* Posts by Brian Miller

1229 posts • joined 3 Jul 2007


In Rust, we lust: Security-focused super-C++ language still most loved among Stack Overflow denizens

Brian Miller Silver badge

It's a worthwhile endeavor if you think it is. Really, people learn all kinds of languages. It's a different perspective on how to do things. I learned Rust using the online tutorials, then I went and implemented N-Queens solution and a more complex dining philosophers solution. Do I use Rust at work? No, but I would like to do so. I think it's a decent language, although the lifetimes stuff can be a PITA.

Learn it, use it, and implement something. Have some fun!

Galaxy S20 security is already old hat as Samsung launches new safety silicon

Brian Miller Silver badge

Re: A chip helps but doesn't make something secure

The ARM TrustZone is a joke, and it's a rather bad one. If Samsung has implemented their cryptography properly, and if the firmware and OS use it properly, then it goes a long way towards eliminating a lot of threats. Positive identification of a phone really isn't that big of a deal. The big deal is to keep malevolent code from running on the device.

'I wrote Task Manager': Ex-Microsoft programmer Dave Plummer spills the beans

Brian Miller Silver badge

Why wasn't it in by design?

The one thing I couldn't understand about Windows was why didn't they design in so many good ideas from Unix land? After all, they had Xenix. Apparently they ignored Xenix completely during the development of all of the Windows incarnations. "kill -9" should have a song written about it.

TensorBlow? Data boffins struggle with GPU shortage in Google Cloud, opposition offers to help out coders

Brian Miller Silver badge

Re: So... the cloud...

No, they're falling on their GPUs.

But really, it's all a non-issue. How much research is really needed into AI recognition of cat videos in order to drive cars and fly airplanes? Just let the cats grab the wheel, and keep the laser pointer steady.

If you don't LARP, you'll cry: Armed fun police swoop to disarm knight-errant spotted patrolling Welsh parkland

Brian Miller Silver badge

Re: Plague Doctors?

Why worry about that? The "doctor" was wearing a face mask. Since the regulations around my neck of the woods "require" a mask, even if it's a scarf, then anything counts.

Yes, the Darth Vader mask is valid in my book.

Driveway karaoke singer who wanted to lift lockdown spirits cops council noise complaint

Brian Miller Silver badge

"They call him the streak, fastest thing on two feet ..."

Just remember to run when giving "performances" and then they probably won't know where you live.

(Thanks to Ray Stevens for that song)

DEF CON is canceled... No, for real. The in-person event is canceled. We're not joking. It's canceled. We mean it

Brian Miller Silver badge

Re: Do you have to dial into their zoom call

Everybody dials into Zoom calls. Those are boring. So are yours. Could you please put something interesting on your computer?

GitHub Codespaces: VS Code was 'designed from the get-go' for this, says Microsoft architect

Brian Miller Silver badge

Re: And so the rush back to dumb terminals with subscription access continues

Let's see, according to the title, that would mean Multics.

While IBM did have support for TCP and web servers on their mainframes, it was always just insanely expensive. That gave Sun an edge, but that edge was lost when Linux got good enough to do the job. Now it's pretty much all derived from System 7, and an open source reimplementation of System 7. Makes one wonder what it would be like if AT&T had either clamped down from the get-go and never let System 7 out the door, or never paid any attention to K&R's efforts at all.

FYI: Your browser can pick up ultrasonic signals you can't hear, and that sounds like a privacy nightmare to some

Brian Miller Silver badge

It's the microphone, not the browser

The microphone is doing the conversion of sound waves to electrical signals, not the browser. It would be best to limit the microphone in Android or iOS, not mess with a spec. While there isn't a snowflake's chance of building a ski slope in hell of it happening, it's a better chance than changing a spec or API.

There's a black hole lurking within 1,000 light years of Earth – and you can see stars circling it with the naked eye

Brian Miller Silver badge

Re: Starman on his way...?

When a black hole enters our solar system, yeah, sure, Starman could go in. However, there's a far likelier chance of one of the Voyager probes taking a dive into one, since both Voyager 1 and 2 have entered interstellar space.

Sweet TCAS! We can make airliners go up-diddly-up whenever we want, say infosec researchers

Brian Miller Silver badge

Re: But how?

Could a drone of some sort carry something to spoof the transponder signal? Or maybe balloons could carry a box with SDR.

Caltech to Apple, Broadcom: You know that $1.1bn you owe for ripping off Wi-Fi patents? Double it, hotshots

Brian Miller Silver badge

Reinstate the Xerox lawsuit

If the Xerox lawsuit was reinstated by presidential fiat, then Apple would really have something to worry about! But this is how much of iPhone sales?

OK, so you've air-gapped that PC. Cut the speakers. Covered the LEDs. Disconnected the monitor. Now, about the data-leaking power supply unit...

Brian Miller Silver badge

Yes we know they squeak

We've all known for years that power supplies can squeak. Not news. And of course you'll have to be using SSDs intead of HDDs, and make sure that the fans always run at max because you don't want data exfiltrated through RPM changes.

At some point, we just can't have nice things out in public. Just the way it is nowadays.

Latvian drone wrests control from human overlords and shuts down entire nation's skies

Brian Miller Silver badge

Re: "During a controlled test flight ..."

Well, it did have somebody twiddling knobs and such. Just because the on-board system decided that it was a great time to take a holiday shouldn't be seen in a bad light.

Rise of the machines: we're off to the beach. You fleshies can keep working.

Google is a 'publisher' says Aussie court as it hands £20k damages to gangland lawyer

Brian Miller Silver badge

But isn't a fact exactly that, a fact? The lawyer was charged. Fact of action, by the police, and is public record. It doesn't matter if the charges were dropped later. The charges were filed.

This looks a lot like 1984, where the past gets scrubbed and rewritten.

Prank warning: You do know your smart speaker's paired with Spotify over the internet, don't you?

Brian Miller Silver badge

Spotify declined to make an on-the-record statement...

No, really? After all, this isn't a vulnerability, and it's not a bug. It's a global feature that just everybody on the planet wants! Yes, everybody wants to play music to a speaker that they can't possibly hear.

Really, the speaker should have some kind of control to revoke who accesses the thing. Maybe a factory reset will do the trick. Use the button activated by a sledgehammer.

I'm doing this to stop humans ripping off brilliant ideas by computers and aliens, says guy unsuccessfully filing patents 'invented' by his AI

Brian Miller Silver badge

No ETs, no problems

"What happens when a highly advanced extraterrestrial civilization visits Earth?" Thaler told El Reg.

If they actually bother to visit, they'll just nicely wipe us out and preserve the rest of the planet for their own exploitation. We're just not that amusing.

The question is, who trained the AI? Betcha it was Thaler and partners. Thus, it was their efforts that went into the creation of what the AI generated.

Now, the real question is, who owns the invention when the AI was trained on the summation of English literature, and then the AI churns out an invention and files a patent? The AI needs to do everything on its own, and then when the patent office rejects the application, the AI can sue the patent office.

Based on the current state of what AIs actually produce, that isn't going to happen for a very, very long time.

Rust core devs mull adoption of alternative compiler front-end for improved IDE support

Brian Miller Silver badge

Simple code, simple solutions

When one is writing simple code, then simple solutions are easy. I doubt these features would have been useful for either of my post-tutorial projects, which involved threading. Getting help with lifetimes would be nice, but I have my doubts about advanced Rust and "helpful" IDEs.

In Rust we trust? Yes, but we want better tools and wider usage, say devs

Brian Miller Silver badge

Re: "vim, make, gcc, gdb, strace etc"

But that's the environment I've been using with Rust, just not with gcc and make.

I have used Rust a bit, and I've found that I can get a mutex lockup using their standard library. Really, sometimes a mutex doesn't release when it's supposed to. I've had no problems with the parking_lot mutex, though.

The language is tricky, and the "helpful" error messages can very quickly lead a person astray. The checking up front is great, and there's other good concepts.

Grab your Bitcoin while you can because Purse.io is shutting up shop in June and you could lose the lot

Brian Miller Silver badge

Ran out of magic?

Collect garden gnomes -> magic??? happens -> profit

There is much irrational exuberance (still!) around Bitcoin and ilk. Could also blame multiple business closures on Covid19, too.

Stack Overflow banishes belligerent blather with bespoke bot – but will it work?

Brian Miller Silver badge

Will it work? See YouTube...

YouTube has a lot of automatic moderation. How effective is it, really? That depends. Say your video has a randomly generated background. Well, the bots can flag your video just because someone else put up a randomly generated background before you. And you lose revenue until a human gets off their but and presses a button. Your video uses content within the law of copyright and DMCA, but you can get flagged regardless of that.

There are no good options.

'Come 75,000 workers, join us!' says Amazon. Just don't dare complain about the boss or you're out on your ear

Brian Miller Silver badge

Highest turnover in the industry

And what do you expect, employee retention? Amazon is one of the best places to quit!

RAND report finds that, like fusion power and Half Life 3, quantum computing is still 15 years away

Brian Miller Silver badge

Quantum vs COBOL

Ok, so the US just might be vulnerable to encryption being cracked by quantum computing. Maybe. If there is usable quantum computing...

The thing is, the really sensitive government stuff is protected by encryption that is not public. The problem is one for the rest of us out here, who are actually far more vulnerable to a chair and rubber hoses than encryption being broken by quantum computers. And because some mainframe back there is running COBOL, doesn't mean that it has information that is sensitive enough to warrant the expense of being cracked using a quantum computer.

Current encryption is far more vulnerable to math and GPU attacks than the alleged eventual arrival of quantum computers.

Sunday: Australia is shocked UK would consider tracking mobile data to beat pandemic. Monday: Australia to deploy drone intimidation squads

Brian Miller Silver badge

Bleating and babbling, we ...

"We'll see how long it takes before someone breaks and smacks one of the buggers with a crowbar. "

"When cometh the day we lowly ones, Through quiet reflection, and great dedication Master the art of karate, Lo, we shall rise up, And then we'll make the bugger's eyes water."

Self-driving truck boss: 'Supervised machine learning doesn’t live up to the hype. It isn’t C-3PO, it’s sophisticated pattern matching'

Brian Miller Silver badge

Re: Finally, a proper description of what the media dubs "AI" actually is

But why is this news? All along "AI" has been pattern matching, and has always been shown to be pattern matching. I remember early demonstrations of AI telling the difference between headshots of men and women, and then being confused when given headshots of the Beatles.

The real question is, can we use pattern matching to reliably navigate a multi-ton object without human intervention? Sure, if the object is on rails, and isn't subject to major random interference.

Forget James Bond's super-gadgets, this chap spied for China using SD card dead drops. Now he's behind bars

Brian Miller Silver badge

Re: Money-laundering?

$5k + $5k + $5k + $5k = $20k, no problem, no report to the feds.

I, too, am surprised to see such a light sentence. If probation is a factor, then he might only see a year in jail.

Looming ventilator shortage amid pandemic sparks rise of open-source DIY medical kit. Good thinking – but safe?

Brian Miller Silver badge

Re: It's not just the mechanicals that are needed

However even a positive pressure air system ventilator that's kitbashed together, and works acceptably, can help a less serious case and can be the difference between recovering at home and ending up in hospital.

Hey, I'm set! If I get sick, all I need to do is run a hose from my case fans to a mask, and game until cured or dead!

Tinfoil hat brigade switches brand allegiance to bog paper

Brian Miller Silver badge

Re: you'd still struggle to get through a couple of rolls

A roll a week? How?? I'd have had to have eaten a mess of things that would run through my gut like the 24 Hours of Lemons race to do that. Of course, I don't work from home. Ok, now that my employer has screamed "OMG it's a pandemic! Watch out for these symptoms!" (None of which would catch even one zombie, mind you) that I'm here at home with a new defacto mouse and keyboard farm.

Seriously, at roll lasts a minimum of two weeks, usually three.

It is 50 years since Blighty began a homegrown and all-too-brief foray into space

Brian Miller Silver badge

Black arrow is red and silver?

For some reason, I would have thought they would paint the rocket black, instead of red and silver. Especially with the nose cone such a bright shade of red, as in, "this end up."

Life in plastic, with a classic: Polymer £20 notes released into wild sporting Turner art

Brian Miller Silver badge

Re: Offensive?

No, use criminals on death row for a source of tallow. That's sure to offend far more people!

Austrian foreign ministry: 'State actor' hack on government IT systems is over

Brian Miller Silver badge

Source article interesting, kind of

The attack of the 4-byte file

The entire attack on a target network starts with a tiny command line module that sends a TCP request to an external command / control server, the command consisting of only four bytes of text [!]. This command brings in a so-called “dropper”, which then places the subsequent trojan in disguise.

This is just sooooooooo bogus! They make it sound like it only takes four bytes to hack a server, and it's done with a request. What were they expecting, a treatise on nihilism?

The attack starts because somebody in their network has said compiled code on their computer. The code from Kaspersky looks like something done as a demo of the attack, not the attack code itself.

Many years ago, a programmer made the point that firewalls should be able to whitelist only connections to known services, not just any old thing out there. Since 13277 is off in the weeds, disallowing outbound requests on that port would stop the problem.

Crypto AG backdooring rumours were true, say German and Swiss news orgs after explosive docs leaked

Brian Miller Silver badge

Re: Spies gonna spy

"moral high ground": There is no high ground in a pig wallow.

The spies do act for the government they stand for. Thing is, they may stand for a number of governments at any one time. They're just flexible like that.

Microsoft's little eyes light up as Oscar-winning Taika Waititi says Apple keyboards make him 'want to go back to PCs'

Brian Miller Silver badge

Show a PC keyboard?

Clue for the clueful: that's a C64 there! Really now, show an original PC keyboard! You know, the one with the 5-pin DIN cable and the IBM logo!

Arm gets edgy: Tiny neural-network accelerator offered for future smart speakers, light-bulbs, fridges, etc

Brian Miller Silver badge

Re: Oh No...

So what's to stop your IdiOT from still sending all that wonderful data back to the mother server for integration into the silicon all-mind for the purpose of optimizing advertising to change your mind about which toilet paper to buy?

(Hint: just steal your toilet paper from work. They have plenty.)

Super-leaker Snowden punts free PDF* of tell-all NSA book with censored parts about China restored, underlined

Brian Miller Silver badge

3.6Mb download, copy, paste, read

No problem, I can't speak or read Chinese, but I can download a 3.6Mb file, open it, copy and paste into Google Translate, and then read it just fine. Takes a little bit of effort, but not that much.

Forget the Oscars, the Solar Orbiter is off to take a close look at our nearest (and super-hot) star

Brian Miller Silver badge

Sun, science ...

What, not studying the Frog Star? Sun, sand, suffering!

RIP FTP? File Transfer Protocol switched off by default in Chrome 80

Brian Miller Silver badge

Re: File Transfer Potocol

Clue: When logging in as user 'anonymous' and your email as your password, the security of the data is rather irrelevant.

And when we wanted to do business securely, we used a physical thing called "cash". When we wanted to send confidential data, we encrypted it first, and/or sent it on a physical medium through registered mail.

Grasshopper, when you can snaffle the data transferred by punch cards in the TEMPEST room, etc., etc.

Boss planning to tear you a new one? Google Glass is back: Weird workwear aimed at devs, but on sale to all

Brian Miller Silver badge

640x360 display??

All these advances over the decades, and we don't even get CGI resolution??

Google's OpenSK lets you BYOSK – burn your own security key

Brian Miller Silver badge

Don't roll, buy

The Nordic dongle is simply a NFC CPU dev kit. This is not a solution I would recommend, and you could substitute just about any CPU on a USB key here. I could probably take the project and dump it on that Linux-on-a-business-card kit without too much difficulty. Good excuse to buy a SMT oven, though.

I do recommend the Microchip ATECC608A and ilk dev kits, though. I wrote a Python interface for their AT88CK590 dev kit, it wasn't that hard. The chips are good.

Yeah, side-channel attacks are a PITA. The company I work for runs tests for that on our chips, and has revved the prototype designs a couple of times to thwart that. All of the crypto operations look exactly the same.

Brian Miller Silver badge

Re: It's all very fascinating

OK, clue time here: the private key is generated inside the hardware itself. There is no external generation of the private key. You send the chip a command, it performs the command, and it keeps the results of the command inside it. Then you perform cryptographic operations with that value for external use. There are a few really good crypto chips that do that.

Some chips do, indeed, require a programming step with external data. And some HSMs don't have a lot going on inside them other than running Linux with everything floating around in plain text while the device is in operation.

For simply doing things like 2FA, etc., there's at least two I2C chips that fit that bill. Otherwise, you're running everything in an OS of one flavor or another.

Oh buoy. Rich yacht bods' job agency leaves 17,000 sailors' details exposed in AWS bucket

Brian Miller Silver badge

We trusted them!

Crew & Concierge director Sara Duncan blamed "the team of developers we had hired" for the bucket being left open, saying she had trusted the devs to "do a competent job" of securing "personal and sensitive personal information relating to our registered crew".

Okay, which part of "productive idiot" did you miss?

It doesn't shock me to see this, again and again. I have worked with many productive idiots, and managers who have no idea of the basic concepts of software development, let alone something like architecture and security. I hate web projects because pretty much the whole area is a shambles. The web giants don't care, the devs don't care, nobody cares because they don't feel any liability. If the local mechanic did a similar job on your car, you'd be up in arms with lawyers, etc. It comes down to devs doing garbage work, and managers letting it slide when they've been told again and again that it's going on.

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Brian Miller Silver badge

Re: How?

I am simply aghast at this rookie code. Seriously, there are two errors here: spawning shell each fscking time an email comes in, and trying to sanitize the address. Here is how to sanitize an address: do not do it, encode it, and keep it encoded, or hash it, and use the hash.

But, oh, spawning /bin/sh ... they should be put into stocks. Really.

Pop quiz: Who's responsible for data protection compliance in the cloudy era? If you said 'dunno', you're not alone

Brian Miller Silver badge

Point scores based on what?

"Conceal information with lock screen" gets 27 points. Why 27? It's like getting experience points from a dungeon master. What's the rationale for it? I have no clue.

The problem with all of this cloud computing is that so many use it like it was plugged in locally. It isn't. And a lot of the server software, like Nginx, wants important secret things, like private keys, out in the open. Sorry, encryption for important private data is available, but the server just doesn't support that. Why?????

So much of this is based on one lame hack after another. One would hope that the major corporations would come out with a brilliant product, but I think we've all been through the muck that is IIS. I am waiting for adversarial neural networks to learn to write code. We just might wind up with something better than the usual dreck.

IoT security? We've heard of it, says UK.gov waving new regs

Brian Miller Silver badge

Re: One big mistake

"Future is looking more Mad Max than Star Trek."

"I AM THE HUMONGOUS!!!" -- big fat guy with megaphone

It's not easy in a company that gives a **** about security to keep things on track, let alone a company that just wants to get a brick of **** out the door. Laws only provide a penalty phase, not actual prevention of someone doing something wrong. Putting product security into the realm of product liability for damages would be an incentive to improve.

That said, when I went to BlackHat I saw a live demo of them walking through a firewall due to one IPv6 port exposed, zipping onto a HSM and grabbing all of the secrets due to bugs in the PKCS11 implementation, and many other acts of tripping the light fantastic with a wire hooked to a Claymore. It is not easy doing security, and product testing can't be conducted by someone who doesn't care about digging into the product.

Call of Duty: Modern Warfare fragged our business VOIP: US ISP blames outage on smash-hit video game rush

Brian Miller Silver badge

Re: So

Actually, "legacy" means "our original equipment was analog over copper, and we can't find the QOS settings."

And some "legacy" VOIP software doesn't set QOS in the packets.

Well, well, well. Internet-of-Things speaker biz Sonos to continue some software support for legacy kit after all

Brian Miller Silver badge

Drop support, make it open source

Simple concept here, just drop all support and make it all open source. The newer products won't be backwards-compatible, so what's the harm?

Spanking the pirates of corporate security? Try a Plimsoll

Brian Miller Silver badge

Re: A decent backup strategy is very expensive.

No, the rigor of the exercise is "expensive." The cost is not in tape drives and scheduling, for that is minimal. The cost is getting the fscking users to close their apps is what is "expensive." "Oh, I can't do that!" Even though they are going home for 16 hours.

It's the users, not the equipment, that stand in the way of good backups. And yes, managers are users.

What Travelex should face is the managers should be fired and barred from management positions for life. That is how regulation should work. You may not have that job because you have proven yourself to be a danger.

Behold the Internet of Turf: IoT sucks waste energy from living plants to speak to satellites

Brian Miller Silver badge

Re: Uh-oh! Where's the Rise of the Machines tag?

"Surely only a matter of time before the Matrix has you?"

No, it's only a matter of time before the flesh-eating DOD robots have you. Plants now, fleshy humans tomorrow. Those who are cyborgs will have their brains scooped out, and become upholstery for robots running Windows on a 6502.

Intel teases NUC-leheads with new desktop-class graphics systems and a fast i9 CPU

Brian Miller Silver badge


... with the PS4 Pro displacing 5.3 litres, and the Xbox One measuring 4.3 litres.

This is the first time I have seen figures on how much a computer displaces, as if they need to be powered by steam or gasoline. Used to be that displacement and performance were not linked when it came to computers. How things change.

You leak our secrets? We'll leak your book sales, speech fees – into our coffers: Uncle Sam wins royalties fight against Edward Snowden

Brian Miller Silver badge

Use a different publisher?

Instead of using a US publisher, why not use a publisher in a different country? I supposed a lawyer would have to chime in.



Biting the hand that feeds IT © 1998–2020