* Posts by Brian Miller

1298 posts • joined 3 Jul 2007


Bot army risk as 3,000+ apps found spilling Twitter API keys

Brian Miller

Re: I wonder how much blame can be attributed to poor code examples

There's a big difference between a temporary key in a URI parameter and a key hard-coded in the source. Dumping strings from an object is old hat. Keys in source code is never a good idea. Keys in hardware is only a good idea if the key is stored in a manner that it can't be directly read, only used.

Security is supposed to be like an onion, not a waving wiener.

There is a path to replace TCP in the datacenter

Brian Miller

Re: Translation.

No, not quite at all.

My secondary shell is Wireshark, and I've been doing network programming since, ah, 1992 or so. There is much to be desired about what is going on upon the wires. The TCP start takes three packets before the actual data stream starts. If it's a secure connection, then more packets are exchanged. As the stream progresses, acknowledgement packets must be sent back relatively frequently, enough to be a burden on the traffic.

The RFCs have plenty of solutions that have been tried over the years. Simply using UDP can be just fine, but all of this takes programmers who really know their stuff. Bluffing doesn't cut it with network performance.

I haven't read all of John Ousterhout's paper, but there isn't anything in there about HOMA being published in an RFC. At least there's a GitHub project: https://github.com/PlatformLab/Homa

Engineers on the brink of extinction threaten entire tech ecosystems

Brian Miller

"I mean the EE wages are not much different from someone flipping burgers"

Nearly true, a local company wanted to pay only $75K for an EE with decades of experience. So of course the fellow declined to be hired for that wage. If the companies that need the talent can't be bothered to pay a decent wage, then of course people will leave EE and go with software.

Give us a CLU: Object Oriented Programming pioneer arrives on GitHub

Brian Miller

Re: Oh no

What, you can't use FTP at the command line? But it's so simple!

THX Onyx: A do-it-all DAC for the travelling audiophile

Brian Miller

Re: hmm really

To put it simply, my hearing has fallen off. 15K seems to be my upper limit now. So when I see things like, "to 40KHz", I know that #1 a young human can't hear that high, and #2 the source signal never had that information.

Top quality microphones are rolling off at 20KHz. A Neumann is not a slouch microphone. If the audio information isn't there in the recording, then it definitely shouldn't be there during the reproduction.

8 years ago another billionaire ploughed millions into space to harvest solar power and beam it back down to Earth

Brian Miller

Re: Tall poppy syndrome

There is a big difference between "good economical idea" and "infeasible project."

Beaming power down from space would have to be economical in comparison to building effective power plants on dirt. And honestly, a power plant Earth-side is still necessary, because the RF will still need to be converted to something the electrical grid can handle.

The conversion loss is significant. First, the solar energy must be converted to electrical energy, which is then used to power the RF transmitter. Then there is the transmission loss between space and ground. Then there is the conversion loss in the power plant. And of course, that power plant in space is going to need servicing.

So which is more economical? Taxing the shit out of excessive power usage to drive people to save power, (change your light bulbs, buy machines that can't run Crysis or mine Bitcoin), or tossing up power plants in spaaaaaaaaaace?

Russia tells UN it wants vast expansion of cybercrime offenses, plus network backdoors, online censorship

Brian Miller

Re: Why not go Orwellian?

"... suggest that everybody must have a camera and microphone implant installed in the eyes and ears."

Wasn't that Google Glass? And all that's needed, really, is to do away with that pesky HTTPS, and all that encryption nonsense.

D'oh! Misplaced chair shuts down nuclear plant in Taiwan

Brian Miller

The shield prevents a face- or palm-plant action, not an oopsie-slide-it-up-bump action. I'm guessing that the chair arm could come up over the edge of the console, and bump things.

On the positive side, the power plant should be shut down in a couple of years.

Malaysian Police crush crypto-mining kit to punish electricity thieves

Brian Miller

Ah, all the fun!

How many times I've wanted to do that to old kit. But of course, with the current price of Bitcoin, I'm guessing the fines really didn't amount to much. The loss of their houses and mining rigs was more substantial.

NASA fixes Hubble Space Telescope using backup power supply unit, payload computer

Brian Miller

Re: Great news....until.

... Until the deorbit mission fails. That's when there will be real problems!

Imagine a world where Apple shacked up with Xerox in the '80s: How might it look today?

Brian Miller

Ethernet on 6502? Apple and Xerox?

Ah, I don't think so. Really, I don't think so. I doubt the author spent "quality" time with a 1MHz 6502 processor, even if it was at the whopping max of 64K. The network card would have to be a whole 'nother computer, and probably more expensive than the Apple II. This was the heady days of audio tape for files, and 5-1/4" floppy drives that whirred and clicked. For through-hole circuits, the network card would be sitting in its own case.

Yeah, I remember my first 300-baud modem. And when I was in high school we used a real Teletype with acoustic couplers.

No, the alternate reality that should have happened was when Apple did team up with DEC. For us, nobody in those companies thought anything of that alliance. But if both companies had the right management, it would have worked.

The James Webb Space Telescope, a project dating back to the late 1900s, may launch this very century

Brian Miller

[A] project dating back to the late 1900s

Wow, to think that something could be so ... last century! Well, in CPU years it was a long time ago, but no, not really that long ago.

Yeah, great to think that the telescope might finally make it to orbit. Of course, if 10 beeelion dollars were spent on a ground telescope, it would be really great, except for the clouds of microsatellites obscuring the view. Who knew we would lose the stars just to watch cat videos...

Hoe yes he did: IT pro record-botherer balances garden tool on his head for 2.5 hours

Brian Miller

Simon will beat this

You know that Simon will beat this, or better yet con his boss into beating it. You know, a team building exercise? On the balcony railing? Remember to think those happy thoughts!

Boffins say they've improved on algorithm for dynamic load balancing of server workloads

Brian Miller

Playing with their balls, in bins


In dynamic load balancing, we wish to distribute balls into bins in an environment where both balls and bins can be added and removed. We want to minimize the maximum load of any bin but we also want to minimize the number of balls and bins that are affected when adding or removing a ball or a bin. We want a hashing-style solution where we given the ID of a ball can find its bin efficiently.

So server A is less than 10% more burdened than server B. If B has 50, A has 50-55.

Radioactive hybrid terror pigs break out of nuclear hellscape home and into people's hearts

Brian Miller

Re: What a Muppet movie this would make

And it would feature exiled zombie Napoleon, waiting on the moon to renew his conquest of the Earth!


One good deed leads to a storm in an Exchange Server

Brian Miller

Happened in the Exchange team

Me, too! Me, three! And thus the Exchange server for the Exchange team was brought to its knees, and was face down for three DAYS while the queue cleared.

Someone was testing distribution lists, and made up some lists with lots of names on them. Then someone decided to mail the whole list, asking, "What is this list for? Why am I on it?" And then things when down from there, with all the other idiots on the list also replying with something stupid.

I've seen three mail storms like that at Microsoft. And for some strange reason, nobody got fired.

Things that needn't be said: Don't plonk a massive Starlink dish on the hood of your car

Brian Miller


Had to look elsewhere for the pic, I don't have a Farcebook account. But that's a ridiculous spot to mount an antenna. I can understand if it was mounted on the roof, but the hood?? Really short hood, and the person plonked it in the middle.

International law enforcement op nukes Russian-language DoubleVPN service allegedly favoured by cybercriminals

Brian Miller

That would be the one you've set up by yourself, without telling anybody about it beforehand. Otherwise, I'm sure that all VPN providers log data. It's just a matter of who gets it, and when.

Microsoft faces up to an old foe with out-of-band patch for PDF weirdness

Brian Miller

Bork Bingo or Clue?

"Internet Explorer 11 and the Adobe Reader plug-in?" On the desktop?

Most of the time these things read sort of like a whodunit, with a different ending based on what random thing happened. And then after the software is "retired," it's frightening to see how long it's used without updates. I think my landlord is still on Windows 7...

Will containers kill VMs? There are no winners in this debate

Brian Miller

J27 wrote: "Containers are VMs..."

Uh, what? From Docker: "A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another. A Docker container image is a lightweight, standalone, executable package of software that includes everything needed to run an application: code, runtime, system tools, system libraries and settings."

A CPU VM is a hardware virtual machine, which is supposed to be isolated from everything else by hardware. It is not a package, it is an isolated virtualization of the base hardware.

One is a package. One is hardware. The package requires a host operating system, and does not stand alone. The VM stands alone.

As for makes things easier, well, only if certain vendors decide to keep their crap up to date. I work with AWS CloudHSM. The client packages for that are woefully behind for Ubuntu, and that makes a Docker image for Ubuntu currently useless. I just finished switching our Docker images to be based on AWS Linux, as I'm hoping they will keep their own crap up to date.

Yes, I agree with others, good packaging is something that is overlooked. However, that was something that has been "taught" in the workplace, and when managers with no clue are put in charge, along with "newly-educated" "software engineers" then disaster strikes. Again and again.

BOFH: Oh for Pete’s sake. Don’t make a spectacle of yourself

Brian Miller

Re: Ah, Threat-Detecting Boots

What you have to watch out for is that charlie-horse from the military years that just happens to grab, and yank your leg up straight at someone's crotch...

No, it isn't spiffy like the threat detection technology, but you couple that with PTSD, and you're good to go.

Ireland warned it could face 'rolling blackouts' if it doesn't address data centres' demand for electricity

Brian Miller

So much for Moore's Law

Yeah, as if processor efficiency makes up for inefficient use of the CPU. New Irish regulations: No script languages allowed, no AI, no Bitcoin, etc.

Tiananmen Square Tank Man vanishes from Microsoft Bing, DuckDuckGo, other search engines – even in America

Brian Miller

Re: Should we rename...

Honestly, I don't remember "bing" being an American word. There's "bingo" but not "bing". But then again, I grew up around lumber mills, not coal mines.

Azure services fall over in Europe, Microsoft works on fix

Brian Miller

Re: A 'transient issue'

Maybe a squirrel got into something. Literally. Again.

For the marketeer that has everything – except a CPU fan

Brian Miller

Re: Sign

Actually, I bet the fan is frozen. When the BIOS displays that message, the fan should be running at full tilt. But since the fan was a cheap dodgy thing, costing less than 25p, it ran until it froze. So, like, maybe a month or so. Then the CPU overheated, rebooted the system, and there it sits.

India’s vaccination-booking API criticised for excluding millions, containing bugs, and overflowing with elitism

Brian Miller

Privacy Policy??

What's wrong with no distinct privacy policy? "Your data is public, shared with all interested, paying associates, and may be scattered across the globe when someone downloads the SQLITE database." That's an honest privacy policy. All of the dishonest policies claim that your private data is safe with them. Yes, so very safe.

US declares emergency after ransomware shuts oil pipeline that pumps 100 million gallons a day

Brian Miller

Re: Lessons learnt? I doubt it.

It depends on who does the learning, and who does the managing of what has been learned. Usually there is a village missing its idiot, who is to be found wearing a suit and tie.

One time I had a brief chat with a fellow who worked for Big Oil, and he said his main job was to play "hide the (huge) profits." It's not like these companies lack resources, they lack managers who will do the job they were hired to do.

I'm guessing that the whole PC network got infected, and then it doesn't matter that the actual controllers are fine. The PCs are the machines that are used to communicate with the critical infrastructure. Even if a PC is used just for its browser, if you can't use the browser, then the PC is toast.

It's past time to move back to punch cards and paper tape! Let the miscreants try to take over OS/360 and a stack of punch cards!

Which? warns that more than 2 million Brits are on old and insecure routers – wagging a finger at Huawei-made kit

Brian Miller

Is all data equal?

"and your data porn's flowing through these"

Based on what people actually visit on the web, the idea that a home firewall/router is out of date is not exactly an existential threat to much. Yes, somebody could hack it to mine Bitcoins. Someone could hack it to execute a DDOS attack. Etcetera.

Now, as for your data being "at risk" from dodgy router software, I'm absolutely sure that the larger security vulnerability for your data is the malware already on your computer, the malware already on the server you are accessing, and the APIs and data that have been left open to world+dog by developers who haven't mastered copy-and-paste from StackExchange, and of course that you've used the same password for, like, just ever, and it's been published at least 47 times from different dumps from said server data.

And you want to blame the poor router in the corner, blinking its lights in that lonely, forlorn pattern. (Yes, a pattern...)

Ex Netflix IT ops boss pocketed $500k+ in bribes before awarding millions in tech contracts

Brian Miller

Don't trust those with purse strings!

Money breeds corruption, it just does. But the alternative is a barter system, so we're stuck with it.

Swap out people on a regular basis, that's the only way to make sure that if one starts it, then it's found out soon enough. Letting your organization become static is always an ingredient for disaster.

China cracks down on ‘excessive’ user data harvesting, gives 33 apps ten days to clean up their acts

Brian Miller

Re: Yes?

I think you mean "¥€$"

If the companies are "transparent" as the Chinese government would like, then all data is aggregated on the government's behalf, without any withholding. Or maybe it could be called data hoarding.

No, all of this data is sold on for advertising, in the vain belief that more data means more sales.

Lambda School, a coding bootcamp that takes a cut of your next tech salary, now takes a 30% cut in staff

Brian Miller

Re: Identured Servitude Agreement

"I can't wait to see what Slavery will be modernized euphemistically into by these clowns."

Bail bonds. I've been told by a person who worked in the "industry" that it's the closest thing to slavery that's legally permissible.

Microsoft joins Bytecode Alliance to advance WebAssembly – aka the thing that lets you run compiled C/C++/Rust code in browsers

Brian Miller

Re: Oh f❄︎❄︎k, they're reinventing ActiveX!

"This is a bad idea." "Yeah, let's do it differently!" (later) "This is a bad idea." "Yeah, let's do it differently!"


Traffic lights, who needs 'em? Lucky Kentucky residents up in arms over first roundabout

Brian Miller

Drive on the right? Hello??

I was absolutely shocked to see the locals driving on the left, the right, and wherever. This is a place that needs a sign, "STAY THE F*** RIGHT". There are roundabouts in the greater Seattle area, and I have never seen driving like that in the video. Sure, I have seen people driving over the circle, but never hanging a left like that.

Really, the cops should get out there and hand out tickets for idiots driving on the wrong side of the road. Or just use it as a driving test: if you can't figure out a roundabout, you lose your license for life. Move to another state and try again.

Foxconn's showcase Wisconsin LCD factory becomes aspirational 'manufacturing ecosystem'

Brian Miller

Stop paying bribes to corporations

These "incentives" are just bribes to corporations, paid for by the taxpayers. The Wisconsin voters need to throw their bums out, instead of buying into their lies.

UK.gov wants mobile makers to declare death dates for their new devices from launch

Brian Miller

Force open source instead

Instead of publishing a death date, force the manufacturer to publish the OS as open source, so we don't have to toss a good device into the landfill.

Yeah, I know, that isn't so popular with the manufacturers, either.

You put Marmite where? Google unveils its latest AI wizardry: A cake made of Maltesers and the pungent black tar

Brian Miller

Safely Ingestible

Like "mostly harmless," this is at least safely ingestible. Some of the recipes that AIs have churned out have not been fit for human consumption.

(No, I'm not a fan of marmite.)

BOFH: Bullying? Not on my watch! (It's a Rolex)

Brian Miller

Re: Hummmm sounds familiar...

"Change the rules on the fly ..."

If the rules were, in fact, actually written upon a fly, that would be a very good set of rules. They would be very few, and also unreadable. Therefore, the rules could not be enforced.

The silicon supply chain crunch is worrying. Now comes a critical concern: A coffee shortage

Brian Miller

Re: A year on from the great bog roll hoarding ....

It depends on the coffee, doesn't it? I recently bought 65 pounds of Ethiopian at $3.80/lb, and the batch before that was Tanzanian at $2.15.lb. So it depends. Yes, I could get Vietnamese robusta at $0.75/lb. And I've bought Hawaiian Kona-grown coffee at appx $25/lb.

Sure, it's green coffee, roast it yourself. But it does last a very long time when it's green. And freshly roasted coffee tastes soooooo good. Just ask James Hoffmann, who drank coffee from the 1950s for his channel audience.

SQL now a dirty word for Oracle, at least in cloudy data warehouses

Brian Miller

Re: Looking forward to the LowCode era

Barrier? What barrier? Low-barrier programming actually means "any idiot who can both edit text and invoke a compiler."

Right now I am working with the result of what looks like a CLIP+BigGAN AI wrote the code. However, it is 100% human generated. To produce a "working" program, all you need is time. And then somebody has to clean up.

Microsoft kills broad entry-level IT certifications, replaces them with all-Microsoft curriculum

Brian Miller

Re: Srsly, who cares?

Unfortunately, incompetent people care. Just like, "do you have a degree?" it is not proof that someone can do the job, and do it well. It just means they have a stamped piece of paper.

I wish I could 'fsck -y /dev/management' but there is no device there...

Let's Encrypt completes huge upgrade, can now rip and replace 200 million security certs in 'worst case scenario'

Brian Miller

As someone who works in the area of motherboards, chips, crypto, and bare epoxy boards, the Bloomberg article reeks from hell to high heaven. "Oh, these flashing ethernet lights show that it's being hacked." Uh, no. "This chip can be sandwiched between layers." Without a trace??? Yeah, some of those chips are small, but they can't just be "slipped in" at a whim.

And on and on.

Bloomberg stooped to supposition and speculation, and reported such as fact. Seriously, the worst presentations at Black Hat are better than the Bloomberg article. "Quod est demonstrata" does still have relevant meaning.

Nespresso smart cards hacked to provide infinite coffee after someone wasn't too perky about security

Brian Miller

Absolutely appalling that someone would want an unlimited supply of bad coffee.

It's 2021 and you can hijack a Cisco SD-WAN deployment with malicious IP traffic and a buffer overflow. Patch now

Brian Miller

Re: A buffer overflow parsing packets?

"It's ____ and you can ___ a ___ with ___."

Lather, rinse, repeat.

The problem with input parsing is that #1, you need programmers who care about that, and #2, who will care about testing said code. Most of the time, like nearly all of it, #1 and #2 are nowhere to be found, so that old phrase is apt, again.

This isn't rocket science, but it is computer science that isn't being taught in schools. There are lots of good books about writing parsers, and software engineering for said software. The problem is getting management and programmers to pay attention, before it's headline news.

Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes

Brian Miller

"cunning VBScript"

If Visual BASIC is your threat, then dump BASIC! As for hiding something within another process, that's sort of old hat. Also, for naming their files to "blend in" with Windows, what did they expect? A file name of "EvilL33tCodzHere.dll"? That's another trick that's very old hat.

Really, the only part here that required effort was the attackers writing their own in-memory loader. The rest of it was just going through the motions.

Cyberpunk 2077: There's a great game within screaming to get out, but sadly it was released 57 years too early

Brian Miller

Re: Disks?

Ah, the days of paper tape, it takes me back. Kids these days, they don't truly appreciate the smell of hot machine oil.

(Yes, I've played Cyberpunk2077, and I gave up on it. I simply thought it was stupid, and buggy.)

Dell Wyse Thin Client scores two perfect 10 security flaws

Brian Miller

The code review for Marketing is, "Uh, that looks like code." The design review is, "Uh, that looks shiny!"

After all, we all know that Marketing has been polishing turds since time immemorial.

SolarWinds releases known attack timeline, new data suggests hackers may have done a dummy run last year

Brian Miller

Re: Signed updates

What the report (or SolarWinds) doesn't mention is how the binaries were signed.

Where I work, I'm the one who worked out our signing process. We use a HSM, very limited access, and the access tokens are valid for a short window. For our system, basically the final binaries would have to be swapped out at the final stage of the build, before the signing happens. Possibly feasible, but the binary would have to also match the development-release binary, too.

Using a HSM means the private signing key can't be exported, so it's at least locked to that box. The limited access means that the account of the authorized individual would have to be compromised, which is, of course, feasible. There are a number of checks of the final signed binary before release, so that cuts down on the probability that a rogue binary would be delivered to customers.

Could a nation-state hack us? Possible. It's just a question of what windows of opportunity in the process are open, and how to shut as many of them as possible.

Google Cloud (over)Run: How a free trial experiment ended with a $72,000 bill overnight

Brian Miller

Not so free after all

free Firebase plan had been "upgraded due to activity in Google Cloud" and that this "initiated billing"

Wow! Instead of an expected shut-off of services, Google's real policy is to very unexpectedly put the customer on the butcher's hook.

China bans encryption exports – including quantum and key management tech

Brian Miller

Cat? Bag? Horse? Barn?

Some of the stuff that has banned has been passing across borders for quite some time, in cell phones. What is the point of the ban, when Chinese factories are literally the source of so much of what they think will be banned?

BBC picks SiFive RISC-V chip for Doctor Who programming-for-kids kit – with Jodie Whittaker narrating

Brian Miller

Re: Showing my age.

Oh, and the sun just shines outta yer bum, Pilate's pet! 1MHz, 4K, Commodore PET 2001N, the first 6502 I got my hands on at school. And when the VIC-20 came out, that's what I bought on Christmas sale. Cassette player for three years with that, until I bought a C128 and a floppy drive. Oh, the speed, the speed!



Biting the hand that feeds IT © 1998–2022