* Posts by Paul Johnson 1

101 publicly visible posts • joined 14 Jun 2013


OVH founder says UPS fixed up day before blaze is early suspect as source of data centre destruction

Paul Johnson 1

Who, me?

I look forwards to reading the "who, me?" story on this one.

Microsoft settles £200,000+ claims against tech support scammers who ran global ripoff from cottage in Surrey

Paul Johnson 1

And prosecution?

So these people have paid some money to Microsoft, but what about criminal charges? Have they been arrested and charged with fraud? If not, why not?

Supreme Court mulls whether a cop looking up a license plate for cash is equivalent to watching Instagram at work

Paul Johnson 1

Re: nothing that would get a cop convicted for looking up people's license plate numbers for cash

The article here doesn't mention this, but the cop was also convicted of "honest services fraud", which covers that angle.

Paul Johnson 1

Background information

The Electronic Privacy Information Center (EPIC) has more information here: https://epic.org/amicus/cfaa/van-buren/

Quote -------------------------

The FBI charged Van Buren with honest-services fraud and felony computer fraud. A jury convicted him on both counts. On appeal to the Eleventh Circuit, Van Buren argued, among other things, that the jury instructions were incorrect and that there was insufficient evidence to support his convictions. The Eleventh Circuit reversed and remanded the honest-services conviction because of an error in the jury instructions, but affirmed the computer-fraud conviction. The court determined that it was bound by its prior ruling in United States v. Rodriquez, where the court held that a Social Security Administration employee who accessed the personal information of seventeen individuals in an agency database for personal reasons “exceed[ed] authorized access” under the CFAA.

Van Buren petitioned for review in the U.S. Supreme Court, arguing that the Eleventh Circuit’s decision deepens a circuit split over the interpretation of “exceeds authorized access.” The Court granted review on the question

Whether a person who is authorized to access information on a computer for certain purposes violates Section 1030(a)(2) of the Computer Fraud and Abuse Act if he accesses the same information for an improper purpose.

End quote --------------------

Note that he was also convicted of "honest services fraud". The "reversed and remanded" means that it got sent back to the original court for a retrial. That retrial will probably also result in a conviction.

Paul Johnson 1

No, "legislative history" means what the lawmakers in Congress said about the law, what it meant and why they passed it. "Precedent" is what judges decided about it since then, which is completely different.

This PDP-11/70 was due to predict an election outcome – but no one could predict it falling over

Paul Johnson 1

Field engineers...

How do you recognise a field engineer with a flat tire? He's the one swapping all the wheels to find out which one is flat.

How do you recognise a field engineer with an empty fuel tank? He's the one swapping all the wheels to find out which one is flat.

Bite me? It's 'byte', and that acronym is Binary Interface Transfer Code Handler

Paul Johnson 1

Re: Colour me square

That is the kind of thing that happens when you don't have the locked-down version management stuff in place. Given the risks its a sensible trade-off. Merely blaming the user for not testing it is like blaming a Tesla driver for not paying attention to the road when on autopilot. Yes in *theory* they should, but in practice they very predictably don't.

Paul Johnson 1

Colour me square

Colour me square, but I just don't ever type any inappropriate language in to any work-related application, even if nobody else is going to see it. There have been too many cases like this (anyone remember "Dear Rich Bastard"?) and the momentary giggle isn't worth the risk.

Watchdog slams Pentagon for failing – for a third time – to migrate US military to IPv6

Paul Johnson 1

Re: NAT is not a firewall

Home Internet ISPs will carry on providing router/firewall/Wifi boxes so that Grandma can connect to the Internet as securely as she does now. IPv6 doesn't make a difference there.

Small businesses will do likewise.

Anyone above that level will be hiring people to look after their IT.

Paul Johnson 1

NAT is not a firewall

Repeat after me: NAT IS NOT A FIREWALL.

If you want a firewall in IPv6 you can have one. In practice NAT and firewall functionality have such big overlaps that NAT boxes generally include firewall settings too, but creating an IPv6 firewall with default settings that resemble IPv4 NAT is a trivial job (basically, block all incoming connections but allow all outgoing).

If you bought a CRT monitor, TV 13+ years ago, hold on a little longer, there may be a small check for you

Paul Johnson 1


Yes, you can have your refund. We just need to see the original sales receipt.

Oh dear, you didn't keep it. More fool you. You don't pass go, you don't collect $2.

Lenovo certifies all desktop and mobile workstations for Linux – and will even upstream driver updates

Paul Johnson 1

How much money off do you get for not buying Windows?

Do you still pay the "Windows tax" even if you don't want Windows?

The shelves may be empty, but the disk is full: Not even Linux can resist the bork at times

Paul Johnson 1


Run level 3 means that all networking and "user space" processes (web server, time daemon, login daemon etc) have started, but X Windows has not. A user can now log in at the terminal or via SSH (or probably TCP, given the obvious age).

At a guess the failed processes are part of a log writer, so probably /var is full, since that is where the logs go. It depends on the distribution, but probably /var is just part of the root file system. There should be a log rotation and expiry job run by cron once a day which deletes anything older than a week. At a guess, this hasn't been running.

Want to own a bit of Concorde? Got £750k burning a hole in your pocket? We have just the thing

Paul Johnson 1

Way ahead of me

Thats what I like about El Reg. I saw the sub-head about "static display only" and instantly thought I should post "yes, but that doesn't mean you couldn't fire it up". But no, you got there ahead of me.

The Wristwatch of the Long Now: When your MTBF is two centuries

Paul Johnson 1

Beware survival bias

No doubt there were lots of watches made 200 years ago that stopped working 6 months later. We don't see those. We only see the ones that have lasted 200 years, and we marvel at how reliable they are.


AMD really, really wants you to know its chips are doing OK without any help from Intel and its supply issues

Paul Johnson 1

For once, its not just spin

Between Intel's on-going security issues, the high core-count of AMD parts and their superior single core performance I had already decided to make my next upgrade an AMD one, despite having opted for Intel for the last couple of decades. There is no question which is the better CPU at present.

Why is the printer spouting nonsense... and who on earth tried to wire this plug?

Paul Johnson 1

Why didn't the earth leakage detector trip?

Don't offices have earth leakage detectors (aka residual current devices RCDs)? If that much current went from live to earth then it ought to have tripped the instant it was plugged in.

We are absolutely, definitively, completely and utterly out of IPv4 addresses, warns RIPE

Paul Johnson 1

IPv4 is a barrier to entry, so ISPs like it.

The article says "Then there’s the fact that some ISPs just don’t see it impacting their bottom line and so can’t be bothered."

Its actually worse than that.

One of the things you want in a business is a barrier to entry for would-be competitors, the higher the better. If there is no barrier to entry then competition will drive prices down to the point where you can barely make any money (as any Uber driver will tell you). Having a barrier to entry lets you raise prices to just below the point where competitors would find it profitable to buy in.

Exhaustion of IPv4 addresses makes it difficult to start up a new ISP; you can't just request a few nice big /16 blocks to get you started, you have to go out and buy a /8 here and a /8 there. Meanwhile existing ISPs are sitting pretty with their existing pools of IPv4 addresses. In fact the secondary market makes those an appreciating asset, something else that businesses like to have.

If IPv6 becomes widespread then this barrier to entry disappears and the existing pools of IPv4 become worthless. So it is in the ISPs interests to delay this evil day for as long as possible.

One man's mistake, missing backups and complete reboot: The tale of Europe's Galileo satellites going dark

Paul Johnson 1

Where were the risk assessment and reversion procedure?

I used to work in a related area where high accuracy, uptime and reliability are critical. Anything done on the live system had to be rehearsed on the test system first. It had to be done according to a written procedure which had been reviewed and approved beforehand. Part of the review was a risk assessment (i.e. ask "what could possibly go wrong?"). There also had to be a reversion procedure (i.e. "We screwed up; put it back the way it was").

We did have occasional outages, including one particularly embarrassing incident where "Do routine thing" was next to "Shut down the system" on a menu. But they were rare, and both management and engineering took justifiable pride in that.

One thing we would *NEVER* do is blame the engineer holding the mouse (short of actual malice). If they made a mistake, its because the system upstream of them enabled that mistake and set them up to fail. You don't shoot the engineer, you fix the system.

Tor blimey, Auntie! BBC launches dedicated dark web mirror site

Paul Johnson 1

Re: BBC News

Well, a .onion address is the hash of a private key. "bbcnews" is 7 letters, and .onion domains use letters and numbers, so a search for a name with that prefix would need on average 36^7/2 = 39,182,082,048 hashes. At 20 million hashes per second that is about half an hour.

Paul Johnson 1
IT Angle

Why a ".onion" service?

Why does the BBC need a ".onion" service?

TOR routes your packets through its "onion" layers to obfuscate your location, but when those packets reach an onion "exit router" they are put out on the normal Internet. So someone in Elbonia who needs to hide the fact that they are accessing the BBC can use TOR to go to bbc.co.uk, and the Elbonian Secret Service will be non the wiser.

The .onion domain works the other way round; if you want to offer a web server without giving away your location then you can generate a name in the .onion domain, and the TOR exit router will then route your packets to your secret server. This would be useful for an Elbonian dissident who wants to host a secret bulletin board, but publicly saying "We are the BBC and we offer bbcnewsv2vjtpsuy.onion" defeats the purpose of having a .onion address in the first place.

Samsung on fridge cert error: Someone tried to view 'unsavoury content' in middle of John Lewis

Paul Johnson 1

Actually, its probably for any HTTPS site

Company intranets that block NSFW websites (basically meaning all of them) do so using a HTTPS proxy. The browser connects to the proxy instead of the real web site and the proxy masquerades as the site. In order for this to work the browser needs to have a certificate for the proxy, basically telling it that the same certificate is owned by every single web site on the Internet. In-house PCs will have this certificate installed by the IT department, but obviously someone forgot to notify them about the fridge.

So this message is not the result of someone trying to access porn, its probably just from the fridge trying to phone home and getting a certificate error.

Which is actually a Good Thing: the fridge security is configured properly, at least for outgoing HTTPS access.

Confused why Trump fingered CrowdStrike in that Ukraine call? You're not the only one...

Paul Johnson 1
Black Helicopters

Trump really believes a conspiracy theory

Trump is referring to a conspiracy theory about a "missing" DNC server containing Hilary Clinton's emails. According to this theory, the FBI deliberately failed to seize this server, and it was subsequently smuggled to the Ukraine by Crowdstrike, who were the company hired by the Democrats to investigate the hack which obtained the original emails. He wanted Zelensky to use his police force to go find this mythical server (presumably in the custody of the Knights Who Say Ni).

See https://www.rollingstone.com/politics/politics-news/what-is-the-crowdstrike-conspiracy-theory-890459/ or just google "crowdstrike conspiracy".

The fact that Zelensky is a professional comedian just adds extra wierdness. He was probably thinking "I could never have invented this in a million years."

Apple's looking at you, kid: Fanbois froth over AR patent docs for gaze tracking headset

Paul Johnson 1
Big Brother

Big brother will know what you like.

What you look at, and for how long, is a big clue about what you like. If your eyes spend more time on something then its a good bet its because you like looking at it. People with weight problems often spend more time looking at food adverts or outlets. And which bits of which other people do your eyes tend to linger on? See this article for more details. https://www.vice.com/en_us/article/bj9ygv/the-eyes-are-the-prize-eye-tracking-technology-is-advertisings-holy-grail

Robot Rin Tin Tin can rescue you from that collapsed mine shaft

Paul Johnson 1

Rin Tin Tin Can

No need for any extra words, this is just a story about a Rin Tin Tin Can

An Army Watchkeeper drone tried to land. Then meatbags took over from the computers

Paul Johnson 1

Re: Army culture vs Air Force culture

Thanks for the reply. I must admit this was second hand information, so sorry for any errors.

I never meant to suggest that this happened merely because the Watchkeeper wasn't being flown by an officer, more that it wasn't being flown by a pilot. As you point out, the two are not synonymous.

Paul Johnson 1
Black Helicopters

Army culture vs Air Force culture

The important difference between Watchkeeper and Air Force drones like Global Hawk is the mentality of the organisation.

In the Air Force, flying is done by Flying Officers, emphasis on Officer. To fly a drone you must be a properly qualified pilot with many hours in the cockpit. Air force drone user interfaces are designed on that assumption; the pilot is controlling the drone second by second, steering it on the correct course and altitude while monitoring airspeed and responding to any unusual situations as pilot in control. The Air Force will not buy a drone which does not require a pilot to fly it.

In the army, operating machinery is done by enlisted men (OK, maybe a few enlisted women as well). Officers have more important things to do. If it is complicated machinery then there may be a two week training course during which time you learn the drill. Hence the Watchkeeper user interface is designed on the assumption that it is going to be operated by someone who doesn't know how to fly, but can press the right buttons. The user enters waypoints on a map using click and drag as instructed by an officer who has decided what needs to be patrolled or surveilled, and the drone handles the aviation part. The Army will not buy a drone which requires a pilot to fly it.

So when something unexpected happens the Watchkeeper operator has no pilot's training to fall back on. Maybe at some point during the 2-week training course the sergeant instructor mentioned what to do if it takes off again after trying to land, but trying to remember exactly what the drill was a year later when it's never happened before is a bit too much to expect. Much easier to decide its gone out of control and hit the kill switch before it reaches somewhere populated.

How does UK.gov fsck up IT projects? Let us count the ways

Paul Johnson 1

How do you hold a supplier to account?

If you sue them, you have a long court case and no working system.

If you withhold payment, they sue you and refuse to deliver. See above.

If you refuse to work with them again, you run out of contractors because the number of companies in any area of industry capable of taking on a hundred million pound project can be counted on the fingers of one hand.

Paul Johnson 1

Re: How does this compare?

Unfortunately some of the things we need a government for involve big technology projects. Unless you think the government should still be using pen and paper to administer everything.

Paul Johnson 1

Re: CoD

You know the old saying: if you owe the bank £1,000 you have a problem, but if you owe £1,000,000 the bank has a problem? Its like that with big projects too.

A big project has work needed on both sides: merely writing the requirements and evaluating bids will be a multi-million pound project in itself. Then there is all the planning, adaptation, training, procedures etc. Property must be purchased, building space allocated. Its not just a matter of waiting for the delivery truck to roll up. And of course in the meantime the problems that drove the original procurement are still there and getting worse.

So when the contractor tells you that there is a problem and the budget needs to be increased you have to choose between abandoning all the work done so far and starting over with a new contractor, or else paying the extra. CoD terms make no difference to this. At best you will get a system that sticks to the letter of the contract but is entirely useless. At worst you will get a decade long lawsuit, at the end of which you might get some money. You certainly won't get a system that actually works.

Paul Johnson 1

How does this compare?

Does the private sector do much better? The likelihood of project delivery on time and on budget decreases with project size, but very few companies are in a position to regularly bet hundreds of millions of pounds on giant projects. Those that do sometimes get it wrong too (the TSB fiasco springs particularly to mind).

When a big company does have a big project go pear-shaped the public don't generally get to hear about it; its not taxpayer money so its not a scandal. Everyone involved has an incentive to pretend that everything is really fine. So we have very little clue about whether government actually does worse than the rest of the world. Its possible that the UK civil service is comparatively good at project delivery.

Guess who reserved their seat on the first Moon flight? My mum, that's who

Paul Johnson 1

You should take this along to the Antiques Roadshow next time they are in your area. I'm sure they'd do a piece on it.

The dread sound of the squeaking caster in the humming data centre

Paul Johnson 1

Re: What do you think ?

Well as we are dealing with secret identities the obvious names are Alice and Bob.

We knew it was coming: Bureaucratic cockup triggers '6-month' delay of age verification block on porno in the UK

Paul Johnson 1
Thumb Down


No. Stupid as it is, it isn't that bad. Sites that show less than 33% porn are exempt. Not only is pre-moderation not required, but sites like Reddit (where NSFW material is permitted) do not need to implement the age block.

Of course this makes a nonsense of the claim that the ban is to stop children coming across porn *by accident*, but hey ho.

Paul Johnson 1
Big Brother

Just keep postponing it

Anyone who knows anything at all about the Internet knows that this will make exactly no difference. It won't stop teenagers because VPNs, and the exclusion of sites like Reddit means it won't stop younger children coming across porn by accident.

The government knows this, and they also know that three months after it goes live we will have a Panorama programme about how ineffective it all is, followed by opposition calls for the Home Secretary to resign. The only way to avoid this happening is to never get around to implementation.

In 6 months there will be some other excuse found.

Blighty's online pr0n gatekeepers are begging for a regulatory beating, says digital rights org

Paul Johnson 1

Not done with DNS

That's not how its going to work. The planned scheme won't use DNS blocks. You will get to the website, but if it detects that you are in the UK then it will put up the verification wall. If the website fails to put up the verification wall then the operator is liable under UK law (at least, if the UK.Gov know who they are and they ever come within UK jurisdiction).

The method of detecting that you are in the UK is presumably going to be based on IP address, which is why foreign VPNs are the obvious workaround.

Paul Johnson 1

Here is a picture of the prOn age verification scheme.


Autonomy's one-time US sales chief can't remember if he took part in grand jury hearing

Paul Johnson 1

Caught between two legal systems?

Obviously this is speculation, but its quite possible that the second Grand Jury (the "I don't recall" one) is still sealed, so he can't tell anyone about it under US law. However when on the witness stand in the UK he was required to answer all questions fully and honestly. By claiming forgetfulness he could avoid breaking US law. If he was lying about his lack of memory then of course that would be perjury, but in the absence of mind-reading it could not be proved.

Chinese dev jailed and fined for posting DJI's private keys on Github

Paul Johnson 1

Set up to fail

This poor guy is being left to dangle in the breeze for management failings. If his employer had properly protected their secret key then it would never have been possible to put it in a public repo.

The policy of hanging a minion who screwed up "pour encourager les autres" is a classic symptom of an immature organizational culture. Its the *system* that screwed up; the minion was just the last link in the causal chain. Hence the correct response is not to hang the minion but to fix the broken system.

Daddy, are we there yet? How Mrs Gates got Bill to drive the kids to school

Paul Johnson 1

So why are men still not getting it?

"It's an elementary life 101 message.". Yeah it is. So why are so many men still unable to grasp it.

Wannacry-slayer Marcus Hutchins pleads guilty to two counts of banking malware creation

Paul Johnson 1

Plead innocent to stay under house arrest, guilty to go free

Hutchins has been under house arrest "awaiting trial" for 2 years. Federal sentence guidance is complicated, but according to The Guardian he is likely to get 1 year each for the two counts. By an amazing coincidence this is the amount of time he has already served, as in the USA house arrest can be used as imprisonment for non-violent offenders. (Of course you have to pay for your own housing and food: in the USA you get the justice you can afford).

So it seems he has been given a choice between pleading innocent and staying under house arrest for an indeterminate period, or pleading guilty and getting out immediately.

We've read the Mueller report. Here's what you need to know: ██ ██ ███ ███████ █████ ███ ██ █████ ████████ █████

Paul Johnson 1

Re: The Mueller report was one big nothingburger

Only if you are happy to have one of Putin's "useful idiots" as your president.

Paul Johnson 1

Yes it is part of the training course.

Particularly in the USA any false statement to any federal official is a felony punishable with up to 5 years in prison. So when you talk to any federal official you need to watch your words with great care to make sure that you don't inadvertently commit a serious crime by mistake. This particularly applies when talking to federal law enforcement because they can and do use this to create crimes. Any corporate lawyer who knows that the FBI are going to come and talk to an employee will give them the same briefing and teach them the same weasel words.

Paul Johnson 1

Honest people use careful wording too

"'I don't recall' [...] the exact template that crooks use so they cannot be accused of outright lying."

Honest people (at least, honest ones who have spent a few minutes talking to a lawyer first) also use it to make sure that an innocent failure of memory doesn't become a crime. In America the presumption of innocence only applies in the court room. The rest of the system just assumes that you are guilty.

Let 15 July forever be known as P-Day: When UK's smut fans started being asked for their age

Paul Johnson 1

Pushing kids and ignorant adults towards dodgy VPNs

There are a lot of free VPNs out there, but most of them are pretty scammy (big surprise there). If you are lucky you just get a bunch of adverts injected into your browsing experience. If you are unlucky you get your passwords stolen and malware delivered.

The people most likely to fall for these outfits are:

* Children (wow! think of the children!) because they don't have credit cards or spare money to pay for a reputable VPN.

* Unsophisticated adults who don't know any better.

* Poor people of all ages who don't have the spare money (see above).

So measures that are ostensibly aimed at protecting children will actually put them even more at risk than they are now.

So you've 'seen' the black hole. Now for the interesting bit – how all that raw data was stored

Paul Johnson 1
Thumb Up

1/3 mm total error

For me the most stunning thing is the required accuracy. The observations were taken at a wavelength of 1.3mm. A telescope works "perfectly" if it is accurate to 1/4 of a wavelength (the Rayleigh Limit, not to be confused with the equally important Ralyleigh Criterion which is about the aperture). So the total error in the system had to be kept down to 0.4mm across the Earth. If I mention that the moon creates tides of up to 1m in solid Earth every day, and one of the telescopes was on a moving ice sheet, you will have some idea of the practical difficulties.

Timing was equally important. 0.3mm is 1 light-picosecond, so clocks accurate to 1ps had to be used to time the incoming signals.

Russian sailors maroon themselves in Bristol Channel after drunken dinghy ride goes awry

Paul Johnson 1

The sheep were right there...

What are you suggesting they should have done with the sheep?

* Knitted themselves some woollies?

* Set them on fire and gathered round to keep warm, just like Grandma did in the Great Patriotic War?

* Eviscerated them and curled up inside the nice warm bodies, like Han Solo and Luke Skywalker (hint: sheep are smaller than taun-tauns).

* Something NSFW to keep their extremities warm?

Brit Parliament online orifice overwhelmed by Brexit bashers

Paul Johnson 1

Re: The only conspiracy

> "The characters are much more believable, especially U+25AE."

I thought he was a bit too square; a more rounded character would have fit better.