people issue not a philosophical one?

Nextcloud and cloud chums fire off competition complaint to the EU over Microsoft bundling OneDrive with Windows


Re: Wrong angle?

It was seeing the AGPL license and the locking down of the documentation and the strong-arm tactics to push buying (expensive) licenses that made me jumpy.

I don't mind if it's a known quantity out of the box but it all felt very commercial for something that still leaves you to bolt together a solution from a pile of bits or having to rely on third parties for some sort of packaged solution.

Throwing lawsuits around isn't exactly brilliant either, especially if they look weak. I'll use your stuff if it's better.

Wondering what to do with those empty offices? How about a data centre?


You what?

So the idea is to cram obsolete inefficient kit into buildings without the power, cooling, communications, security or floor load capacity to support them? And to dress this idea up with some sort of environmentally friendly cover?

I'm sure there's a small flaw in there somewhere.

Do you want speed or security as expected? Spectre CPU defenses can cripple performance on Linux in tests



For aerospace you tend to run a scheduler per core without any bells or whistles like speculative execution - or sometimes even caching - so you can maintain determinism.

But you don't need a special CPU for that. You just turn off the bits you don't need and run a bare minimum initialisation rather than using the OEM code.

If you want a simple CPU you just use it in a simple way.

VC's paper claims cost of cloud is twice as much as running on-premises. Let's have a look at that


Just like any rental

Great for short term demand but if you have a permanent need for something it almost always works out cheaper to own it.

Cloud *platforms* are great wherever you put them, paying a cloud provider maybe not so much.

Depends on your scale though.

Meme crypto-coin literally going to the Moon, if Elon Musk is to believed, on DOGE-1 mission courtesy of SpaceX Falcon 9


Smells dodgy

It's what, about $3 million in a joke coin funnelled through what is ultimately a small manufacturer of rubber gloves.

Just as likely it all comes back to Elon himself as any other crypto pumper.

That's assuming it actually happens when so many other Musky statements go nowhere.

OVH writes off another data centre – SBG1 – and reveals new smoking battery incident


Re: You get what you pay for

Maybe cheap, but definitely not cheerful right now.

Royal Navy and Air Force get low-code bridge in UK military recruitment saga



Don't know why anyone else bothers to bid - Capita get gifted contracts they can't deliver then have to immediately sub work out to the opposing bidder to get a working solution, while sitting back taking a cut.

And people wonder why these things end up such a mess and late...

Singapore reveals open-source blockchain COVID-test result tracker, eyes uses as vaccine passport app


Why blockchain?

As with many things it's a solution, then again you can achieve the same result much more easily in other ways - it's just a reference number lookup after all.

Most applications of blockchain are just an excuse to apply it but beyond the techno wankery are difficult to justify.

I guess it generates an easy story but it's still a solution searching for a problem.

I'm fired: Google AI in meltdown as ethics unit co-lead forced out just weeks after coworker ousted



Googlers think they work in an environment where their specialness will be tolerated.

They're then shocked to find out they work for a giant corporate multinational that doesn't like people biting the hand that feeds them, or people making demands, or people searching their networks for information.

They're worker drones, and whatever gender, colour or whatever they are Google *doesn't care*. They don't discriminate but they don't tolerate either.

I think some people want a nice free startup/academic environment and they're in totally the wrong place for that.

Supermicro spy chips, the sequel: It really, really happened, and with bad BIOS and more, insists Bloomberg


Who benefits?

Seems a bit of a coincidence that the supporting 'evidence' comes from people with affiliations with a company that includes commodity whitebox servers among its products.

Or do the words 'Altera' and 'a major semiconductor company' not point in a very particular partisan direction?

Tesla axes software engineer for allegedly pilfering secret Python scripts after just three days on the job


Tesla have a QA department?!

I thought one of their innovations was doing without that sort of thing, at least that's what the state of their product suggests.

Not surprised by this incident though, if only because anyone with a brain steers well clear of working for Tesla these days.

Sloppy string sanitization sabotages system security of millions of Java-powered 3G IoT kit: Patch me if you can


Well the problem was in Gemalto kit so take a wild guess...

As for the drones you're better off asking Elbit.

Talk about a control plane... US Air Force says upcoming B-21 stealth bomber will use Kubernetes


But why?

If you want to run a compartmentalised containerised scalable workload on avionics there are already properly designed and standardised options available, with proper deterministic realtime schedulers underneath.

Though running a Kubernetes type setup on a mission support system might happen, you can put some odd things on stuff that doesn't affect flying or weapons. Though I'd still have thought security requirements might get in the way of Kubernetes being used.

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers


More high quality 'research'

So it's maybe possible to spoof the transmissions and get the system to respond as designed.

Just a shame it's utterly impractical to spoof the transmissions in any useful form except on the bench, and they didn't even do that. In other words more bollocks security 'research' pointing out a flaw that doesn't actually exist except on paper.

Also the not so minor point that they tried everything on a sim - shame that even on the Type 7 / Level D devices code for a lot of the (non-rehosted) systems is there to recreate the training effect and *IS NOT A FULL REPLICA OF THE REAL SYSTEM* so any results mean very little. Been there, wrote that, ran the flight acceptance tests... That said I remember using real TAWS boxes on sims before (which have built in TCAS) because it was easier than trying to process their terrain databases etc.

SpaceX's Elon Musk high on success after counting '420' Starlinks in orbit and Frosty the Starship survives cryo test


Re: When will Starlink become operational?

3 months maybe, 6 months definitely.

Never heard that *exact* promise from Musk before, oh no. Usually translates into 'never'.

Other news isn't pointing to a lot of functionality being available soon beyond something very minimal.

Chinese carmaker behind Volvo and Lotus ships first two satellites for planned IoT ‘OmniCloud’


Re: Only two?

Ask Musk who actually paid for that Chinese factory of his, and why that part of the business is structured the way it is.

Why build a rival to Musk when they already own him?


Pascal, it might help if you knew what you were talking about. All sorts of manufacturing already moved to (or already existed in) other countries.

Vietnam is a popular location right now, everything from Samsung phones to underpants comes from there.

All we'll see is an acceleration of the moves away from China that rising costs and threats of tariffs had already kicked off.

We're all stuck indoors, virtual reality tech should be hot. So why is Magic Leap chopping half its workforce?


Decent AR, at a price

The Varjo XR-1 does a pretty good job of AR, none of those stupid optics either - the optical combiner route is just never going to work well enough to really 'augment' reality.

Then again it is properly 'incredibly expensive' at €12k to get one in your hands. Plus the cost of something with enough grunt to drive it.

Excellent toy though if you're able to talk someone into buying one for you for 'development'.

Consumer reviewer Which? finds CAN bus ports on Ford and VW, starts yelling 'Security! We have a problem...'


Re: "Ford and VW"

Somewhere around here is a post I made which is somehow approved but hidden.

Basically good luck fiddling the buses from the Ford infotainment, the hardware is partitioned and the QNX bit has no access to CAN, it goes via datapool in shared memory to another board that can explicitly only read and write specific messages.

And you can't fiddle the infotainment software without either getting straight to the eMMC or having the correct certificate to sign any file you want to upload via the USB. But reading what's built into the factory image is easy because it's all in the upgrade packages you can freely download. There is/was a discoverable root password but the production image has no way to connect a debug console (doesn't try to start the ethernet dongle) so that's pretty useless too.

And funnily enough the CAN is all partitioned so you can't just wander around trivially, and some of the critical control buses are physically isolated. You can get around the general access security (though not the stuff needing privileged access) by reverse engineering the workshop tool protocols but that doesn't gain you much beyond what the workshop tool already does, except the ability to accidentally brick the modules.

Hur hur we canz hack it isn't quite as simple as it appears when it comes to actual exploits.


Re: Just a reminder here...

Yeah right.

It's one thing to emulate a button being pressed over the bus, it's quite another to make a module do something it's explicitly designed not to do - you'd have to replace the firmware with something utterly different and that's a whole other game.

If you're going to enter into the realm of fantasy there are easier ways to achieve the same result.

French pensioner ejected from fighter jet after accidentally grabbing bang seat* handle


Must have grabbed on hard

For obvious reasons the force required is set quite high to stop simple accidents, on the basis that when you really need to pull it you'll be motivated to do it as hard as you can until something happens.

On another note it's surprisingly easy to snap the steel cables inside the handles when you give them a suitable yank.

The sad thing with this story is that it's far from the first time someone has had a problem during a joy ride due to a long chain of carelessness, and also not the first time that things could have ended in an even worse way if not for a random event as things went wrong. At least they survived. I bet after the enquiry some were really feeling sorry for themselves.

Remember Tapplock, the 'unbreakable' smart lock that was allergic to screwdrivers? The FTC just slapped it down for 'deceiving' folks


Buy a proper padlock

*Looks at solid closed shackle Ingersoll 10-lever padlock*

A proper lock isn't cheap, but you won't get it open easily. The really good ones are built to take serious attacks and have some expensive lock cores in them.

What do a Lenovo touch pad, an HP camera and Dell Wi-Fi have in common? They'll swallow any old firmware, legit or saddled with malware



Signed firmware is a nice feature to have.

It also has a significant cost impact if you need to select an embedded controller that supports the required features to make it work, and there's usually an impact on boot time and also on how long it takes to program the kit - not so much a problem for the customer doing updates but a big issue for manufacturing.

A lot of specialist effort has been expended looking at this and it isn't trivial to sort it out even for things that cost a lot more than a webcam.

It's also worth mentioning that while signed firmware is nice to have it's not going to protect you against a truly capable opponent, it just removes the lowest hanging fruit.

Shipping is so insecure we could have driven off in an oil rig, says Pen Test Partners


And yet...

Despite all these horrible security flaws no particular sign of anyone taking advantage?

It's been nearly 40 years since Superman 3 yet no one seems to have done the 'hack ships to do stuff' thing in anger.

SpaceX's next Starlink volley remains stuck on Earth to glee of astronomers everywhere


Re: Planned IPO

Given that the Starship assembly looks like the sort of setup that would embarrass a backstreet workshop in Kabul (blokes on iffy ladders with cables trailing around working in a tent), and that they've scrapped or unintentionally blown up everything they've built so far I'm not expecting a lot of Starship action anytime soon.

Now if he'd built something more like Sea Dragon instead of a shiny comic toy mockup there might be something worth looking at. Would have managed the super-heavy lift, reusability and steel construction and maybe even have worked.


SpaceX launches

Some people might wonder if their eagerness to throw their junk into the sky is linked to the planned IPO and lots of spare launch capacity as they seem to have a collapse in demand from paying customers?

Demos of the system actually working might be a good idea too? So far all we have is lots of highly visible satellites (accident or useful way of proving they're up there?) but not a lot showing their fancy network in action.

Not that I'm cynical but Musk is involved so...

Cache me if you can: HDD PC sales collapse in Europe as shoppers say yes siree to SSD


'Primary storage'

So basically the same as we've had for a while now, SSD for the boot/system device and HDD for cheap bulk storage?

Sooner or later SSD will be cheap enough to use for everything but for the D: bulk cold store for all the junk it still has a role.

I do wonder though how many people know the difference between a cheap commodity SSD with low life & IOPS and a decent high grade NVMe one? A lot of the cheap stuff is slow garbage.

Internet's safe-keepers forced to postpone crucial DNSSEC root key signing ceremony – no, not a hacker attack, but because they can't open a safe



I just hope they didn't do what matey in the photo was trying and think they can open the door by pulling on the side with the hinges on it.

Netgear's routerlogin.com HTTPS cert snafu now has a live proof of concept


No problem here

My Netgear router fixed this problem by blowing itself up on the same day the warranty expired.

Not been tempted anywhere near one since.

UK contractors planning 'mass exodus' ahead of IR35 tax clampdown – survey



Not sure about elsewhere but around my way the specialist contractors we used on and off for years seem to have vanished in favour of a swarm of replacement contract staff shipped in from offshore.

Shame they're all absolutely useless, quite possibly worse than the last offshoring experiment from 14 years ago.

What an absolute shitshow this whole thing is turning out to be from whatever side of the contractor/customer relationship you sit on.

Google Chrome to block file downloads – from .exe to .txt – over HTTP by default this year. And we're OK with this


Misguided paternalism

So yet again a small self-selected group decides that they think something is a bad idea and they'll forcibly stop everyone doing it because everyone else is just too stupid to think for themselves.

Centrally managed word/content filters next, tuned to a suitably Googly world view?

MWC now means 'Mobiles? Whatever! Coronavirus!' as Ericsson becomes latest to pass on industry shindig


Smart move

Looking at how things are progressing in China by the time MWC kicks off we'll have moved past 'Contagion' and be well into The Stand.

Windows 7 back in black as holdouts report wallpaper-stripping shenanigans


Re: Just MSFT things

QA? They've heard of it but they can't spell it.

Whoa, whoa... Tesla slams brakes on allegations of 'unintended acceleration' bug: 'Completely false and was brought by a short-seller'



I'm sure I remember seeing a hardware analysis on this that blamed a voltage regulator reset on an integrated motor controller that was causing swings on the supply to the throttle sensors?

Pushing the wrong pedal isn't exactly rare but the statistics suggest something must be happening, and it being more than the idiots behind the wheel and overly rapid acceleration.

Copy-left behind: Permissive MIT, Apache open-source licenses on the up as developers snub GNU's GPL



I know that anything I've looked at recently tends to treat a GPL license as a poison pill. The lawyers look at it and see risk even for innocuous use cases.

It's a shame but that's the reality of it.

OpenAI's GPT-2 secret life as a pawn star: Boffins discover talkative machine-learning model can play chess


So just like its other output

Everything GPT-2 has ever produced (like fake news articles) is quite convincing at the start then quickly wanders off into garbage.

It just isn't that good, and definitely struggles to stay on track. A convincing opening can just be cribbed straight from training data but getting past that...

Intel teases NUC-leheads with new desktop-class graphics systems and a fast i9 CPU


Too expensive

They're nice little gadgets when you have a use for them, but the prices are always steep for what you actually get.

When you need that specific niche filled great but otherwise it's difficult to justify the cost.

Rowhammer rides again as FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc


Tesla 'security'

If you want a proper laugh have a look at how simple it is to gain remote access to a Powerwall, and then shudder at the destruction you can cause once you're in.

2 more degrees and it's lights out: Mercedes-Benz Grand Prix's toasty mobile bit barn


Overselling it

That 'mini datacentre' would be what, half a rack's worth? Maybe a whole rack if you really wanted to push it and have lots of spares. Hardly extreme.

And you don't treat the possibility of no aircon by having no aircon; you have aircon, you have backup aircon, then you have contingency cooling. You don't just skip to the contingency straight away.

Not a big shock though, often the team budget for these things is actually derisory. And no one actually wants the jobs as the pay and conditions are rubbish as the expectation is that 'working in F1' is a reward in itself. Hint: after the first week it isn't.