* Posts by Lee D

3496 posts • joined 14 Feb 2013

Nervous, Adobe? It took 16 years, but open-source vector graphics editor Inkscape now works properly on macOS

Lee D Silver badge

I keep trying to use Inkscape but my needs are limited and yet it's rarely capable of performing.

One of the things I want to do is import and break open PDF format maps (not complex, simplified maps that you'd find in a brochure or advert), delete unwanted elements, save the result as a SVG or similar. Or grab a scalable logo out of a PDF.

It's a job that I used to use Serif for. I'd never touch Adobe, far too expensive. But the Affinity software just whinges after install and never runs, it's been like that since their beta period for me, and they have no solution (three different machines, three different versions of Windows).

It's perfectly capable but it's a "go away and have lunch" operation - it imports, you wait. It draws, you select (and it comes in as a huge group). You ungroup, go have a cup of tea. You return, select again, ungroup again, another cup of tea. Then it runs like a stunned sloth while you try to edit, delete and save.

I'm going to literally download it now and try:

- Windows, 64-bit, .EXE.

- Install (DON'T ADD TO MY SYSTEM PATH, what is this, 1980?)

- Run.

- Ungroup

It's slightly faster but it's still clunky.

Nine million logs of Brits' road journeys spill onto the internet from password-less number-plate camera dashboard

Lee D Silver badge

Not true under the old DPA, let alone GDPR.

Many, many, many organisations have been sued where no actual access of data could ever be proven, but where only the potential for such existed (e.g. posting a disc of data and losing it in the post).

Lee D Silver badge

DPA/GDPR lawsuits don't care about the actual consequences, they care about the potential consequences.

Hospitals were sued for millions successfully because they posted a disc which was lost in the post and couldn't PROVE that it had been encrypted and/or that the data was not available to people it shouldn't be.

Schools too. People are very lax on it, and yet the law is quite clear - the leak of actual data doesn't matter, it's the potential. Potentially even allowing you *theoretical* access (i.e. you could have got in without a password, but nobody ever did) is prosecutable under the same laws. This is one of my big-wig reasons for not giving local administrator access to any user. They can complain all they like, the letter of the law says I can't give it to them if it might reveal any data that they don't explicitly need to perform their job.

I imagine government departments get the usual light slap, but I know if my reg was on there, I'd be filing a claim via the Information Commissioner's Office for a GDPR violation of personal data (and, no, it doesn't have to have my name on there - it just needs to be data that can be linked to a particular person or persons).

Happy birthday, ARM1. It is 35 years since Britain's Acorn RISC Machine chip sipped power for the first time

Lee D Silver badge

Re: Cheers...

Spotted the engineer.

Internet root keymasters must think they're cursed: First, a dodgy safe. Now, coronavirus upends IANA ceremony

Lee D Silver badge

So they're not going to know if the keys are in the parcels and work and that they have them until the day of the ceremony?

Anyone else spot a problem here?

And surely, if this stuff was ANYWHERE NEAR secure, those parties could all have an HSM of their own with which they could verifiably sign a key with another that only they could possibly be in possession of (the HSM and its associated authentication) and then those keys - if they are in any way secure - can just be transmitted over the Internet (I would add the caveat of "avoiding DNS use" but that much should be obvious).

Safes and locks and stupid procedures opening envelopes in front of webcams is just ludicrous, I'm afraid. Unless someone can compromise 12 - or however many - independent people worldwide simultaneously, grab their HSM, torture them all for their signing info and private keys and passcodes, and sign off something fake without ANYONE noticing... even if they have to do that part of it one-by-one on a web video link...

They've had one near miss. They've set themselves up for another here. It's not going to be long before they totally screw it up because of some other instance they hadn't considered and it'll be game over for DNSSEC.

Education tech supplier RM smacked by UK schools closure

Lee D Silver badge

Re: If you cant sell virtual learning environments

Let me enlighten you:

A VLE is an intranet with a content management system so the school can put files on there, assign them to kids, the kids can login from home, view the files, submit answers or new documents, etc.

That's not the kind of thing you slap in at the last moment if you don't already have one (instead, you jump on something like Google Classroom, which is free to all schools), it's not the kind of thing you just run setup.exe and it works (server provision, port forwarding, security, LDAP integration, etc.), and it's not the kind of thing you want to sign up for a year for just because you didn't have one and think you need one to cover corona.

Lee D Silver badge

Re: Garbage

They stopped making gear years ago.

Their software is mainly just software-as-a-service type nowadays, all web-based.

As a mathematician, computer scientist and school IT manager let me just say:

IT: Good riddance, generally speaking.

Mathematician: RM Maths was actually educationally very good.

IT: RM Maths sucks (install, maintain, users, expense, etc. etc. etc.)

BT's Wi-Fi Disc ads banned because there's no evidence the things work

Lee D Silver badge

The ad watchdog -- the people in charge of verifying advertisements

Puts the telco -- the telecommunications company

On the naughty step -- in trouble

Over (their) -- because of

range-extender promotion. -- their promotion of a range-extender.

I mean, it's really not that hard. And telco isn't really even a British word, we don't use that much, it's come from the US. The rest is just literal English words used to form a slightly silly headline.

SpaceX beats an engine failure to loft another 60 Starlink satellites

Lee D Silver badge

Re: "Shows value of having 9 engines"

Unfortunately, SpaceX are not the only entity at risk if they have failures in launch, insertion or orbit (or de-orbit).

Lee D Silver badge

Re: "Shows value of having 9 engines"

"four more recoveries than anyone else has..." risked, because they knew it wouldn't be viable to do too many and there were too many variables and too much money at stake to just let the things blow up because someone didn't service them properly between.

Capita hops on UK's years-late, billions-over-budget Emergency Services Network to keep legacy system alive

Lee D Silver badge

Re: EE Data

I think it's stupid in this day and age to deal with only one vendor.

They're the government. They could literally pass legislation: As a condition of your 4G/5G operating licence you MUST provide... whatever... on all cell towers, no matter the network.

The extra cost would be reflected in a lower price at the spectrum auction, but I bet it's not £3bn lower.

Then nobody gets a network that's "picked on" in an emergency, the emergency workers get guaranteed access wherever it's theoretically available, and the telecoms operators know exactly what's happening and there are no favourites taking backhanders.

Of course... the latter reason is exactly why things aren't operated in that fashion.

Corporate VPN huffing and puffing while everyone works from home over COVID-19? You're not alone, admins

Lee D Silver badge

Re: Split-tunnelling? Security madness, surely?

What if you're a school or a secure area who, say, requires their web filter to log and filter all inappropriate accesses?

Lee D Silver badge

Re: Not just VPN accounts

Isn't that what Terminal Services was made for?

Then they can literally run their stuff on anything, and the internal corporate network is still secure from whatever junk they've bought/used/borrowed.

How does Monzo keep 1,600 microservices spinning? Go, clean code, and a strong team

Lee D Silver badge

Re: Wow

You'd rather have one big bubble that any little spike inside it can pop the entire thing?

Lee D Silver badge

Re: Banking isn't really a highly computational process

"To put this into context, every fixed line call in Germany has to go through a complete lookup of the portability database. That's a database listing every number that has ever been ported. That's millions of datasets. The lookup works with a simple barely optimized program which rarely takes more than a millisecond to look up a dataset, even on a very modest computer."

I should damn well hope so. Sorry, but it's 2020, and you're doing a lookup from a list of, say, millions of numbers to retrieve a small set of data associated with it?

There's no way it's searching one-by-one... it's hashing prefixes and following trees. If it touches 13, 14 entries for comparison, I'll be amazed. And at 3GHz, even, that's literally taking fractions of a millisecond, even if it takes hundreds of thousands of instructions on an in-memory lookup (a million data rows is NOTHING to keep in main memory).

All the IT ladies (all the IT ladies), all the IT ladies (all the IT ladies), now put your hands up! Oh, still not many here

Lee D Silver badge

When I went to university 20 years ago, there was precisely one woman in the lectures for the CS department, so less than 1%. The maths side, which I was also studying, had something approaching a 40% ratio.

After 20 years in IT working for schools, I have worked under precisely one woman (in a technical sense, not in a "they were the headmistress of the whole company"), who was an outlier and had been in banking IT for decades before and was nearing retirement. All the applicants for her replacement were male. Every time I've put out job ads (and HR are scrupulous about being equal-opportunity), from apprentices up, every single applicant was male. Every IT department I've visited has entirely male staff. We have employed women briefly, but in the "anyone can carry a computer" tier of jobs... not through want of trying, but we just don't get the applications from female applicants. Schools I've worked in have been majority-female staff in general. It just doesn't feed down to IT.

I refuse to let my department become toxic masculinity personified, so we are often the haven of staff, male and female alike, when they want some sanity. But I don't get any female applicants responding to widely-published, heavily-advertised, neutral descriptions of a job that involves nothing gender-specific, even in a female-heavy workplace. Yet we have female staff in finance doing high-level Excel and SQL, and I've worked with female teachers more than capable of teaching coding (some of them ex-COBOL programmers), and there's literally nothing in the job that's female-offputting.

There is obviously some disconnect somewhere - at some level women are discouraged from a career in IT or CS. And short of saying "female applicants welcome" or something (which is going to be construed as sexism or "looking for totty only"), as someone who hires IT staff, I can't do much more.

Helpdesk roles are perfectly well gender-neutral... anyone can man a helpdesk. Anyone can follow a procedural sheet. You don't even need to be in an office, helpdesks often operate remotely. I do speak to a number of helpdesks throughout the working day, but generally it's male. I hate to say it, but the female staff tend to be in the minority, not stretch past first-level support at all, or are literally "secretarial" staff who were answering the phone and just recording details for the IT people (almost exclusively male) to follow up on later, just so that the phone isn't ringing for too long.

I've met more female IT trainers than any other sub-profession. The techy staff, and especially the most-techy staff, tend to be male. And I say that not from a position of ignorance - I worked under a female IT Manager who taught me more than anyone else I've ever worked under, and I've worked with female teachers who were ex-COBOL programmers and who could happily geek out with me for ages. But the fact is that they are really in the minority. Whether that's manning the phones at a print service company, or programming up apps, or building servers in datacentres. Technically, I know more transgender women in the profession than I know women (I'm sure someone will complain about my wording there somehow implying that they aren't women, etc., and I'm sure my transgender friends will tell them to shut up because "he's okay" and they know what I meant).

How we fix it, I don't know. Going into schools and telling them that IT is a career for women just reminds me of Sheldon from Big Bang on his school visit where he tried to encourage the class of girls to get into science. I can't see it having much of an impact.

Researchers trick Tesla into massively breaking the speed limit by sticking a 2-inch piece of electrical tape on a sign

Lee D Silver badge

Re: Sigh.

You can literally fail your driving test for "failing to make adequate progress".

Guess how I know.

30mph on a stretch of road with multiple *hairpin bends* that were national speed limit... I protested most strongly.

Don't use natwest.co.uk for online banking, Natwest bank tells baffled customer

Lee D Silver badge

I gave up on Natwest many years ago when they told me that I couldn't use any other browser as I had to use Internet Explorer (4?) as it was "more secure". When in reality their online banking consisted of an ActiveX plugin putting a fake padlock icon into a frame that was really just an insecure site.

I mean, it wasn't quite the dark ages of the Internet, but even they should have known that that was a really bad way of doing things, and I knew enough to complain.

I moved my accounts as soon as I realised they were serious and wouldn't be changing any time soon.

I can't imagine their IT has come on any better since then, to be honest.

I've slowly worked my way through all the major highstreet banks for similar things - everything from literally laughing in my face when I applied for a mortgage (so I went to the place next door and got one basically the same day, for exactly what I was asking for), deliberately holding onto cheques for the maximum clearance period despite 10 years of paying them in (because on that ONE occasion delaying it would take me overdrawn for a fraction of a second before the next payment cleared) and don't even get me started on the 2FA device that I "had to" change to a smartphone app, but couldn't without first receiving... a 2FA device in the post that I literally used once to put the code into the app and then threw away.

I've ended up on Monzo, but I'm sure that won't be the last move. At least they do seem to have some semblance of understanding of a secure interface, however.

Ofcom: Rule change to force UK comms providers to tell you when your contract expires

Lee D Silver badge

I'd like to point out:

I don't *WANT* the very cheapest contract every damn time. The whole concept of cheapness being good is something I can't fathom. USwitch will recommend me a bunch of companies that I've blacklisted because their service is just so shite (e.g. TalkTalk Broadband).

The constant race to the bottom, with government-backed initiatives, is something that I don't understand the utility of. Do we only ever buy the cheapest car? Cheapest flat? Cheapest carpet? Cheapest fridge? How many people *ONLY* ever want the cheapest thing?

What they are supposed to be combating is long-term customers getting a worse deal than new customers, really. You don't do that by encouraging companies to constantly push the fact that they're not the cheapest in the customer's face.

I don't *want* to switch utility companies every month, or have you waste advertising and other money on services for me to do so. I want the damn company I've chosen to not raise prices artificially or "after the contract ends" any more than it would cost for someone to get a new contract.

"You could get a better deal by switching to an awful company that's a penny cheaper" isn't good economic sense for anyone.

Let the market operate itself, but put in legislation to enforce that *newer* customers should get no better a deal than is already advertised and available to all *existing* customers of those companies, and which either can switch to at any time.

The one service where I really don't give a damn how cheap and rubbish it is so long as I have it is car insurance. If I've got a properly-underwritten certificate that makes me road-legal, that's it, that's all I care about. And for some reason, every single year, it's cheaper to switch to arbitrary random companies ranging from the co-op to Halifax to the RAC - who all use the same underwriters, all have the same details about me, all utilise the same centralised self-service portals from the same company, and yet my insurance price will double once I've been with them for a year for no reason, and everyone else will be even cheaper than I got last year. It makes no sense, even if you assume they're gouging for customers who then are too lazy to ever move again. Why would the RAC, for example, put their name to something that next year they know the majority of their customers will flee and likely never return because they forced their prices up artificially?

Regulate the damn market, don't force companies to try to make you move to the cheapest deal every year, spamming you each time. If I want to move, I'll move. If I'm unhappy with the service or price rises, I'll move. If the price stays the same but doesn't follow the lowest on the market on a stupid race to the bottom... then unless I particularly care about that, I really don't see why they or I should care, when a 5-minute check will tell me if I'm being conned. Or I might just decide "Hey, their service is really good, I'll stick with them".

What do we want? A proper review of IR35! When do we want it? Last year! Bunch of IT contractors protest outside UK Parliament

Lee D Silver badge

Re: Offshoring IR35

Because that doesn't sound like an arrangement that the tax office would like to investigate and / or stop being possible at all...

B-but it doesn't get viruses! Not so, Apple fanbois: Mac malware is growing faster than nasties going for Windows

Lee D Silver badge

'Twas always a rubbish statement. Nothing is virus-free for as long as there is ever a single, solitary security hole in any component of it.

I hear the same now about Chromebooks and that's just as laughable.

Microsoft ups the ante with fix-fixing patch that leaves some Windows Server 2008 machines unable to boot

Lee D Silver badge

Reason #12497438 to not have Windows Automatic Updates turned on to automatically apply on whatever schedule they like.

Oh... but with Windows 10 you don't get a choice... because... feck-you-why?

Maker of Linux patch batch grsecurity can't duck $260,000 legal bills, says Cali appeals court in anti-SLAPP case

Lee D Silver badge

Re: No actual damage

You know that the case has NOTHING to do with the GPL, right?

One guy said "I'm gonna do this".

Another (world expert) said "I don't think you can do that".

The first guy then threatened to sue.

The expert then said "Please don't. I will fight it, it won't go your way. It's an opinion. I'm happy to just drop this now."

The first guy still sued.

Expert won the case. Filed counter-claim for, basically, being a frivolous lawsuit.

Guy appealed.

Expert won the appeal.

Guy now on the line for $250k for his own stupidity.

That the opinion was about the GPL is literally nothing to do with the case - the courts have literally said that the merits of that argument are nothing to do with the case at all, it's whether an expert was expressing his opinion or not. And they ruled it was just an opinion.

However, the GPL is quite literally the most popular open-source licence for a reason. If you want to benefit from code under the GPL, it says that you have to give that benefit back to everyone else who uses that code. If you don't like it, don't contribute to GPL code. Hell, you can still use it, it doesn't change the way you use it - only the way you *distribute* it or the way you *contribute* it.

It's quite clear and obvious.

There's a reason that Linux is supported by the world's largest IT companies despite that "payback" clause, and not FreeBSD, etc. They don't like paying back any more than anyone else. But they use it for a reason. My IBM Bladecenter server officially supports Linux, on an equal par with Windows Server. It doesn't have *any* official support for any BSD whatsoever.

Don't like it? Don't use it. Or use it but don't distribute or contribute to it. Strangely, even with that restriction, THOUSANDS of times more people choose to contribute to Linux than to the "open" BSD.

Lee D Silver badge

Couldn't happen to a nicer guy. grsecurity is, basically, just one guy.

From conversations online, he comes across as the biggest twat since Joerg Schilling and his cdrtools "why can't ordinary people just specify every device by its full SCSI path, no we'll never accept a patch to take a normal device name".

Last time I looked into it, he had to declare how large that organisation is for a Navy software contract... and it's basically one guy without even the money to pay these kinds of legal bills. I'd like to know where he's getting the money from.

And though it doesn't establish Bruce's assertions to be fact, it does prove that they aren't *categorically wrong*. They are just an untested opinion. And, as far as anyone I know is concerned, Bruce is right. You can't impose additional conditions on GPLv2 contracts. And he can't offer the code under *any* other contract as it's a straight derivative of the kernel code. What he tried to do was make a HUGE patch to the kernel to "secure" every single avenue, which is highly tied into the kernel code. A patch which he has thus far refused to break down properly and submit to the usual Linux kernel approval paths. He just expects everyone to take his mega-patch and put it in the kernel outright in one lump. But they won't. So people started breaking it down for him, and taking bits to put into Linux (which is perfectly viable - it has to be GPLv2). He took exception, threatened to cut people off from his code if they did that, including removing their access to it. Then prohibited people distributing his (GPLv2) code.

When someone called him on it and offered a legal opinion, he tried to sue them for defamation.

The guy's a moron who just wants everything his way and must always be right. $260k is a small price to pay for such action, when he could have just said "I disagree".

There. Sue me for that.

This AI is full of holes: Brit council fixes thousands of road cracks spotted by algorithm using sat snaps

Lee D Silver badge

So are you suggesting that satellite images (of active roads with vehicles) pumped into AI is somehow better than a guy poodling down every road at 10-20mph, actively looking, or even walking the streets, segwaying, skateboarding, whatever?

How the hell are you going to see any more from a satellite than a guy actually driving down the street?

And guess what - if a driver going down a road looking for potholes, and able to stop and check any time he likes (hi vis optional), doesn't see them... either he's not doing his job, or they don't affect the roadway, or the satellite ain't gonna see them either (e.g. under a parking space).

Lee D Silver badge

Seriously, how much does it cost to employ a guy 40 hours a week to drive round in a van, taking in EVERY road over the course of... hell... a month, let alone a year... and press a GPS tracker button whenever he finds one.

If this is "money-saving", then it's still a ridiculous waste of money.

I'll do it for £50k + vehicle expenses + £30 for the tracker + £20 a month for always-on data connection.

I make that about a £350,000 saving... AT LEAST over the AI, let alone whatever bureaucracy ritual they were doing before.

Very little helps: Tesco flashes ancient Windows desktop on Scan-As-You-Shop device

Lee D Silver badge

Looks like one of these:

Looks like people have been playing with them for years (this mentions 2009):


Looks like we still haven't learned that obsolete general purpose operating systems "just running" an app you want them to, incidentally to all the other background stuff that's left on there, is going to be the way that cyber-apocalypse will compromise us. Not advanced hacking and breaking encryption, but finding Wordpad running on a scanner connected to a corporate network improperly.

What is WebAssembly? And can you really compile C/C++ to it? And it'll run in browsers? Allow us to explain in this gentle introduction

Lee D Silver badge

Re: Dummies guide:

Emscripten literally has a console - and can feed into either a separate frame on the HTML page, or into the browser's console itself.

printf() and scanf() work as expected.

The only thing that wouldn't work at all would be in-line assembly.

Maybe play about with it before you comment?

Lee D Silver badge

Dummies guide:

What is WebAssembly?

Javascript. Or thereabouts.

And can you really compile C/C++ to it?

Yes. Same as Javascript. It's just a "virtual machine" / "state engine" in effect. Have been able to do this for years, this is just slightly more standardised than asmjs etc.

And it'll run in browsers?

Yes. In the browser security DOM. So when you "open file", it has to be preloaded into the browser by a specific action, you can't access the hard drive or download stuff willy-nilly, or anything stupid. You can't talk out on arbitrary network ports (but you can set up a WebSockets server on your end if you wish to "talk" to the same server as the code was downloaded from over HTTP/HTTPS). Audio works (subject to browser control), video and GL works, keyboard input, etc. work. You can do everything that a normal website can do, and everything else is emulated. Libraries like SDL have supported it for years (so you can convert SDL games to the web relatively easily).

If you want to have a play, download Emscripten, and use it to compile some C code and see what happens. Everything from Hello World to full OpenGL games can work if you know what you're doing and cut out the stuff you're not allowed to do (e.g. convert networking code to use Websockets). You might even want to look at websockify, which can turn a normal program into a web-socket version (e.g. run Client in the browser, via WebAssembly, communicating with Server at your end running websockify... the two will talk as if they were connected via normal networking, but it will all go over secure Websockets).

Honestly, try it. It's fun if you're a coder to see 20-year-old SDL C99 code load up in a browser and run as fast as you remember it.

Problems at Oracle's DynDNS: Domain registration customers transferred at short notice, nameserver records changed

Lee D Silver badge

Another company that, the second Oracle got their hands on it, I moved everything away to a rival.

Honestly, how do they not understand how badly every takeover they've ever performed is to the users of those services/product?

It's a no to ZFS in the Linux kernel from me, says Torvalds, points finger of blame at Oracle licensing

Lee D Silver badge

Re: Hypocritical

"Linux, quite happy to thieve anything from anybody when it's convenient then try to place a viral license on it."

I think "thieving" ZFS would be extremely convenient. They won't touch it through *principle*, not convenience.

For reference, many things could have been put into Linux for convenience but literally never made the grade. Go ask PaXTeam / grsecurity. It would have been very convenient to take the work that they wanted the kernel to pick up and just put it in.

Instead, after over a decade, the Linux people *went out of their way* not to, because it wasn't done by the right procedure, and rolled their own solutions instead. For years, people were trying to get grsecurity into the kernel and with the licensing they could have just slapped it in any time they liked. They didn't. Instead they reinvented the wheel and put their own in.

And they have literally no choice about the licence. They haven't had for decades. It's GPL-v2-only, now and forever, and cannot possibly change without rewriting huge portions of it all over again. It's a fait accompli, and there's nothing anyone can legally do to change it now because of all the work of dead, uncontactable or unwilling contributors meaning you can't ever change the licence. You can't even GPL-v3 it, it's that tightly bound to the code now.

Microsoft wields ML to catch child predators, city drops 7-year facial-recognition experiment after no arrests...

Lee D Silver badge

"San Diego has ended its seven-year experiment with facial recognition"

Yup. Could've told you that. I'm sure someone enriched their pockets by doing it but it's pointless as the false-positives are far too high, and far too important to leave to a computer system alone.

Every trial I've read, the only "arrests" come from random incidental things - i.e. they stopped a guy on a false positive for a mugger, but he just so happened to have some weed on him, so they nicked him. Nothing at all to do with any success of the system.

UK data watchdog kicks £280m British Airways and Marriott GDPR fines into legal long grass

Lee D Silver badge

Re: What's the point?

Your first example is literally enforcing the laws. One minute / small violations are still violations. Don't do it, you can't be fined.

Your second example is literally illegal.

Neither are good reasons for not funding a government enforcement agency looking after millions of citizens data properly.

Why is a 22GB database containing 56 million US folks' personal details sitting on the open internet using a Chinese IP address? Seriously, why?

Lee D Silver badge

Re: And closer to home?

"US contractors may have copied data to the US. That is not the same as the UK giving the data to the US."

In the eyes of UK and EU law, that step you missed is more important and damning than anything else.

You cannot just give that data, covered under UK or EU DPAs, to foreign contractors. That's literally illegal, and even with an "agreement" in place if the data is ever exposed YOU are liable for all the fallout (and the very act of allowing it may be illegal whether or not it's exposed).

This has been drummed into everybody who deals with DPA or GDPR for years now. You can't just say "Wasn't us". You gave it to them. You shouldn't have. No matter what promises were made to you, it's YOUR responsibility. If you've been irresponsible, expect major fallout as if you'd done it yourselves (but actually worse than that, because it wasn't incompetence, it was basically deliberately done against all advice).

You can't give UK/EU data to other countries, it's that simple, and every person you give it to is your responsibility no matter who they are.

Hash snag: Security shamans shame SHA-1 standard, confirm crucial collisions citing circa $45k chip cost

Lee D Silver badge

Re: Is there a database somewhere keeping track of these 'deprecations' ?

I keep saying that we need a website, with a queryable API, that returns things like:

MD5: Insecure.

WEP: Insecure.

SHA-1: Vulnerable.

SHA-256: Viable.

And that everyone can query. Then you can have things like deprecation warnings for any software that is using them and cares to check as soon as vulnerabilities come to light.

GSMA report: Sorry, handset makers, 5G is not going to save the smartphone market

Lee D Silver badge

Re: For a mobile device, 4G is more than fast enough for me.

I don't have broadband at all, I just use a 4G dongle.

I do 100-200Gb a month, which is way within the average broadband use for a home.

Never do I see a "speed limit" (i.e. buffering, stopping, pausing, things just not streaming, games jerking, etc.) but it's not the fastest thing in the world (I have 1000 games on Steam, though, so there's quite a bit of downloading large updates every now and then).

Also works out a damn sight cheaper: £20 a month, all in, on a monthly-rolling contract for unlimited amounts of data (stated "action" only happens over 1000Gb a month).

5G would be interesting to me, just to up that base speed a little, but other than that... who cares? And, technically, if they bothered to use 4G properly (which we never do in this country) then you could easily reach any speed that I could desire with it.

When a 5G router, 5G SIM and still-unlimited data is available for a reasonable price? Maybe I'll upgrade. Until then, my smartphone is only on a 4G sim and sees basically zero data use (I just join it to the wifi to take advantage of the above unlimited package, so the only data I use is if I'm actually out and about and I don't tend to stream HD movies in the car or places where there isn't already wifi).

5G signals won't make men infertile, sighs UK ad watchdog as it bans bonkers scary poster

Lee D Silver badge

Re: effects on lab test animals and not on humans,

Was once yelled at by a parent at a school asking me if I knew "that I was frying children's brains" by installing a (802.11b) wireless network.

Who then got on her phone, hand-clamped it to the side of her head, loaded her children in the car, and drove off still rabbiting on it...

Thought 5G marketing was bad? Cable industry sticks with ridiculous 10G branding as another year rolls around

Lee D Silver badge

Re: Stop this nonsense.....

If you don't *know* the difference, I suggest that you don't ask but go research it for yourself.

If you don't *understand* the difference, even after trying to research, chances are that you won't understand any explanation and it's never going to affect you and you can treat it as any other marketing term to mean, essentially, nothing in particular.

If you know and understand the difference, why are you asking me?

Linux in 2020: 27.8 million lines of code in the kernel, 1.3 million in systemd

Lee D Silver badge

Re: I've had .....

Your incoming email chime is so loud that it drowns out the movie you're watching.

The music you want to play in the background means you can't hear what the software you're using is doing, or the game you're playing.

I hate to say it, but it *is* potentially useful - which is why you would think alsamixer actually acted like a mixer and let you change levels of all playing channels out of whichever output you would like. It does the latter, not the former.

P.S. Windows has had per-process audio volume control since... what? 7 / 8? You can then make sure that your MP3 is louder than your game, that you can have the volume up to hear alerts but don't get deafened by every window click or program startup jingle or Chrome notification in the world, and you can actually choose WHICH programs you want to hear from, ever, at all, in any way.

Lee D Silver badge

What's right for the kernel programmers isn't necessarily right for the operating system users.

Despite being a programmer, having used Linux since the days of 0-numbered kernels and Slackware, and not being afraid to get my hands dirty in bash or anything else, I have absolutely given up with systemd. It either works or it doesn't, and when it doesn't, I stop caring and use something else. Diagnosing it is ridiculous, it interferes with everything, it has complete apathy to my desires (e.g. if I want to use another DNS resolver), and is just a black box that interferes in every possible system.

And along the way, I've lost simple abilities. Like the ability to choose the name of a device in /dev/, for instance. If it's a network card, I can rename it. If it's anything else I can't. And that's been put into the kernel and can't be changed. So when you have a device that appears as /dev/somethingrandom, the best you can do is symlink it from what you want it to be (and god help you if there's already something else in that name, because you can't overrule the kernel).

Hell, it takes me minutes to find relevant logs, find out why a service didn't start, etc. whereas it used to just be starting the service and watching that name in /var/log (even via a recurring cat or other basic tool).

I tried to find out how to make a systemd service the other day, I literally gave up and did it via the old backwards compatibility with runlevels.

Just because it makes your life easier does not mean it makes anyone else's. Just reminds me totally of the whole "cdrecord must have a full scsi path and you can't use, e.g. /dev/sr0 even if that's where the device lives" shite that plagued that bit of software for no sensible reason. I'm sure it made the author's life easier, but everyone else was just screaming "I just want to burn the damn CD!".

Systemd is a damn nightmare of usability, readability, capability and culpability. It's improved absolutely nothing my end, and destroyed all kinds of things that were working perfectly fine. I'm sure if you have a thousand services spread across dozens of machines it makes something simpler, but if you're just a guy with a personal computer it's a fecking nightmare from every angle. And literally *every* advantage it gave could have been done the old way, with the same kernel functionality (e.g. cgroups) exposed to the bash shell to let it happen.

Systemd solves no problem that I ever had, but is such a problem in handling that just the name is enough to make me give up now.

Hell, I tried to make a little gaming box the other day. Guess when I realised that there's literally NO WAY to move another device to become, say, /dev/input/js0 when a program is specifically looking for that path if a kernel driver has already claimed it. Literally, your device naming order depends on device discovery order and is pretty immutable unless you want to go hard-moving dev nodes around after every single boot.

It merges kernel and user-space, it destroys the init process's replayability, it doesn't do anything any faster, or any more securely, and it literally throws a paddy if you want to have anything other system systemd's named in place (plus a million and one other "essential" daemons that just seem to take over existing programs while providing less functionality and flexibility).

Honestly, I was never so disappointed as to hear that the Debian project voted to keep it "but explore alternatives" recently. It's a heap of junk.

'Tis the season to be wobbly: HSBC online and mobile banking services suffer not one but two major outages in 12 hours

Lee D Silver badge

Re: Cash is King.

And also an absolute pain in the arse.

Sod paying my car tax, council tax, TV licence, gas, water, electricity, telephone, broadband, car insurance, etc. in cash every month.

I basically live a cash-free life. Hell, in the last three years, I literally accumulated only £65 of change... and I paid that into a bank only because I got annoyed with it building up (people giving me money for things, change from notes, buying things online for people who don't like doing things online, etc.).

Hell, I bought a Square reader cheap off Amazon for if anyone feels they need to share a bill with me.

Your cash can't be used for a lot of things, is entirely impractical, a theft target, and has no more stability or value than a number in a bank account.

Just do what any sensible person does with *any* money they have - don't keep it all in the same place. Or, given it's an IT site: Always have a backup.

Why is the printer spouting nonsense... and who on earth tried to wire this plug?

Lee D Silver badge

Re: Dynamo Dan, the Electric Man

I was in the house on my own.

I had my whole arm inside a hole in the floor.

I was adhoc-grounded by a number of things near me - a radiator I was leaning against, the cables I was installing, etc.

I would not have been able to let go, I was not expecting it, and there was nobody to help. And I thought all the upstairs power was off (it was... apart from this rogue cable which I only later figured out the fuse for).

Lee D Silver badge

1) Hired a Part P-certified electrician to fit a 32A Commando connector to the outside of my house. I didn't have any plugs yet (they are a larger variant of the standard building site connector), but he demonstrated it working by plugging a lamp into an adaptor. Signed off.

When the electric kiln and other things that I later wanted to put on this didn't work, I spent weeks taking it apart and getting the electrical diagrams from the kiln manufacturer. It was only when my "commando -> mains" lead would light up an extension lead but wouldn't power anything that I started to get suspicious. A voltmeter read 18V across live/neutral, but 240V across live/earth.

Turned out that there was an incoming live, neutral and earth from the house. The earth was directly connected (correct). The live was connected through the external weatherproof switch (correct). The neutral came out of the house, into the box, into a terminal block designed for it. And then there was a short piece of blue cable to go from that terminal block to the switch. Except he'd put the incoming into one slot of the terminal block, and the outgoing short cable into another slot... so there was no actual neutral connection whatsoever.

Given that I had the certificate, and the guy was an idiot anyway, I just turned off the fusebox, rewired it, and turned it back on. Worked fine ever since.

2) Once had a room in a workplace that would fuse all the time and trip the RCD. Couldn't get to the bottom of it. Turned out to be pseudo-related to the timings of a fan heater being used. Was just about to condemn it, when I had an idea. Yes... fan heater went into an extension lead, extension lead wasn't overloaded... but did have live and neutral reversed. Switched them back, and never had a problem since.

3) Massive electrical blowout, UPS goes mad and just hard-shuts-down. Does it three/four times. Related to a catering hot-serving thing being used. Turned out that the lights for the servery used one plug, and the heater another. Also turned out that they were plugging them into two different wall sockets. Wouldn't have been an issue. Well, not if those two wall sockets had been on the same phase, anyway.

4) Moved into a new house. Put hand under floorboards when trying to put in some network cable, came back with a bundle of open-ended live twin-and-earth that fed nothing and had just been lying bare under the floorboards. Very lucky not to be dead. The next week, I was inside the under-stairs cupboard, there was a metal-backbox on the wall, with a faceplate. Thought that would be a good place to pinch some power for something low-power (a clock or something, I can't remember). Took off faceplate to reveal... a bare, live, twin-and-earth cable literally touching the metal backbox. Anyone who touched that box would have been dead too.

Learned never to take anything for granted, even if installed by qualified electricians, people you trust, or it comes with a certification. Test everything. Assume nothing. Occam's Razor is that the other guy was a fecking idiot.

GlaxoSmithKline ditches IR35 contractors: Go PAYE or go home

Lee D Silver badge

"Vessey noted that Glaxo risks losing experienced and skilled staff with detailed knowledge of the firm's systems"

That's true anyway.

And a salaried member of staff is far better in that regard than a random contractor who's in and out of all your competitors' systems too. I mean... they are contractors, right? So they only work when contracted, right? So they could disappear as soon as that contract ends, right?

IR35: If you're affected, raise your prices or go full-employed. It's really not that hard.

Oi, Queenslander who downloaded 26.8TB in June alone – we see you

Lee D Silver badge

Re: "We cannot see any content access or information sent over the internet."

Exactly this!

My workplace uses SSL interception (via a man-in-the-middle certificate on all authorised devices). I can, in theory, see absolutely anything that happens through our connection, not to mention have administrator access to everything else, including finance, HR, etc.

Though it's *always* made clear to all staff that the connection is monitored, we don't stop them going to and booking flights or whatever they need to do, so long as it doesn't interfere with their job.

The number of people who assume I must just be sitting there reading everyone's email, reading every file they make, and looking at every website they log into makes me think three things:

- They're doing something they shouldn't be.

- They themselves would be snooping if *they* could.

- They think I don't have a life.

Honestly, you're barely worth the log-space for the basics, let alone any deep analysis, and even that's basically because it's required in my industry.

Lee D Silver badge

Ah, the days when I used to go into university to use their (I think) 1Gbps line back in the late 1990s.

Me, a travelcard, and a bunch of ZIP disks and floppy disks, with a spanned zip archive and an extreme knowledge of PKZIP command line parameters.

Then go home, spend the evening unzipping them all and hoping you didn't get a dodgy disk. Was literally faster than the only dialup available to me at the time.

Best bit was when they kept publishing who was using up their resources and because they didn't have the equipment to monitor such a connection, they basically equated home-folder-storage-size-used with who-is-using-up-our-line. I escaped any scrutiny for years by downloading everything, filling up the home storage, moving it all off onto disks, deleting it, and avoiding the script that ran at a well-known time (it was in the logs that they emailed the major culprits as evidence!) so that my home folder was empty at that time.

I filled a huge thick book full of CD-Rs with all that data (no, not that kind!), still have them to this day.

Lee D Silver badge

Re: "We cannot see any content access or information sent over the internet."

You can't see the URL.

You *may* be able to *infer* the domain, but that's not given (it depends on SNI and other protocols, not to mention a dearth of other secure websites on the same IP).

You *can* see the destination IP, but that's obvious.

You can't see DNS requests if they're using a number of secure DNS services (not least things like DNSCrypt etc.).

You can see source addresses but that's little help at all.

And when they say "we cannot" it doesn't mean "we couldn't". It means "we're not allowed, and our customers would throw a fit and sue us into oblivion if we routinely did that". ISPs and back-end providers aren't even allowed to do as much as any government black-box, for example, themselves.

I can't just dig into my workplaces finance database and change numbers. It's easily *possible*, no doubt, as I have full and total access to the software, administrative rights, and the underlying storage. But I *can't* do it, legally. Nor can the ISP.

And good luck analysing terabytes of data for even a single customer like that. Even a torrent client running 24/7 could do what he's done, and you'd have basically no way of knowing what it was that he was torrenting if it was done on a private secure tracker, for example.

Hell, he could be VPNing into his other house or a rented server and using that for everything (or even be misconfigured and accidentally his default route!).

If you're worried about surveillance, use the technology that stops it.

If you're not worried, why do you care?

If they revealed any info on this, you'd be all over them for snooping on the poor guy, even if they dug into it out of curiosity.

Because they say they can't do that (which doesn't mean it's a physical impossibility, it means they can't do that and stay within their contract with the guy / the ISP), you're complaining?

In tribute to Galaxy Note 7, BBC iPlayer support goes up in flames for some Samsung TVs

Lee D Silver badge

Buy dumb TV.

Buy smart boxes to go into the TV.

At least then you can change things without having to upgrade / obsolete your TV.

WebAssembly gets nod from W3C and, most likely, an embrace from cryptojackers online

Lee D Silver badge

Java ran with full permissions to the user, and then had its own "security" (in your Control Panel modules, etc. no less).

WebAssembly is Javascript-compressed. It can't do anything that Javascript couldn't already do. And it runs inside the browser DOM, which literally doesn't have certain capabilities (if it did, Javascript would have had them too).

Lee D Silver badge

Re: I will not use this

No worse than anything else.

It's basically the same as the Javascript (ECMAScript) permissions - given that WebAssembly has its roots in the "virtual machine" made in Javascript.

Seriously, the problem is not what technology you choose, but how stupid your browser manufacturers are.

P.S. You've had a WebAssembly-enabled browser for several years now, I guarantee it.

Go play with Emscripten, which has been compiling to WebAssembly for a long time already. It's basically bound by the browser DOM security model. If that was broken, it really doesn't matter *what* language you've been using.

But you'll notice that you can't access local files, you have to run code from remote websites (so you can't just be pointed at something compromised on a local network machine), that permissions to audio, video capture and everything else are: the same damn permissions you've got available to every website and are denying/allowing already. It doesn't allow arbitrary file, memory or resource access. Hell, you have to jump through hoops just to preload files from a website and access them in a virtualised storage in order to do anything on them, and the performance hit is enormous because of the way it's done (but still more than viable for 99% of things you want to do in a browser because, hey, it's a browser).

The only interesting thing is WebSockets, but that's no different to the myriad of websites that talk back in the same way over HTTPS already.

Honestly, if your browser is dumb, it doesn't matter what language it's dumb in.

WebAssembly is just Javascript-compressed. That's it. If there's a vulnerability in it, you had that vulnerability for the last 10 years in your browser already.

But with Javascript, it's a pain in the arse to write a full 3D FPS (or, say, something like Sketchup for the Web). In WebAssembly, it's just another target for a compiler.

And, no, if you compile a memory-unsafe language (say, C99) to WebAssembly, all that happens is that your code falls over inside the WebAssembly virtual machine. Arbitrary memory pointer access is actually faked by allocation of a giant array, for instance. There are some things you just can't do because the browser DOM and the inherent absence of a capability in WebAssembly stops you.

Focus on the problem (browsers which don't implement proper security for their page interpretation) not the brand name on the language that exposes that (e.g. Javascript, WebAssembly). And, no, it's not even close to Java. Java plugins in browsers worked by Java having arbitrary access to the machine and then imposing its own (broken) security model. That's why Java plugins are basically dead now.
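The "giant array" point made in this post, as an added example that is not part of the original comment: a hand-assembled WebAssembly module whose only function does an i32.load at whatever address it is given, so a read inside the 64 KiB linear memory succeeds, while a pointer past the end traps with a WebAssembly.RuntimeError inside the VM instead of touching host memory. It assumes only the standard WebAssembly JavaScript API (Node.js or any current browser); the byte layout and the names `load`/`mem` are this example's own.

```javascript
// Added example, not code from the original post or from any project.
// Hand-assembled wasm module: exports "load" (i32 addr -> i32 value) and
// "mem" (one 64 KiB page, no maximum). Each section is labelled.
const WASM_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d,                         // magic "\0asm"
  0x01, 0x00, 0x00, 0x00,                         // binary version 1
  // type section (id 1): one signature, (i32) -> i32
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7f, 0x01, 0x7f,
  // function section (id 3): one function using type 0
  0x03, 0x02, 0x01, 0x00,
  // memory section (id 5): one memory, min 1 page, no max
  0x05, 0x03, 0x01, 0x00, 0x01,
  // export section (id 7): "load" -> func 0, "mem" -> memory 0
  0x07, 0x0e, 0x02,
  0x04, 0x6c, 0x6f, 0x61, 0x64, 0x00, 0x00,       // "load", kind func, idx 0
  0x03, 0x6d, 0x65, 0x6d, 0x02, 0x00,             // "mem", kind memory, idx 0
  // code section (id 10): body = no locals; local.get 0; i32.load align=4; end
  0x0a, 0x09, 0x01, 0x07, 0x00, 0x20, 0x00, 0x28, 0x02, 0x00, 0x0b,
]);

const PAGE_SIZE = 65536; // one wasm page

// Synchronous compile and instantiate; acceptable for a module this small.
const instance = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
const { load, mem } = instance.exports;

// Host view of the sandbox: the "arbitrary memory" the wasm code can reach
// is exactly this ArrayBuffer and nothing else.
function memorySizeBytes() {
  return mem.buffer.byteLength; // 65536 until memory.grow is used
}

// Write a little-endian i32 into linear memory from the host side.
function poke32(addr, value) {
  new DataView(mem.buffer).setInt32(addr, value, true);
}

// Ask the VM to read 4 bytes at addr. Returns the value, or records that the
// VM trapped: an out-of-bounds pointer becomes a WebAssembly.RuntimeError
// thrown to the host, never a read of host memory.
function probe(addr) {
  try {
    return { ok: true, value: load(addr) };
  } catch (e) {
    return {
      ok: false,
      trapped: e instanceof WebAssembly.RuntimeError,
      reason: e.message,
    };
  }
}

// Stand-alone demo: one in-bounds read, one that straddles the page end,
// one "wild pointer" far outside it.
poke32(16, 0x41424344);
console.log(probe(16));             // { ok: true, value: 1094861636 }
console.log(probe(PAGE_SIZE - 2));  // straddles the end of memory: trap
console.log(probe(0x7fffffff));     // far out of bounds: trap
```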


Biting the hand that feeds IT © 1998–2020