* Posts by ecarlseen

217 posts • joined 16 Jul 2013


Ubiquiti dev charged with knocking $4bn off firm's value after insider threat spree


Re: Either way, this is an indictment of Ubiquiti

Customers (and Ubiquiti, for that matter) had no way of knowing the difference and had to react accordingly. "No significant damage was done" only if you assume this costs nothing.

We must deal with information that we are given. We then evaluate the credibility vs. the costs / benefits of reacting. In this case, the most reasonable response was to react as if the information was true.

The problem is that Ubiquiti made themselves custodians of data whose security was absolutely vital and wound up in a position (due to decisions they made) where they could not determine the security of that data.

In fairness, this is an extremely difficult problem to tackle well. But if a company is making that commitment on a large scale, then they need to be able to deliver on that commitment. Ubiquiti failed catastrophically.


Either way, this is an indictment of Ubiquiti

Even if all of these allegations are true, I'm not sure if this makes Ubiquiti come out looking better or worse. If one person can cause this much infrastructure-level damage, what does it say about their infrastructure security architecture and overall commitment to security?

One of the reasons I've been sharply critical about the mass-centralization of vital data is that it increases the value of a security breach to obscene levels. Even if an inside threat isn't inherently malicious, what about blackmail, extortion, etc.? There are many parts of the world where grabbing somebody's family and cutting off parts until compliance is reached is not exactly out of the question. I would never blame that person for complying. And if the value of a large-scale breach of, say, Google or Microsoft's cloud-hosted workspaces is in the hundreds of millions or even billions of dollars / Euros / pounds, how do you even defend against some group with the budget and discipline to make a serious, no-holds-barred attempt at that? With the current state of international relations, can we even rule out governments (including the "civilized Western" ones) if they're not in it for profit, just creating mass damage?

Our industry has had many bad experiences caused by the technological equivalents of biological monoculture, and instead of learning from these it seems to be betting harder and harder on this.

Even before information technology, there was an adage about putting all of your eggs in one basket.

Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK's National Cyber Security Centre


Magento updates are a mess

One of the big reasons people don't update Magento as much as they should is that the update process is a complete trash fire. Since Adobe took over the updates have been of the quality we expect from the people who brought us Flash. For example, a recent security patch in the 2.3 release train cut out compatibility with PHP 7.2, and if you have critical third-party modules that don't like PHP 7.3 or 7.4 yet then tough luck. For complex sites it can take several weeks or months of re-development work to fix this, and to have it dumped on you without any notification is just sloppy.

Cisco thinks you're happy to wait ages for new kit, then pay premium prices


Re: cancellations are down

Exactly this. We were Cisco fanatics for years because they had the cool features we wanted and more importantly they delivered the closest thing you could get to a guarantee of no unscheduled downtime.

Neither of these is the case anymore. The features in question have long since been commoditized, and Cisco reliability is nowhere close to what it once was. In fact, we're seeing much better reliability from products that cost less than 1/10 as much - because they have far simpler software stacks based mostly on generic Linux functionality that's stable, tested, and mature. I'm fine with that if it gives us the features and performance that we need. And I'm delighted with spending less money for better uptime.


This was a problem before the lockdowns

I do most of my work in the SMB space ($10s to $100s of $Ms in revenue) and we've had lead-time issues with Cisco for years. Granted, these were "weeks and months" not "months and quarters." But still. I get that companies don't want to have inventory on the books, but Cisco has been taking JIT to such a ridiculous extreme that any disruption was going to be painful and a huge disruption has created absurdity.

Let's just call this what it is: a company deliberately shifting its inventory management risks (and associated costs) onto its customers.

Yes, carrying inventory costs them money - it ties up capital and capital has cost. But unavailability costs their customers far more. It is perfectly clear where Cisco's priorities lie, and they are not with their customers.

I started moving my customers away from Cisco a while ago because of the costs of project delays, along with their noticeable decrease and ongoing decline in software quality over the last decade or so.

Perhaps other customers and consultants should consider the same.

Google's Pixel 6 fingerprint reader is rubbish because of 'enhanced security algorithms'


How is this even a thing in 2021?

Meanwhile, my iPhone builds a 3D model of my face and compares it in near real time.

Google experiments with user-choice-defying Android search box


Re: Ban the Blob

I have this crazy solution for this called: “I don’t use any Google products [well, except for compatibility testing] and I help others to not use any Google products either.” Nobody forces anyone to use their shit.


Oh ffs El Reg, shill for Google much?

The one itsy bitsy witsy little difference being that Apple’s implementation *forces* all apps to respect the user’s browser preferences, which is a huge plus for user privacy. And which is the complete and total opposite of what Google is doing.

Of course, in The Register this is not worth mentioning. The comparison is made without context. The article just spews the Google propaganda response, almost making you wonder if the author’s real intent is to say “Yes, Google is doing something terrible, but so is everyone else” when nothing could be further from the truth. Even the mention of Microsoft’s annoying behavior with Edge doesn’t really compare in any meaningful way.

VMware shreds planned support for 'cheese grater' Mac Pro


It would indeed be nice and it was confusing at first but now the reason is obvious. With the planned transition to Apple Silicon they probably didn't want to validate another CPU architecture and deal with the differences in instruction sets and other CPU-specific features, optimizations, bug workarounds, etc. for two or three years of products.

Report details how Airbus pilots saved the day when all three flight computers failed on landing


Re: Hit the brakes hard?

Have to be awake to do that afaik.


My saying...

"Never trust a computer completely for anything too important."

Microsoft abandons semi-annual releases for Windows Server


Re: More pincer movements for Azure

The funny thing is that the relative instability and forced pace of change with Office365 is undermining Microsoft's biggest lock-in: people being unwilling to switch to an unfamiliar office suite. Now that there are alternatives for Word and Excel that are reasonably feature-compatible and Outlook is no longer as "must have" as it used to be, there just isn't as much of a reason to care about Windows outside of vertical market systems that aren't cross-platform or web-based. I'm finding myself using Windows server less and less, and Windows desktop almost not at all.


Few enterprises want continuous release

Outside of certain, relatively narrow cases, the concept of continuous release software is an absolute dumpster fire. What most businesses want and need is stability and control. Every change is both an expense and a risk, and most changes being pushed incur this without adding value.

Iranian state-backed hackers posed as flirty Scouser called Marcy to target workers in defence and aerospace


Re: Retaliation

Are you saying that the UK Cyber Defence Force would dare imply that gender is binary?!??

Samsung commits to 5 years of Android updates... for its enterprise smartphone users at least


Re: 5 years from when ?

Yeah, but that's every tech vendor on the planet.

Cisco names Micron as supplier of SSDs that make Nexus and Firepower kit snooze


On the plus side, we can't buy this kit anyway.

Cisco has been problematically committed to JIT inventory for years now, leading to unacceptable supply delays. Right now with the current supply chain messes, lead time on Firepower gear is over four months. So, in a sense, the problem has resolved itself.

'Millions' of Dell PCs will grant malware, rogue users admin-level access if asked nicely


This is “we don’t care” level of competence.

Like the Intel vPro remote management bug the other year that would accept a null string instead of a password, this is Dell saying “we just don’t care about security.” This never could have passed any meaningful code review or internal red teaming.

Samsung stops providing security updates to the Galaxy S8 at grand old age of four years


"For an Android"

No one dare speak of the other major mobile device vendor that is currently providing updates on even their low-end devices for 5-6 years past introduction and 2-3 years past end-of-sale, without anyone having to make a fuss about it. (note to butthurt downvoters: your tears are delicious).

Michael Collins, once the world's 'loneliest man,' is dead. If that name means little or nothing to you, read this


If that name means little or nothing to you...

... just hand in your geek card now and start reading TMZ instead.

Best of FRANDs: Judge allows Apple retrial following $506m patent infringement ruling


Ah, the Eastern District of Texas Federal Courts - Friends to Patent Trolls.

The courts in this district have essentially created a "business" of being extremely litigant-friendly in IP disputes. By encouraging patent trolls to file there, they need more judges, more staff, etc. It's very shady, and anything decided there should be viewed through that lens (and these are federal courts, so don't blame it on Texas - they have no say in the matter).

Zorin OS 16 beta claims largest built-in app library 'of any open source desktop ever'


Wine and Crossover are nowhere near ready for prime time.

I love the idea of both, and both can be of great use to hobbyists and enthusiasts. But as a mainstream mechanism for running Windows apps in Linux? No freaking way. I know how to troubleshoot issues with these systems, and even I simply lack the patience. Someone without the background knowledge would just be frustrated beyond all belief. At the end of the day, it's easier to run Windows as a VM if there are Windows apps that you simply can't get away from (or Windows on bare metal / dual boot for gaming).

That being said, for users who simply need a consistent look-and-feel and aren't hopelessly married to apps like Outlook and Visio (for example), this looks like an interesting project. Ironically enough, Microsoft's constant monkeying with their app UX has made transitions to alternatives like LibreOffice much more palatable. But promising or even suggesting Windows compatibility will likely backfire horribly in the market they're trying to enter.

Asahi Linux devs merge effort to run Linux on Apple M1 silicon into kernel


Relax already

I don’t know if the results need to be integrated into the official kernel, but reverse-engineering bleeding-edge hardware enough to make Linux even semi-functional is a cool project that builds and exercises all kinds of worthwhile skills. I’ll probably never do anything with it, but I have tons of respect for this team for their work.

W3C Technical Architecture Group slaps down Google's proposal to treat multiple domains as same origin


Re: the W3C Technical Architecture Group (TAG)

I currently have a 4:1 upvote:downvote ratio, which I think is healthy. If I'm not getting blasted with downvotes on occasion then I'm probably not contributing anything interesting to the discussion. If people can't detect irony, sarcasm, or satire then... oh well. Their tears taste sweet to me.

And, yes, I already know which groups of people might upvote this and which groups of people might downvote this. Whatever.

Vegas, baby! A Register reader gambles his software will beat the manual system


As someone who lives in Vegas, you might want to be a bit more specific about what a "T&A system" is. The first guess would not be the correct guess.

Outsourced techie gets 2-year sentence after trashing system of former client: 1,200 Office 365 accounts zapped


No excuse for the criminal... or the company

So many companies assume that because their systems are cloud-based that they don't need separate backups. This should have been a straightforward restore operation - still very damaging and deeply inconvenient, but not a half-a-million-dollar problem. Also left unanswered is how the criminal was able to get access to delete these accounts. With 2FA required for admins, the most likely explanation is that the client or contracting company was sloppy with access control. This is extremely common with outsourced IT work - lots of password sharing with few controls and audit trails, and passwords aren't changed even when a disgruntled employee leaves. I strongly doubt that it was some sort of "sophisticated attack."

Micron: We're pulling the plug on 3D XPoint. Anyone in the market for a Utah chip factory?


Unmentioned in the article...

XPoint never even came remotely close to predicted speed, latency, or write endurance.

Netflix reveals massive migration to new mix of microservices, asynchronous workflows and serverless functions


Huh. I wonder if they had ever just considered producing and licensing less crappy content. Could have saved money all over the place.

After spending $45bn on 5G licences, Verizon tells customers to turn off 5G to save battery life


Re: High battery usage

iPhone 12 models have a mode that auto-selects 5G only when it's available and won't significantly impact battery life, and reverts to LTE the rest of the time.


Re: What they need in cellular settings

"What they need in cellular settings is a toggle between 'best speed', 'best signal' and 'least power use'."

The iPhone 12 has this.

You can set it to use 5G only when the signal is strong enough to avoid meaningful excess battery drain (Settings -> Cellular -> (phone number) -> Voice & Data -> 5G On / 5G Auto / LTE), and there is also a setting to control more- or less-aggressive cellular bandwidth consumption when 5G is available to improve streaming quality (Settings -> Cellular -> (phone number) -> Data Mode -> Allow More Data on 5G / Standard / Low Data Mode).

Splunk junks 'hanging' processes, suggests you don't 'hit' a key: More peaceful words now preferred in docs


These changes are plusplusgood.

Synology to enforce use of validated disks in enterprise NAS boxes. And guess what? Only its own disks exceed 4TB


In Synology's defense, we see a whole lot of stupid in this area.

I'm not personally thrilled about this change, but I can see why it makes sense. We've sold and maintained a ton of Synology units. In the ones we don't spec or sell, people will just throw the cheapest garbage hard drive they can in them with literally no regard whatsoever for fitness of purpose. This has become more and more important as higher recording densities have pushed manufacturers into producing more and more specialized firmware to optimize performance for specific tasks (standalone, general-purpose RAID, drives that mostly do sequential writes for things like DVRs, write-once/read-rarely applications, etc). The wrong drive will run relatively poorly and will likely fail early, and who is the customer going to blame? Themselves, for choosing the wrong drive? Guess again.

We'll see how well Synology handles this. Their branded SSDs are a decent value for what they are, and if they follow the same practices with HDDs then I'm ok (not thrilled, but just ok) with this unless supply constraints start interfering with rollouts.

Chip fab Intel said to be using better chip fab TSMC to make 5nm Core i3 processors, 20% of its non-CPU parts


Re: Single point of failure

TSMC is building a leading-edge fab in the U.S. so there will be some geographic diversity if China and Taiwan start fighting. Other than that there’s Samsung. GloFo seems to have dropped out of the bleeding-edge fab race.


TSMC yes. Leading nodes, no.

That Intel will be using TSMC to fab CPUs is not exactly a secret anymore. But why would they give a rival fab looking for an interim solution wafer starts on their leading nodes when their loyal and long-term customers are willing, able, and eager to fill that capacity? Intel is begging for scraps and that’s what they’ll get.

To plug gap left by CentOS, Red Hat amends RHEL dev subscription to allow up to 16 systems in production


Can't put the toothpaste back in the tube.

Announcing LTS for CentOS was a huge commitment that influenced a lot of behavior (including ours). To back out on it creates a significant reputation hit, but one that could have been managed if done in a halfway intelligent manner. To back out without notice for organizations to change their behavior is the reputational equivalent of dropping a thermonuclear bomb on themselves. It's complete annihilation. There is no coming back from this. RHEL is dead to us, because their commitments have been rendered meaningless.

Taiwan’s silicon titan TSMC says three-nanometre tech is on track for 2021 debut and a 2022 flood of kit


“...and other effects”

Other effects like Intel hiring a bunch of drunk frat jocks to do their process engineering.

Geekbench stats show Apple Silicon MacBook Air trouncing pricey 16-inch MacBook Pro


Unsurprising results

Apple's A-series CPUs have been knocking on Intel's laptop performance door for a few years now, and that was from a position of dealing with the thermal and power constraints of a cell phone form factor. That they are blowing Intel away in a laptop should be expected. Let's start at the beginning - Apple's CPU team was recruited / purchased from companies specializing in highly-optimized CPUs. They got the right people. Their CPUs are now effectively two process nodes ahead of Intel (TSMC 5nm vs. Intel 14+++++++++++nm for their volume parts, which is most comparable to TSMC 10nm). They also have a simpler instruction set to optimize for, no 32-bit backwards compatibility issues, and they can hyper-optimize for one OS. Not to knock Apple - this is amazing work - but it's the amazing work we've been expecting when a company gets the best people and gives them a gigantic pile of money to work with.

With so many cloud services dependent on it, Azure Active Directory has become a single point of failure for Microsoft


Not all downtime is equal.

With private cloud services, we balance the risk of maintenance operations against the impact on business operations and schedule accordingly. The impact of a massive system failure at 2AM local time on a Sunday morning is not the same as 10AM on Monday morning. This does not mean nothing ever goes wrong, but it means that we tilt the odds as far as we can in our favor and for the most part it works out very well.

With public cloud services, every site is servicing customers in every time zone and maintenance operations are performed at any time of the day or night (relative to us) with precisely zero consideration of specific customer impact and there is precisely nothing you can do about this.

Think your smartwatch is good for warning of a heart attack? Turns out it's surprisingly easy to fool its AI


Huh. That’s what Apple says.

The ECG and heart monitoring functionality on the Apple watch is overloaded (to the point of annoyance) with disclaimers saying “This product does not detect heart attacks.” Of course, actual facts like that never protect against cheap shots from El Reg, which is incapable of detecting facts when it comes to Apple.

Firefox now defaults to DNS-over-HTTPS for US netizens and some are dischuffed about this


It's straightforward to roll your own DNS-over-HTTPS

There are several Linux-based tutorials out there, and the overhead is minuscule. I'd imagine that pre-rolled containers will be popping up shortly. At that point you can control how DNS resolution occurs within your personal or business environment; what is forwarded upstream, filtered, etc.

The Nokia 3.2 is a phone your nan will love: One camera's more than enough, darling


Re: I updated to iPhone SE

You're assuming that the point is to have a highly functional phone at a low price, when the point is actually to hate Apple no matter what.

It's all in the wrist: Your fitness tracker could be as much about data warfare as your welfare


Sadly, if you want privacy then your only real choice is Apple.

Unfortunately, an anti-privacy tech economy has become pervasive and has conditioned people to free / very low prices for stuff in exchange for information about themselves. Apple seems to be the only major player taking a hard stand here, and they charge a very pretty penny for it. On the plus side, at least their products tend to be excellent so you do get something great for your money - but it's still an expensive habit. If you have to drink the kool-aid, at least it's pretty damned tasty.

Apple Watch must be used with an iPhone, no exceptions. But the health-monitoring capabilities are top-notch, and Apple is raining money into R&D to make it better. Allegedly they have about thirty research medical doctors actually on the payroll in Cupertino working on this stuff - normally this is outsourced because MDs are expensive. Data is stored on the iPhone, can be viewed / graphed and managed by the end-user (down to deleting individual data points), sharing is strictly opt-in, controls are nicely granular, permissions are easily managed and revoked, and Apple at least puts some effort into policing the behavior of app developers (if they're willing to start throwing ban-hammers at the likes of Facebook and Google, then these smaller fish have plenty to worry about). They give their customers about as much power as is reasonably possible over gathering and controlling their health data. Having watched these features evolve, it's pretty clear that Apple considers these to be strategically-critical capabilities for their product lines.


Re: Missing detail

Depends on the product. I use an Apple Watch (yes, I'm one of those people) and it's scary-accurate at detecting what activity I'm doing. If I'm starting a workout and forget to tell it to start tracking that, it alerts me to start tracking and suggests which activity to track. It's almost always right. Allegedly it even works well for people with physical disabilities (wheelchair-based exercises, etc.).

The biggest downside to the Apple Watch is that it *must* be used with an iPhone, period, no exceptions. It's also relatively pricey.

On the plus side, it integrates into Apple's typically excellent "privacy-by-default" health data management system (all sharing is strictly opt-in, with fairly granular permissions that are fairly easily-removed if you want).

The interchangeable bands are a massively overlooked feature. So far, all of the bands have worked between generations of watches - the bands I got for my first generation watch have continued to work perfectly through to the current generation. Changing bands takes literally five seconds - the mechanism is pretty ingenious, and the only issues I've had have been with cheap third-party bands. Why is this such a big deal? Because it means that I have one watch for all occasions. I can put on a plastic sports band and go running or swimming with it. I can swap to a metal or leather band and it looks great with a suit or business-casual attire. It can be color-coordinated with what you're wearing. No, guys typically don't care - but women tend to care and tend to notice guys that do (they also tend to notice shoes, big-time). Guys have been dressing for guys in the workplace for centuries, but with women entering more positions of power it's time to start paying attention to and accommodating the social cues that they look for as well. And this stuff doesn't exactly hurt outside of the workplace either.

Halleluja! The Second Coming of Windows Subsystem For Linux blesses Insider faithful


So what we're doing is...

... increasing the OS bloat and attack surface to accomplish a task that would be handled almost infinitely better in every possible way through ordinary virtualization that costs somewhere between nothing and close to it.

Got it.

Silence of the vans: Uber adds 'Plz STFU, driver' button to app for posh passengers using Black


Once you go black?

Wow. This may make the much higher price of the black car service worthwhile!

Where's Zero Cool when you need him? Loose chips sink ships: How hackers could wreck container vessels


That's it.

I'm hiring Penn Jillette for my NOC right freaking now.

Furious Apple revokes Facebook's enty app cert after Zuck's crew abused it to slurp private data


Popcorn time!

It's one thing to swing the ban-hammer at Facebook... Google is another level. Waiting to see how this shakes out.

Mozilla security policy cracks down on creepy web trackers, holds supercookies over fire


Re: Tracking will still happen

So your bet is that your pull with legislatures and their capacity to set and enforce rules over time exceeds the amount of pull combined with the legal and technical resources of some of the largest and wealthiest organizations on the planet.

That's adorable, but good luck with that.

In practice, even people with dynamic IPs don't change that often (mobile usage being an exception) - sometimes less than once a year, so as a practical matter we're all more or less in the same boat.

As a general philosophy, the most robust responses to things you don't like are responses that work unilaterally - things you can do where it doesn't matter what the other party does. There are always limits, but the more unilateral your focus the more success you will find in practice. This applies in most areas of life. As to this specific area...

I block certain domains at the DNS level. I avoid using the services and resources of certain companies whose practices I consider abusive - this really isn't as difficult as it sounds. I use a combination of VPNs, browser and / or VM isolation, onion routing, and pseudonymous accounts in areas where the above measures are insufficient or too restrictive of what I want to accomplish. And in some cases on some days I just accept that I'm giving up a little bit of privacy. You can actually accomplish quite a bit on your own with a reasonable amount of effort if you're conscientious enough.

In the long run, privacy will be a privilege of the wealthy and those who are both technically astute and disciplined. This can't be fixed legislatively (and arguably may not even be immoral - work with me on this), because there are a lot of people who will gleefully give up all knowledge of themselves for a few minutes of Candy Crush or whatever. If people *want* to make these choices then you really can't save them from themselves and even if you could you'd be inhibiting their learning to make better life decisions (assuming they're not the more rational ones - I personally prefer privacy but I'm not arrogant enough to believe that my choice "is correct" for everyone else on the planet. An argument can be made that for poor people trading privacy for entertainment may be acceptable - again, not my thing, but it's not like I can prove that I'm right).

You were told to clean up our systems, not delete 8,000 crucial files


Oh, it gets worse...

It's one thing to have users "store" old email and files in the Recycle Bin or trash folder or whatever. There's enough of this lunacy going around to where I would guess that it's a small double-digit percentage of people (frightening!).

But it gets worse. Much, much worse.

We dealt with a vertical-market ERP vendor (now fairly dominant in their field) who for years would store critical local machine configuration files and scanned document data in subfolders of C:\TEMP. They would then have pearl-clutching, screaming fucktard shit-fits whenever an admin had the temerity (oh my!) to actually delete stuff in C:\TEMP. Eventually they knocked this particular bit of stupid off, but to this day they still do things that make my head explode...

You think you're hot bit: Seagate tests 16TB HAMR disk drive


Re: Amazing advances

Even today, my digital music archive is littered with CD rips that need to be done over because they used a squealing MP3 codec.

I ripped mine to FLAC first and then transcoded to MP3. I’ve re-done the transcoding a few times since as the capacity of my portable devices increased...
Biting the hand that feeds IT © 1998–2022