* Posts by Warm Braw

3354 publicly visible posts • joined 6 Sep 2013

FYI: That Hawaii missile alert was no UI blunder. Someone really thought the islands were toast

Warm Braw

Re: EMA - puzzling

communication in Hawaii has the distinct risk of not working

Actually, Hawaii is an electronic communications pioneer.

Trump White House mulls nationalizing 5G... an idea going down like 'a balloon made out of a Ford Pinto'

Warm Braw

"encourage and incentivize America’s broadband companies"

So it's wrong for the government to spend public money on its own monopoly/oligopoly but fine to subsidise private ones?

Ugly, perfect ten-rated bug hits Cisco VPNs

Warm Braw

Re: Security appliances memory errors and programming bugs

I sense a whoosh...

NASA finds satellite, realises it has lost the software and kit that talk to it

Warm Braw

Re: It was also HARDWARE that no longer exists.

I'd be surprised if the signalling from a satellite launched in 2000 were so high-speed or so complex that it couldn't be processed in software these days - assuming the effort is justified.

Tsk-tsk, fat cat Softcat: Milk-slurping reseller taken to court

Warm Braw

El Reg is a red-top, just skim through...

You can't ignore Spectre. Look, it's pressing its nose against your screen

Warm Braw

The good news is it's not being exploited in the wild yet

It would be difficult to prove that assertion...

FYI: Processor bugs are everywhere – just ask Intel and AMD

Warm Braw

So you can't use SiFive's open-sourced designs based on RISC-V?

There are a number of preliminary implementations of RISC-V (and really only the user-mode instruction set is fully settled at this stage), but you have to read what they mean by "open source" very carefully. RISC-V is being touted as a common instruction set that can be targeted by open source software with the aspiration that this leads to a diversity of chip suppliers, freed of the licensing constraints for the ISA. That doesn't say anything about licensing of the hardware design, though. It also says nothing about the large number of patents on processor design that might constrain any particular implementation seeking to be entirely open.

I've not looked into it in detail, but I'm aware of only one significant project aiming to produce truly "open" hardware based on RISC-V. Although SiFive say they're "changing the way people buy IP", their hardware is not, as far as I can tell, "open source" - there's still a licence agreement and a fee, as there would be, say, with ARM, although the process overhead is said to be much lower.

Warm Braw

Re: Even the 6502

And even formal verification of the logic doesn't guarantee that you won't have problems like the Atom C2000 clock issue - translating it all into silicon is still a bit of a black art.

Warm Braw

RISC-V, it seems there are suppliers already

RISC-V is not a CPU design, it is the specification of an instruction set. You can't take it to a foundry and get them to produce you a CPU.

Crypto-jackers slip Coinhive mining code into YouTube site ads

Warm Braw

Re: JavaScript for Ads?

you end up downloading the same jQuery/Angular/Whatever today's framework is javascript file for every site you visit rather than downloading it once from a CDN

Good. I can then hold the publisher of the site responsible for any nasties in their code and not have to rely on the probity and security of some entirely unconnected third party.

But that would slow things down, you cry? Well, perhaps that might persuade the site authors only to include the code they actually need and can test and verify.

And of course if all responses had to go to the single origin too, then the publisher would be responsible for all the data they hand over to dubious analytics and tracking organisations, which might make them think twice. Sounds like a win all round.

Warm Braw

Re: JavaScript for Ads?

But if you stick to static visible images, how are you going to make your paid-for advertisement stand out over the paid-for content? And in the case of YouTube rather a lot of it seems to consist of "influencers" persuading their gormless peers to buy products they themselves were given free. I don't think you can expect any form of voluntary commercial moral restraint to survive in that environment.

It's a pity that HTML doesn't have a single-origin model where all content on a page has to come from the same source - it wouldn't eliminate abuse, but it would at least make the content-providers responsible for the advertising that appears on their sites and the costs of serving them.

Driverless cars will lead to data-sharing – of the electrical kind

Warm Braw

Re: First create the infrastructure for taxes

as tax on petrol and diesel goes down the tax on charging goes up

Fuel duty alone brings in around £28bn at present, almost 4% of the government's income, and there's VAT on top of that. Of course that income will have to be replaced (or public services cut) if there is a significant drop in the consumption of conventional fuels.

Petrol duty is potentially quite an effective form of taxation since it is roughly correlated with mileage and road damage and there's nothing much else petrol is routinely used for. Trying to tax "transport electricity" differently to other forms of electricity sounds like taking the "red diesel" problem and scaling it up by many orders of magnitude, so I suspect distance-based taxation is going to be the preferred option.

EU bods up GDPR ante: Threatens legislative laggards with ‘infringement procedure’

Warm Braw

Re: @ anonymous boring coward

So you think if we trade with China, the US or anywhere else in the world they should make laws to govern our country and how we do business even if it is only domestic?

Have you even any idea what a trade treaty consists of? They are legally binding, take precedence over national laws and of course they govern "how we do business even if it is only domestic" because they prohibit us from doing things that would prevent trade partners from other countries being disadvantaged in the supply of goods and services to the domestic market. That includes things like standards for safety and animal welfare and financial support to domestic industry.

And if you're really concerned about "supranational governments", I suggest you read up on Investor-state dispute settlement.

All trade agreements result in a loss of sovereignty over domestic policy. Some are better/worse than others in that respect (depending on whether you believe in free trade or protectionism) but none offers "having your cake and eating it".

Warm Braw

Re: @ anonymous boring coward

the rest of us won't be bound by them

I don't think it's a leap forward to move from a position in which our trade with the EU is governed by EU rules and our trade with non-EU countries is governed by their rules to one in which our trade with the EU is governed by EU rules, our trade with non-EU countries is governed by their rules and we have different rules for doing business inside Britain.

There is no such thing as "free" trade as will be underlined once more when the citizens of the countries whose leaders have agreed the revised TPP are finally allowed to know what trade rules they have been signed up to without their consent. I'm afraid that's how it works: there is no great shining upland of democratic accountability out there.

Death notice: Moore's Law. 19 April 1965 – 2 January 2018

Warm Braw

Re: end of x86 & x64?

the performance penalty inherent to context switching

One thing we've learned over the last week is that speeding things up at the cost of security is not a great idea. And it's a bit of a circular argument in any case - the faster mode switch, SYSCALL, only provides a kernel mode switch as the other modes weren't actually being used. We really need to look at what we need in terms of security, not constantly optimise and compromise for benchmarks.

And we need to do it right. As I've been delving into this a bit deeper, I notice that AMD's encrypted memory does not seem to extend past the memory bus - information in the cache (and CPU) is in the clear. That means similar side-channel techniques could potentially be used to bypass memory encryption. It's going to take some time to get our collective heads around this.

Warm Braw

Re: end of x86 & x64?

are we to see RISC on the desktop?

RISC simply refers to the instruction set, not the way the instruction set is implemented - there's increasingly less correlation between the two.

The other thing is that compiled programs tend to be larger for RISC machines as you need more "reduced" instructions than you would "complex" instructions. This didn't matter when processors ran at or close to the memory access speed, but now they run much faster you're in greater danger of stalling the pipeline because you have to drag so much more stuff out of memory to execute your code so you would typically need more in the way of cache and other optimisations.

Also, an instruction decoder can often turn a complex instruction (such as an ADD instruction that takes two memory based source operands and a memory-based destination operand) into a series of simpler processor operations (such as two loads to temporary registers, a register addition and a register store operation), achieving a RISC effect with potentially more compact instructions.

What I hope we are to see on the desktop is something that takes us forward - not revisits where we have already been - and that will have more to do with the less-visible but vital improvements in the protection of memory (and cryptographic secrets in particular) and better segregation of trusted and untrusted code. And in that latter respect, I think we're going to have to get used to there being a little more than just "kernel" and "user" space to worry about.

Google can't innovate anymore, exiting programmer laments

Warm Braw

Yegge slams Google for becoming competitor-focused

Well, it's a strategy that worked pretty well for Microsoft before phones - it just depends on how good you are at beating/buying the competition because "me too" isn't the outcome you're looking for, it's "just me".

The difference between Google and Amazon it would appear to me (and I have worked for neither) is that Google puts its tech staff in fancy offices, feeds them fancy food and gives them time to work on their pet projects in the hope that they might happen upon a lucrative product. Amazon, on the other hand, knows what it's trying to achieve and just expects the staff to get on with their work.

Former Amazon people seem to be a lot less vocal - which should tell us something.

H-1B visa hopefuls, green card holders are feeling the wrath of 'America first' Trump

Warm Braw

"It has the most Nobel prizes precisely because most of the people who have won them have immigrated from other countries to be there."

In the 2018 Bloomberg Innovation Index I can't see any obvious correlation between list position and levels of immigration - though that's not to say the UK's ranking (17th...) might not be even worse without overseas academics, but clearly other factors are at play.

Having said that, I really don't see the frenzy - and it's not restricted to the US: Australia and the UK are pretty keen on it too - to deport people who are otherwise legal residents but who have committed crimes. We don't deport our own citizens - we regard their sentence as being the punishment for the crime; I'm not sure that returning people to places to which they've had no connection for decades can be regarded as anything other than xenophobic vindictiveness.

Electric cars to create new peak hour when they all need a charge

Warm Braw

Re: I've been pointing this out for years.

The thing I keep pointing out is that an awful lot of people aren't able to bring their vehicles into close proximity to their electricity supply - they park their cars on the street. Even (UK) people with garages typically can't get their cars in because as houses get smaller, the garage gets increasingly full of the stuff that won't fit indoors.

For a lot of people, quick charging in a shared location will be a necessity - and that brings a different set of infrastructure challenges.

TalkTalk starts offering punters choice to shift-shift to O2

Warm Braw

Its "core strength"...

... is appearing to be cheap. That's increasingly difficult when a significant part of your cost base is attributable to third parties and you bring nothing else of your own to the offering that you can bundle.

It's 2018 and your Macs, iPhones can be pwned by playing evil music

Warm Braw

Re: Dream On Apple

It might be worth thinking again

The up-front cost of these devices is eventually irrelevant, it's the revenue from ongoing subscriptions that's significant. Of particular note is that all of those Alexa "skills" (and their equivalents) have to run in the cloud somewhere and someone has to pay for that. Amazon is currently swallowing the cost of the basic built-in capabilities, but the only logical long-term economic model would require you to pay a monthly subscription for the benefit of being able to turn your lights on and off and another one to view your doorbell and another one to use your security camera and another one...

Amazon and Google obviously decided they needed to sell devices cheaply to overcome consumer resistance - Apple cracked that problem years ago.

29 MEEELLION iPhone Xs flogged... only to be end-of-life'd by summer?

Warm Braw

Apple's ... strategy is typically fully baked at least 18 months in advance

Pity, at least this time around, it turned out to be half-baked on delivery...

Serverless: Should we be scared? Maybe. Is it a silly name? Possibly

Warm Braw

Don't care about how their applications do what they do?

They clearly missed their GDPR training, then.

'WHAT THE F*CK IS GOING ON?' Linus Torvalds explodes at Intel spinning Spectre fix as a security feature

Warm Braw

what would be happening if AMD's chips weren't affected

In one of the many posts there have been on various forums, I saw a suggestion that the only reason that AMD is not vulnerable to Meltdown is that Intel patents prevented AMD from using those particular techniques. I don't know how accurate that is, but I'd be surprised if AMD's apparent prescience is simply a matter of great foresight.

UK Army chief: Russia could totally pwn us with cable-cutting and hax0rs

Warm Braw

Re: Senior service

why is there no mention...

Presumably because the secretary for defence thinks there's a chance he can still save what's left of the army but has already written off the navy as a lost cause (which, given its mission is presently to pay for a seemingly unrelated assortment of factory preservation projects, it probably is).

NHS OKs offshoring patient data to cloud providers stateside

Warm Braw

You can tell how well thought out this is...

The NHS risk document identifies the following Government Security Classifications, intended to identify different levels of information sensitivity across government departments and their suppliers:

  • Official
  • Official-sensitive
  • Secret
  • Top-secret

They then identify all of the various levels of sensitivity of patient information (from aggregated statistics through to clinical information and contact information for people at threat). Apart from publicly-disseminated information (such as numbers of people suffering from 'flu), everything maps to Official-Sensitive - even the key material encrypting the data because:

Whilst we need such data to be treated to the highest standards, they do not fit into the government policy criteria for SECRET or TOP-SECRET.

So the government, in 2014, adopted a system of security classification that is entirely inapplicable to the health data in its possession. And no doubt equally inapplicable to sensitive information about child protection, vulnerable adults, taxation and who knows what else. And is then pushing its departments to push that data out into the public cloud.

A dispassionate observer might conclude they were concerned only with the preservation of their own secrets.

Meltdown/Spectre week three: World still knee-deep in something nasty

Warm Braw

conventional malware

Unfortunately, given that you can potentially exploit these bugs from JavaScript on a web page, you're at risk from a far greater range of potential malware than one might at first imagine. And if you provide a public cloud service, you have to be robust against even unconventional malware.

That said, the meltdown issue wouldn't be a problem (necessarily) if the kernel memory were encrypted - though you'd have to be reasonably convinced that the encryption key wasn't exposed and that, having downloaded the contents of encrypted memory, an attacker then having the time and resources couldn't brute-force the key by some means (and it is quite likely that there will be known data patterns at various kernel addresses).

Spectre is more of a problem, but it could potentially be dealt with by having "sandboxed" code (such as JavaScript...) run in an address space separate from that of the host process and the latter also having its memory encrypted - the same caveats applying.

It might be OK to ignore the problem on your own particular desktop computer, but if the cloud providers want to stay in business these issues have to be fixed.

Tax Google and Facebook for a job subsidy scheme? Sigh

Warm Braw

Wrong way around?

Perhaps you just get Google and Facebook to build the system to hold and disseminate the court records - it's pretty close to their core business and it can't be worse than earlier attempts at applying IT to the justice system.

And then you find a way of taxing their core business effectively for everyone's positive benefit, not as some sort of punishment for having a profitable business model or giving voice to the wrong sort of people.

Smut site fingered as 'source' of a million US net neutrality comments

Warm Braw

Re: American democracy

Nobody's holding a gun to anyone's head who wants to leave

Merely threatening to tax their worldwide income in perpetuity.

IBM turns panto villain as The Reg tells readers: 'It's behind you!'

Warm Braw

Re: How long would IBM last if

.... "India's Best Men" start demanding pay rises?

Court throws out BT's plans to reduce pension rates

Warm Braw

they are repayments to investors for their money

Only very tenuously. The only people who actually "invest" in companies are people who buy freshly-issued stock. The company receives no money from people who buy those shares subsequently: they don't "invest" in the company at all, they simply speculate on its ability to generate future returns.

The resale of shares is the way the original investors can get a return on their investment, but that's a very small amount of the market by volume of share trades. It's principally the present speculators who would be disadvantaged by a rule prioritising pension funding over dividends - future speculators would factor that into their speculation by marking down the share price.

Unfortunately, of course, your & my pension fund may well be one of those present speculators that would be disadvantaged.

Apple: The exclusive sales channel for an, er, AI toothbrush

Warm Braw

They're hoping to generate a lot of buzz online...

You get a lawsuit! And you get a lawsuit! And you! Now Apple sued over CPU security flaws

Warm Braw

Re: "responsible for products sold since they were aware of the problem"

how about having a patch ready on August 1, 2017?

How about having the Midland Metropolitan Hospital open next week? And maybe a Mars base by the end of March?

Home Office admits it sent asylum seeker’s personal info to the state he was fleeing

Warm Braw

Re: AC Cognitive Dissonance

we are all getting pigeon holed depending on opinions

Actually, we're pigeon-holing ourselves by constantly repeating the same totemic memes, demonstrating that our opinions are worthless.

NHS: Thanks for the free work, Linux nerds, now face our trademark cops

Warm Braw

Agreed, there's a significant risk of passing off and it seems petulant to complain about it as no-one in the NHS actually asked them to do this stuff as far as I can tell.

If they want to piss off their only potential customer in a legally-acceptable way, they could just change the name to UbHUNTu.

Make Apple, er, America Great Again: iGiant to bring home profits, pay $38bn in repatriation tax

Warm Braw

Re: Shame they pay no tax elsewhere

If you want to renounce your US citizenship, you will have to pay a fee and possibly an exit tax - which may be applicable even if you simply had a green card.

And UK banks (amongst many others) are obliged to assist the US treasury in enforcing their taxation rules.

France to lend Brexit Britain sore souvenir of Norman yoke – the Bayeux Tapestry

Warm Braw

Re: That's not an erection...THIS is an erection...

He could have someone's eye out with that...

Another day, another Spectre fix slowdown: What to expect if you heart ZFS

Warm Braw

Ubuntu patches?

According to the VMware security advisory, fixing the bug completely requires guest OS patches as well as patches to the CPU microcode and hypervisor. I can't see anything in the blog post about whether these have been applied or are relevant. Anyone have any further details?

Destroying the city to save the robocar

Warm Braw

Not a new problem

The growth in car ownership led to all sorts of grandiose post-war plans to "modernise" cities for the age of personal transportation. These included the London Ringways, the similar Manchester plan and the Newcastle Central Motorway(s). None of these plans was ever fully completed owing to the ever-growing protests about the destruction of both buildings and environment that resulted. The roads that were built are now little better than car parks at peak travel times.

In the unlikely event that autonomous vehicles ever become realistic and in the absence of any other change, most of them are going to be sitting in the same traffic jams. You can't fix that with more roads, only by changing lifestyles so there are fewer vehicles.

'No evidence' UK.gov has done much to break up IT outsourcing

Warm Braw

Re: Endless

The point is that the usual suspects don't actually have the huge numbers of staff sitting around on the off chance that they'll win the contract for which they've bid - they build teams and consortia when they know the money is secure and not before.

And as we've seen with Carillion, their role as gatekeeper to major projects means that a ruthless primary contractor can pass all the "fronting" risk down to their subcontractors (accept our crap terms for late payment or get no work) and use the up-front payments from the government to prop up the dividends and bonuses.

What you're actually buying from the mega company may be very little more than its database of desperate suppliers and some contracted project managers.

Butt plugs, mock cocks, late pay and paranoia: The world of Waymo star Anthony Levandowski… by his kids' nanny

Warm Braw

Rich Bender and Randy

Are these the names of the toys?

Google's 'QUIC' TCP alternative slow to excite anyone outside Google

Warm Braw

Re: Yes, and on the disadvantage side

I suppose if you compare QUIC with (TLS + TCP) you're looking at a similar level of complexity overall.

Setting aside the cryptographic stuff, QUIC does fix a number of inherent security problems with TCP and finally deals with its window size limitations, though it curiously does not incorporate any message boundary delineation. I have a suspicion that the complexity of the stream multiplexing and the individual acknowledgment of small chunks of data in each stream is a bear trap - that in practice a lost packet will stall more streams and result in more data being held pending retransmission than if the streams were sent individually.

That might not matter if the main application is retrieving web pages - the improvement in connection overhead is likely to be more than adequate compensation, but it would be interesting to see data from other types of application.

The only performance figures I've seen compare QUIC and HTTP (which I presume means they're not using the cryptographic features) and in those circumstances QUIC doesn't seem to be a clear winner and no more robust in the face of packet loss than HTTP over TCP.

OK, Google: Why does Chromecast clobber Wi-Fi connections?

Warm Braw

Re: Nice evasion router vendors...

While the router shouldn't totally lock up under these conditions and ought eventually to recover, receiving a large number of short packets back to back will inevitably seriously impact the throughput for other devices on the network and could result in network devices being dropped temporarily, simply because the radio space is being hogged by the amount of traffic from one source.

Domestic access points are typically not equipped with particularly fast processors and so there is a dependency on the underlying network hardware to be able to discard or ignore data that's arriving too quickly - it's possible in this case that because the packets are multicast they're being passed up the stack to the CPU but there's no limit on the number of buffers that can be allocated for that purpose, the CPU is getting behind and hence memory is being exhausted. A better thing to do might be to stop receiving altogether, but the AP would then effectively go deaf until it had caught up with the multicast traffic. However, unless you have a device that can process all potential traffic at the speed of the physical medium you're going to have problems of some sort - and that device wouldn't be competitive in a domestic market.

Even if it were, shared-media systems (like wired and wireless ethernet) depend to some extent on the connected devices behaving: if you have a device that jabbers constantly, there's not much you can do.

In short, it's OK to expect better, but you're not going to get perfect.

France may protect citizens' liberté with ban on foreigners buying local big data firms

Warm Braw

Energy supply, water, transport, telecoms and public health

EDF, Veolia, Keolis and French hospitals don't seem to be on a list over here.

Why did top Home Office civil servant lobby Ofcom for obscure kit ban?

Warm Braw

Matthew Dine

You don't even need to do the highlight trick on the PDF.

If you google "comug correspondence ofcom", the PDF file seen by The Register appears at or near the top of the search listings. If you click on the down arrow adjacent to the link and select "cached", Google will helpfully give you the entire text of the document, e-mail addresses included.

I hope the PR people have spent as much time hounding Ofcom...

UK.gov denies data processing framework is 'sinister' – but admits ICO has concerns

Warm Braw

This is not quite as sinister as has been made out

If it isn't, it would be a first for legislation relating to data privacy.

Boffins split on whether Spectre fix needs tweaked hardware

Warm Braw

Re: Non-timing side channels?

There are plenty of applications that need high-precision timers: media synchronisation, in-process threading, etc. Taking them away from applications isn't really an option - though if you did, you'd also have to "fuzz" the lower-resolution timers because otherwise an application can simply execute, say, increment instructions to pad out the longer period and use the resulting number to work out how long the rest of the operation took.

The point of the processor is to run non-privileged, end-user applications. The operating system is just there to get multiple processes to play nicely together - it's not a repository for application code that processor bugs make unsafe to run.

Worst-case Brexit could kill 92,000 science, tech jobs across UK – report

Warm Braw

Re: meh

Does this account for any potential partnership with the US or China

The point is that there's nothing stopping us having partnerships with the US or China right now - the EU doesn't have exclusivity over our research programmes. Our research partnerships with countries like Canada fall largely within their participation in EU programmes.

The EU has always made research funding a priority, partly because it sees the technical dominance of the US (in particular) as a threat not only to European industry, but also to European social policy. I would be very surprised if the UK had the same interest in continuing to fund research - it's been at best a grudging concession from the Treasury in the past - or to provide the freedom of movement for international scientists that has underpinned our research collaborations within Europe.

Think tank: Never mind WannaCry, update NHS IT systems for RoboDoc

Warm Braw

The NHS needs to move away from paper-based systems

The WannaCry debacle suggests the opposite to me.

If the various outpatients clinics and operating theatres had printouts of their schedules for the next few days, most of them would - in conjunction with their paper medical records - have been able to continue to function, at least until the inability to make fresh appointments deprived them of work - probably about 3 months at the current rate of referrals...

Most of the work of the NHS is extremely mundane. There are cases of complex diseases or difficult-to-interpret diagnostics where AI may be of some benefit, but they're the exception rather than the rule.

No wonder Marvin the robot was miserable: AI will make the rich richer – and the poor poorer

Warm Braw

... £6k a year, that would cost something like £200,000 to purchase

The reason that isn't equivalent to wealth is that you're not "entitled" to it in any way under your control. There is no fund of equivalent value in which you have a share, all you have is a promise that a future government will require future taxpayers to pay you that sum out of their earnings.

If there's no one to tax (because the winners are offshore and the losers are impoverished), it will quickly become apparent that "wealth" is of very little value.