Posts by thames

Re: Hmm

You need to find out what they mean by "isolate", whether it's an actual air gap (probably not) or just separate networks (more likely).

When you say "the PLCs need to send a sizeable stream of data to the SQL servers over in the office network", is it the PLCs which are talking directly to the database servers, or is there one or more PCs in between which runs software which polls the PLCs and then writes to the database servers? I suspect it's the latter.

Alternatively, it may be the PCs which are the thing which needs to be isolated from the office network, especially if they are running some sort of SCADA or HMI software which is collecting the data as well as doing it's main job.

In either case you may need some sort of firewall and proxy server between the industrial network and the office network. Think of it as being a simplified version of what is used to isolate the office network from the Internet (I'm assuming you are doing this). That way an attacker who gets into the office network doesn't have direct access to the industrial network (the thing which is connected to the part of the company that actually makes money).

If you google for "scada firewall proxy server" (or something like that) you should be able to find plenty of examples.

Re: Snap....

Most Linux users have probably never built a package from source in their entire life, and many wouldn't know how. Most use pre-built packages from their distro's repositories.

There are source based distros, but the user base is small. If you like building packages as a hobby that's fine, but not many people do.

Snaps are well suited for the market that Ubuntu Core is addressing, which is dedicated "appliances" which do one thing and need regular completely automated atomic updates with no user interaction.

Re: Insightful

Perhaps the production environment needs to be designed from the ground up with recovery in mind rather than it being tacked on as an afterthought. And perhaps recovery needs to be tested regularly, with objective measures of how well it worked.

Like you said, eventually an attack will get through. The real test of your preparedness comes in terms of how fast you can recover from it.

Re: So, farewell then, VMware Fusion for macOS. Oh, you're still here …

I don't know what you've been doing with VMWare, but if you are using it on an Apple PC as opposed to a server then you may wish to have a look at VirtualBox. I've been using it for a number of years on a Linux PC to run a variety of operating systems for testing purposes with few problems.

I use the GUI to install and configure the VMs. I then use the VBoxManage command line utility to roll back, start up, monitor, and shut down VMs automatically controlled by bash scripts.

You can control pretty much everything about the VM via VBoxManage, As a very simple example if all you want to do is make launching the VM clickable with a mouse then you should be able to do this easily provided you can make a shell script clickable via an icon (this is easy with Linux).

Re: Thank you for a nice article

I installed 3.16 shortly after it came out, replacing an existing 3.15 installation. I use the "standard" ISO.

I tried an in-place upgrade from 3.15 to 3.16 which mostly worked but would for some reason not install a working pip (python).

I gave up on that and tried a fresh install. That kept getting stuck because when I tried to create a user (following the setup-alipine script) it would refuse saying that it wouldn't let me because the user already existed (I was creating the same user as was in the previous install).

I finally just re-formatted the disk using the disk setup script, which I believe is setup-disk.

I then ran setup-alpine again and was able to create the user. However, it didn't create a user directory for that user. I had to create that manually and set the appropriate permission bits manually.

I have gone through the installation process probably two dozen times now in order to get working systems for both 3.15 and 3.16.

I am using it on an old x86 32 bit system with a hard drive. I normally use it as a headless system accessing it by ssh. I plug in a monitor and keyboard for setup. The CPU does not support later x86 instructions, so for example 32 bit Debian will not run on it (the installer complains about a missing CMOV instruction). Alpine does run and this is the reason that I persisted with it.

The installation script has good and bad points. The good point is that it limits the number of options.

The bad points are that it's often not clear what is being asked and there isn't any way of going back and changing an option once you have made a selection.

The selection of mirrors is a complete train wreck. Most of the list scrolls off the top of the screen before you have a chance to see it. I always have to just pick "fastest" and then go back and edit the file manually after installation if I'm not happy with the choice it made.

I was never able to get through an installation in one go. The networking configuration would always seem to fail somehow and the process would stop due to a lack of network connection. I would then figure out how to get the network running and run through configuration again to get through the final steps.

I'm satisfied with the Debian text based installer. You might want to have a look at that for a guide. The Ubuntu server installer is also good guide.

What might be particularly useful is some way of doing a headless install which inserts a configuration file into the ISO so you just create and edit the file, run a script to insert it into the ISO (or build a new ISO), boot from that, and the configuration script reads the file and does what it needs to do based on that. The Raspberry Pi imaging program does this for its images (which are not ISOs). This would be useful for people setting up headless systems where they don't want to have to drag out an extra monitor to set it up.

I believe the setup system has some sort of way of creating a "replay" file, but that assumes you already have a working system that you want to duplicate. It doesn't help if you don't have that.

According to the web site 0.3 means that the part that handles audio is ready to replace Pulseaudio and Jack.

They have a list of other features to add, many of which are not directly related to audio (they also intend to handle video), but those milestones come later.

Re: Bit late to the party, aren't they?

Canada does independent security reviews on all telecommunications kit from all suppliers, not just Huawei, and has done so for many years.

No problems were ever found with Huawei kit of a nature which didn't also exist in that of their competitors such as Nokia or Ericsson.

The complaints from intelligence officials in Canada relating to Huawei had to do with how it affected diplomatic relations with their counterparts in the US intelligence apparatus and US threats to cut off security cooperation via "Five Eyes" if Canada didn't fall into line on the Huawei issue.

Re: Military implications?

The Russians modernized a lot of their military kit starting before 2010 and carried on doing so up until today. They have reasonably modern kit for their "contract" (full time professional) army, but they also have big reserves of older and simpler hardware which they can pull out and use at need, including with their reservists.

Their main problem is that they will have limited manufacturing capacity to replace modern kit lost in combat, and modern warfare eats equipment at an alarming rate. This is simply a result of the finite size of their economy.

Re: The McDonald's of programming languages

Most of the people who were primarily using Visual Basic either kept on using it or switched to C#. Their language choice tended to be determined by a combination of vendor platform support (Microsoft and their various products), IDE familiarity (Visual Studio), familiarity with third party libraries, etc., rather than features of the language itself. They were mainly interested in developing software for desktop PCs running MS Windows.

Python users originally mainly came from a Linux/unix/BSD background and were interested in server side development for web servers, numerical processing on super computers, biology, machine learning, large scale system administration tools, etc. A large community and set of third party libraries grew up around this. The main competitors to Python were Perl and Ruby.

With the rise of the Internet and the smartphone / tablet, the focus of the overall software market shifted away from the PC to server side, and Python was well positioned to take advantage of it.

An increasing number of new people coming into the software development learned Python because it was already well established in those up and coming areas as the language for rapid development of applications. As the market shifted away from the PC, people working in that field were drawn to Python for the same reason. Educators noticed the trend as well and started using Python as a teaching language, but most were very late to change curricula and did so only years after the trend was well established.

So the trend to Python came about due to a number of large scale industry trends coming together over the past couple of decades. The features of the language may have determined why people picked Python over Perl or Ruby, but they would have picked something along those lines regardless.

Re: Plenty of reasons to choose RISC-V

India are also very interested in RISC-V as well, for all the reasons you state plus another one as well. The additional reason is that allows Indian companies to participate in the market on an equal footing to those of other countries. This will allow the Indian technology sector to grow without being subsidiary to the global plans or priorities made in other countries.

Re: Beginners'

Some sort of BASIC was pretty much the "standard" way of adding a programming language to hardware back in the days when Visual Basic was relevant. Lots of industrial and laboratory equipment was programmed using an embedded BASIC interpreter. Every vendor had their own slightly different dialect of it.

There was a whole class of hardware known as "single board computers" which were 8 bit micros intended for embedded applications. Many came with BASIC burned into ROM. This is old style basic complete with line numbers and GOTO, rather than VB of course.

Intel had a version of their 8031 microcontroller called the 8052AH Basic which had a BASIC interpreter burned into ROM on the chip and it was a big seller in embedded applications. At least one other major company also made the chip under license.

I used a lot of BASIC in embedded industrial applications. It's what was available and would run on very limited hardware. It also allowed for rapid iterative development on systems (manufacturing cells) which were often unique and expensive. You would connect to the hardware using an RS-232 cable and program it by typing directly into it. If you were clever of course you would actually do your editing in a text editor on your PC and set up your terminal emulator to "type" the text file into the embedded system.

If you drove a car in those days, almost certainly some parts of it were made by equipment controlled by an embedded BASIC.

Re: I wonder

I did some digging yesterday when I first saw the news of this. From what I can see TOTP is one of the main options. Github are pushing their phone app as the preferred TOTP solution, but I don't see any reason why you would have to use it.

I installed "oathtools" (sudo apt install oathtools) to see how that worked, although I haven't tried it with Github yet however. Oathtools uses HMAC by default, but has a TOTP option.

Apparently once you have registered your key with Github you give oathtools your key and it generates a second key which basically amounts to a series of one time and time limited passwords. You then use that to log into Github. Your PC's clock obviously has to be reasonably correct for this to work, as the one time password uses the current time as one of its inputs.

The intent of this is to prevent replay attacks where someone gets a copy of your password and reuses it over again later. With TOTP your "password" stays on your PC and you just use an encrypted one time version of it instead.

Here's an example:

oathtool --totp 0123456789abcdef

197691

In the above "0123456789abcdef" is your secret key (in hex) which you register with Github and "197691" is an example of the one time password you use to log in with. Each time you run it you will get a different output.

I haven't tried this yet (I'm in no rush to be one of the guinea pigs) but from what I can see it should work. I will probably end up using zenity to turn the command line program into a simple GUI app which I would launch with a click from the desktop.

The whole thing could probably use a Register article showing how the best options are done as I found the Github explanation to be convoluted and difficult to understand. Github's explanation is very "Microsoftian" in that it only really makes sense after you've spent time figuring it out based on other sources.

Re: WTF???

There isn't one big lockdown across the whole city. The city is divided into districts and different levels of control are applied to different areas depending upon the local infection rate.

So in some areas people are not allowed to leave their homes while in other areas they are, but are limited in the size of gatherings. Movement between districts is controlled.

Re: OpenBSD is Faaast!

I run a large set of benchmarks for my software in VMs on my PC, testing a wide variety of Linux and BSD OS distros. FreeBSD and OpenBSD were always measurably slower than any of the Linux distros, and roughly comparable to Windows. I suspected that this was mainly a reflection of the respective compilers.

A big gap opened up however after Meltdown/Spectre mitigations were put into place, with OpenBSD and FreeBSD slowing down very significantly, OpenBSD much more so than FreeBSD. I suspect this was a result of different ideas of what a suitable compromise was in terms of security versus performance.

Whether any of this makes a difference will depend on your application. If your application is I/O bound, then the CPU performance difference probably won't matter. So, OpenBSD might be a good choice for a mailserver or firewall or the like, but not a good choice for a supercomputer. Benchmark your application and keep the security / performance trade offs in mind.

Re: Why not CentOS?

I write software and run automated tests on a dozen different platforms using both VMs and direct hardware targets. When I do a release I list all of the platforms on which I ran tests, including the versions so that users can have confidence that it has been well tested and should work.

I use AlmaLinux in a VM to test software which my users may choose to run on RHEL. There is no point in me using Centos Stream because it doesn't act as an equivalent to any particular current RHEL release. What's the point of testing on Centos Stream when my users are unlikely to deploy on it?

There no doubt other people for whom Centos Stream serves a purpose, but I'm not one of them.

Re: So what other sanity checks did they leave out on the rewrite?

The whole thing sounds like a lack of serious testing. I have written a fair bit of numerical code over the past few years and one of the things that I learned was that there is lots of room for all sorts of non-obvious errors. The only viable solution seemed to be testing. I just ran a check over one project and have roughly 5 times as much testing code as there is code which is being tested.

Since it isn't possible to test every possible numerical combination (although test values can be generated algorithmicly), a good sense of what sort of numbers can be problematic is necessary.

Testing for (0, 0) is one of those really obvious problematic value pairs if you are doing anything involving any numerical operations. There are so many errors associated with 0 that if you are going to test anything at all, it should be 0.

This really raises the question for me that if they didn't test (0, 0), do they have any systematic testing at all? Or did they just pick a few numbers at random and checked to see that they got the same answer as the C++ implementation and called it a day?

This is not exactly confidence inspiring if that's the case.

Re: RISC-V maybe ?

RISC-V is probably the future for Russia and quite a few other countries some day, but if you want to buy off the shelf CPUs today with the necessary speed and memory capacity and which are available in large numbers from distributors who aren't going to ask too many questions about what you are going to do with them, then you're talking about x86_64.

Re: TITSUP

You can create a user named "pi", the installer just tells you that it's not a good idea.

Re: Software with western components

I suspect it's mainly about who does commercial support. To pick a simple example, if a customer has a server with an American Linux distro, it can be replaced by an equivalent Russian distro. The customer then deals with a Russian company for support rather than an American company.

For things like Oracle databases, convert to using Postgres (or whatever) with a Russian company providing commercial support.

Obviously for some situations this is a bigger job than others. However, there is probably a lot of low hanging fruit to be taken which will cut American and western European companies out of the picture, greatly reducing the effects of Western trade boycotts.

It's the obvious response. It's not like the Russians are just going to sit there and do nothing.

Re: Other languages....

I read Beingessner's original post. There is no core argument and Beingessner doesn't really have a point. It's just a long meandering rant about some the problems which are inherent in writing a compiler and some of the possible ways of getting around them.

From the context I gather the author of the original post was working on a number of issues relating to trying to auto-generate Rust bindings for C libraries, how to handle differences in language calling conventions, problems with different underlying hardware having different native integer sizes, and problems with less than ideal user programs having hardware related assumptions hard coded into them.

It would be nice if all of these were simple to handle, but they inherently aren't. There is and likely never will be either a one-size-fits-all programming language or an ultimate programming language that solves all problems for all time.

The original post author's attempts to redefine the English language does not somehow make the argument somehow more profound or more correct. It just instead implies that there really isn't a coherent argument to be made.

Re: Whodathunkit

There were a couple of reports published recently on "excess deaths", which is a long standing system for measuring current deaths against historical trends, taking into account changing factors such as population age profiles, etc. Health experts have been saying since the start of when the pandemic got serious that the only accurate measure of how many people die during the pandemic will be the excess deaths stats, but those will be an after the fact measure rather than a real time daily count.

Well, I just read one of the excess deaths studies covering 2020 and 2021 and the UK stands out as having their official COVID-19 deaths count nearly bang on to the excess deaths estimate (within 3 per cent). Western Europe as a whole underestimated their deaths by roughly 50 per cent on average, with some being off by a factor of 2 or more.

On a per capita basis, excess deaths in the UK were below the averages for any of western, southern, central, or eastern Europe and almost identical to France or Germany.

Excess deaths estimates for the third world were often an order of magnitude or more above the official count.

We'll find out how many people omicron killed when the excess deaths estimates come in months or in some cases years after it's over. Loads of people are dying from omicron, it's only "mild" if you're vaccinated or survived previous infection and so already have immunity to serious disease. Omicron is roughly the same degree of seriousness as the original strain or alpha, which shouldn't be too surprising as that is what it is descended from, instead of delta.

Re: Thank god for small favors

I live in Canada. I've never had heated seats or steering wheels and I don't seen any need for them. They're gimmicks with no real practical value in a modern car.

I remember long ago when vinyl seats were common and they were rock hard and cold when you first sat on them in the morning in the winter. However, it's been decades since I've seen a vinyl seat, and cloth just doesn't have the same problems and modern foams don't get as hard in the cold. Heated seats solve a problem that ceased to exist long ago.

As for heated steering wheels, if it's actually cold then you will be wearing gloves anyway. Just leave them on until the interior warms up enough at which point you don't need a heated steering wheel to take your gloves off. Again it's a solution looking for a problem.

I have a car for the purposes of transportation, not as an expensive toy with pointless widgets to fiddle with.

There are emulators for IBM mainframes that run on Linux. I don't see why the same couldn't be done for Fujitsu systems.

The problem will be the operating system and other associated software. At the last that I heard customers attempting to run the above mentioned IBM emulators run into problems because IBM won't license their OS for use on emulators. I don't know if Fujitsu will take a different position.

The first paying software development job that I had was reverse engineering an IBM mainframe application to run on a PC. That is, here's the inputs, here's the outputs we desire, write a program which does this on a PC running MS-DOS. I did it for a small fraction of the cost of the proposed charge to be added as a customer on the existing mainframe application, which was running in a EDS data centre (the original "cloud"). I know someone else for whom one of his first paying software development jobs was also to move a mainframe application to a PC. In his case the mainframe was nearing end of life and moving to another mainframe was seen as not really providing a long term solution.

There were obviously small, specialized applications, but loads of these were around at the time as big companies had IT departments that preferred doing things on mainframes which smaller companies used PCs for. Most mainframe applications didn't involve anything that couldn't be done with a fast enough PC with a big enough hard drive provided you knew what you were doing and weren't trying to just duplicate how the mainframe application approached the problem.

There's probably no single answer to this sort of question. Each company will have to look at their own individual situation and figure out how to deal with it. The biggest problems for most companies probably aren't going to be the technical ones, bur rather the ones involving their own internal bureaucracies which will attempt to throw barriers in the way of any sort of change.

With Linux you need to use a different audio system for that. The standard one is made for ease of use which is fine for what nearly everyone needs, but there is a different audio system you install for serious audio work.

There is a project to replace both with a single system that does both, and it will probably become the default some time in the near future.

Re: Puzzled

The issue has nothing to do with who the original developer was. It has to do with that it had few users to begin with (mainly Suse), and hardly anyone has used it in years. It was a niche file system to begin with and it's been an obsolete file system for years.

Nearly everybody uses Ext4, which does everything that they need. Other alternatives include XFS, ZFS, and BTRFS. ReiserFS was always an also-ran a long way behind the leaders.

As I understand it, Hans Reiser ran a small company which licensed out a non-open source version of his file system to proprietary SAN vendors. The open source Linux version of ReiserFS gave his small company a larger user base which gave the file system more testing than his small company could have economically done themselves. It always however had very limited use as compared the the more mainstream Linux file systems.

If anything what this shows is the overall stability of the underpinnings of Linux, that ReiserFS should have continued on for so long with so few Linux users.