* Posts by Dan from Chicago

18 publicly visible posts • joined 19 Aug 2013

No 'decoupling' here: Apple, Samsung, and Qualcomm sing China's praises

Dan from Chicago

We caught them doing it back in 2018...

Do you think this has become less of a goal for China since 2018? Apple is specifically mentioned as one of the targeted products.

https://arstechnica.com/gadgets/2018/10/bloomberg-super-micro-motherboards-used-by-apple-amazon-contained-chinese-spy-chips/

One of the comments on this article:

You're kind of not versed on this subject at all. That's not even how supply chain risks work. You can't reverse engineer a prebuilt FPGA or PLC/SCADA based interface once it's already constructed. SoCs that you design can be intercepted in transit and replaced by fraudulent versions of the same SoC based on your very own design, except now with a malicious security system as part of the SoC's community of processors. Just because you design something and have a damn CAD file doesn't mean jack if you have someone else build it and aren't standing there watching them make it and moving along with the shipment. The whole purpose of Critical Program Information identification on major systems like these in the SCRM process is to identify which components are the most vital and need the most compensatory security across the ENTIRE SUPPLY CHAIN.

You also haven't really accounted for a lot of other factors, but I'm not here to give you a lesson on SCRM when your whole defense is that they "designed it and have CAD files." What are you going to do, plug it in and see if it works like intended? Do you know how easy it is to spoof and modulate the exact parameters if you have the original blueprint? Do you know how convincing counterfeit chips are? You can't detect adversarial penetration in an FPGA/SoC or subcomponent chip without destroying it for reverse engineering AND using advanced forensic techniques (that usually National Labs specialize in). You gonna destroy 1 out of every 100 chips to stratify your test lot? They only need access to a few systems to get inside a data center. There is minimal electro-pathway-analysis capability to detect modifications, but they can be bypassed by PLC controlled logic gates that were part of the original design! Full program protection and SCRM standards are the best way to avoid these risks from the start.

BTW, don't question someone's expertise on a subject if you clearly have no DEPTH in the field yourself. Because your naive answer is the reason companies have such crappy security assumptions in their risk management planning.

Sensitive DoD emails exposed by unsecured Azure server

Dan from Chicago

Here's what happens:

Going with a public (well, GovCloud) provisioning approach has the following effects:

Costs may or may not be lower.

Availability may improve.

Integrity may improve.

Confidentiality will almost certainly be less.

- All connections, including administrative connections, will be remote and they'll be controlled by external 3rd party admins.

- As you outsource your cyber and administrative expertise and experience, your internal cyber competence will be less.

Ukraine's secret cyber-defense that blunts Russian attacks: Excellent backups

Dan from Chicago

Maintaining offline backups is expensive and a lot of boring, repetitive work. But online backups can be zapped by exploits - they're part of the live system, even though some very clever approaches exist to buffer them against exploits and make them pseudo read-only. But a lot of clever approaches exist to stop the exploits in the first place, and they never seem to be enough.

When this idiocy is over, Ukrainian IT people are going to be in high demand, everywhere!

Google tests battery backups, aims to ditch emergency datacenter diesel

Dan from Chicago

Re: Can someone do the math for me please?

Portable generators have a way of becoming unavailable during any extended power outage. Places without any backup rent everything that's available right away and places that think they'll be OK because they have 24 or 36 hours of battery backup are too late.

Purifying lithium to make batteries is currently an environmental nightmare. Compared with the environmental impact of running a generator a few hours a year, mining and processing tens to hundreds of tons of lithium ore (and some cobalt, nickel, graphite, and lead) to make gigantic batteries is bad, not good, for the environment.

Growing US chip output an 'expensive exercise in futility', warns TSMC founder

Dan from Chicago

Intel has fabs in Arizona, New Mexico, and Oregon in the US, in Ireland, in Israel, and soon in Ohio and Germany, and they all make money. Intel seems to know how to build and run fabs almost anywhere, while TSMC has (or at least used to have) trouble doing it anywhere but Taiwan. Maybe Intel knows something that TSMC does not?

GlobalFoundries, TI, Micron and more manufacture in the US and make money.

TSMC has benefited from years of government subsidies (and done a great job of leveraging them).

Intel now has some counterbalancing subsidies - it will be interesting to see how this pans out.

Top chipmakers ignore India's semiconductor factory subsidies

Dan from Chicago

They don't need a research project to intercept VPN traffic, they just need to buy some COTS boxes. With very, very, very few exceptions, there are no traditional VPNs any more (that use out-of-band key transmission, typically on hardware). Instead TLS/SSL is used to set up VPNs dynamically. The boxes intercept set-up packets on each side and set up a pair of VPNs. The boxes receive your packet, decrypt it, (do whatever they want with that data, including sending decrypted copies somewhere) then re-encrypt it and forward it on to the site you "securely" connected to. For example https://www.sonicguard.com/Deep-Packet-Inspection.asp It's a "man in the middle" since the box sits between the two VPNs it has set up, one for each of two communicating computers.
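
An added illustration of the check that defeats the box described above (this is example code, not part of Dan's comment or of any product): an interception box has to re-issue the server's certificate under its own key, so a client that pins the server's SubjectPublicKeyInfo (SPKI) hash rejects the re-signed chain even when the box's CA is trusted by the OS. The certificates, keys, host name "vpn.example.net" and CA names below are constructed toys built with a minimal DER encoder; the parser is the part a client would actually need.

```python
import hashlib

# --- Minimal DER encode/decode, just enough to build and read toy X.509 certs ---
SEQ, SET, INT, BITSTR, NULL, OID, UTF8, UTCTIME, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x05, 0x06, 0x0C, 0x17, 0xA0)
OID_CN = bytes.fromhex("550403")                      # 2.5.4.3 commonName
OID_RSA = bytes.fromhex("2A864886F70D010101")         # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA256RSA = bytes.fromhex("2A864886F70D01010B")   # 1.2.840.113549.1.1.11

def der(tag, body):
    """Encode one TLV, using long-form length when the body is >= 128 bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def tlv(buf, pos=0):
    """Decode one TLV at pos; returns (tag, body, position after it)."""
    tag, n = buf[pos], buf[pos + 1]
    pos += 2
    if n & 0x80:                      # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def spki_der(pubkey):
    alg = der(SEQ, der(OID, OID_RSA) + der(NULL, b""))
    return der(SEQ, alg + der(BITSTR, b"\x00" + pubkey))

def name_der(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, OID_CN) + der(UTF8, cn.encode()))))

def toy_cert(subject_cn, issuer_cn, pubkey):
    """X.509-shaped certificate with a dummy signature (constructed test data)."""
    sig_alg = der(SEQ, der(OID, OID_SHA256RSA) + der(NULL, b""))
    tbs = der(SEQ,
              der(CTX0, der(INT, b"\x02")) +                      # version v3
              der(INT, b"\x01") +                                  # serial
              sig_alg + name_der(issuer_cn) +
              der(SEQ, der(UTCTIME, b"240101000000Z") + der(UTCTIME, b"260101000000Z")) +
              name_der(subject_cn) + spki_der(pubkey))
    return der(SEQ, tbs + sig_alg + der(BITSTR, b"\x00" + b"\x00" * 32))

def cn_of(name_body):
    for _, rdn in children(name_body):          # each RDN is a SET
        for _, atv in children(rdn):            # each AttributeTypeAndValue is a SEQ
            oid, val = children(atv)
            if oid[1] == OID_CN:
                return val[1].decode()
    return ""

def cert_fields(cert):
    """Pull issuer CN, subject CN and the SHA-256 of the DER SPKI out of a cert."""
    _, body, _ = tlv(cert)
    tbs = children(children(body)[0][1])        # fields of tbsCertificate
    if tbs[0][0] == CTX0:                       # skip the explicit [0] version
        tbs = tbs[1:]
    _serial, _alg, issuer, _validity, subject, spki = tbs[:6]
    return {"issuer_cn": cn_of(issuer[1]), "subject_cn": cn_of(subject[1]),
            "spki_sha256": hashlib.sha256(der(SEQ, spki[1])).hexdigest()}

def pin_for(pubkey):
    return hashlib.sha256(spki_der(pubkey)).hexdigest()

def check_pinned(chain, host, pins):
    """Accept only if the leaf names `host` AND carries a public key we pinned."""
    leaf = cert_fields(chain[0])
    return leaf["subject_cn"] == host and leaf["spki_sha256"] in pins

# Constructed scenario: the real gateway key vs. the key the inspection box uses.
SERVER_KEY = hashlib.sha256(b"vpn-gateway-key").digest() * 2   # 64 stand-in key bytes
BOX_KEY = hashlib.sha256(b"dpi-box-key").digest() * 2
HOST = "vpn.example.net"
PINS = {pin_for(SERVER_KEY)}                                    # shipped with the client

GENUINE_CHAIN = [toy_cert(HOST, "Example Root CA", SERVER_KEY)]
# The box re-issues a cert for the same host name under its own CA and its own key.
INTERCEPTED_CHAIN = [toy_cert(HOST, "Corp DPI CA", BOX_KEY)]

if __name__ == "__main__":
    print(check_pinned(GENUINE_CHAIN, HOST, PINS))        # True
    print(check_pinned(INTERCEPTED_CHAIN, HOST, PINS))    # False
    print(cert_fields(INTERCEPTED_CHAIN[0])["issuer_cn"]) # Corp DPI CA
```

Hostname checking alone passes the intercepted chain, because the box copies the subject; the pin fails because the box cannot copy the private key. In a real client the chain would come from the TLS handshake and the pins from a hash of the operator's actual SPKI, and a pin failure should be surfaced to the user rather than silently retried.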

Google engineer urges web devs to step up and secure their code in this data-spilling Spectre-haunted world

Dan from Chicago

There's only one way to do it

Make everyone liable for their mistakes. If you're injured because the maker of the car failed to secure the connection between the fuel line and the engine, the car company will have to pay - so they're careful to try to not let that happen. They're willing to spend time and money to make sure that doesn't happen.

Web sites do the equivalent of killing and injuring millions of their customers every day, but since all of the costs are borne by the users, web site developers continue to send their "death traps" out into the network.

We've tried the "honor system." It didn't work. Time to let the lawyers get involved.

It's a horrible solution, but it's better than every other solution.

No one likes a heart-stopping AWS bill shock so now there's a machine learning tool to help detect cost anomalies

Dan from Chicago

Cloud hosting is intrinsically less secure, since administration logins have to pass through an external, public network (however well thought out the session initiation encryption may be) from an infrastructure that's outside of the cloud's security framework. There are often significant economies of scale to be gained, particularly for small and medium sized organizations that can't afford dedicated administration staff for tasks like patching, backup, and netflow monitoring. But paying a cloud provider for hosting administration denies the organization the economies of scale that would otherwise be gained for local administration and security, making any local security more expensive. If local security is weak, then the logins to administer cloud services are easily compromised from the client location, and the cloud security fails. This is how most cloud security failures occur. Two factor logins provide limited benefits, since a legitimate session from a compromised local machine can be hijacked.

Very large organizations that use public cloud are often wasting money and taking unnecessary risks.

Large organizations can gain most of the scale benefits of cloud hardware and platform maintenance and add to that the benefit of protecting the organization with scale savings on very strong local security.
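
The hijack Dan describes (an MFA-authenticated admin session reused from a compromised or foreign machine) leaves a trace in the provider's audit log: the same session credential starts appearing from a different source address or client. The detector below is an added example, not part of the comment; it uses a simplified CloudTrail-like record shape (the field names `sessionId`, `mfaUsed`, `sourceIPAddress`, `userAgent` are assumptions) and the log lines are constructed for the demonstration.

```python
import json
from datetime import datetime, timezone

# Constructed sample events (simplified CloudTrail-like shape, not real log data).
# sess-1: admin logs in with MFA from the office, then the same session token is
# replayed from another address with a scripted client to mint a new access key.
# sess-2: an ordinary session that stays on one machine.
SAMPLE_LOG = """
{"eventTime":"2023-02-21T14:00:05Z","eventName":"ConsoleLogin","user":"admin","mfaUsed":"Yes","sourceIPAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0)","sessionId":"sess-1"}
{"eventTime":"2023-02-21T14:02:11Z","eventName":"ListUsers","user":"admin","sourceIPAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0)","sessionId":"sess-1"}
{"eventTime":"2023-02-21T14:09:40Z","eventName":"CreateAccessKey","user":"admin","sourceIPAddress":"198.51.100.77","userAgent":"python-requests/2.28","sessionId":"sess-1"}
{"eventTime":"2023-02-21T14:10:02Z","eventName":"ConsoleLogin","user":"ops","mfaUsed":"Yes","sourceIPAddress":"203.0.113.22","userAgent":"Mozilla/5.0 (Macintosh)","sessionId":"sess-2"}
{"eventTime":"2023-02-21T14:15:30Z","eventName":"DescribeInstances","user":"ops","sourceIPAddress":"203.0.113.22","userAgent":"Mozilla/5.0 (Macintosh)","sessionId":"sess-2"}
"""

# Calls that change who can log in or what they can do; worth a louder alert.
PRIVILEGED = {"CreateAccessKey", "CreateUser", "AttachUserPolicy", "PutUserPolicy",
              "UpdateLoginProfile", "CreateLoginProfile"}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def detect_session_hijacks(log_text):
    """Flag events whose session credential is used from a different (IP, user agent)
    than the one it was issued to at login. Returns a list of alert dicts."""
    origin = {}   # sessionId -> {"ip", "ua", "at", "mfa"} recorded at ConsoleLogin
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        sid = ev["sessionId"]
        here = (ev["sourceIPAddress"], ev["userAgent"])
        if ev["eventName"] == "ConsoleLogin":
            # MFA at login does not protect what happens to the session afterwards.
            origin[sid] = {"ip": here[0], "ua": here[1], "at": _ts(ev["eventTime"]),
                           "mfa": ev.get("mfaUsed") == "Yes"}
            continue
        first = origin.get(sid)
        if first is None or (first["ip"], first["ua"]) == here:
            continue   # unknown session (logged before our window) or same origin
        alerts.append({
            "sessionId": sid,
            "user": ev["user"],
            "eventName": ev["eventName"],
            "login_ip": first["ip"],
            "login_mfa": first["mfa"],
            "seen_from_ip": here[0],
            "seen_from_ua": here[1],
            "seconds_after_login": int((_ts(ev["eventTime"]) - first["at"]).total_seconds()),
            "severity": "high" if ev["eventName"] in PRIVILEGED else "medium",
        })
    return alerts

if __name__ == "__main__":
    for a in detect_session_hijacks(SAMPLE_LOG):
        print(json.dumps(a))
```

The point of keying on the session identifier rather than on the user is exactly the one Dan makes: the login was legitimate and MFA was satisfied, so a per-user "impossible travel" rule that resets at each authentication would not fire. What gives the attacker away is that a credential bound to one origin surfaces from another. A user agent change alone is weak evidence (browser updates, proxies), so in practice this would be tuned to require an IP change outside the organization's known ranges, or weighted by the privileged-call list.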

Apple fires legal salvo at Corellium claiming the virtual iPhone flinger is infringing copyright

Dan from Chicago
Happy

As long as Corellium is OK with me requesting a free eval, cloning it, and then selling copies for $200 less than they do, it all sounds perfectly fair!

My product would be totally different, since it will be spelled "correlium."

Amazon makes lift-and-shift play for Windows File, Lustre workloads

Dan from Chicago

In other words....

$6048 per year is the minimum cost. $18,000 for a typical refresh cycle.

So why is it listed at 0.14 cents?

They wouldn't be trying to confuse pointy haired boss types about the cost of their cloud services compared to buying your own kit, would they?

...considering that you buy those same four 1TB nvme disks for about $600.

That's a 30,000% profit on the storage cost. Really we need to be considering the cost of electricity, host boxes, and staff. At that point, profits at that Mother Teresa-like company could be scraping along at only a few thousand percent!

:-) - Am I being a little unfair? Maybe it's Amazon that is.

It's like selling bags of rice under a big sign that has the price per grain of rice. Not nice!

Party like it's 1989... SVGA code bug haunts VMware's house, lets guests flee to host OS

Dan from Chicago

The big bang is when the escape is on AWS

Hook into the host process (up the chain to the top) that updates infrastructure and guest OSes and deploy a ransomware "patch."

Let it get replicated and backed up for a couple of days, on all storage types, then fire it off on D-day (D for the dummies who didn't have some form of offline backup, whether local or cloud).

Clean up costs would be incredible. Millions of servers would be looking at pay up or start from scratch. Tracking down and re-running even a couple of days of transactions would be an incredible amount of work.

Cryptocurrencies are a big part of the problem. They make getting away while keeping ransom payments too easy.

Huawei's Watch GT snubs Google for homegrown OS

Dan from Chicago

Gets killed by Garmin

There are hundreds of apps and widgets available for Garmin watches, its charge is good for 2 weeks of non active-sport activity and a charge can be topped off (from 50% to 100%) in about a half hour.

The integration with cloud based analytic apps, phone, and 3rd party platforms like Strava is extensive and seamless.

The performance is due to using a purpose built OS for portable device hardware vs. accepting the power and performance baggage of any general purpose OS.

Lenovo Thinkpad X280: Choosing a light luggable isn't so easy

Dan from Chicago

Service -

The old Thinkpad warranty service center was on the edge of the main FedEx hub in Atlanta. You'd drop your notebook off at a FedEx box as late as 9PM, they'd work on it overnight, and then you'd get it back by 10AM the following morning. And shipping was covered, as well.

...but the notebook cost about $8,000 in today's dollars, so there's that, too. With current notebooks you could just buy a new one and move over the hard drive, more than once, and still spend less. It would be even quicker. But the "wings" folding keyboard was a really useful trick!

'Alexa, find me a good patent lawyer' – Amazon sued for allegedly lifting tech of home assistant

Dan from Chicago

I call BS

I call BS - After spending all of 22 seconds on a Google search - confirmation that natural language queries had already become old news in 1982. Makes me think that Rensselaer Polytechnic Institute and Trump University share quite a bit in terms of integrity and fundamental understanding of fields in which they claim expertise.

December 1982, Volume 4, Issue 4, pp 471–504

Notice that this paper has not claimed that all natural languages are CFL's. What it has shown is that every published argument purporting to demonstrate the non-context-freeness of some natural language is invalid, either formally or empirically or both. Whether non-context-free characteristics can be found in the stringset of some natural language remains an open question, just as it was a quarter century ago.

https://link.springer.com/article/10.1007/BF00360802

Car-crash television: 'Excuse me ma'am, do you speak English?' 'Yes I do,' replies AMD's CEO

Dan from Chicago

Lisa Su seems to be a real class act - no wonder AMD is doing so much better.

Can you imagine any of her predecessors saying "I'm here with AMD" instead of "Back off, peasant, I'm the PRESIDENT, CEO, and all around BIG BOSS of AMD?"

Serverless: Should we be scared? Maybe. Is it a silly name? Possibly

Dan from Chicago

"Codeless" maybe?

The server aspect seems rather orthogonal to your intent; calling it gluten-free technology seems as suitable a term as serverless.

:-)

Google BLOCKS access to Goldman client-leak email

Dan from Chicago

Always surprising

Everyone seems to think it's fine that Google, Apple, Amazon, telcos, Comcast, etc. have dozens (hundreds?) of staff and contractors who can look through our emails, photos, etc. but it's time for hysterics if a government agency (that generally has at least some mandated level of privacy protection) gets the same access.

Flash cheaper than disk? 'Customers aren't buying that', says NetApp CEO

Dan from Chicago

15k SAS is flat, and single level flash probably isn't doing much better

The time frame the NetApp guy was looking at was probably 3 years or so, and during that time dumping most data to big, very cheap, slow disk, then cleverly caching it in RAM and Flash in controllers, looks like a reasonable approach for many applications. It can provide superior performance to plain flash (RAM is so much faster than current flash) while being cheaper.

That "15k SAS is flat, and single level flash probably isn't doing much better" makes sense.

What's growing are the denser, less expensive versions of storage technologies. It seems like systems that once collected a binary value using a single bit of storage are now archiving a Yes/No question as a 1920x1080 video of someone leaning into their webcam and saying "No" - which then has to get replicated to D2D backed storage in two or more clouds (once your cloud provider goes chapter 11 and sells off the boxes holding your data once, you learn to replicate). Even after compression and de-dup that bit has become a couple meg scattered across 4 sets of blocks!

Granted, that's a reductio ad absurdum worst case, but video and imagery (and backing up to disk) have been taking away a lot of what increasing density and falling costs have been giving to storage. It's why the NetApp guy was saying that they see demand for very fast cheap storage growing faster than slightly faster expensive storage.