* Posts by Ozzard

92 posts • joined 15 Dec 2011


Sick of Windows but can't afford a Mac? Consult our cynic's guide to desktop Linux

Ozzard

I've spent quite a long time trying to port a moderately complex WinForms app so that it will run under WINE. I have access to the source, and it's .Net (presently Core 3.1) and, as far as we can, adheres religiously to the published APIs with no weirdness.

It doesn't port cleanly, because one third-party library (DevExpress XtraRichEdit - I ain't writing my own word processor!) does something deep in its innards that causes WINE to display cross-hatched scrollbars.

WINE might change that, but it's going to have to do so app by app, and it'll be hard to shift the line-of-business apps because at the moment the DevExpress and Infragistics of this world couldn't care less.

Ozzard

Frame Maker for me, given the choice. But that's due to ancient history.

Ozzard

Re: choose how the OS will annoy you

No. It's the lack of Microsoft Office.

Microsoft revises software licensing, cloud policies amid EU regulator scrutiny

Ozzard

"We will ensure our public cloud meets Europe's needs and serves Europe's values."

CLOUD Act says that you can't do that.

Blizzard co-leader Jen Oneal leaps into escape pod after just three months in the role

Ozzard
Alert

Pratchett, as ever, had it right

The term for this in our household is "Doing a Rincewind", after that wizard's habit of running *from* at the first sign of trouble and only after that working out what happens next.

De-identify, re-identify: Anonymised data's dirty little secret

Ozzard

Re: Change the way it's done

* You can turn off querying from organisations that break the rules.

* You can bring down the portcullis completely if you want.

* You can put a human between the request and the response, running the query past the Caldicott guardian in healthcare for example.

I was the architect of one such system.

Tachyum's Prodigy emulator achieves first boot, runs Linux and says 'hello, world'

Ozzard
Boffin

Amulet (and Spinnaker)

An ex-housemate worked on AMULET. Apparently Steve was really quite peeved that the first silicon had more than zero bugs in it, as everything he'd previously designed had come back bug-free first try. I mean, the design was only an order of magnitude bigger than anything asynchronous that anyone else had ever attempted...

The spiritual descendant is really Furber's Spiking Neural Network (Spinnaker) work - neuron simulation using only kilowatts of power, rather than megawatts. Worth the look.

Start or Please Stop? Power users mourn features lost in Windows 11 'simplification'

Ozzard

I'd love a foldable phone... sort of

As I get older and my eyesight gets worse, screen real-estate becomes more and more valuable. I'd love a device that I can fold to put in a pocket, then get out and open to tablet size so that I stand a chance of reading it. Doesn't need 400ppi, just needs lots of degrees across my field of vision with my varifocals!

Having trouble getting your mitts on that Raspberry Pi? You aren't alone

Ozzard

Believe me (I'm in that market) it isn't, because you can't get the parts. We're being quoted 1 October for 500 Pi 4B, 2022Q3 for the components for 500 of the custom boards we have for the same application. We're re-tooling from custom to Pi.

Zoom incompatible with GDPR, claims data protection watchdog for the German city of Hamburg

Ozzard
Black Helicopters

Far more entertainingly, Zoom may route call traffic between non-EU nodes

GDPR says nothing about whether or not personal data is encrypted; merely that personal data is processed.

Zoom is not a peer-to-peer network; it uses traffic routing nodes worldwide, and explicitly states in its T&Cs that it may use any node or combination of nodes to route traffic.

Net effect: your video traffic, even if allegedly "end-to-end encrypted" (show me the code, the design, and the architecture), may be processed through one of Zoom's US routing nodes on the way from an EU source to an EU destination. And if video traffic ain't personal data, I don't know what is.

Then add in users who use VPNs and deliberately appear to be in different countries, and EU offices of US organisations where the Internet traffic from the EU users pops out of a US Internet peer. Zoom has no way of knowing where any given user is physically sited, so its only recourse would be a re-architect of its entire system that routes all video and audio traffic peer-to-peer (and doesn't provide cloud recording or transcription services). Then it would only have the more common kind of user data to worry about... :-)

Sysadmins: Why not simply verify there's no backdoor in every program you install, and thus avoid any cyber-drama?

Ozzard

Possible? Clearly yes, for small enough and/or critical enough projects. One ex-colleague of mine wrote his own BCPL compiler for PDP-11, which he bootstrapped from his own PDP-11 assembler, which he originally hand-assembled. Then he wrote his own OS using that compiler. I didn't check what he used for storage and access to the PDP-11 while doing this, but it wouldn't surprise me if he went from scratch there as well.

Practical? That's a cost-benefit analysis :-).

Ozzard
FAIL

Your mission, should you choose to accept it...

... is to verify:

* the processor and system architectures for side-channel attacks, such as power or speculative execution;

* the microcode on the CPUs;

* the code on the management processor on each CPU die;

* the firmware on the network cards, disk controllers, and everything else that can DMA or can affect data ($deity help you with Thunderbolt);

* the microcode and firmware running on the flea on each server;

* the BIOS;

* the entire code of the kernel you're running and any loadable modules;

* the entirety of the user space of the operating system(s) you're running;

... and *then* you can get onto your own application(s) and the third-party libraries on which they depend.

No, you can't rely on these being checked against some suitably complex hash (remember that MD5 and SHA-1 are both considered compromised, so it'll have to be better than those) - how did you obtain that hash, and how do you know your channel to obtaining that hash hasn't been compromised?

No, you *really* can't rely on downloading the application and then comparing against the hash that you... wait for it... *downloaded from the same site*. Pure security theatre.

No, you can't rely on the browser or program you are using to download code or hash being uncompromised. Or, for that matter, the code you are using to calculate the hash.

No, you can't rely on your firewall. How do you intend to verify its firmware and its application definitions?

No, you can't rely on your network switches for data transfer. How do you intend to verify the switch's data and control planes, and its management software?

No, you can't rely on printouts. How do you intend to verify the application producing the printed version, the printer driver, the printer firmware?

No, you can't rely on your verification tools. How do you intend to verify them?

Second point: "Doing it right" would cost more than the entire revenue of most businesses - which means 100% chance of failure of the business. That's a higher chance of failure than "ignore it and hope it never happens to us". So, quite correctly, businesses try to hit the sweet spot of minimum overall chance of failure of the business - which means the standard risk management approach of choosing which ones you even bother trying to mitigate.

Final point: Overall - and I expect to be roundly downvoted for this - if the risk management is done without rose-tinted glasses, *this laziness is good for humanity*. There's no point spending more effort on verification than it takes to recover from the attacks that succeeded due to missing or failed verifications.

Faster Python: Mark Shannon, author of newly endorsed plan, speaks to The Register

Ozzard
Devil

First define your supported backward-compatible surface; the rest is "mere engineering"

I think that backward compatibility is going to be an awful lot of fun to define.

Imagine, for example, the race conditions that nobody has ever found in their multi-threaded code because the existing code has particular performance characteristics such that one thread always gets there ahead of the other / the code is slower than the hardware being controlled. Now consider a project that *only* varies timing, and makes no other change. You've already lost backwards compatibility, in that code that work{ed,s} in the old environment no longer works in the new one.

I confess I'm going to sit back, grab the popcorn, and watch the fun, continuing to avoid as far as I can the trio of Topsy-ish "just growed" P languages that were originally fucked by their lack of architecture and are now *utterly* fucked by their requirement for backward compatibility: PHP, Python, and Perl. Spawns of Santa, all of them, hence the icon.

Microsoft defends intrusive dialog in Visual Studio Code that asks if you really trust the code you've been working on

Ozzard
FAIL

"No, I absolutely don't trust all the code in this workspace, as there are eleventy-thousand build scripts and bits of Typescript compiler and packer downloaded from FSM-knows-where. But there is no model anywhere that would allow me to determine what I *could* trust. So what do I do?"

Audacity fork maintainer quits after alleged harassment by 4chan losers who took issue with 'Tenacity' name

Ozzard
Boffin

Re: Seriously?

Assume one person in 100,000 is sad enough to do something like this.

Assume you are in a city of 1 million people.

The law of large numbers applies, unfortunately.

Audacity users stick the knife – and fork – in to strip audio editor of unwanted features

Ozzard
Thumb Up

"Pluck" wins for me

Congratulations, Richard - I reckon a name that is closely related to Audacity, the plucking of a project out of the jaws of the Muse group, and plucking of stringed instruments is an excellent choice. And therefore guaranteed not to be the one chosen :-(.

Microsoft wasn't joking about the Dev Channel not enforcing hardware checks: Windows 11 pops up on Pi, mobile phone

Ozzard

If true, I'm going to make a small fortune selling tiny USB warts that are class-compliant with USB cameras and microphones, speak all the right protocols, and contain neither a camera nor a microphone.

Control the hardware and you control the system.

Microsoft releases Windows 11 Insider Preview, attempts to defend labyrinth of hardware requirements

Ozzard

Check out Pi-Hole - run on a VM if necessary

Our remaining Windows boxen and VMs are finding they're having a hard time of it reporting telemetry back to the mothership; they suddenly can't resolve any of the DNS names. Might have something to do with me blocking 53 outbound for anything except the household DNS server, which is running Pi-Hole... *innocent whistle*

Ad-free on mobile is another blessed relief.

Hubble’s cosmic science is mind-blowing, but its soul celebrates something surprising about us

Ozzard

And just like Arecibo, it will eventually fall victim to budget cuts.

Report picks holes in the Linux kernel release signing process

Ozzard

Threatening with a $5 wrench is effective in the short term but will be reported within minutes to weeks, at which point the team will take countermeasures.

That's not what most people who are interested in hacking the Linux kernel are after. They want to be an advanced, persistent threat.

Ozzard

Well done to the Linux Foundation

It's never much fun to invite independent auditors in who you know will publish their findings openly. The first time you do that, you *know* there's going to be stuff you hadn't seen hauled out into the open, and a certain amount of egg on face as a result.

Much kudos to the folks who chose this approach, and co-operated with it, despite the inevitable findings.

University duo thought it would be cool to sneak bad code into Linux as an experiment. Of course, it absolutely backfired

Ozzard

It touched the IRB - which is an alternate name for an ethics review board

https://en.wikipedia.org/wiki/Institutional_review_board is worth the check.

As the article noted:

"The paper describes how the authors submitted what's described as subtly subversive code contributions that would introduce error conditions into the operating system software, and it claims the researchers subsequently contacted Linux maintainers to prevent any bad code ending up in an official release of the kernel.

"It further states that the experiment was vetted by the university's Institutional Review Board (IRB), which determined that the project did not constitute human research and thus granted an ethical review waiver."

Ozzard

Serves the UMn ethics committee right

That was a clear "Don't be so bloody stupid" moment for UMn; perfectly reasonable that the Linux kernel folks should do what the UMn hierarchy didn't. And, given that UMn allowed this once, perfectly reasonable to ban that behaviour again.

Browser tracking protections won't stop tracking, warns DuckDuckGo

Ozzard
Black Helicopters

*checks Firefox add-ons*

AdBlock Plus (blocked 3 items on this page)

NoScript (blocked 6 items on this page)

DecentralEyes

Facebook Container

Containerise

HTTPS Everywhere

Privacy Badger (blocked 2 items on this page)

Don't Track Me Google

... yeah, no wonder Google doesn't want add-ons being able to access arbitrary features of your browser; some of these would be impossible in upcoming Chrome versions.

Big problem: Nominet members won't know how many votes they're casting in decision to oust CEO, chair

Ozzard

Re: You know what will be transparent?

"Real pork?"

"Well, genuine pig product!" said Dibbler.

Ever felt that a few big tech companies are following you around the internet? That's because ... they are

Ozzard
Black Helicopters

Re: Dogfood

Also admedo.com, ads-twitter.com. And that's presumably *after* my ad-blocker has run its sights over it. Privacy Badger reports attempted trackers from Doubleclick, Admedo, and Google Analytics. At least Decentraleyes is tolerably happy *sigh*.

Microsoft announces a new Office for offline fans, slashes support, hikes the price

Ozzard

Microsoft owns the de-facto interchange format, so can do this indefinitely

As I've said on a number of occasions in these comments, the *only* way to stop this is for someone to spend a few million to a few tens of million to set up a bug-for-bug-compatible free and/or open project that exactly tracks Office. No "improvements". No "doing it our way". No "but that's patented", even. A drop-in replacement so that users don't need re-training, investment banks can be certain that their traders' complex derivatives (many of which are *defined* in Excel spreadsheets) will keep the same values, and designers can round-trip documents without fear of formatting whoopses.

Until that point, Microsoft wins.

Nominet vows to freeze wages and prices, boost donations, and be more open. For many members, it’s too little, too late

Ozzard
FAIL

"Good, robust debate" - how?

From the article:

"I welcome a good, robust debate on all these points, conducted in the right way."

... without any way of conducting the debate because, of course, the members' forum is no longer available. I wonder what the Chairman believes "the right way" to be?

The killing of CentOS Linux: 'The CentOS board doesn't get to decide what Red Hat engineering teams do'

Ozzard

Re: Validated environments...

Oh, indeed - there's a reason anything "healthcare" costs 10x more than non-healthcare, and the validation and consequential license fees are one part of that. That said, we chose CentOS over RHEL because a) we knew what we'd be paying for features like virtualisation, and b) we could bring support in-house if absolutely necessary. We chose Linux over VMware for our virtualisation layer because of VMware's complete lack of LTS; having to upgrade your virt layer every couple of years to retain support sucks.

Ozzard

Yep. "Phone home" inside the lab setup with which I work would be looked on... poorly.

Ozzard
Boffin

Validated environments...

If you're working in healthcare, or a number of other areas, then you may need to "validate" your environment according to ICH-GxP or a similar standard. You really, really, *really* do not want to have to go through this more often than you have to. You have to revalidate *every time you change anything about the system*. Generally, this means re-testing everything you care about, with test scripts, with each step on each test script initialled to say it has been run and each script signed and dated and run by someone who has demonstrated the knowledge, skills, and experience to run that script and understand what they're doing. This can easily take a couple of months. Then there are days of paperwork to release onto the production systems.

Monthly security patch cadences are far too fast for validated systems. Annual... maybe, but only if you can make them coincide with other updates and test the whole lot in one go.

Another Rust-y OS: Theseus joins Redox in pursuit of safer, more resilient systems

Ozzard
Mushroom

Oh look, the principles don't hold in the real world

"Yeah, it almost works, but we had to break the principles for the filesystem."

Well... yes. And anywhere else you need to drive hardware concurrently and across multiple calls. Good luck getting a multi-tenant GPU driver working entirely in a principled way, such that you can have some cores used for (say) a physics sim, some more to render to textures for an external display that ships pixels across USB, and the rest for a game.

Lenovo ThinkPad Carbon X1 Gen 8: No boundaries were pushed in the making of this laptop – and that's OK

Ozzard

Another "yes" here - I still can't get used to a touchpad, especially one that takes input from my palms while I'm typing. Awful things.

Cats: Not a fan favourite when the critters are draped around an office packed with tech

Ozzard
Boffin

Fanless PCs are *wonderful* if you have pets

We usually have 2-3 cats around the house, plus two long-haired humans. We both appreciate low background noise, so both our PCs (actually midi towers from QuietPC) are fanless apart from some large slow-spinners on the graphics cards that are stopped unless we're playing 3D-intensive games. The PCs tend to last 5-7 years before needing replacement - if you're buying fanless, it's so bloody expensive that it's worth buying further up the market and extending the useful life of the boxes.

One of the unexpected advantages over the several previous generations of fanned machines is the sheer lack of crud that gets into the system. We don't get appreciable dust/fur/hair/crud/PLA wisps from the 3D printer buildup even over that lifespan.

We've paused Sigfox roof aerial payments, says WND-UK, but we'll make you whole after COVID

Ozzard
Happy

Just got paid :-)

Ancient history, I know; but WMD have paid me.

Ozzard

Re: At the moment, I'm giving them the benefit of the doubt

Yup. One of the better ways of the company folding is for it to lose its revenue because its network goes offline due to pesky suppliers turning off their supply :-). I've had a few hundred quid from them so far; I don't mind risking a few tens to reduce the chance of that bankruptcy. But let's see how the other suppliers behave.

Ozzard

Re: The Race to the Bottom

Wouldn't surprise me; it's difficult to see where they're going to get £400/yr of subscriptions in this area in order to pay me for the one that's presently on the side of the house. Not impossible, but it's going to take quite a number of devices using the network.

The installers don't seem too fussed about placement, either, so I suspect *actual* cover will be patchier than the pure base station map would suggest. Probably 90 degrees of mine is shielded by roof, and another 90 degrees by a tall nearby tree. Installers appear to be paid a fixed fee for the installation regardless of its quality, so there's an incentive to do a fast, sloppy job.

Ozzard
Go

At the moment, I'm giving them the benefit of the doubt

I have one of the units on my chimney (and, yes, it's an omni dipole). It eats a few tens of watts, and I'll keep it running for quite a few months yet rather than risk missing a payment. Neat little thing, installed in around an hour.

Take Note: Samsung said to be thinking about killing off Galaxy phablet series

Ozzard
Unhappy

That's annoying, I like the stylus

Unsurprising but annoying. I really appreciate being able to sketch things like architecture diagrams on something that captures them immediately but fits in my pocket - that's worth money to me. As my eyes get older, the "phablet" screen size also becomes more relevant!

Can I have a foldable phablet with a stylus and a wireless KVM, please, because at that point I may be able to get away with not carrying a tablet or laptop to many meetings, which means I can also ditch the rucksack?

He was a skater boy. We said, 'see you later, boy' – and the VAX machine mysteriously began to work as intended

Ozzard
Go

Re: The need for speed

Even the earlier Mondeo TDs had that issue if you normally drove politely - the recommendation from the garage on mine was to take it to the local motorway, luckily only a couple of miles away and quite high above the land, and floor it up the slip roads a couple of times before taking the vehicle for its MOT.

Also ideal for burning off boy racers at the lights - diesel is unexpectedly torquey at low revs, and I've occasionally seen some very surprised young faces through the clouds of black crud in the rear view mirror.

Ozzard
Mushroom

Nylon knickers: a whole new problem for "Britain's first supercomputer"

My father worked as a commissioning and maintenance engineer on London Atlas in the early '60s. Apparently they needed to ground the operator's chair and other bits of the environment once nylon knickers came in, lest said operators knock the machine out with a static zap.

That said, the panel into the machine at the side of the operator's chair was frequently removed: it was where the chilled air entered, and hence a perfect place to keep the shift's stash of (also recently introduced) Ski yoghurts.

(https://www.youtube.com/watch?v=6TRfy70DqD8)

The National Museum of Computing flings open its non-virtual doors

Ozzard

Well worth a visit if you've not been. Sometime, I really must see if they want any of my old bits and bobs - a PDT-11, plus my father's fine collection of early pocket calculators.

Google Chrome calculates your autoplay settings so you don't have to - others disagree

Ozzard
Black Helicopters

Repeat after me: Firefox, NoScript, a good ad blocker, Decentraleyes, Containerise, Facebook Container, HTTPS Everywhere, Privacy Badger.

Here's a sprite idea: PC pokers push pixels to LED displays with Microsoft's new platform for non-verbal comms

Ozzard
Boffin

Four bits, 15 colours

1 bit R, 1 bit G, 1 bit B, and 1 bit to halve the level of all three outputs, called "Dark". Which leads to colours like grey (dark white) and, of course, the wonderful combination of Black and Dark Black.

Nope, still no "old fart" icon :-).

We give up, Progressive Web Apps can track you, says W3C: After 5 years, it decides privacy is too much bother

Ozzard
Big Brother

Fixable with browser extension

"Trivial"* fix with a browser extension** from someone like EFF, where the extension sends the start_url (with no other user information) to a central server. If the server sees a high proportion of unique start_urls for a particular second-level or top-level domain, it responds that there may be fingerprinting going on, and the extension can warn the user.

* Relies on user installing extension, but the same is true of pretty much anything of this kind, including Privacy Badger.

** Assumes a browser extension can examine (but not manipulate) such requests. If not, perhaps the browser manufacturers should consider that extension point.
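
The server-side tally that the comment above describes can be sketched as follows. This is an added example, not part of the original post or of any existing extension or service. The class name, thresholds and sample URLs are assumptions, as are two simplifications: each install reports its start_url once, and the "site" is taken as the last two DNS labels.

```javascript
// Added example: server-side tally of reported PWA start_urls.
// Class name, thresholds and sample URLs are assumptions made for illustration.

// Reduce a start_url to { site, url }. Simplification: the "site" is the last
// two DNS labels; a deployment would consult the Public Suffix List instead.
function parseStartUrl(startUrl) {
  let u;
  try {
    u = new URL(startUrl);
  } catch (err) {
    return null; // not an absolute URL
  }
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  const labels = u.hostname.toLowerCase().split('.').filter(Boolean);
  if (labels.length < 2) return null;
  u.hash = ''; // fragments are not part of what identifies the install here
  return { site: labels.slice(-2).join('.'), url: u.href };
}

class StartUrlTally {
  constructor({ minReports = 20, uniqueRatio = 0.8 } = {}) {
    this.minReports = minReports;   // do not judge a site on a handful of reports
    this.uniqueRatio = uniqueRatio; // share of distinct start_urls that triggers a warning
    this.sites = new Map();         // site -> { total, seen: Set of start_urls }
  }

  // Record one report (the start_url and nothing else) and return the
  // current verdict for that site, or null if the report is unusable.
  report(startUrl) {
    const parsed = parseStartUrl(startUrl);
    if (parsed === null) return null;
    let entry = this.sites.get(parsed.site);
    if (!entry) {
      entry = { total: 0, seen: new Set() };
      this.sites.set(parsed.site, entry);
    }
    entry.total += 1;
    entry.seen.add(parsed.url);
    return this.verdict(parsed.site);
  }

  verdict(site) {
    const entry = this.sites.get(site);
    if (!entry || entry.total < this.minReports) {
      return { site, status: 'insufficient-data' };
    }
    // A site that hands every install the same start_url scores near 0;
    // one that embeds a per-install identifier scores near 1.
    const ratio = entry.seen.size / entry.total;
    const status = ratio >= this.uniqueRatio ? 'possible-fingerprinting' : 'ok';
    return { site, ratio, status };
  }
}

// Constructed sample reports: one site with a shared start_url, one with a
// per-install identifier in the query string, one with too few reports.
function demo() {
  const tally = new StartUrlTally({ minReports: 20, uniqueRatio: 0.8 });
  let benign, tracking;
  for (let i = 0; i < 30; i++) {
    benign = tally.report('https://app.example.com/?source=pwa');
    tracking = tally.report(`https://pwa.example.net/start?uid=${1000 + i}`);
  }
  const sparse = tally.report('https://new.example.org/');
  return { benign, tracking, sparse };
}
```
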

.NET Core: Still a Microsoft platform thing despite more than five years open source

Ozzard
Boffin

C# and .Net Core are wonderful for some classes of application

I lose count of the different languages and environments I've used - somewhere over 30, anyway. All trade off features. These days, I tend to develop over-10-line software in one of three languages:

1) Smalltalk (Squeak, these days) for pure prototyping where I only care about implementation speed. As the original team opined, it is "an exquisite personal computing environment" - crazily productive.

2) C++ where I need close-to-the-metal data layout and can't afford garbage collection. Arguably I should investigate Rust for this. Interestingly, performance in modern .Net environments is usually close enough to C++ that I no longer care about the difference.

3) C# for everything else, linked through to a platform UI library if I'm not doing web. Nice clean deploy across many different platforms - there aren't many languages where you can write an algorithm and have it run unchanged on your GPU, both major phone OSs, and all three major OSs on x64 and ARM. That's worth quite a lot to me.

Horses for courses; the ecosystem around C# works for me for quite a lot of the courses.

University ordered to stop running women-only job ads

Ozzard

*reads back*

Wow. I invite anyone interested to read the comments on this piece and take a guess at the gender bias of El Reg commenters. Then we should run a quick study to check that ;-).

Ozzard

Re: While humans are involved

Congratulations to the Aussie Public Service (APS) for its positive discrimination. Unfortunately, a) the study doesn't say what the *absolute* effect of deidentification is, merely the *relative* effect; and b) I'm unconvinced that it's relevant outside of the APS. Certainly I'd love to see the same thing tested in the UK.

Moore's Law is deader than corduroy bell bottoms. But with a bit of smart coding it's not the end of the road

Ozzard
Boffin

Re: "it beggars belief that the x86 instruction set has not been completely overhauled"

Take a look at the PDP-11 instruction set vs. the M68000. You might be surprised by the similarities - nothing new under the sun.

(Nope, still missing the "old fogey" icon)

So you locked your backups away for years, huh? Allow me to introduce my colleagues, Brute, Force and Ignorance

Ozzard

Re: Seen in the wild

The old 10Mbyte drive attached to our (6801 and M68000) processor emulator at Racal in 1985 would occasionally do the same thing, and a swift half-inch drop onto the bench would deal with it.

The Sun engineers were a little more wary of the new 1.3G 5.25" full height disks in about 1991. Apparently the oil in the bearings could get a little too viscous if they were left powered down in a cool room for too long, so the advice was to lift the box and *gently* rotate it to start it spinning up.
